EU NIS2 Compliance Push for OT Vendors and Industrial Supply Chains Gains Momentum: Enforcement Timelines and Practical Steps

NIS2 enforcement is accelerating across EU member states. OT vendors and manufacturers face audit deadlines, supply chain obligations, and strict incident reporting rules.

For years, the EU's Network and Information Security Directive 2 (NIS2) was treated by many industrial operators as a distant policy exercise. That phase is over. With member states now publishing enforcement calendars, opening infringement procedures, and scheduling formal audits, NIS2 is transitioning from regulatory text to operational reality - and the industrial sector is squarely in the crosshairs.

In Q2 2025, global cyberattacks rose approximately 21% year-on-year, with Europe recording the highest regional increase - a data point that lends urgency to a directive regulators are no longer willing to leave in limbo.


A Directive in Motion: Where Enforcement Stands

NIS2 came into force in January 2023, with a member state transposition deadline of October 17, 2024. The reality has been considerably messier. Only four countries met the transposition deadline, and on November 28, 2024, the European Commission opened infringement procedures against 23 member states.

Progress since then has been uneven but accelerating. As of mid-February 2025, the number of transposing countries had grown from four to nine, though substantial divergence in adoption timelines and requirements has created compliance challenges for entities operating across multiple jurisdictions.

Critically, several states are now publishing concrete enforcement calendars rather than aspirational timelines:

  • Greece: Audits are planned from Q4 2025 under the National Cybersecurity Authority, with structured risk-based assessments covering IT/OT systems mandatory annually or after major changes.
  • Hungary: The deadline for companies to complete their first NIS2 compliance audit shifted to June 30, 2026, with an external certified auditor required within 120 days of registration.
  • Germany: Germany's NIS2 Implementation Act entered into force on December 6, 2025, after an extended parliamentary process - bringing Europe's largest manufacturing economy fully into scope.
  • Netherlands: The Netherlands activated its Cyberbeveiligingswet (Cybersecurity Act) in Q1 2026, transposing NIS2 with the same 24/72/one-month incident reporting cadence.

On January 20, 2026, the Commission proposed targeted amendments to NIS2 to increase legal clarity and simplify compliance for companies operating in the EU. The measures are intended to ease obligations for an estimated 28,700 companies, including 6,200 micro and small enterprises. The amendments signal that the framework is maturing - not retreating.


Who Is Actually in Scope? The OT and Manufacturing Picture

A defining feature of NIS2 is its dramatic scope expansion relative to its predecessor. NIS1 did not mention OT directly, sector lists varied by country, and supervisory enforcement was often weak. NIS2 aims to close those gaps.

All organizations with more than 50 employees and annual revenues exceeding €10 million must now comply, whether public or private. Manufacturing companies - previously largely overlooked under NIS1 - have been explicitly included as important entities, a fundamental change for European industry. In practice, this means manufacturers above the thresholds must implement comprehensive cybersecurity risk management covering not only IT but also OT/ICS systems controlling production.

NIS2 emphasizes OT security and industrial IoT security, recognizing that cyber-physical systems such as PLCs, SCADA systems, and IoT sensors are prime targets for cyberattacks. An estimated 350,000 organizations across the EU are affected by the NIS2 directive.

The penalty structure reinforces the seriousness of scope. Essential entities face fines of up to €10 million or 2% of global revenue, while important entities face penalties of up to €7 million or 1.4% of global revenue. More significantly, NIS2 places direct responsibility on senior management. If an organization fails to implement proper cybersecurity measures, executives can face fines, legal action, or even temporary bans from management roles. [1: The Impact of NIS2 on Operational Technology (OT)]


Supply Chain Security: The Most Demanding Requirement

For OT vendors, system integrators, and equipment suppliers, NIS2's supply chain provisions represent the steepest compliance climb. The requirement for in-scope entities to secure their immediate supply chain is among the less-discussed aspects of the directive - yet given the actions it could trigger, including contract renegotiation, enhanced due diligence, and potentially replacing suppliers with insufficient cybersecurity standards, it may prove one of the most demanding elements of the compliance journey.

The primary obligation covers direct suppliers, but NIS2's non-binding recitals indicate that organizations should assess the cybersecurity quality of both direct suppliers and their suppliers in turn. The Implementing Regulation further states that contract terms should include cybersecurity requirements for subcontractors of direct suppliers - implying NIS2 standards should extend beyond the first tier.

In OT environments, the complexity is amplified. Hardware and software are often treated as closed "black boxes," making supply chain risks greater and harder to manage. A new PLC, HMI panel, or industrial robot is an extremely complex product consisting of hundreds of hardware components and thousands of lines of code from dozens of sub-suppliers.

Article 21 of the directive requires essential and important entities to implement technical and organizational measures managing security risks in the acquisition of network and information systems and their components. In practice, companies can no longer ignore the security practices of their partners. They must implement a formal risk assessment process for direct hardware and software suppliers, considering not only price and functionality but also vendor cybersecurity practices, incident response capabilities, and vulnerability management policies.

NIS2 requires procurement and vendor management processes to evolve, embedding security standards into contracts and RFQs. Industry observers note this is driving consolidation toward providers with demonstrable NIS2-aligned security certifications and documented incident-tracking capabilities - particularly for critical components such as PLCs, HMIs, and industrial controllers that interface with enterprise IT.


Incident Reporting: A 24/72/30 Cadence That OT Environments Must Meet

NIS2's incident reporting requirements impose a structured, time-pressured cadence that legacy OT environments are poorly equipped to meet without investment in monitoring infrastructure.

Organizations must follow a three-stage reporting cadence for any notifiable cyber event: an initial 24-hour early warning, a comprehensive 72-hour update, and a closure or final report once mitigation is complete.

Meeting the 24/72-hour incident reporting window is practically impossible using only manual audits. Legacy OT systems were built for availability, not for logging or alerting. This is not a theoretical gap - the 24-hour window may be entirely manageable for organizations with centralized visibility, but for those still collecting logs manually from separate firewalls, endpoint tools, and applications, it is nearly impossible.

The reporting requirements also carry a critical OT-specific nuance: an IT incident response instinct - cutting off a server from the network immediately, for example - can cause physical damage or safety hazards if applied to a PLC or SCADA system without OT-adapted protocols.
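Because the three-stage cadence is measured from the moment an organization becomes aware of an incident, a plant-level response team needs a clock that tells it, per incident and per stage, whether a submission was on time, is still pending, or is already overdue. The tracker below is an added illustration written for this article, not code from the directive, a regulator, or any vendor named here. It assumes the 24-hour and 72-hour stages run from the awareness timestamp, that the final report is due 30 days (the article's "one month") after the 72-hour notification is actually filed (or after its deadline, if it was not), and it uses constructed incident records and a fixed "now" so it runs offline.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Stage windows as described in the article: 24h early warning, 72h
# notification, final report one month (assumed here as 30 days) later.
STAGE_WINDOWS = {
    "early_warning": timedelta(hours=24),
    "notification": timedelta(hours=72),
    "final_report": timedelta(days=30),   # assumption: "one month" = 30 days
}


@dataclass
class Incident:
    """Minimal record of one notifiable event and what has been filed so far."""
    incident_id: str
    aware_at: datetime                      # moment the organisation became aware
    early_warning_at: Optional[datetime] = None
    notification_at: Optional[datetime] = None
    final_report_at: Optional[datetime] = None


def stage_deadlines(inc: Incident) -> Dict[str, datetime]:
    """Absolute deadline for each stage of the 24/72/30 cadence."""
    deadlines = {
        "early_warning": inc.aware_at + STAGE_WINDOWS["early_warning"],
        "notification": inc.aware_at + STAGE_WINDOWS["notification"],
    }
    # The final report is anchored on the 72h notification: on the filing
    # time if it exists, otherwise on the notification deadline itself.
    anchor = inc.notification_at or deadlines["notification"]
    deadlines["final_report"] = anchor + STAGE_WINDOWS["final_report"]
    return deadlines


def _status(submitted: Optional[datetime], deadline: datetime, now: datetime) -> str:
    if submitted is not None:
        return "on_time" if submitted <= deadline else "late"
    return "overdue" if now > deadline else "pending"


def report_status(inc: Incident, now: datetime) -> Dict[str, str]:
    """Per-stage compliance status: on_time, late, pending or overdue."""
    deadlines = stage_deadlines(inc)
    filed = {
        "early_warning": inc.early_warning_at,
        "notification": inc.notification_at,
        "final_report": inc.final_report_at,
    }
    return {stage: _status(filed[stage], deadlines[stage], now) for stage in deadlines}


def hours_remaining(inc: Incident, stage: str, now: datetime) -> float:
    """Hours left before a stage deadline; negative once it has passed."""
    return (stage_deadlines(inc)[stage] - now).total_seconds() / 3600.0


# Constructed sample data (not real incidents): a fixed evaluation time and
# two incidents, one partly filed and one with nothing filed yet.
NOW = datetime(2026, 3, 10, 12, 0, tzinfo=timezone.utc)

SAMPLE_INCIDENTS = [
    Incident(
        incident_id="INC-0001",
        aware_at=datetime(2026, 3, 2, 8, 0, tzinfo=timezone.utc),
        early_warning_at=datetime(2026, 3, 2, 20, 0, tzinfo=timezone.utc),   # 12h: on time
        notification_at=datetime(2026, 3, 5, 10, 0, tzinfo=timezone.utc),    # 74h: late
    ),
    Incident(
        incident_id="INC-0002",
        aware_at=datetime(2026, 3, 8, 22, 0, tzinfo=timezone.utc),          # nothing filed
    ),
]


if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(inc.incident_id, report_status(inc, NOW))
        for stage in STAGE_WINDOWS:
            print(f"  {stage}: {hours_remaining(inc, stage, NOW):+.1f}h")
```

Running the block prints a status line per incident followed by the signed hours left for each stage; a negative early-warning figure on an incident with nothing filed is the concrete shape of the "24-hour window is nearly impossible without centralized visibility" problem the article describes, since detection latency is already consumed before the clock is even read.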



Practical Steps for OT Vendors and Manufacturers

The following framework addresses the core NIS2 obligations for industrial operators and OT vendors:



Enforcement Landscape Across Member States

The following table summarizes current transposition and enforcement status across key EU manufacturing jurisdictions:



Market Impact: Vendor Consolidation and Investment Priorities

The enforcement push is reshaping procurement behavior across European industrial supply chains. Manufacturers are increasingly factoring NIS2 compliance posture into vendor selection - a shift that favors suppliers with formal vulnerability disclosure programs, documented security certifications, and audit-ready incident tracking.

Available 2025 data indicates that a secure-by-design approach reduces security management OpEx by approximately 30% compared to post-sale retrofitting, while approximately 60% of OT vulnerabilities cannot be resolved through simple software updates because they reside in obsolete hardware architectures. This finding reinforces the case for embedding security criteria at procurement rather than remediating after deployment.

One European food and beverage manufacturer deployed centralized monitoring and structured incident response protocols to align its OT security with NIS2 requirements, achieving a more than 40% improvement in threat detection and response times - strengthening compliance while reducing the risk of production disruptions.

Attacks on industrial control systems increased by 140% over the last two years, with average downtime costs exceeding €2 million per incident, according to available 2025 data - a financial exposure that frames compliance investment in operational risk terms, not just regulatory ones.

The competitive divide is already emerging. Firms with mature NIS2 programs are positioned to access European critical infrastructure contracts that increasingly require documented cyber governance. Firms without structured programs face not only regulatory exposure but growing commercial exclusion.


Key Takeaways for Industrial Operations

NIS2 is no longer a horizon risk. Enforcement timelines are published, infringement procedures are open, and audits are underway in multiple member states. For plant managers, operations directors, and OT vendors supplying European critical infrastructure, the practical imperatives are clear:

  • OT asset visibility is non-negotiable. Compliance cannot begin without a complete, current inventory of OT devices, communication paths, and vendor access points.
  • Supply chain due diligence extends beyond direct suppliers. Contractual flow-downs, SBOM requirements, and cybersecurity clauses must reach sub-suppliers, particularly for firmware and software components.
  • Incident reporting requires infrastructure, not just paperwork. Meeting the 24-hour early warning requirement demands continuous OT network monitoring - not manual log retrieval.
  • Management accountability is personal and enforceable. Executives cannot delegate NIS2 compliance to IT departments and remain insulated. Board-level governance and documented decision-making are regulatory requirements.
  • Procurement is now a security function. Vendor selection for PLCs, HMIs, and industrial controllers must incorporate NIS2-aligned security assessments alongside traditional cost and capability criteria.

For further context on how the EU's regulatory framework is evolving for OT/ICS systems, see the related analysis of EU OT/ICS cybersecurity rule expansions under NIS2 and the broader picture of rising systemic cyber risk from exposed ICS/OT devices.