
EU NIS2 Compliance Push Reaches OT Vendors and Industrial Supply Chains: Enforcement Timelines and Practical Steps

NIS2 enforcement is active across the EU. OT vendors and manufacturers face supply chain audits, board liability, and 24-hr incident reporting. Here's what to do.

As of early 2025, only nine EU member states had fully transposed the NIS2 Directive into national law - yet enforcement obligations have been active since October 18, 2024. For OT vendors, machinery manufacturers, and industrial supply chain operators, that gap is not a grace period. National competent authorities (NCAs) in jurisdictions that have transposed the directive are already equipped to audit, issue binding instructions, and levy fines. The compliance clock runs at different speeds across the bloc, but the regulatory direction is unambiguous.

This analysis maps the current enforcement landscape, clarifies which industrial entities fall in scope, and outlines the specific steps OT organizations must take to achieve demonstrable, audit-ready compliance.


Who Is In Scope: Essential vs. Important Entities in Manufacturing

NIS2 establishes a unified legal framework covering 18 critical sectors across the EU - a substantial expansion from the seven sectors targeted by its predecessor. The manufacturing sector, previously largely overlooked by NIS1, is now explicitly included, marking a fundamental change for European industry.

All organizations with more than 50 employees and annual revenues exceeding €10 million must comply, whether public or private. The directive assigns entities to one of two tiers - Essential or Important - based on sector criticality and organizational size. Both categories must implement the same core cybersecurity risk management measures, but Essential entities face proactive supervision and higher maximum fines, whereas Important entities face reactive oversight.

The table below summarizes the key distinctions relevant to OT operators and manufacturers:

Criterion                   | Essential Entity                                  | Important Entity
----------------------------|---------------------------------------------------|------------------------------------------------------------
Typical sector examples     | Energy, transport, health, digital infrastructure | Manufacturing, chemicals, food processing, waste management
Size threshold              | >250 employees or >€50M turnover                  | >50 employees or >€10M turnover
Supervision model           | Proactive - regular audits, on-site checks        | Reactive - triggered by incidents or complaints
Max fine                    | €10M or 2% of global annual turnover              | €7M or 1.4% of global annual turnover
Management liability        | Personal liability for gross negligence           | Personal liability for gross negligence
Incident reporting timeline | 24-hr / 72-hr / 30-day                            | 24-hr / 72-hr / 30-day

Poland has reclassified manufacturing - including chemical production, food processing, and distribution - from 'important' to 'essential,' subjecting those operators to the stricter supervision tier. Industrial organizations should verify their classification under each member state's national transposition, not solely the EU-level directive text.

NIS2's reach also extends beyond EU borders. The directive can apply to organizations outside the EU that provide services within the bloc, meaning non-EU entities delivering critical or important services to the EU must still comply.


The Fragmented Enforcement Landscape

Amid soaring vulnerabilities driven by emerging cyber threats and state-sponsored attacks, only four countries met the transposition deadline of October 17, 2024. On November 28, 2024, the European Commission opened infringement procedures against 23 member states [1].

[1] Directive on measures for a high common level of cybersecurity across the Union (NIS2 Directive) - FAQs | Shaping Europe's digital future

As of the latest tracking, 16 EU and EEA countries have adopted NIS2 into national law, with others still in draft or consultation phases and enforcement expected by 2026. This divergence creates compliance complexity that is particularly acute for multinational manufacturers and OT vendors serving multiple markets.

Multinational Exposure: Organizations operating in multiple EU member states face overlapping obligations. The competent authority of the member state of main establishment holds primary supervisory responsibility; however, competent authorities in other member states where the entity provides services may request the primary authority to take supervisory or enforcement actions. Manufacturers should map obligations country by country and maintain a consolidated compliance register.

Substantial divergence in adoption timelines and requirements creates operational and compliance challenges for entities providing services across multiple jurisdictions. Measures vary in strictness, registration deadlines, sectoral coverage, incident reporting requirements, and enforcement timelines - posing real risks of fragmentation.

Several jurisdictions require internal or third-party cybersecurity audits. Poland, for example, requires biennial audits, and Belgium has introduced ISO-aligned self-assessments. In Greece, audits are planned from Q4 2025 under the National Cybersecurity Authority.


Board-Level Accountability: A Structural Shift for OT

NIS2 fundamentally repositions cybersecurity in the industrial governance hierarchy. The directive introduces strict management accountability: top management can now be held personally liable for gross negligence in cybersecurity risk management, elevating industrial vendor security from a purely technical IT concern to a board-level imperative.

Corporate management must oversee, approve, and be trained on the entity's cybersecurity measures and address cyber risks. Breaches may result in penalties for management, including personal liability and a potential temporary ban from management roles.

This represents a significant shift for manufacturing, where cybersecurity was traditionally delegated exclusively to the IT department. Governance programs now require documented evidence of board engagement, approved security policies, and formal risk acceptance - all auditable by NCAs.


Supply Chain Security: The Most Exacting Obligation

The requirement for in-scope entities to adopt measures ensuring the security of the immediate supply chain is one of the lesser-discussed aspects of NIS2. However, given the actions that could flow from this - including renegotiating supplier contracts, enhancing due diligence, and potentially replacing suppliers whose cybersecurity standards fall short - this requirement could prove one of the most exacting and time-consuming elements of an organization's NIS2 compliance journey.

NIS2 requires that entities "take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of products and cybersecurity practices of their supplier and service providers, including their secure development processes."

The non-binding recitals of NIS2 indicate that organizations should assess the cybersecurity quality of both direct suppliers and their suppliers in turn. The Implementing Regulation states that contract terms should include cybersecurity requirements for subcontractors of direct suppliers, implying that NIS2 standards should extend beyond the direct supply chain.

Procurement and vendor management processes must evolve, embedding security standards into contracts and RFQs. For OEM equipment manufacturers and system integrators, existing standard-form contracts almost certainly require revision. Cybersecurity clauses, incident notification obligations, and audit rights must now be standard procurement terms.

For deeper background on the broader OT/ICS regulatory context, see the earlier analysis: EU Strengthens OT/ICS Cybersecurity under NIS2 Expansion.


IEC 62443 as the Practical Compliance Bridge

NIS2 does not mandate specific technologies but explicitly references international standards as a path to demonstrating compliance. IEC 62443 is the global standard for securing Industrial Automation and Control Systems (IACS), originally developed by the International Electrotechnical Commission (IEC) in partnership with the International Society of Automation (ISA).

NIS2 stresses the use of international standards to ensure entities implement effective cyber risk-management measures. ISA/IEC 62443 is a key cybersecurity standard for designing secured IACS infrastructures, widely used in sectors where NIS2 applies - including power utilities, manufacturing, and oil and gas. Organizations with experience in ISA/IEC 62443 are well positioned to achieve NIS2 compliance.

The directive envisions a European certification scheme, currently under development, for cloud services, 5G, consumer IoT, and industrial infrastructures. The industrial infrastructure certification scheme will likely be based on or derived from ISA/IEC 62443. For mid-market plants undertaking retrofit projects, aligning with IEC 62443 zone-and-conduit architecture provides both a technical framework and a defensible compliance posture.

ENISA has released updated resources mapping NIS2 obligations to global cybersecurity frameworks such as ISO/IEC 27001, NIST CSF, and IEC 62443, offering a clearer picture of practical implementation in OT/ICS environments.


Incident Reporting: Why Legacy OT Systems Create Structural Risk

Meeting NIS2's 24/72-hour incident reporting window is practically impossible through manual audits alone. Legacy OT systems were built for availability, not for logging or alerting. Compliance demands a shift toward automation and continuous visibility.

Organizations must follow a multi-stage reporting process: an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month. This requires mature detection, escalation, and communication procedures.
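The milestones above are easy to state and easy to miss once an incident is under way. The following script, added here as an illustration and not part of the original article, turns the three deadlines from the table (24-hr / 72-hr / 30-day, all measured from the moment of awareness) into a checker that a SOC or tabletop-exercise facilitator can run against a recorded reporting timeline. The incident timestamps are constructed for the example; the milestone names are assumptions, not NCA terminology.

```python
from datetime import datetime, timedelta, timezone

# NIS2 multi-stage reporting milestones, measured from the moment the entity
# becomes aware of a significant incident (24 h early warning, 72 h incident
# notification, 30-day final report, as in the reporting timeline table).
MILESTONES = {
    "early_warning": timedelta(hours=24),
    "incident_notification": timedelta(hours=72),
    "final_report": timedelta(days=30),
}


def reporting_deadlines(aware_at):
    """Return the absolute deadline for each reporting milestone."""
    return {name: aware_at + delta for name, delta in MILESTONES.items()}


def evaluate_reports(aware_at, submitted, now):
    """Compare filed reports against the deadlines.

    submitted: dict milestone -> datetime the report was filed
               (a missing key means nothing has been filed yet).
    Returns dict milestone -> one of
      "met"      filed on or before the deadline
      "late"     filed after the deadline
      "overdue"  deadline has passed and nothing was filed
      "pending"  not filed yet, deadline still in the future
    """
    result = {}
    for name, deadline in reporting_deadlines(aware_at).items():
        filed = submitted.get(name)
        if filed is not None:
            result[name] = "met" if filed <= deadline else "late"
        elif now > deadline:
            result[name] = "overdue"
        else:
            result[name] = "pending"
    return result


def hours_remaining(aware_at, milestone, now):
    """Hours left until a milestone's deadline (negative once it has passed)."""
    deadline = aware_at + MILESTONES[milestone]
    return (deadline - now).total_seconds() / 3600


# Constructed sample timeline (not a real incident): awareness at 09:00 UTC,
# early warning sent 26 h later (late), incident notification after 70 h (met),
# and the review is run five days after awareness, so the final report is
# still pending.
AWARE_AT = datetime(2025, 3, 3, 9, 0, tzinfo=timezone.utc)
SAMPLE_SUBMITTED = {
    "early_warning": AWARE_AT + timedelta(hours=26),
    "incident_notification": AWARE_AT + timedelta(hours=70),
}
SAMPLE_NOW = AWARE_AT + timedelta(days=5)


def sample_status():
    """Evaluate the constructed timeline above."""
    return evaluate_reports(AWARE_AT, SAMPLE_SUBMITTED, SAMPLE_NOW)


if __name__ == "__main__":
    for milestone, status in sample_status().items():
        print(f"{milestone:22s} {status}")
```

In a tabletop exercise the useful number is the lag between the first alert and the moment the organisation is considered "aware", plus the time the escalation path consumes before the early warning leaves; `hours_remaining` is what the exercise clock should display to the team.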

OT environments face unique cybersecurity challenges: legacy systems, real-time operational requirements, and the critical need for availability and safety make these systems highly sensitive to cyber risks. Deploying OT-capable monitoring tools that feed into a centralized Security Operations Centre (SOC) - or a managed SOC-as-a-Service provider - is increasingly the pragmatic approach for plants without dedicated security engineering resources.


A Staged Compliance Roadmap for OT Operators

The following sequence provides a practical framework for organizations initiating or accelerating their NIS2 compliance program. A typical NIS2 compliance process - including security assessments, auditing, consulting, and tool implementation - takes approximately 12 months.

Step 1 - Determine Scope and Entity Classification
Confirm whether the organization meets NIS2 size thresholds and operates in an Annex I or II sector. Identify whether classification as Essential or Important applies under each relevant member state's national law. Non-EU manufacturers supplying services into the EU must designate an EU representative.

Step 2 - Conduct an OT-Specific Risk Assessment
Map all IT and OT assets, including PLCs, SCADA systems, industrial IoT devices, and remote access gateways. Apply IEC 62443-3-2 zone-and-conduit methodology to identify threat vectors. Structured, risk-based assessments covering IT/OT systems, supply chain, and personal data environments are mandatory - and reviews must be conducted annually or after major changes in member states such as Greece [2].

[2] The NIS 2 Directive | Updates, Compliance, Training

Step 3 - Audit the Supply Chain
Inventory every vendor, integrator, maintenance provider, cloud service, and support partner that touches the OT environment - going beyond obvious software vendors to include HVAC contractors with remote access to building management systems and third-party logistics systems tied to the warehouse.

Step 4 - Implement Baseline Security Controls
Deploy network segmentation separating OT from IT. NIS2 states that entities should adopt a wide range of basic cyber hygiene practices, such as zero-trust principles and network segmentation. Enforce multi-factor authentication (MFA) for all remote access connections, establish continuous monitoring, and document patch management procedures.

Step 5 - Build Incident Response Capability
Establish OT-specific incident response playbooks. Assign a designated NCA contact. Run regular tabletop exercises simulating production-affecting cyber scenarios to validate that reporting workflows meet the 24-hour early-warning requirement.

Step 6 - Engage NCAs and Register
Most countries require in-scope entities to register with national authorities between Q3 and Q4 2025, but exact deadlines vary by country. File compliance declarations and, where required, arrange for certified external cybersecurity audits.

Step 7 - Establish Continuous Board-Level Governance
Embed cybersecurity into board-level governance cycles. Document evidence trails for all controls. Management bodies must formally approve security policies and demonstrate ongoing oversight - not a one-time attestation.
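Steps 2 and 4 of the roadmap, zone-and-conduit modelling and segmentation backed by continuous monitoring, come together in one concrete artefact: a written conduit policy that observed network flows can be checked against. The script below is an added example and not code from the article or from the IEC 62443 standard. It assumes a hypothetical four-zone plant (enterprise IT, DMZ, supervisory, control) with constructed address ranges, three permitted conduits, and a constructed flow log in a simple "src dst dport proto" form; real deployments would feed it records from a firewall or an OT network monitor instead.

```python
import ipaddress
from collections import namedtuple

# Hypothetical zones for a mid-size plant, grouping assets by criticality in
# the spirit of IEC 62443-3-2. Address ranges are constructed for the example.
ZONES = {
    "enterprise_it": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "supervisory": ipaddress.ip_network("192.168.10.0/24"),  # SCADA / HMI
    "control": ipaddress.ip_network("192.168.20.0/24"),      # PLCs
}

# Conduits: the only cross-zone flows the segmentation design permits.
# (src_zone, dst_zone, dst_port, protocol) -> purpose recorded in the design.
CONDUITS = {
    ("enterprise_it", "dmz", 443, "tcp"): "historian web front-end",
    ("dmz", "supervisory", 1433, "tcp"): "historian pulls from SCADA database",
    ("supervisory", "control", 502, "tcp"): "HMI polls PLCs over Modbus/TCP",
}

Flow = namedtuple("Flow", "src dst dport proto")


def zone_of(ip):
    """Name of the zone containing ip, or None if it is unmodelled."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def classify_flow(flow):
    """Return (verdict, reason) for one observed flow."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        # An address outside every zone is itself a finding: the asset
        # inventory from Step 2 is incomplete, or a rogue device appeared.
        return "unknown_zone", f"{flow.src}->{flow.dst} touches an unmodelled address"
    if src_zone == dst_zone:
        return "intra_zone", f"{src_zone} internal traffic"
    key = (src_zone, dst_zone, flow.dport, flow.proto)
    if key in CONDUITS:
        return "allowed", CONDUITS[key]
    return "violation", f"{src_zone} -> {dst_zone} {flow.proto}/{flow.dport} has no conduit"


def parse_flow_line(line):
    """Parse one constructed 'src dst dport proto' flow-log line."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto.lower())


# Constructed flow log: three conduit-conformant flows, one PLC-internal flow,
# and two flows from the enterprise network straight into the control zone.
SAMPLE_FLOW_LOG = """\
10.10.5.12 10.20.0.8 443 tcp
10.20.0.8 192.168.10.4 1433 tcp
192.168.10.4 192.168.20.17 502 tcp
10.10.5.12 192.168.20.17 502 tcp
10.10.7.3 192.168.20.17 3389 tcp
192.168.20.17 192.168.20.18 502 tcp
"""


def audit(log_text):
    """Classify every line of a flow log; returns a list of (verdict, reason)."""
    return [classify_flow(parse_flow_line(line)) for line in log_text.strip().splitlines()]


def violations(log_text):
    """Only the flows that cross zones without a permitted conduit."""
    return [reason for verdict, reason in audit(log_text) if verdict == "violation"]


if __name__ == "__main__":
    for verdict, reason in audit(SAMPLE_FLOW_LOG):
        print(f"{verdict:13s} {reason}")
```

Every conduit violation is simultaneously a segmentation failure (the firewall between the zones let it through) and a candidate detection: raising an alert on the `violation` and `unknown_zone` verdicts is the kind of continuous monitoring Step 4 calls for, and the conduit table doubles as the documented evidence trail Step 7 asks the board to oversee.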


The Broader EU Cybersecurity Package

NIS2 does not operate in isolation. On January 20, 2026, the European Commission proposed targeted amendments to the NIS2 directive to increase legal clarity and simplify compliance with EU cybersecurity rules and risk-management requirements for companies operating in the EU. The directive also intersects with the Cyber Resilience Act (CRA), which imposes security-by-design requirements on connected product manufacturers, and the DORA regulation for financial sector digital operations.

For organizations tracking the full regulatory stack, the combined effect of NIS2 and insurance-driven compliance pressure is producing notable acceleration in OT security maturity across Europe. Organizations that once viewed security as a technical add-on now treat it as a core operational requirement, integrated into governance, procurement, and performance management.


Key Takeaways for Plant Managers and OT Security Leaders

  • Classification first: Determine Essential or Important status under each jurisdiction's national law before selecting compliance measures - supervision intensity and penalty exposure differ significantly.
  • Supply chain contracts are non-negotiable: Standard procurement terms require revision. Cybersecurity clauses, incident notification obligations, and audit rights must be embedded in all OT vendor and integrator agreements.
  • IEC 62443 is the fastest path: Organizations already familiar with IEC 62443 zone-and-conduit frameworks can map directly to NIS2 technical obligations, reducing implementation lead time.
  • Legacy OT monitoring is the critical gap: Manual processes cannot meet 24-hour reporting windows. Continuous OT-network monitoring is now an operational necessity, not an enhancement.
  • Board accountability is legally binding: Cybersecurity is no longer a delegable IT function. Documented management oversight, approved policies, and formal training are audit requirements.
  • Enforcement timelines diverge: Multinational operators must track country-by-country registration deadlines, audit schedules, and NCA contacts - a consolidated compliance register is essential.