Factory Tech News

EU NIS2 Expansion Raises Compliance Bar for OT/ICS Vendors

EU NIS2 enforcement pressures OT/ICS vendors and manufacturers to overhaul cyber hygiene, supply chain security, and incident reporting as transposition progresses.


The European Union's NIS2 Directive is forcing operational technology (OT) and industrial control system (ICS) vendors to overhaul cybersecurity practices as enforcement rolls out unevenly across member states. As of March 2026, NIS2 is being enforced or is in the process of becoming enforceable in all EU member states, according to compliance tracker Compliquest, though the pace of transposition varies widely. On 7 May 2025, the European Commission sent a reasoned opinion to 19 member states - including Germany, France, Spain, and the Netherlands - for failing to fully transpose the directive, according to the European Commission's digital strategy unit. OT vendors and manufacturers operating across multiple jurisdictions now face a patchwork of national requirements with material consequences for procurement, auditing, and incident response.

Background

NIS2 (Directive (EU) 2022/2555) replaced the original 2016 NIS Directive with broader scope and stricter obligations, and required member states to transpose it into national law by 17 October 2024, according to compliance guide publisher Shieldworkz. The directive expanded coverage from seven to 18 critical sectors, explicitly including manufacturing as an "important entity" category. An estimated 350,000 organizations across the EU are affected by the NIS2 directive, according to a Cisco white paper on NIS2 compliance for industrial networks.

For the manufacturing sector, the shift is significant. Manufacturing companies with turnover above €10 million or employing more than 50 people must implement comprehensive cybersecurity risk management covering not only IT but also the OT/ICS systems controlling production, according to nFlo, a managed security services provider. Non-compliant important entities face penalties of up to €7 million or 1.4% of global revenue, while essential entities face fines of up to €10 million or 2% of global turnover, according to DataGuard's compliance guide.

Details

NIS2 imposes a tiered incident reporting structure that challenges many OT environments built for availability rather than logging. According to Radiflow's compliance checklist, OT organizations must report a significant incident to their national Computer Security Incident Response Team (CSIRT) within 24 hours of becoming aware of it, follow up with an intermediate report within 72 hours detailing severity and impact, and submit a final report no later than one month after the initial notification.

Supply chain security has become a procurement gatekeeper. NIS2 explicitly requires entities to manage cyber risk across supplier relationships, with regulators expecting pre-contract cybersecurity assessments and continuous monitoring of critical supplier performance, according to Shieldworkz. Vendors and suppliers are required to meet the same security standards as their clients, Sophos noted in its NIS2 compliance FAQ. For OEM equipment buyers, this means security evidence for networked production systems - MES, SCADA, OT gateways, and remote services - is now a hard procurement criterion, according to manufacturing software firm Symestic.

ENISA has released updated resources mapping NIS2 obligations to global cybersecurity frameworks such as ISO/IEC 27001, NIST CSF, and IEC 62443, according to Rockwell Automation's NIS2 guidance. ISA/IEC 62443 is a key cybersecurity standard for designing secure industrial automation and control system infrastructures and is widely used in sectors where NIS2 applies, such as power utilities, manufacturing, and oil and gas, Cisco stated in its compliance white paper. Organizations already certified against these frameworks have a compliance head start, though gaps remain around the mandatory incident reporting timelines and management liability provisions unique to NIS2.

The directive also introduces personal accountability. Management bodies must approve cybersecurity measures and are subject to training and potential liability if duties are neglected, according to Shieldworkz. Executives can face fines, legal action, or even temporary bans from management roles if proper measures are not implemented, DataGuard reported.

Outlook

On 20 January 2026, the European Commission proposed targeted amendments to NIS2 as part of a broader cybersecurity package, aiming to clarify scope, harmonize technical measures, introduce certification-based compliance pathways, and strengthen cross-border supervision through an expanded role for ENISA, according to Global Policy Watch. The amendments are expected to ease compliance for 28,700 companies, including 6,200 micro and small-sized enterprises, the European Commission stated. Member states could require entities to obtain a "cyber-posture certificate" - an entity-level certification under a future European cybersecurity certification scheme, law firm Covington reported. Negotiations in the European Parliament and Council are expected later in 2026, with adoption potentially extending into 2027.