The European Commission's NIS2 Directive imposes mandatory operational technology (OT) cybersecurity requirements on automotive manufacturers and logistics operators across the EU, with enforcement timelines extending into mid-2026 and penalties reaching €10 million for non-compliance.
Background
NIS2 replaced its predecessor NIS1, raising the EU's common level of cybersecurity ambition through a wider scope, clearer rules, and stronger supervision tools (source: Cisco, "NIS2 Compliance for Industries" white paper). Member States had until October 17, 2024, to transpose the directive into national law, with NIS1 formally repealed from October 18, 2024.
Transposition across the bloc has been uneven. As of mid-2025, 16 EU and EEA countries had adopted NIS2 into national law, while implementation deadlines varied and enforcement continued rolling out into 2026. On May 7, the European Commission issued a reasoned opinion calling on 19 Member States to fully transpose the directive, a formal legal warning that precedes referral to the Court of Justice of the EU. Germany's NIS2 implementation law entered into force on December 6, 2025, with registration and reporting conducted via the BSI portal, activated at the start of 2026.
Beyond the sectors covered by NIS1 (including energy, transport, and finance), NIS2 now applies to critical product manufacturing and to postal and courier services. The directive classifies transport as an essential sector subject to the highest security requirements and the strictest sanctions.
Details
Manufacturers and OT operators are classified as "important entities" under NIS2 and must comply with strict cybersecurity, incident reporting, and governance requirements. Transport and logistics operators (air, rail, road, and maritime) are treated as essential entities and face stricter oversight and enforcement.
The OT environment presents particular challenges. Operational systems in warehouses (automated sorting equipment, robots, and AGVs), along with vehicle telematics and IoT sensors, are rarely updated and often lack basic security controls. Companies frequently secure office systems while neglecting PLC, SCADA, or MES environments, yet NIS2 requirements apply to the entire IT/OT environment, and it is the OT side that is critical to production continuity.
Incident reporting obligations follow a prescribed cascade: an early warning must be filed within 24 hours of becoming aware of a significant incident, followed by an incident notification within 72 hours and a final report within one month.
Supply chain governance is a central pillar of the directive's automotive provisions. NIS2's emphasis on the supply chain places direct and indirect obligations on every level of the supply ecosystem, from Tier 1 to Tier 3 suppliers and beyond. OEMs must demonstrate due diligence and ongoing oversight of third-party cybersecurity risks. According to PECB Insights, this will drive a shift in procurement strategy, including cybersecurity questionnaires during vendor onboarding and security clauses in contracts with rights to audit and terminate.
Executive accountability provisions are equally consequential. Company directors can be held personally liable for non-compliance, facing sanctions and mandatory corrective action. If an organization fails to implement proper cybersecurity measures, executives risk fines, legal action, or temporary bans from management roles.
Essential entities face fines of up to €10 million or 2% of global annual turnover, whichever is higher, while important entities face penalties of up to €7 million or 1.4% of global annual turnover.
Practical compliance steps for plant managers span multiple functions. Operators, engineers, and maintenance personnel all need to understand the risks and their role in security; training limited to IT staff does not satisfy the directive's requirements. Standards such as IEC 62443 and ISO 21434 for automotive cybersecurity could become formal "state of the art" benchmarks under EU technical standards.
Outlook
On January 20, 2026, the European Commission proposed targeted amendments to NIS2 to increase legal clarity and simplify compliance with EU cybersecurity and risk-management requirements for companies operating in the EU (source: "NIS2 requirements: A complete guide to compliance & implementation"). The amendments aim to ease compliance for approximately 28,700 companies, including 6,200 micro and small-sized enterprises. For automotive and logistics plants not yet audit-ready, Hungary extended its first compliance audit deadline to June 30, 2026, while Italy's technical annexes establishing minimum OT security requirements are due by October 2026.
