Factory Tech News

EU Strengthens OT/ICS Cybersecurity under NIS2 Expansion

EU's expanded NIS2 directive now imposes stricter OT/ICS cybersecurity rules on manufacturers, including incident reporting, supplier risk governance, and executive accountability.


The European Union's second Network and Information Security Directive (NIS2), which replaces the 2016 NIS directive, broadens cybersecurity requirements to cover manufacturers, systems integrators, and service providers that operate operational technology (OT) and industrial control systems (ICS). In Germany the directive has been in force as national law since December 6, 2025. The rules require improvements in governance, incident reporting, threat monitoring, and supplier risk management. Organizations must comply before 2026 or risk fines of up to €10 million or 2% of global annual turnover, whichever is higher.

Background

NIS2, adopted in December 2022, extends compliance obligations beyond traditional critical infrastructure to the industrial and manufacturing sectors. In Germany, the NIS2 Implementation Act entered into force on December 6, 2025, bringing manufacturing companies under expanded regulatory oversight. In-scope entities must establish structured IT and OT security measures, implement supply chain risk management, and ensure executive accountability. Violations can lead to enforcement action and significant penalties, with fines of up to €10 million or 2% of global turnover [1].

Details

NIS2 requires operators of industrial and OT systems to implement comprehensive cybersecurity risk management across both the IT and OT domains. Incident reporting follows a three-stage timeline: an initial notification (early warning) within 24 hours of becoming aware of a significant incident, a detailed report within 72 hours, and a final report within 30 days [2]. Executive management is legally accountable for approving and overseeing these risk controls for both OT and IT; management accountability for cybersecurity is no longer a best practice but a statutory requirement [2].

A key provision requires manufacturers to assess the risk posed by suppliers and third parties: integrators, original equipment manufacturers (OEMs), and service providers are expected to meet the same cybersecurity standards as the manufacturer itself. A compromise that spreads through an unmanaged device, such as a PLC programmed from an unvetted USB drive, can now carry regulatory consequences if supply chain governance was not enforced [3]. Security criteria must be written into procurement contracts, and continuous OT threat monitoring is often required in practice, with many companies deploying automation and centralized incident response. Some firms report more than a 40% improvement in threat detection and response times after adopting centralized OT monitoring and incident response playbooks [3].

Outlook

As EU member states enforce these measures, organizations must update their governance, risk, and compliance (GRC) programs to cover OT and supply chain cybersecurity. Further amendments, potentially covering ransomware reporting and supply chain certification, are expected in 2026, so compliance assessments will need to be repeated rather than treated as a one-time exercise [4].

References

[1] Which laws and regulations will be relevant for industry in 2026?
[2] NIS2: New cyber obligations for companies, AMDT
[3] How NIS2 is redefining OT security for Europe's industrial leaders, Schneider Electric Blog
[4] European Commission Announces Potential NIS2 Cybersecurity Reform With Implementation Well Underway, Skadden, Arps, Slate, Meagher & Flom LLP