NIS2 Compliance Wave Reaches OT Vendors and Industrial Supply Chains

EU NIS2 enforcement is pushing cybersecurity obligations through OT/ICS supply chains, forcing vendors and integrators to overhaul contracts, governance, and product security.

European enforcement of the EU's Network and Information Security Directive 2 (NIS2) is rippling well beyond directly regulated operators, forcing operational technology (OT) and industrial control system (ICS) vendors - including control-system integrators, valve suppliers, and programmable logic controller (PLC) manufacturers - to overhaul cybersecurity governance, contractual terms, and product roadmaps or risk disqualification from supply chains serving regulated customers.

Background

NIS2 became enforceable on 18 October 2024, requiring EU member states to transpose its provisions into national law. The directive supersedes the original NIS directive and expands mandatory cybersecurity obligations to 18 critical sectors, including manufacturing, chemical processing, energy, water, and transport, applying a size-cap rule: all medium-sized and large organizations - generally those with more than 50 employees and over €10 million in annual turnover - operating in listed sectors are automatically in scope, according to the directive's text.

Transposition has been uneven. On 28 November 2024, the European Commission opened infringement procedures against 23 member states for failing to meet the October 2024 deadline. On 7 May 2025, the Commission escalated by sending formal reasoned opinions to 19 member states - including Germany, France, Spain, and Poland - giving each two months to complete transposition or face referral to the Court of Justice of the European Union, according to the European Commission. As of June 2025, only 14 EU member states had fully transposed NIS2 into national law, though enforcement timelines are compressing rapidly.

Details

The directive's supply-chain provisions, codified under Article 21, are proving to be its most consequential element for the broader industrial ecosystem. NIS2 explicitly requires in-scope entities to assess, monitor, and manage cyber risks across their entire value chain. ENISA's Technical Implementation Guidance, published in June 2025, requires organizations to maintain a register of in-scope suppliers and conduct continuous - not merely annual - risk management, according to ENISA documentation cited by industry sources. According to law firm DLA Piper, suppliers identified as in-scope are subject to contractual flow-downs, with implementing guidance recommending clauses covering cybersecurity standards, employee awareness, incident reporting, and audit rights.

For OT-focused vendors not directly regulated under NIS2, the practical pressure is already material. According to an IDC survey published in late 2025, 41.1% of organizations that are not themselves in scope for NIS2 reported facing compliance requests from partners that are covered by the directive. This dynamic means small to mid-sized OT vendors - remote maintenance providers, third-party sensor manufacturers, and system integrators - face indirect but enforceable obligations through customer procurement contracts.

The compliance burden on legacy OT infrastructure is particularly acute. Legacy OT systems were built for availability, not for logging or alerting, making NIS2's mandatory 24-hour initial incident notification and 72-hour detailed report practically impossible to meet without automated monitoring infrastructure, according to Schneider Electric. PLC/SCADA vendors, system integrators, cloud providers hosting engineering workstations, and remote maintenance providers represent the highest supply-chain risk categories for OT owners under NIS2, according to compliance platform Shieldworkz.

Penalties for non-compliance are structured in two tiers. Essential entities face fines of up to €10 million or 2% of global annual turnover, while important entities - the classification covering most mid-size manufacturers - face penalties of up to €7 million or 1.4% of global annual turnover, according to the directive. Critically, executive management is personally liable for cybersecurity failures, with NIS2 providing for temporary bans or disqualification from leadership roles for repeated non-compliance, according to Greenberg Traurig and Rockwell Automation analyses.

In Q2 2025, global cyberattacks rose approximately 21% year-on-year, with Europe recording the highest regional increase, according to Schneider Electric, underscoring the threat environment driving regulatory urgency. CISA reported a 155% rise in OT-targeted cyberattacks in 2024, with breaches costing an average of $24 million, according to Shieldworkz.

Industry bodies are responding. ENISA has released updated resources mapping NIS2 obligations to global cybersecurity frameworks including ISO/IEC 27001, NIST CSF, and IEC 62443, providing clearer implementation guidance for OT/ICS environments, according to Rockwell Automation. IEC 62443, which addresses network segmentation and access control for ICS, is increasingly referenced by procurement teams as a baseline supplier qualification criterion.

Outlook

The deadline for companies to complete the first audit verifying NIS2 compliance in several jurisdictions was extended from December 31, 2025, to June 30, 2026, according to the European Cyber Security Organisation (ECSO). National enforcement agencies in early-adopter states are already conducting systematic compliance assessments. Analysts tracking the trajectory note parallels with GDPR: light-touch supervision in year one has historically given way to substantial fines by year two.

For OT vendors and integrators without direct regulatory exposure, the window to align supplier documentation, vulnerability disclosure processes, and contractual terms with customer NIS2 requirements is narrowing as procurement audits intensify across the manufacturing supply chain.