Tightening enforcement of the EU's NIS2 Directive is pushing automotive and logistics operators to accelerate private 5G deployments across operational technology (OT) environments, as stricter incident reporting and supply chain security mandates reshape network architecture decisions in European manufacturing.

Background

The NIS2 Directive replaced its predecessor NIS1 in October 2024, raising the EU's cybersecurity ambitions through a wider scope, clearer rules, and stronger supervision tools. All organizations with more than 50 employees and annual revenues exceeding €10 million must now comply, whether public or private.[1] Crucially, the directive extends beyond traditional IT systems. NIS2 broadens cybersecurity obligations to include industrial and logistics providers and mandates integrated security across device, edge, and platform layers rather than isolated measures.

The directive classifies transport and logistics as an essential sector, subjecting them to the highest security requirements and strictest sanctions. Manufacturing falls under the important entities category, which carries somewhat lighter obligations but still requires proportionate security measures, supply chain oversight, and incident reporting.

Transposition across EU member states remains uneven. By early 2026, Germany, the Netherlands, and several other member states had enacted national legislation, while others, including Norway and Sweden, were still working through transposition. The European Commission sent formal warnings to 19 member states in May 2025 for failing to transpose the directive on time. In Germany specifically, the NIS2 Implementation Act entered into force on December 6, 2025, bringing approximately 29,500 entities under BSI supervision, compared to 4,500 previously.

Details

The directive's OT security requirements are proving especially disruptive for automotive and logistics operators whose production and warehousing environments depend on wireless connectivity. Modern manufacturing floors mix legacy OT infrastructure with newer connected equipment (robots, production line sensors, quality control systems, and logistics tracking), all running alongside older controllers never designed with network security in mind. NIS2 requires security across all of it.

Private 5G networks are emerging as a preferred architectural response. Mercedes-Benz expanded its use of dedicated mobile private networks across manufacturing operations, explicitly choosing private over public 5G to eliminate latency variability and support high-precision, time-critical automation. Siemens has gone global with its private 5G offering, calling industrial-grade 5G deployed on enterprise premises "one of the essential key pillars connecting AI-driven manufacturing." The ability to enforce network segmentation, a core NIS2 control, at the radio access layer is a primary driver. Cargill deployed private 5G on factory floors to support AI-enabled workflows, reporting that a single 5G access point covers the footprint of approximately nine Wi-Fi access points, shifting the economics of large-footprint factory wireless deployments.

Open Radio Access Network (Open RAN) architectures are also drawing attention from compliance-conscious procurement teams. Private 5G mobile networks are considered early adopters of Open RAN, targeting industrial settings such as manufacturing, mining, and warehouses. Rakuten Symphony and Celona have announced collaboration on end-to-end Open RAN-based private 5G solutions for large and mid-sized enterprises, designed on O-RAN specifications to provide radio flexibility across spectrum bands. Multi-vendor Open RAN architectures reduce single-supplier dependency, an advantage for organizations required to conduct formal vendor risk assessments under NIS2 Article 21.

NIS2's incident reporting framework requires an initial 24-hour early warning, a 72-hour incident notification, and a 30-day final report for significant cybersecurity events. Meeting the 24/72-hour reporting window is practically impossible through manual audits alone, as legacy OT systems were built for availability, not logging or alerting. Compliance demands a shift toward automation and continuous visibility, including monitoring tools that provide real-time oversight of OT networks and feed into centralized security operations centers.

Supply chain security requirements under the directive are generating additional overhead. NIS2 requires organizations to vet and monitor their suppliers, including connectivity and SIM providers, whose security posture, data handling practices, and infrastructure choices all affect compliance status. For mid-sized manufacturers, the financial impact is substantial. Mid-sized businesses often face first-year NIS2 compliance investments ranging from €200,000 to €600,000, with operational expenses regularly exceeding planned IT spending by at least 20%.

Manufacturing has topped the list of most-targeted industries globally for four consecutive years, accounting for 32.4% of all recorded cyber incidents in 2024. Ransomware represented 68% of all industrial ransomware attacks in the first quarter of 2025. Non-compliance penalties are equally severe: essential entities face fines of up to €10 million or 2% of global annual turnover, while important entities face penalties of up to €7 million or 1.4% of global turnover. Executives bear personal liability under NIS2; individuals can face fines, legal action, or temporary bans from management roles if an organization fails to implement proper cybersecurity measures.

Outlook

The NIS2 directive envisions a European certification scheme, currently under development, for 5G, cloud services, and consumer IoT. The industrial infrastructure certification scheme is likely to derive from ISA/IEC 62443. In January 2026, the European Commission proposed targeted amendments to NIS2 to increase legal clarity and simplify compliance for approximately 28,700 companies, including 6,200 micro and small-sized enterprises. Automotive and logistics operators planning cross-border operations will need to track national implementation variances closely, as enforcement intensity and sector-specific interpretations continue to diverge across EU member states.