European automotive and logistics operators are accelerating open-standards-based retrofits of operational technology (OT) infrastructure as enforcement of the EU's NIS2 Directive tightens, reshaping procurement strategies, capital expenditure priorities, and supplier relationships across the sector.
Background
The NIS2 Directive entered into force in January 2023, with Member States required to transpose it into national law by 17 October 2024. Despite that deadline, transposition has been uneven: as of mid-2025, 16 EU and EEA countries had adopted national NIS2 laws, while others remained in draft stages. In May 2025, the European Commission responded by issuing formal "reasoned opinions", legal warnings that give lagging Member States a final window to comply before referral to the Court of Justice of the EU. On 26 June 2025, the EU Agency for Cybersecurity (ENISA) published nearly 200 pages of technical guidance mapping NIS2 obligations to existing international standards, including ISO/IEC 27001 and IEC 62443.
The directive covers OT-dependent sectors, including transport, manufacturing, and logistics, under its "essential" and "important" entity classifications. Fines for non-compliance reach up to €10 million or 2% of global annual turnover for essential entities, and up to €7 million or 1.4% for important entities. Members of management bodies can be held personally liable for compliance failures, including sanctions and mandatory corrective action.
Complicating implementation, national interpretations vary considerably. According to the European Cyber Security Organisation (ECSO), measures differ in strictness, registration deadlines, sectoral coverage, and enforcement timelines across Member States, creating fragmentation risks for cross-border operators. Some countries go further than the directive requires: France is bundling NIS2 with DORA and the Critical Entities Resilience Directive into a single Resilience Act, while Germany is integrating NIS2 into its broader KRITIS critical infrastructure regime.
Details
For automotive OEMs and tier suppliers, NIS2 is triggering a structural shift in OT procurement. OEMs are now required to demonstrate due diligence and ongoing oversight of third-party cybersecurity risks, driving a shift toward embedding security clauses and audit rights into supplier contracts. According to legal analysis by Lexology, TISAX certification at the "Strictly Confidential" and "Very High Availability" labels is anticipated to place automotive organizations in broad compliance with NIS2's information security controls, though registration and incident reporting requirements must still be met separately.
The retrofit response centers on two open standards. IEC 62443, the international standard for industrial automation and control system (IACS) security, is the dominant technical framework cited by practitioners. IEC 62443 was approved by the IEC in 2021 as a "horizontal standard," meaning sector-specific OT cybersecurity standards must build upon it as a foundation. OPC Unified Architecture (OPC UA), the machine-to-machine communication protocol, is emerging as the preferred migration target from legacy proprietary protocols. Industrial cybersecurity advisories from CISA, ENISA, and Germany's BSI regularly identify OPC Classic's DCOM interface as a risk factor in OT environments; migration to OPC UA removes the DCOM dependency entirely, although OPC UA's own certificate trust lists, security policies and session settings then have to be configured correctly to realize the gain.
Legacy OT protocols such as Modbus TCP and OPC DA (OPC Classic) were designed for reliability, not security: they have no authentication, integrity or confidentiality mechanisms, so any host that can reach the device on the network can read or write process values. Replacing or supplementing them with OPC UA, which provides certificate-based authentication, message signing and encryption, role-based access control (RBAC), and audit events, directly supports both IEC 62443 and NIS2 compliance.
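The contrast described above, as an added example that is not code from the article or from any vendor mentioned in it: the first half encodes and decodes a Modbus TCP "Write Single Coil" request so the reader can see that the wire format carries no credential, session or integrity field; the second half grades an OPC UA endpoint's advertised security policy and message security mode the way an auditor would when checking a retrofitted network against a SignAndEncrypt baseline. The frame bytes and endpoint tuples are constructed for illustration; the function-code set, policy URIs and mode values are taken from the Modbus and OPC UA specifications.

```python
"""
Added example (not from the article or any vendor's code): why a Modbus TCP
write cannot be trusted at the protocol level, and how to grade an OPC UA
endpoint's security settings against a SignAndEncrypt baseline.  Sample
frames and endpoint tuples below are constructed for illustration.
"""
import struct
from dataclasses import dataclass

# Modbus function codes that change process state (writes).
MODBUS_WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}

# OPC UA security policy URIs (OPC UA Part 7).  Basic128Rsa15 and Basic256
# are deprecated because they rely on SHA-1 and PKCS#1 v1.5 padding.
OPCUA_ACCEPTABLE_POLICIES = {
    "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256",
    "http://opcfoundation.org/UA/SecurityPolicy#Aes128_Sha256_RsaOaep",
    "http://opcfoundation.org/UA/SecurityPolicy#Aes256_Sha256_RsaPss",
}
OPCUA_DEPRECATED_POLICIES = {
    "http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15",
    "http://opcfoundation.org/UA/SecurityPolicy#Basic256",
}
OPCUA_POLICY_NONE = "http://opcfoundation.org/UA/SecurityPolicy#None"
# OPC UA MessageSecurityMode enumeration: 1 = None, 2 = Sign, 3 = SignAndEncrypt
MODE_NONE, MODE_SIGN, MODE_SIGN_AND_ENCRYPT = 1, 2, 3


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes

    @property
    def is_write(self) -> bool:
        return self.function in MODBUS_WRITE_FUNCTIONS


def build_write_single_coil(transaction_id: int, unit_id: int, coil: int, on: bool) -> bytes:
    """Encode a Modbus TCP 'Write Single Coil' (function code 5) request.

    MBAP header: transaction id (2 bytes), protocol id (2, always 0),
    length (2, counts unit id + PDU), unit id (1).
    PDU: function code (1), coil address (2), value (2: 0xFF00 on / 0x0000 off).
    Note what is absent: no session, no credential, no MAC.  Any host that can
    reach TCP/502 on the device can send exactly this frame.
    """
    pdu = struct.pack(">BHH", 5, coil, 0xFF00 if on else 0x0000)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode a Modbus TCP ADU; raises ValueError on malformed framing."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def assess_opcua_endpoint(policy_uri: str, mode: int) -> str:
    """Grade an OPC UA EndpointDescription's (SecurityPolicyUri, SecurityMode).

    'reject'    : no confidentiality, deprecated suite, or unknown policy
    'sign-only' : integrity and authentication, but setpoints travel in clear
    'ok'        : SignAndEncrypt with a current policy
    """
    if policy_uri == OPCUA_POLICY_NONE or mode == MODE_NONE:
        return "reject"      # plaintext: no better than legacy Modbus / OPC DA
    if policy_uri in OPCUA_DEPRECATED_POLICIES:
        return "reject"
    if policy_uri not in OPCUA_ACCEPTABLE_POLICIES:
        return "reject"      # unrecognized policy: fail closed
    if mode == MODE_SIGN:
        return "sign-only"
    if mode == MODE_SIGN_AND_ENCRYPT:
        return "ok"
    return "reject"


if __name__ == "__main__":
    frame = build_write_single_coil(transaction_id=1, unit_id=1, coil=0x0013, on=True)
    req = parse_modbus_tcp(frame)
    print(f"Modbus FC{req.function} write={req.is_write} bytes={frame.hex()}")
    for uri, mode in [(OPCUA_POLICY_NONE, MODE_NONE),
                      ("http://opcfoundation.org/UA/SecurityPolicy#Basic256", MODE_SIGN_AND_ENCRYPT),
                      ("http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256", MODE_SIGN_AND_ENCRYPT)]:
        print(f"{uri.split('#')[1]:<22} mode={mode} -> {assess_opcua_endpoint(uri, mode)}")
```

The Modbus half is the argument for the conduit controls IEC 62443 asks for: since the protocol itself cannot distinguish an engineering workstation from an attacker, the firewall between zones has to do it. The OPC UA half is the check to run against every retrofitted server's GetEndpoints response; an endpoint that still advertises SecurityPolicy#None or a deprecated policy has migrated the protocol but not the risk.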
The technical challenge is acute. OT environments consist of heterogeneous devices, real-time control loops, and proprietary protocols, many of which were not originally designed with cybersecurity in mind. Meeting NIS2's mandatory reporting timeline (an early warning within 24 hours of becoming aware of a significant incident, a full incident notification within 72 hours) is practically impossible using only manual audits on legacy OT systems, which were built for availability, not for logging or alerting. One European food and beverage operator cited in Schneider Electric's published case analysis reported a more than 40% improvement in threat detection and response times after deploying centralized OT monitoring and structured incident response playbooks.
Supply chain pressure is cascading through logistics OT as well. NIS2's supply chain obligations apply even when an organization is not itself attacked: if a supplier's security failure affects an essential entity's operations, both parties may face regulatory consequences. This is forcing logistics operators with connected warehouse management systems, automated guided vehicles (AGVs), and multi-vendor conveyor control platforms to audit the OT security posture of every system integrator and equipment vendor in their stack.
Global cyberattacks rose approximately 21% in Q2 2025 versus the same period in 2024, with Europe recording the highest region-level increase, according to data published by Schneider Electric. Manufacturing and logistics OT remains a primary target: 93% of manufacturing ransomware attacks in 2024 attempted to compromise backup systems, according to Sophos.
Outlook
Most EU countries require in-scope entities to register with national authorities between Q3 and Q4 2025, with enforcement continuing to roll out into 2026. For plant managers and operations directors, the near-term priority is completing asset inventories and OT network segmentation aligned with IEC 62443 zone-and-conduit models before national auditors, such as Greece's National Cybersecurity Authority, which has audits scheduled from Q4 2025, begin formal inspections. On 20 January 2026, the European Commission proposed targeted amendments to NIS2 to increase legal clarity; the changes are expected to simplify compliance for smaller entities while sustaining enforcement pressure on large OT-heavy operators.
