The EU's NIS2 Directive is forcing a fundamental reconfiguration of operational technology (OT) security across automotive and logistics supply chains. Enforcement is accelerating in 2026 as member states finalize transposition, non-compliance penalties for essential entities reach up to €10 million or 2% of global annual turnover (whichever is higher), and the European Commission proposes further amendments to standardize certification pathways.
Background
The NIS2 Directive came into force in January 2023, marking a decisive shift in how digital risk is governed across critical sectors, including transport and automotive manufacturing (source: NIS2 for Transport & Logistics — Guide 2026, Plan Be Eco). Member states had until 17 October 2024 to transpose the directive into national law, and NIS2 formally repealed its predecessor, NIS1, from 18 October 2024. The rollout has been uneven. Only four countries met the October 2024 deadline, and on 28 November 2024 the European Commission opened infringement procedures against 23 member states. As of early 2026, 22 of the 27 EU countries have implemented NIS2 in national law.
Germany's NIS2 implementation act entered into force on 6 December 2025, transposing the directive's provisions via amendments to the BSI Act (BSIG) and KRITIS regulations. Italy has incorporated NIS2 into national legislation, while France remains in the process of enacting the necessary laws. This divergence in adoption timelines and requirements is creating compliance challenges for entities operating across multiple jurisdictions.
Beyond sectors covered by the original directive, NIS2 now extends to critical product manufacturing, postal and courier services, and transport and logistics operators. Transport and logistics is explicitly listed as a critical sector, encompassing road carriers, rail operators, airports, port authorities, and logistics service providers that operate digital infrastructure or rely on networked systems.
Details
NIS2 is particularly impactful for manufacturers because of its emphasis on the supply chain: the directive places direct and indirect obligations on every level of the supply ecosystem, from Tier 1s to Tier 3s and beyond (source: NIS2 Update: EU Moves to Harmonise Cyber Controls, Refine Scope, and Add New In-Scope Entities, DLA Piper). Companies below the size thresholds that would put them directly in scope may still be affected if they serve supply chains for critical sectors: in-scope customers must manage the security of their suppliers, so the requirements cascade down the value chain through contracts and audits.
For OT environments, the directive's scope covers both IT and operational technology, elevating OT cybersecurity from a backend concern to a boardroom priority. NIS2's incident reporting timeline (an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month) is practically impossible to meet through manual audits alone, given that legacy OT systems were built for availability rather than logging or alerting. Suppliers must therefore deploy continuous monitoring and automated incident response capabilities across plant-floor networks so that an incident is detected, classified and escalated quickly enough for the 24-hour clock to be met.
On penalties, essential entities face fines of up to €10 million or 2% of global annual turnover, whichever is higher, while important entities face penalties of up to €7 million or 1.4% of global annual turnover, whichever is higher. Management bodies are personally accountable for compliance, and governance failures may result in temporary bans on individuals exercising managerial functions or disqualification from leadership roles.
For certification pathways, the automotive sector benefits from existing frameworks. According to analysis from ENX's expert working groups, companies already TISAX-assessed have a solid foundation covering the key aspects of NIS2 requirements, having implemented appropriate measures and demonstrated compliance through independent assessment. With more than 17,500 assessed sites in over 90 countries, TISAX is one of the most widely used assessment frameworks globally. ISO/IEC 27001, the global benchmark for information security management, is estimated to cover approximately 70% of NIS2 requirements, while TISAX adds industry-specific security controls that complement NIS2. Neither framework is a substitute for a gap analysis against the national transposition that applies to a given site, since reporting and registration duties differ by member state.
OEM procurement processes are adapting accordingly. OEMs now require cybersecurity questionnaires and evidence of controls during vendor onboarding, incorporate security audit clauses into contracts, mandate incident notification SLAs, and expect suppliers to align with recognized frameworks such as ISO/IEC 27001 and ISO/SAE 21434. The supply chain security provisions, which require in-scope entities to ensure the security of their immediate suppliers and service providers, could prove among the more exacting and time-consuming elements of NIS2 compliance, potentially requiring contract renegotiation or even replacement of suppliers whose cybersecurity standards fall short.
Reporting obligations under NIS2 vary significantly between countries, creating a fragmented compliance landscape. In Germany, for example, entities must inform those affected by an incident without delay if the regulator instructs them to do so, adding complexity for multisite operators that must track a different notification regime in each jurisdiction.
Outlook
On 20 January 2026, the Commission proposed targeted amendments to NIS2 to increase legal clarity, aiming to simplify compliance for an estimated 28,700 companies, including 6,200 micro and small enterprises. Proposed changes include:
- Clearer scope boundaries
- Simplified jurisdictional rules
- Stronger cross-border supervisory tools
- A unified approach to ransomware reporting
- EU-wide certification schemes as a fast-track route to demonstrating compliance
The amended proposal is expected to be adopted in late 2026 or 2027, after which member states will have a 12-month implementation period. With 2026 set to bring the first enforcement actions under NIS2, companies must assess their readiness to comply with the national rules already in force while monitoring the trajectory of the proposed amendments.
For further coverage of NIS2's impact on OT and ICS environments, see our earlier reporting: EU Strengthens OT/ICS Cybersecurity under NIS2 Expansion.
