Mid-market manufacturers across Europe are anchoring equipment retrofit strategies to vendor-agnostic communication standards, as tightening NIS2 enforcement timelines force procurement teams to weigh cybersecurity compliance alongside interoperability and lifecycle cost.
Background
The Network and Information Security Directive 2 (NIS2) is the EU's updated cybersecurity framework, replacing the original 2016 directive with the aim of harmonizing and strengthening cybersecurity across 18 critical sectors, including manufacturing. The directive entered into force in January 2023 and required EU member states to transpose it into national law by October 17, 2024. As of 2025, several member states have published detailed NIS2 security requirements, and implementation is actively underway across critical sectors. Many local authorities are introducing sector-specific interpretations that raise security maturity expectations beyond the directive's minimum baseline.
Non-compliance with NIS2 can result in fines of up to €10 million or 2% of global annual turnover, with potential personal liability for C-level executives. The directive makes senior management explicitly accountable for cybersecurity decisions, elevating OT risk to a board-level and legal exposure topic.
For mid-market plant operators, the regulatory shift intersects directly with aging infrastructure. OT equipment poses a persistent challenge due to its long operational lifespan: while IT components such as servers typically cycle every three to five years, production machines commonly run for ten to fifteen years or longer. The hardware and software embedded in these machines cannot easily be kept current and may eventually fall out of step with prevailing security standards.
Details
Open communication protocols are emerging as the practical bridge between legacy assets and modern compliance requirements. Adopting a protocol that ensures high interoperability and security is considered essential to establishing Industry 4.0 capabilities. OPC Unified Architecture (OPC UA) has become a widely accepted standard for this purpose, enabling seamless, manufacturer-independent data exchange crucial to the Industrial Internet of Things (IIoT). Europe's largest industrial association, the VDMA, lists OPC UA as "a key prerequisite for the successful introduction of Industry 4.0 into production."
Traditionally, each automation layer, from PLC to SCADA to Manufacturing Execution System (MES), required custom integration code. OPC UA replaces that patchwork with a single standardized interface. The protocol incorporates security features including authentication, authorization, encryption, and message signing, and supports X.509 certificates while complying with industrial cybersecurity standards such as IEC 62443.
The alignment between OPC UA and IEC 62443 is becoming a decisive procurement criterion. Industrial manufacturers are changing how they evaluate vendors: cybersecurity is no longer treated as a feature or a future improvement but as a procurement requirement and a condition for trust. IEC 62443 is rapidly becoming the baseline standard manufacturers use to determine which vendors remain on approved lists. According to Real Time Automation, adopting IEC 62443 typically requires 12 to 24 months and demands changes to development processes, documentation, and training.
NIS2's supply chain provisions amplify these procurement pressures. One of the most significant shifts under the directive is an "all-hazards approach" that extends beyond an organization's own perimeter: industrial leaders are now responsible for assessing and ensuring the cyber hygiene of every third-party vendor, system integrator, and OEM that interacts with their operations (as described in "Secure Data Bridging in Industry 4.0: An OPC UA Aggregation Approach for Including Insecure Legacy Systems"). The directive mandates risk-based cybersecurity measures, incident reporting within 24 hours, and supply chain security.
IEC 62443 standards can help organizations meet NIS2 compliance specifically for secure industrial remote access. ENISA has released updated resources mapping NIS2 obligations to global cybersecurity frameworks such as ISO/IEC 27001, NIST CSF, and IEC 62443.
For brownfield sites, OPC UA aggregation architectures allow OT teams to extract data from legacy PLCs without replacing field-level hardware. IEC 62443 addresses OT cybersecurity through a zones-and-conduits model that strengthens industrial network security. Zones connect via conduits, typically firewalls or one-way gateways, that restrict unauthorized traffic. This segmentation model maps directly onto retrofit projects where older Modbus or proprietary devices cannot be patched but must still be isolated from internet-facing systems.
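The zones-and-conduits model above is easy to state and easy to break during a retrofit. The following Python is an added illustration, not code from the article or from the IEC 62443 standard itself: it models the retrofit layout the paragraph describes (unpatchable Modbus PLCs in a cell zone, an OPC UA aggregation gateway in front of them, an MES zone, and an internet-facing DMZ), evaluates individual flows against a default-deny conduit list, and runs three static isolation rules over the conduit set. Zone names, SL-T values, protocol names and the two "flawed" conduits are constructed for the example.

```python
"""Zones-and-conduits policy checker.

Added illustration, not code from the article or from the IEC 62443 text. It models
a brownfield retrofit in the article's terms: unpatchable Modbus PLCs in a cell zone,
an OPC UA aggregation gateway in front of them, an MES zone and an internet-facing
DMZ. Zone names, SL-T values and protocol names are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Protocols with no authentication or integrity protection of their own.
# Constructed list; Modbus/TCP is the case the article mentions.
UNAUTHENTICATED_PROTOCOLS: FrozenSet[str] = frozenset({"modbus_tcp", "s7comm"})


@dataclass(frozen=True)
class Zone:
    name: str
    sl_target: int           # simplified IEC 62443 security level target, 0..4
    has_unpatchable: bool    # zone holds legacy assets that cannot be patched
    internet_facing: bool    # zone exposes services reachable from outside the plant


@dataclass(frozen=True)
class Conduit:
    src: str                 # zone allowed to initiate connections
    dst: str                 # zone that accepts them; replies are implied (stateful)
    protocols: FrozenSet[str]


class SegmentationPolicy:
    def __init__(self, zones: Iterable[Zone], conduits: Iterable[Conduit]):
        self.zones: Dict[str, Zone] = {z.name: z for z in zones}
        self.conduits: List[Conduit] = list(conduits)
        for c in self.conduits:
            if c.src not in self.zones or c.dst not in self.zones:
                raise ValueError(f"conduit {c.src}->{c.dst} references an unknown zone")

    def evaluate_flow(self, src: str, dst: str, proto: str) -> Tuple[bool, str]:
        """Default deny: a flow passes only if a conduit explicitly carries it."""
        if src not in self.zones or dst not in self.zones:
            return False, "unknown zone"
        for c in self.conduits:
            if (c.src, c.dst) == (src, dst) and proto in c.protocols:
                return True, f"permitted by conduit {c.src}->{c.dst}"
        return False, "no conduit permits this flow"

    def findings(self) -> List[str]:
        """Static checks on the conduit set: the isolation rules a retrofit must keep."""
        out: List[str] = []
        for c in self.conduits:
            a, b = self.zones[c.src], self.zones[c.dst]
            weak = c.protocols & UNAUTHENTICATED_PROTOCOLS
            # Rule 1: legacy assets never sit one conduit away from the internet.
            if (a.has_unpatchable and b.internet_facing) or (b.has_unpatchable and a.internet_facing):
                out.append(f"{c.src}->{c.dst}: legacy zone directly conduited to an internet-facing zone")
            # Rule 2: unauthenticated protocols never touch an internet-facing zone.
            if weak and (a.internet_facing or b.internet_facing):
                out.append(f"{c.src}->{c.dst}: {sorted(weak)} reach an internet-facing zone")
            # Rule 3: an unauthenticated session cannot prove its origin, so it may
            # not be initiated from a lower SL-T zone into a higher one.
            if weak and a.sl_target < b.sl_target:
                out.append(f"{c.src}->{c.dst}: {sorted(weak)} initiated upward from SL-T {a.sl_target} to {b.sl_target}")
        return out


def reference_zones() -> List[Zone]:
    return [
        Zone("cell_legacy", sl_target=1, has_unpatchable=True, internet_facing=False),
        Zone("plant_gateway", sl_target=2, has_unpatchable=False, internet_facing=False),
        Zone("site_mes", sl_target=2, has_unpatchable=False, internet_facing=False),
        Zone("dmz", sl_target=3, has_unpatchable=False, internet_facing=True),
    ]


def reference_policy() -> SegmentationPolicy:
    """Gateway polls the PLCs over Modbus; everything above it speaks OPC UA or HTTPS."""
    return SegmentationPolicy(reference_zones(), [
        Conduit("plant_gateway", "cell_legacy", frozenset({"modbus_tcp"})),
        Conduit("site_mes", "plant_gateway", frozenset({"opcua"})),
        Conduit("dmz", "site_mes", frozenset({"https"})),
    ])


def flawed_policy() -> SegmentationPolicy:
    """Same zones plus two conduits a rushed retrofit might add to get data flowing."""
    return SegmentationPolicy(reference_zones(), reference_policy().conduits + [
        Conduit("dmz", "cell_legacy", frozenset({"modbus_tcp"})),       # breaks rules 1 and 2
        Conduit("cell_legacy", "site_mes", frozenset({"modbus_tcp"})),  # breaks rule 3
    ])


if __name__ == "__main__":
    good, bad = reference_policy(), flawed_policy()
    for flow in [("plant_gateway", "cell_legacy", "modbus_tcp"),
                 ("site_mes", "cell_legacy", "modbus_tcp"),
                 ("dmz", "cell_legacy", "modbus_tcp")]:
        print(flow, good.evaluate_flow(*flow))
    print("reference policy findings:", good.findings())
    print("flawed policy findings:", *bad.findings(), sep="\n  ")
```

The design point is that the gateway, not the MES or the DMZ, is the only zone permitted to initiate Modbus toward the legacy cell, and the static rules catch the two shortcuts a retrofit is most tempted by: a direct conduit from an internet-facing zone to unpatchable devices, and an unauthenticated protocol climbing into a higher-trust zone. In a real deployment the zone and conduit tables would be generated from the firewall and gateway configuration rather than typed in, and the checks run as part of change control.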
CISA reported a 155% rise in OT-targeted cyberattacks in 2024, with breaches costing an average of $24 million, reinforcing the operational as well as the regulatory case for standardized security controls.
Workforce readiness represents an emerging constraint. NIS2 emphasizes the importance of cybersecurity culture, requiring awareness to become as routine as safety training, which demands continuous education from the boardroom to the shop floor. OT environments face unique cybersecurity challenges: legacy systems, real-time operational requirements, and the critical need for availability and safety make these systems highly sensitive to cyber risks.
Outlook
NIS2 implementation remains uneven across EU member states, but organizations that adopt best practices now will be better positioned as enforcement tightens. Procurement teams that embed IEC 62443 certification and OPC UA conformance into vendor qualification criteria stand to reduce both integration cost and compliance exposure over successive retrofit cycles. Vendors that can demonstrate IEC 62443-aligned practices will maintain market access; those that cannot increasingly risk exclusion from approved vendor lists.
