European and multinational manufacturers are accelerating legacy system retrofits and vendor consolidation as the EU's Network and Information Security Directive 2 (NIS2) compels procurement teams to embed open interoperability standards into operational technology (OT) contracting and supply chain governance.
Background
The NIS2 Directive, which repealed NIS1 as of October 18, 2024, established a unified legal framework covering cybersecurity obligations across 18 critical sectors in the EU, including manufacturing, energy, transport, and waste management. Unlike its predecessor, NIS2 applies to all medium-sized and large entities (defined as those with more than 50 employees or annual revenue exceeding €10 million) operating in covered sectors. The directive also introduces top-down accountability: senior management can be personally fined up to €10 million or 2% of global annual turnover for non-compliance, with governance failures potentially resulting in temporary leadership bans.
Transposition into national law has proceeded unevenly. According to the European Cybersecurity Organisation (ECSO), as of mid-2025, only nine EU member states had transposed the directive into national legislation, with divergences in sectoral scope, enforcement timelines, and incident reporting thresholds creating a fragmented compliance landscape for cross-border entities. In a significant escalation, the European Commission issued a reasoned opinion in May 2025 calling on 19 member states to complete their NIS2 transposition. Several national implementations have raised the stakes for manufacturers specifically: Poland reclassified manufacturing (including chemical production, food processing, and distribution) from the "important" to the "essential" category, triggering stricter proactive oversight.
Details
Compliance pressure is translating directly into procurement and architecture decisions on the shop floor. NIS2 requires manufacturers to conduct mandatory risk assessments of all third-party vendors, OEMs, and system integrators, and to embed security requirements into supplier contracts and request-for-quotation (RFQ) processes. This supply chain mandate is accelerating vendor consolidation at mid-market plants, where procurement teams increasingly use standards compliance, specifically alignment with ISA/IEC 62443, as a qualification criterion.
ISA/IEC 62443 is a series of international standards for securing industrial automation and control systems (IACS) across their full lifecycle, covering risk assessment, security policies, network architecture, access control, and incident management. According to Cisco's NIS2 compliance white paper, ISA/IEC 62443 is the key cybersecurity standard for designing secured industrial automation and control system (IACS) infrastructures and is the basis upon which the EU's anticipated industrial cybersecurity certification scheme is expected to be built.
For plants operating mixed legacy and modern equipment, a common condition in mid-market European manufacturing, open standards offer a practical pathway. The IEC 62443 standards include frameworks for implementing compensating controls on legacy devices where native security capabilities are absent, enabling retrofits without full equipment replacement. The EU's 2025 Rolling Plan for ICT Standardisation calls on standards development organizations to foster adoption of the EN 62443 series (based on IEC 62443) as the firm regulatory baseline for OT security in critical infrastructure across Europe.
The threat environment underscores the urgency. According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), OT-targeted cyberattacks rose 155% in 2024, with breaches costing an average of $24 million. In Q2 2025, global cyberattacks increased approximately 21% year-over-year, with Europe recording the highest region-level increase. Industry data indicates that 60% of industrial data breaches originate from third-party vendors.
Operational case data illustrates the returns from standards-aligned retrofits. According to Schneider Electric, a European food and beverage manufacturer that deployed centralized OT monitoring and structured incident response protocols, aligned with NIS2's 24/72-hour reporting windows, achieved a more than 40% improvement in threat detection and response times. A separate European pharmaceutical manufacturer used structured vendor risk assessments aligned with NIS2 supply chain requirements to evaluate and securely onboard new automation vendors, identifying compliance gaps before integration.
NIS2's incident reporting requirements impose hard operational constraints that legacy OT architectures struggle to meet. NIS2 mandates an initial incident notification within 24 hours, a detailed report within 72 hours, and a final report within one month. Legacy OT systems were built for availability rather than logging or alerting, making manual compliance with these reporting windows practically impossible without additional monitoring infrastructure.
Outlook
On January 20, 2026, the European Commission proposed targeted amendments to the NIS2 directive to increase legal clarity, with the stated aim of easing compliance for approximately 28,700 companies, including 6,200 micro and small enterprises. The ECSO has noted that several member states, including Germany, were still finalizing implementing legislation as of early 2025, meaning compliance obligations, and their procurement implications, will continue to evolve throughout 2026. Manufacturers with cross-border supply chains should anticipate further divergence in national enforcement timelines and audit schedules, reinforcing the strategic case for standards-based OT architectures that can satisfy varying national implementations from a single unified framework.
