
The manufacturing sector has been undergoing an intense digital transformation for years. Automation, robotization, MES systems, integration of IT with OT and the concept of Industry 4.0 are increasing efficiency, but they also bring challenges related to cyber risks. It is in this context that NIS2 is becoming one of the key topics for manufacturing companies in Europe.
The NIS2 directive is not just another abstract regulation “for the IT department.” For industry, it means real requirements that directly affect the continuity of production, the safety of people and the stability of supply chains. It’s an area close to my philosophy and explitia’s, where technology should support business and production, not generate chaos and uncontrollable risk.
NIS2 is an updated directive on network and information systems security, adopted by the European Union in response to the growing number of cyber attacks targeting critical infrastructure and key economic sectors.
Compared to the original NIS directive, the new regulation:
For manufacturing plants, this means that cybersecurity is becoming part of production management, not just a technology issue.
Many manufacturers still assume that the NIS2 directive only covers energy or large critical infrastructure operators. That assumption is false.
It concerns, among other things:
Importantly, even if an organization is not formally classified as a “key entity,” it may still be affected by the directive indirectly, as a supplier to regulated companies. In such cases, security requirements are often transferred directly into supplier contracts and audits.

One of the most frequently asked questions in the context of this directive is “What are the requirements of NIS2?” In the manufacturing sector, they have a very practical dimension. A cyber incident is not just a reputational problem, but a real risk:
This means combining technology, processes and people, which may not be easy without the right technological expertise.
One of the biggest challenges for manufacturing plants is integrating directive requirements with OT realities. Industrial systems:
The directive does not impose specific technologies or solutions. Instead, it requires an informed, documented and proportionate approach to risk. This means that even older production lines can comply if the organization can demonstrate that risks are known, managed and monitored.

For industry, a key issue in the context of NIS2 is business continuity. Cybersecurity cannot be separated from manufacturing realities.
The directive enforces:
This means that a cyberattack is treated similarly to a technical failure, that is, as an event for which the organization must be prepared operationally, not just formally.
In many manufacturing plants, NIS2 is still treated as a side topic or a pure formality. This leads to several recurring errors that significantly increase operational risk.
The most common mistake is the belief that the NIS2 directive applies only to the IT department. In practice, it also includes OT, production, maintenance and management. Without their involvement, requirements are implemented piecemeal.
Companies often secure office systems and ignore PLCs, SCADA or MES. Meanwhile, NIS2 requirements apply to the entire IT/OT environment, and it’s OT that’s critical to production continuity.
Having a document does not mean preparedness. Lack of testing for emergency scenarios and cyber incidents is a common problem in manufacturing plants.
Manufacturing relies on third-party technologies. The lack of supplier security assessments and contract provisions is a gap that NIS2 pays particular attention to.
Training limited to IT is not enough. Operators, engineers and maintenance also need to understand the risks and their role in security.
By avoiding these mistakes, NIS2 can be approached as a tool to help strengthen production continuity, not just as a regulatory obligation.
Implementation of the NIS2 directive in industry should not be a one-time project carried out just for an audit. An evolutionary approach yields the best results. Implementing NIS2 in a manufacturing company requires a different approach than in classic IT.
This approach will help the production facility meet regulatory requirements without crippling production or requiring excessive investment.
While NIS2 is sometimes seen as yet another regulatory burden, for manufacturing companies it could provide the impetus to put cybersecurity in order. Many plants today operate based on the expertise of individuals, informal procedures and historical solutions.
Directive:
This is exactly the direction I try to promote individually and with explitia: technology as a stable foundation for business, not a source of uncontrollable risk.
For the manufacturing sector, NIS2 is much more than “compliance.” The NIS2 directive touches the very heart of industrial operations: production continuity, human safety and supply chain stability.
Companies that approach NIS2 requirements strategically, combining IT, OT, processes and management, can gain a real competitive advantage. In an industry where every hour of downtime can cost thousands or millions, cybersecurity stops being a cost and becomes an investment in stability and growth. Every manufacturing company is different, so NIS2 is worth translating to the realities of a specific plant.