NIS2 and OT Networks: What the Directive Really Means for Your Manufacturing Plant

In September 2025, Jaguar Land Rover shut down production across the UK, Slovakia, and Brazil for five weeks after a ransomware attack. Reuters reported losses of around £50 million a week, with 33,000 staff sent home and hundreds of suppliers unable to operate. The intrusion started in IT, but what stopped production was how deeply the manufacturing floor depended on that IT.
If you run a plant in the European Union, that story is also a preview of your regulatory reality. The NIS2 directive is now live in 22 of 27 EU member states, and manufacturing is explicitly in scope. The real challenge is not reading the directive. It is bridging decades of OT technical debt with a security framework designed for IT. If your OT network is invisible to your IT team, you are already non-compliant.
Frequently Asked Questions:
What is the NIS2 directive?
The NIS2 directive (EU Directive 2022/2555) is the EU’s updated cybersecurity law, which replaced NIS1 in October 2024. It covers 18 sectors, including manufacturing, and applies to any organisation with 50 or more employees or €10 million or more in annual turnover operating in a covered sector. It introduces two tiers of covered entities, Essential and Important, each with different supervision regimes and penalties.
Does NIS2 apply to manufacturing companies?
Yes. NIS2 explicitly covers manufacturers of chemicals, food products, medical devices, electronic equipment, machinery, and transport equipment. Applicability is based on company size, not designation by authorities. Most manufacturing companies fall into the Important Entity category, subject to fines of up to €7 million or 1.4% of global annual turnover.
How do you segment OT and IT networks to meet NIS2 requirements?
NIS2 expects logical separation between OT and IT networks with monitored boundaries. In practice this means a DMZ between the two environments, firewalls or data diodes at zone boundaries, documented data flows, and continuous monitoring of crossing traffic. IEC 62443 provides the zones and conduits model that maps directly onto these requirements and is the standard most supervisory authorities accept as evidence of compliance.
What are the fines for NIS2 non-compliance?
Essential Entities face fines of up to €10 million or 2% of global annual turnover, whichever is higher. Important Entities face fines of up to €7 million or 1.4%. Beyond financial penalties, Article 20 makes senior management personally liable for cybersecurity oversight failures, including the possibility of temporary suspension from management roles. Enforcement is active across the majority of EU member states as of mid-2026.
Who Must Comply: Manufacturing Is Now Explicitly in Scope
The NIS2 directive (EU Directive 2022/2555) replaced NIS1 in October 2024, raising the baseline for cyber resilience across the European Union. As of April 2026, 22 member states have transposed it into national law, with the remaining five finalising secondary legislation. Germany’s NIS2 implementation law took effect in December 2025. Poland’s amended KSC Act entered into force on 3 April 2026. Belgium set the first conformity assessment deadline at 18 April 2026. Enforcement is no longer theoretical.
Manufacturing was a notable NIS1 absence. The NIS2 directive fixed that. It now covers chemicals, food products, medical devices, computer, electronic and optical products, electrical equipment, machinery, and transport equipment, alongside energy, water, transport, banking, health, and digital infrastructure. If your plant produces any of these and you meet the size threshold, you are covered.
The threshold is based on company size, not designation by authorities (unlike NIS1). You are in scope if you are medium-sized (50+ employees OR €10M+ turnover) or larger, operating in a covered sector. This size-based rule is why the scope jumped from roughly 15,000 entities under NIS1 to an estimated 160,000 essential and important entities under NIS2.
Essential Entity or Important Entity: Which Category Is Your Plant?
The NIS2 directive splits covered organisations into two tiers. Essential Entities (EE) face stricter supervision, proactive audits, and fines up to €10 million or 2% of global annual turnover, whichever is higher. Important Entities (IE) face reactive supervision and fines up to €7 million or 1.4% of global turnover.
Most manufacturing companies land in the Important Entity category. Essential Entity status is reserved for specific large producers in critical sub-sectors or companies providing essential services to the broader economy. But watch national transpositions. Germany’s law (NIS2UmsuCG) is broader than the base directive, Austria’s NISG 2026 introduces its own national variations, and Poland’s KSC Act has sector-specific additions. If you operate across multiple EU countries, your classification may differ from plant to plant.
What the NIS2 Directive Actually Requires from Your OT Environment
Article 21 of the NIS2 directive lists ten cybersecurity measures that essential and important entities must implement. The directive does not prescribe specific tools. It demands appropriate security measures proportionate to the risk, and tells EU member states to translate that into national supervision and enforcement measures.
For manufacturing, four of those cybersecurity measures are where the operational pain lives: incident reporting, network segmentation, supply chain security, and vulnerability management. The rest, including cryptography, access control, training, business continuity and crisis management, are mandatory but more familiar to IT teams.

A practical note. The NIS2 directive tells you what to achieve. It does not tell you how. This is why IEC 62443 keeps appearing as the de facto implementation framework for OT. It gives you the zones and conduits model, maturity levels, and concrete technical controls that map onto the directive’s risk-based language. Treat the NIS2 directive and IEC 62443 as complementary, not competing.
Incident Reporting: 24 Hours Is Not Much Time in a Plant
The NIS2 directive mandates a three-stage reporting cadence for significant security incidents:
- Early warning within 24 hours of becoming aware of a significant incident
- Incident report within 72 hours with initial assessment of impact
- Final report within one month

A „significant incident” is one that causes substantial operational disruption, financial loss, or affects third parties. A halted production line qualifies.
Here is where manufacturing stumbles. Most plants have OT incident procedures oriented around safety and downtime, not cyber threats. A SCADA anomaly at 02:00 rarely triggers a call to a national CSIRT. The operations team isolates the issue, restores production, and moves on. Under the NIS2 directive, that same anomaly, if caused by unauthorised access or malicious code, starts a 24-hour clock you may already have missed.
You need a classification workflow that connects OT events (abnormal PLC behaviour, unexpected HMI activity, unknown device on the control network) to regulatory reporting, before an incident happens. Retrofitting this under pressure is how plants miss deadlines.
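An added example, not from the original article, of the classification workflow described above: it maps constructed OT event records to the directive's three reporting deadlines. The event types, asset names and the reading of "one month" as 30 days are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed OT event records (timestamp, asset, event type); sample data only.
SAMPLE_EVENTS = [
    ("2026-03-02T02:14:00+00:00", "plc-line3", "unexpected_logic_download"),
    ("2026-03-02T02:20:00+00:00", "ctrl-net", "unknown_device_on_control_net"),
    ("2026-03-02T02:40:00+00:00", "line3", "production_halt"),
    ("2026-03-02T06:00:00+00:00", "pump-7", "sensor_drift"),
]
OPERATIONAL_ONLY = [("2026-03-02T06:00:00+00:00", "pump-7", "sensor_drift")]

# Event types that indicate unauthorised access or malicious code: the trigger
# that turns an OT anomaly into a reportable cyber incident (assumed taxonomy).
CYBER_INDICATORS = {"unexpected_logic_download", "unknown_device_on_control_net",
                    "unauthorised_login", "malware_detected"}
# Event types that make the disruption "substantial" in the directive's sense.
IMPACT_INDICATORS = {"production_halt", "safety_system_trip", "third_party_impact"}


@dataclass
class ReportingClock:
    aware_at: datetime
    early_warning_due: datetime    # 24 hours after awareness
    incident_report_due: datetime  # 72 hours after awareness
    final_report_due: datetime     # one month, modelled here as 30 days (assumption)

    def overdue(self, now_iso: str):
        """Names of the reporting stages whose deadline has passed at `now_iso`."""
        now = datetime.fromisoformat(now_iso)
        stages = (("early_warning", self.early_warning_due),
                  ("incident_report", self.incident_report_due),
                  ("final_report", self.final_report_due))
        return [name for name, due in stages if now > due]


def assess(events):
    """Return a ReportingClock if the events form a significant cyber incident, else None."""
    cyber = [datetime.fromisoformat(ts) for ts, _, kind in events if kind in CYBER_INDICATORS]
    impact = [kind for _, _, kind in events if kind in IMPACT_INDICATORS]
    if not cyber or not impact:
        # Either an operational fault with no cyber indicator, or a cyber
        # indicator without substantial impact: track it, but no clock starts.
        return None
    # Conservative reading: the plant became aware at the first cyber indicator,
    # not when someone decided to escalate it.
    aware_at = min(cyber)
    return ReportingClock(aware_at,
                          aware_at + timedelta(hours=24),
                          aware_at + timedelta(hours=72),
                          aware_at + timedelta(days=30))
```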
Network Segmentation and IT-OT Zones
Segmentation is where the NIS2 directive’s theoretical requirements collide with twenty years of accumulated plant architecture. The directive expects logical separation between OT and IT networks, with monitored boundaries.
In practice, most plants have informal IT-OT connectivity nobody documented. A remote maintenance laptop that plugs into the PLC rack. An ERP integration that pulls production data over a flat network. A supervisory PC that also has corporate email installed. The Purdue Model zones you drew on a whiteboard five years ago rarely match what is actually running on your shop floor today.
The JLR case made this vivid. Attackers entered through an IT-side supplier, moved laterally, and reached systems that, on paper, should have been isolated from production. Once lateral movement reached the OT boundary, a purely IT incident became a five-week manufacturing halt.
Proper segmentation under the NIS2 directive means an enforceable DMZ between OT and IT, firewalls or data diodes at zone boundaries, documented data flows, and continuous monitoring of crossing traffic. In most plants, this starts with a painful asset discovery exercise.
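An added example, not from the original article, of turning the asset discovery and documented-data-flow requirement into a repeatable check: it assigns each observed flow to an IEC 62443 zone and flags IT-OT traffic that bypasses the DMZ, conduits nobody documented, and endpoints missing from the inventory. The zone ranges, conduit list and log lines are constructed, not a real plant.

```python
import ipaddress
import re

# Constructed zone map (IEC 62443 zones) for a sample plant; an assumption.
ZONES = {
    ipaddress.ip_network("10.0.0.0/16"): "IT",
    ipaddress.ip_network("10.10.0.0/24"): "DMZ",
    ipaddress.ip_network("10.20.0.0/16"): "OT",
}
# Documented conduits: (source zone, destination zone, destination port).
CONDUITS = {("IT", "DMZ", 443), ("DMZ", "OT", 502), ("OT", "DMZ", 1883)}

# Constructed firewall/flow log lines used as sample input.
SAMPLE_LOG = """\
src=10.0.3.5 dst=10.10.0.20 dport=443
src=10.10.0.20 dst=10.20.5.10 dport=502
src=10.0.3.5 dst=10.20.5.10 dport=502
src=10.0.7.9 dst=10.20.5.12 dport=3389
src=10.10.0.20 dst=10.20.5.10 dport=22
src=10.20.5.3 dst=10.10.0.21 dport=1883
src=10.20.5.3 dst=10.20.5.4 dport=502
src=192.168.1.1 dst=10.20.5.10 dport=502
"""
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def zone_of(ip: str) -> str:
    """Map an address to its zone, or UNKNOWN if it is not in the inventory."""
    addr = ipaddress.ip_address(ip)
    for net, name in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"


def audit(log_text: str):
    """Return (log line, reason) pairs for every boundary crossing that violates the model."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, port = m.group(1), m.group(2), int(m.group(3))
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz:
            continue  # intra-zone traffic does not cross a boundary
        if "UNKNOWN" in (sz, dz):
            findings.append((line, "endpoint not in asset inventory"))
        elif {sz, dz} == {"IT", "OT"}:
            findings.append((line, "IT-OT flow bypasses the DMZ"))
        elif (sz, dz, port) not in CONDUITS:
            findings.append((line, f"undocumented conduit {sz}->{dz}:{port}"))
    return findings
```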
TT PSC has been connecting OT and IT environments in manufacturing plants across Europe for over a decade. Our OT Security Assessments are run by engineers who have commissioned PLCs and configured SCADA systems on the shop floor, not just reviewed architecture diagrams. That distinction matters when the gap assessment has to fit around a production schedule and the findings have to hold up under supervisory scrutiny.
The Real Challenge: OT Was Never Built for Compliance
This is where manufacturing differs from every other sector covered by the NIS2 directive.
The average industrial control system has a lifecycle of 15 to 25 years. PLCs commissioned in 2008 are still running production lines in 2026. Many run unsupported operating systems (Windows CE, Windows 7, even XP for HMI panels). The industrial protocols they speak (Modbus, DNP3, legacy OPC) have no built-in authentication. They were engineered for reliability and determinism, not against modern cyber threats.
You cannot patch most of these systems. Patching a PLC often requires a production stop, and may void the vendor warranty. The ransomware surge in manufacturing (a 56% increase year-on-year in 2025, per Check Point) is not happening because factories are careless. It is happening because the installed base was never built to defend itself, and the cost of disruption makes manufacturers attractive ransom targets.
This is the compliance puzzle. The NIS2 directive expects you to manage risk on systems you cannot patch, monitor networks that were never instrumented, and report on incidents in environments where „normal” is poorly defined. You cannot retrofit security onto a broken architectural foundation. You need to rethink the OT network itself.
Legacy Systems and the Patching Paradox
The standard IT security response to a known vulnerability is straightforward: apply the patch, close the gap, move on. NIS2 expects you to manage risk. Vulnerability management is one of the ten Article 21 measures. The logic seems simple enough.
In OT, it breaks immediately.
A PLC commissioned in 2008 may carry an unpatched vulnerability that has been public knowledge for six years. The vendor knows. Your IT team knows. The reason it has not been patched is not negligence. It is that patching that PLC requires a planned production stop, a vendor engineer on-site, a full regression test of the control logic, and in some cases re-certification of the safety system under IEC 61511. The cost and disruption can easily run to six figures for a single asset. Multiply that across a plant floor with 40 controllers and the economics stop the conversation before it starts.
The situation is worse for HMI panels running Windows XP or Windows CE, where no patch exists at all. Microsoft stopped issuing security updates for Windows XP in 2014. The HMI vendor may have certified their software against that specific OS version and will not support an upgrade. The plant is left with a known, unresolvable vulnerability on a networked system – and a NIS2 obligation to manage risk on it.
This is the paradox: the directive requires you to address risk on assets that the industry’s primary risk-management tool – patching – cannot touch.
IEC 62443 resolves this explicitly, and the NIS2 directive’s risk-based language accepts the resolution: compensating controls. When you cannot eliminate a vulnerability at the asset level, you contain it at the network level. Isolate the unpatched PLC behind an industrial firewall. Apply virtual patching – a rule at the network boundary that blocks traffic patterns known to exploit the vulnerability, without touching the controller itself. Enforce application whitelisting so only known-good processes can execute on the HMI. Use passive anomaly detection that monitors OT traffic without sending packets that could disrupt deterministic control loops.
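An added example, not from the original article, of the passive, network-level containment described above for a PLC that cannot be patched: it parses Modbus/TCP frames seen on the conduit to one isolated controller and flags state-changing function codes from any host other than the engineering workstation, reads from hosts outside the documented conduit, and malformed frames. Addresses, policy and sample frames are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Modbus/TCP function codes that change controller state (coils and registers).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Constructed policy for one isolated legacy PLC (assumed addresses): only the
# engineering workstation in the PLC's own zone may write, the DMZ historian
# may read, and nothing else belongs on this conduit.
PLC_IP = "10.20.5.10"
WRITE_ALLOWED = {"10.20.5.2"}
READ_ALLOWED = {"10.10.0.20"}


@dataclass
class Finding:
    src: str
    function_code: Optional[int]
    reason: str


def parse_mbap(payload: bytes):
    """Parse the 7-byte MBAP header; return (unit_id, function_code) or None if malformed."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id is always 0 for Modbus; length counts unit id + PDU bytes.
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7]


def inspect(src: str, dst: str, payload: bytes) -> Optional[Finding]:
    """Passive check of one TCP/502 segment towards the PLC; no packets are sent."""
    if dst != PLC_IP:
        return None
    parsed = parse_mbap(payload)
    if parsed is None:
        return Finding(src, None, "malformed or non-Modbus payload on the Modbus port")
    _unit, fc = parsed
    if fc in WRITE_FUNCTIONS:
        if src not in WRITE_ALLOWED:
            return Finding(src, fc, f"{WRITE_FUNCTIONS[fc]} from a host not authorised to write")
    elif src not in WRITE_ALLOWED | READ_ALLOWED:
        return Finding(src, fc, "read from a host outside the documented conduit")
    return None


# Constructed sample segments (src, dst, payload): historian read, write from an
# IT host, write from the engineering workstation, and a truncated frame.
SAMPLE_SEGMENTS = [
    ("10.10.0.20", PLC_IP, b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    ("10.0.3.5", PLC_IP, b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x10\x00\x01"),
    ("10.20.5.2", PLC_IP, b"\x00\x03\x00\x00\x00\x06\x01\x06\x00\x10\x00\x01"),
    ("10.0.3.5", PLC_IP, b"\x00\x04\x00\x00\x00\x20\x01\x10"),
]


def run(segments=SAMPLE_SEGMENTS):
    """Apply the policy to every segment and return the findings in order."""
    return [f for f in (inspect(*s) for s in segments) if f is not None]
```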

Done properly, compensating controls do not just neutralise individual vulnerabilities. They produce something more important: an architectural layer between your fragile legacy assets and everything else on the network. That layer is also the foundation of real OT visibility – which is where the compliance story and the operational modernisation story start to converge.
The Architecture Argument: Compliance as a By-Product, Not a Project
There is a way through the OT compliance puzzle that does not require a separate compliance programme running indefinitely on the side of your operations.
The same project that modernises your plant connectivity – establishing proper asset visibility, creating a plant-wide data layer, segmenting OT zones – produces exactly the evidence base the NIS2 directive requires: a complete asset inventory, documented data flows, access logs, and a defensible risk management story you can present to your supervisory authority.
This is not a rationalisation. It is how real OT security is built. Layering controls onto a fragile architectural foundation produces a compliance checklist, not cyber resilience. Fixing the foundation – clean network segmentation, a unified data layer that makes OT visible to IT without collapsing the boundary between them, proper access management for vendor remote sessions – produces both.
The practical implication for project sequencing: your NIS2 gap assessment should inform your modernisation roadmap, and your modernisation roadmap should be sequenced so that compliance milestones land as outputs of work you were already going to do. That alignment is where the real budget argument lives when you take this to the board.
Management Liability: This Is a Board-Level Issue
If only one point from this article reaches your leadership, make it this one.
Article 20 of the NIS2 directive makes senior management personally responsible for approving cybersecurity measures and overseeing their implementation, including crisis management arrangements. Executives who neglect this can be suspended from management roles. Training for management bodies is explicitly required. The Dutch transposition (Cyberbeveiligingswet, in force Q2 2026) spells out that delegating entirely to IT without active oversight creates direct personal exposure.
The rough analogue is the General Data Protection Regulation, which did to data protection what the NIS2 directive is doing to OT cybersecurity. Five years ago, a CIO could tell the board „we have it handled.” That answer no longer works under a directive that names individuals. Much like the General Data Protection Regulation, NIS2 puts accountability on specific people, not just processes.
Splunk’s 2026 CISO report found that 78% of security leaders are concerned about personal liability. They are right to be. And in manufacturing, where the CISO often has limited visibility into the plant floor, the liability is shared with COOs, plant managers, and operations directors who actually control OT decisions.
Practical implication: OT cybersecurity is no longer an IT line item. It is a board risk that needs a budget, an owner, and a reporting cadence.
Common Misconceptions About the NIS2 Directive in Manufacturing
„We’re not critical infrastructure, so NIS2 doesn’t apply.” Manufacturing is explicitly in scope as of October 2024. Size-based thresholds, not critical-infrastructure designation, determine applicability. Many manufacturers now fall into the same compliance bracket as operators in traditional critical infrastructure sectors such as energy and water.
„Our OT is air-gapped, we’re safe.” Air-gapped in 2010, maybe. In 2026, almost every plant has some form of IT-OT connectivity: remote maintenance, MES integration, cloud analytics, predictive maintenance platforms. The first step of any NIS2 project usually reveals that the air gap is marketing, not architecture.
„ISO 27001 covers us.” It helps but does not equal NIS2 compliance. ISO 27001 is an IT-centric information security standard. The NIS2 directive specifically demands OT coverage, concrete responses to industrial cyber threats, and stricter incident reporting timelines.
„We’ll deal with it when enforcement hits.” Enforcement measures are already active in Germany, France, and the Netherlands. Belgium’s first conformity deadline was 18 April 2026. Polish KSC Act registration began 13 April 2026. The „wait and see” window is closed.
Urgency: The Enforcement Curve Is Steepening
The window between „NIS2 exists” and „NIS2 is enforced against manufacturers” is closing fast across Europe. EU member states that transposed in 2024 are now conducting systematic supervisory assessments and applying the first enforcement measures. Those transposing in 2025 and 2026 have compressed enforcement ramps because the Commission is applying pressure through infringement proceedings.
Meanwhile, the threat environment is not waiting. Manufacturing has been the most-targeted sector for cyber threats for four consecutive years. Dragos tracked 119 ransomware groups targeting industrial organisations in 2025 – a 49% increase year on year – collectively impacting more than 3,300 organisations. Manufacturing accounted for more than two-thirds of all victims. Of the ransomware incidents Dragos responded to, 75% led to a partial OT shutdown and 25% to a full production halt.
The manufacturers who move first have time to run proper gap assessments, sequence remediation into planned shutdowns, and align compliance work with already-budgeted modernisation. The ones who wait will be doing all of this under regulatory scrutiny, after their first significant incident, or both.
Where to Start: The Gap Assessment Before Anything Else
Before any remediation work, you need a clear picture of where you actually stand. A structured OT Security Assessment maps your current environment against Article 21 requirements, identifies the three highest-priority gaps, and produces a sequenced remediation roadmap aligned with your production schedule.
The assessment output is also the document you hand to your board and to your supervisory authority: a compliance gap map grounded in the actual state of your plant, not a theoretical framework.
One point worth flagging. An assessment run by a pure cybersecurity auditor finds security gaps. An assessment run by an IT-OT integration partner with hands-on plant experience also finds the architectural opportunities – where the same project can fix technical debt, improve operational visibility, and deliver compliance as a by-product. In manufacturing, where every intervention has to fit around production, that distinction matters.
