NIS2

NIS2 is EU Directive 2022/2555, aimed at raising the level of cybersecurity across the European Union. It significantly expands the scope of affected organizations compared to its predecessor and establishes binding obligations for cyber risk management, incident reporting, and supply chain security.

In Germany, the NIS2 implementation law came into force on December 6, 2025, with central provisions in the amended BSI Act – without a general transition period.


Why NIS2 Directly Affects Manufacturing Companies

NIS2 shifts cybersecurity from an internal IT matter to a management responsibility with auditable requirements. At the same time, pressure on supply chain security is increasing: companies must be able to demonstrate that relevant IT and OT suppliers also meet adequate security standards.

This makes security evidence for networked production systems – MES, SCADA, OT gateways, remote services, data pipelines – a hard procurement criterion. Anyone evaluating a cloud MES or OT integration platform today should treat NIS2 requirements as a mandatory part of the RFP.


What NIS2 Concretely Requires

NIS2 does not require a single security product but a set of risk management measures: incident handling, business continuity (backups, disaster recovery), supply chain security, secure development and operations, access control, and appropriate cryptography.

The incident reporting logic is particularly relevant operationally: a 24-hour early warning, a 72-hour detailed report, and a final report within one month. This forces organizations to actually operate logging, detection, responsibilities, and escalation paths – not just document them.


Why OT and MES Are Particularly in Focus

In production environments, three factors combine to elevate risk: availability is directly business-critical because downtime immediately generates costs. OT systems have long lifecycles, difficult patch windows, and third-party maintenance as the norm. And increasing IT connectivity – cloud MES, BI, ERP integration, IIoT, remote access – significantly expands the attack surface.

The risk is therefore not just data loss but operational disruption and manipulation of process data. NIS2 makes this resilience a purchasing criterion.


Key Questions in MES and OT Procurement

Anyone evaluating a networked production system should ask vendors about: the OT connectivity architecture (edge gateway, DMZ, segmentation); how logging and audit events are provided and whether they can be exported to a SIEM; how remote access is managed (time-limited, approval-required, session recording); what certifications are available (ISO 27001, SOC reports, pen test summaries); and which security costs are included in the contract versus added later.

A pragmatic evaluation criterion: can the system answer within 72 hours what happened, which systems were affected, and what measures were taken? If not, that is a real risk – regardless of how impressive the demo looks.

Cloud-native MES platforms built from the ground up with API-first architecture, role-based access control, encrypted data transmission, and complete audit trails have structural advantages here over retroactively hardened on-premise software.


FAQ

Does NIS2 apply to mid-sized manufacturing companies? Yes. NIS2 significantly expands the scope. Companies in certain sectors – including manufacturing – may fall under the directive above defined thresholds for headcount and revenue. Exact classification depends on sector and company size; a review by IT legal or compliance counsel is recommended.

What are the penalties for NIS2 violations? NIS2 provides for significant fines – for essential entities up to €10 million or 2% of global annual revenue, whichever is higher. In addition, management can be held personally liable.

What is the difference between NIS and NIS2? NIS (2016) was the first EU directive on network and information security with a limited scope. NIS2 (2022) substantially expands scope, requirements, and sanctions, with stronger emphasis on management responsibility and supply chain security.

Does an MES vendor itself need to be NIS2-compliant? Not automatically – but it must be able to support its customers' compliance requirements. Supply chain security is an explicit component of NIS2: companies are also responsible for ensuring that relevant service providers meet adequate security standards.
