19/09/2025

NIS 2: What does the new directive mean for OT operators and manufacturers?


It’s no secret that the cyber threat landscape in Europe has evolved dramatically. Over the last decade, we’ve seen ransomware take down production lines, state-sponsored groups target national grids, and more than one late-night scramble to patch systems that weren’t meant to be connected to the internet in the first place. Some examples are:

  • Volt Typhoon Campaign (publicly reported since 2023, pre-positioning since at least 2021) (source: waterfall-security.com, top 10 OT attacks 2024)
    U.S. and allied agencies (CISA, NSA, FBI and their Five Eyes partners) have repeatedly warned that Volt Typhoon, a PRC state-sponsored group, has pre-positioned itself in critical infrastructure networks, including energy and water utilities, using "living-off-the-land" techniques that rely on built-in administrative tools and therefore blend in with legitimate activity. The campaign is documented in several CISA advisories.
  • Colonial Pipeline Ransomware Attack (May 2021) (source: time.com)
    A DarkSide ransomware attack hit Colonial Pipeline's IT systems. The company shut down pipeline operations as a precaution because it could no longer trust its billing and safety-relevant systems, causing fuel shortages and price spikes on the U.S. East Coast and prompting a federal emergency declaration. The lesson for OT operators: an IT-only compromise can still stop production when IT and OT dependencies are not understood.
  • Oldsmar, Florida Water Treatment Facility Hack (Feb 2021) (source: wired.com)
    For a few minutes, someone using the plant's remote-access software raised the sodium hydroxide (lye) setpoint from 100 ppm to 11,100 ppm. An operator who noticed the cursor moving on his screen reverted the change before it took effect. Later reporting cast doubt on whether an outside attacker was involved at all, but the case remains the textbook illustration of unprotected remote access to a control system.
  • Ukraine Power Grid Cyber-Attacks (Dec 2015 & Dec 2016) (source: wikipedia.org)
    In two coordinated attacks, the Russian-linked group known as Sandworm compromised Ukrainian power utilities: in 2015 with BlackEnergy and KillDisk, opening breakers through hijacked operator sessions and wiping systems afterwards, and in 2016 with Industroyer, the first malware written to speak grid protocols such as IEC 104 and IEC 61850 directly. The outages lasted from about an hour (2016) to several hours (2015).

In this context, the EU’s NIS 2 Directive isn’t just a policy update – it’s a wake-up call.

A Quick Refresher: What Is NIS 2?

NIS 2 (Directive (EU) 2022/2555, the second Network and Information Security Directive) entered into force on 16 January 2023, and Member States had until 17 October 2024 to transpose it into national law. Its goal is straightforward: raise the cybersecurity baseline across essential services in the EU.

If you worked with NIS 1 (Directive (EU) 2016/1148), you'll remember that it covered operators of essential services (OES) and digital service providers. But it had limitations: OT was never mentioned directly, the lists of in-scope sectors varied by country, and supervisory enforcement was often toothless.

NIS 2 aims to close those gaps. We cover the practical implementation details in our NIS 2 training.

Related Regulations at a Glance

As you prepare for NIS 2, it helps to understand how it fits into the broader cybersecurity landscape:

  • IEC 62443: The widely used standard series for securing industrial automation and control systems. It overlaps with many of NIS 2's technical expectations, particularly in OT environments, and is the natural reference for implementing them on the plant floor (zones and conduits, security levels, component requirements).
  • ISO/IEC 27001: The recognised standard for information security management systems (ISMS). NIS 2 expects a governance and risk-management framework, which ISO 27001 can provide. Note, however, that it addresses the management system, not product- or component-level OT security; for that you still need IEC 62443.
  • Cyber Resilience Act (CRA): A separate EU regulation (Regulation (EU) 2024/2847) focused on the security of products with digital elements, i.e. hardware and software. CRA and NIS 2 share goals, but CRA mainly obliges manufacturers. Integrators and operators still have to plan for it: from 11 December 2027 only products that meet the CRA requirements may be placed on the EU market, so procurement and lifecycle planning for OT components should take it into account now.

Each regulation/standard plays a role, but NIS 2 is the umbrella directive for critical infrastructure cybersecurity.

Implementation in Germany

Germany missed the October 2024 deadline. Its implementation law, the NIS2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG), was delayed by the federal elections and has to be passed again by the new Bundestag. Current projections expect final approval in the second half of 2025, with the national law entering into force shortly afterwards (openkritis.de).

Until the German law is passed, the directive's obligations do not apply directly to companies in Germany. Organisations should nevertheless treat this as an opportunity to prepare proactively for the coming months, when NIS 2 becomes legally binding in Germany.

What’s Actually New?

Here’s what stands out:

  • Wider scope: NIS 2 explicitly names 18 sectors across its two annexes, including energy, water, transport, manufacturing and digital infrastructure.
  • Better alignment: Member States must apply uniform scoping criteria (the size-cap rule: medium and large enterprises in a listed sector are in), so it is no longer up to each country to interpret things wildly differently.
  • Stronger consequences: Authorities can conduct audits, issue fines and hold management bodies personally accountable.
  • Clearer requirements: Article 21 lists ten minimum technical and organisational measures that organisations must implement, which go well beyond checkbox compliance.

What Comes Next – The Three Core Measures

NIS 2 introduces a wide range of obligations, but some are more foundational than others – especially for OT-heavy sectors. In the coming articles, we’ll explore the core measures that every essential or important entity should focus on. Here are the top 3 foundational measures:

  1. Risk Management and Technical Measures
    Organisations must implement a comprehensive set of risk-based controls tailored to both IT and OT environments. Article 21 of the directive lists the minimum measures: risk analysis and security policies, incident handling, business continuity and backups, supply chain security, secure acquisition and development including vulnerability handling and disclosure, policies to assess the effectiveness of the measures, cyber hygiene and training, cryptography and encryption, access control and asset management, and multi-factor authentication and secured communications.
  2. Incident Detection and Reporting
    NIS 2 sets strict reporting timelines for significant incidents: an early warning within 24 hours of becoming aware, a full incident notification within 72 hours, and a final report within one month. More importantly, meeting those deadlines presupposes that the organisation can actually detect incidents in the first place, including in the OT network, where many companies have no monitoring at all.
  3. Governance and Accountability
    Cybersecurity is now a board-level responsibility. Senior management must ensure governance structures are in place and can be held liable for serious failures. This includes regular training, oversight, and policy review.

We’ll break each of these down in the next few articles – what they mean in practical terms, how OT is affected, and where organizations often underestimate the effort required.

OT Is No Longer in the Shadows

If you're working in Operational Technology (OT), whether that's a water treatment facility, a railway control centre or a chemical plant, this is where things are starting to happen.

OT used to be air-gapped. Isolated. Safe. But those days are gone.

Between digital transformation, remote access, and supply chain interconnection, OT systems are now directly exposed to cyber threats. In some cases, we’ve seen 30-year-old PLCs (Programmable Logic Controllers) suddenly connected to cloud platforms via hastily set up interfaces. That’s not resilience – that’s risk.

NIS 2 finally recognises this reality. It does not use the word "OT", but its definition of network and information systems covers any device or group of devices that process digital data, which includes PLCs, HMIs and SCADA servers. For the first time, that brings OT systems fully into scope. That means:

  • Your ICS/SCADA systems must be considered part of your overall cybersecurity posture.
  • An organisational IT/OT boundary is no legal shield: the obligations cover all network and information systems used to deliver your services.
  • Incidents in the OT environment can trigger reporting obligations and penalties.

Essential vs. Important – Are You in Scope?

NIS 2 introduces two legal categories:

  • Essential Entities – Large enterprises in the Annex I "high criticality" sectors, such as energy, drinking water and waste water, transport (including rail and air traffic), healthcare, banking and financial market infrastructure, and digital infrastructure.
  • Important Entities – Medium-sized enterprises in Annex I sectors, plus medium and large enterprises in the Annex II sectors, such as food production, postal and courier services, chemicals, manufacturing, waste management and digital providers.

If you’re unsure which you are, here’s a rule of thumb: If your OT systems could cause disruption to society or the economy, you’re probably in.

And the difference isn’t just semantic. Essential entities face proactive supervision, meaning authorities can audit you at any time. Important entities are supervised reactively, but that doesn’t mean the rules are lighter. Both categories share the same core cybersecurity obligations.

While NIS 2 generally applies to medium and large entities, smaller organisations (SMEs) may also fall under the directive, particularly if they are the sole provider of a service in a Member State or play a critical role in a supply chain.

Germany's national implementation is expected to align with the BSI's criticality criteria, which consider not just company size but societal and economic impact.

Enforcement Just Got Serious

These aren’t just words – the consequences are clear.

Under NIS 2, regulators have the power to:

  • Demand evidence of your risk assessments and controls.
  • Conduct onsite inspections (including in the OT environment).
  • Impose fines of up to €10 million or 2% of global annual turnover on essential entities (up to €7 million or 1.4% on important entities), whichever is higher.
  • Temporarily bar directors of essential entities from exercising management functions in cases of persistent non-compliance.

This marks a cultural shift: cybersecurity is no longer just the CISO’s job. Boards and executive leadership are expected to understand and manage cyber risk as a matter of governance.

Final Thoughts: From Compliance to Culture

For many organizations operating in OT-heavy sectors, NIS 2 brings necessary (but demanding) changes. It formalizes what many in the field already know: cybersecurity is now an operational concern, not just an IT one.

Whether you’re in the early stages of identifying which systems fall under scope, or you’re already aligning policies with the directive, this is a valuable opportunity to strengthen internal processes and close long-standing gaps.

Translating the directive’s requirements into concrete, OT-aware practices isn’t always straightforward. In many cases, it helps to draw on outside expertise – not for compliance alone, but to ensure the measures put in place are actually effective and proportionate.

If your team could use a clear starting point, or a sense-check on your current approach, it’s a good time to start the conversation or book one of our NIS 2 training programs.

Your contact person
Ari Benjamin Gråwe
Junior Security Expert
© 2025 INCYDE