The NIS 2 Directive is coming. How industrial companies can get ready.

Cybersecurity in Europe is being strengthened. In December 2022, the European Union adopted the NIS 2 Directive, which builds on the first Network and Information Security (NIS) Directive from 2016.

The new regulations expand the sectors affected by the directive, and significantly increase the cybersecurity standards that affected companies must meet.

The requirements are particularly demanding in the manufacturing industry. Highly complex production systems with many components often run for decades on outdated software when the manufacturer no longer provides updates. Hackers are aware of these weaknesses and frequently target the manufacturing industry in their attacks.

In this environment, swift and decisive action is required. In our two-part series, we provide the information you need to optimally prepare your manufacturing company for the NIS 2 Directive.

Let’s start with the when and the who: will your company be affected by the NIS 2 Directive, and which deadlines must you meet? We will also cover the initial steps you can take to prepare for the directive.

NIS 2 Directive – When does it start?

Originally, the EU directive should have been transposed into the national laws of the member states by October 18, 2024. However, many countries have not completed this step, including Germany, France, and Poland.

In Germany, the Federal Ministry of the Interior and Community, which is responsible for the NIS 2 Directive, expects the NIS 2 Implementation and Cyber Security Strengthening Act (NIS2UmsuCG) to go into force by March 2025. Hearings are currently taking place in the national parliament (Bundestag), after which the law still has to go through the federal state chamber (Bundesrat). However, the general election in February could postpone the introduction further.

This delay gives you valuable time to implement the measures. The delay may prove to be particularly important, as the NIS2UmsuCG does not currently provide for a transition period.

This means that the cybersecurity measures must be in place from the day the law comes into force; otherwise there is a risk of severe penalties.

A good starting point is the establishment of an information security management system (ISMS), which is critical for ISO 27001 certification. Depending on the situation in your company, this process can take anywhere from a couple of months to over a year. If you have not already done so, it is advisable to address this issue as soon as possible. If you reach the required security level before the directive becomes legally binding, you will be optimally prepared and won’t be liable for high penalties.

Who is affected?

The new regulations will affect significantly more companies than the original NIS Directive. A basic distinction is made between two groups of entities: Essential Entities and Important Entities.

Companies that fall into the Essential Entities group are subject to greater regulatory oversight and stricter sanctions than Important Entities.

Essential Entities

The Essential Entities group includes sectors that are particularly important for infrastructure, health, and public safety in the EU member states. In Germany, many of these sectors are known as critical infrastructure (KRITIS) and have been regulated for some time. However, it is important to note that the NIS 2 sectors are not identical to the KRITIS sectors.

Except for a few special cases in the area of public administration and digital infrastructure, which are designated Essential Entities regardless of their size, a company must have at least 250 employees or generate over €50 million in annual revenue in order to be assigned to this group.

Important Entities

While the Essential Entities group is only relevant for large companies, a company with at least 50 employees or €10 million in annual turnover is considered an Important Entity if it is active in one of the listed sectors.

The size classification of NIS 2 follows the general definition of small and medium-sized enterprises (SMEs) as opposed to large companies, although only medium-sized and large companies are affected by the new regulation.

The manufacturing industry, including manufacturers of medical products and mechanical engineering companies, is included in the group of Important Entities.

In Germany, smaller organizations, in particular, have been inadequately informed about the NIS 2 Directive. It is not always clear if a company belongs to one of the affected sectors. Until the law comes into force, and has been applied through precedents, there is still some legal uncertainty. Our NIS-2 Quick Check can help. Find out if your company is affected by NIS 2.

Next steps

Once a company has determined that it is affected by NIS 2, it is often faced with the question of how to implement the required measures as cost-effectively as possible. Here are the first steps that organizations can take to quickly raise cyber resilience to the required level.

1. Identify gaps in the security landscape
First, it is important to get an overview of the situation by implementing company-wide asset scans. This involves recording all physical, digital, and intangible assets to obtain a comprehensive overview.

The main focus should be on the shop floor, with an inventory of all machines and a component check to ensure they are up to date. This step should include all networked machines, their connections, and the software used.

At this point, the areas where action is required have been identified.

2. Prioritize risks
The risks are then assessed and prioritized. Here, too, the focus is likely to be on the production lines. Production downtimes due to cyberattacks can cause such serious damage that the company’s survival can be put at risk.

In addition, as outdated hardware and compatibility issues in production facilities often result in a lengthy update process, this should be tackled as early as possible. If an update is not possible, an OT security solution such as edge.SHIELDOR can secure the machine without having to disconnect it from the company network.

3. Develop mitigation plans
Plans to mitigate the most important risks are an essential part of any security strategy. This includes suitable measures for the rapid detection of cyber incidents and incident response processes. In accordance with the NIS 2 guidelines, serious security incidents in Germany must be reported to the Federal Office for Information Security (BSI) within 24 hours.

4. Check supply chain
NIS 2 extends the security requirements to the entire supply chain. This means that an affected company is not only responsible for its own cybersecurity, but also for the security of its suppliers. Contractors must independently check whether the requirements are continuously met.

To ensure the security of your supply chain, we recommend working with your suppliers from an early stage and, ideally, demanding compliance with established standards, such as ISO 27001. In the production environment, standards such as IEC 62443, to which TRIOVEGA is also certified, provide an excellent reference point for purchasing secure solutions and components.
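The four steps above can be carried out as one data-driven exercise: the asset scan produces an inventory, the gap check flags machines whose software has left vendor support, the prioritization ranks them by exposure and production impact, each gap gets a mitigation class, and the suppliers behind the gap assets are checked against the standards named above. The following Python script is an added illustration of that workflow and is not code from the original article or from TRIOVEGA; the asset records, supplier flags, dates and downtime costs are constructed sample data, and the field names and the ranking rule (network-reachable first, then highest downtime cost) are assumptions made for the example.

```python
"""Shop-floor asset inventory, gap finding and prioritization (constructed example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Asset:
    name: str
    production_line: str
    software: str
    version: str
    # End of vendor support for the installed software; None means the vendor
    # publishes no support date, which this example treats as unsupported.
    support_until: Optional[date]
    network_connected: bool
    update_available: bool
    supplier: str
    downtime_cost_per_hour: int  # estimated loss in EUR (constructed figure)


@dataclass
class Supplier:
    name: str
    iso27001: bool
    iec62443: bool


# Constructed sample inventory, as an asset scan of two production lines might return it.
ASSETS: List[Asset] = [
    Asset("CNC mill 01", "Line 1", "controller firmware", "4.2", date(2027, 1, 1), True, False, "Supplier A", 12000),
    Asset("Packaging robot", "Line 2", "robot OS", "2.0", date(2023, 6, 30), True, True, "Supplier B", 8000),
    Asset("Legacy press", "Line 1", "PLC runtime", "1.3", None, False, False, "Supplier C", 20000),
    Asset("HMI panel", "Line 2", "panel OS", "7.1", date(2024, 12, 31), True, False, "Supplier B", 3000),
]

# Constructed supplier register: which established standards each supplier can show.
SUPPLIERS: Dict[str, Supplier] = {
    "Supplier A": Supplier("Supplier A", iso27001=True, iec62443=True),
    "Supplier B": Supplier("Supplier B", iso27001=False, iec62443=False),
    "Supplier C": Supplier("Supplier C", iso27001=True, iec62443=False),
}

TODAY = date(2025, 3, 1)  # assumed reference date for the check


def find_gaps(assets: List[Asset], today: date) -> List[Asset]:
    """Step 1: assets whose installed software has left (or never had) vendor support."""
    return [a for a in assets if a.support_until is None or a.support_until < today]


def prioritize(gaps: List[Asset]) -> List[Asset]:
    """Step 2: network-reachable gaps first, since they are exposed to the company
    network; within each group, highest estimated downtime cost first."""
    return sorted(gaps, key=lambda a: (not a.network_connected, -a.downtime_cost_per_hour))


def mitigation(asset: Asset) -> str:
    """Step 3: choose the mitigation class for one gap. Updating is preferred; where
    the manufacturer offers no update, a network-connected machine is shielded by an
    OT security gateway or segmentation instead of being disconnected, and an isolated
    machine is tracked with compensating controls until it is replaced."""
    if asset.update_available:
        return "schedule update"
    if asset.network_connected:
        return "protect with OT security gateway / segment"
    return "document compensating controls, plan replacement"


def supplier_findings(gaps: List[Asset], suppliers: Dict[str, Supplier]) -> List[str]:
    """Step 4: suppliers of gap assets that can show neither ISO 27001 nor IEC 62443."""
    names = {a.supplier for a in gaps}
    return sorted(n for n in names if not (suppliers[n].iso27001 or suppliers[n].iec62443))


def gap_report(assets: List[Asset], today: date) -> List[dict]:
    """Combine steps 1 to 3 into one prioritized action list."""
    ranked = prioritize(find_gaps(assets, today))
    return [
        {"asset": a.name, "line": a.production_line,
         "software": f"{a.software} {a.version}", "action": mitigation(a)}
        for a in ranked
    ]


if __name__ == "__main__":
    for row in gap_report(ASSETS, TODAY):
        print(row)
    print("suppliers without a recognised standard:",
          supplier_findings(find_gaps(ASSETS, TODAY), SUPPLIERS))
```

On the sample data, the CNC mill is still supported and drops out; the packaging robot and HMI panel come first because they sit on the company network, and the isolated legacy press is ranked last despite its higher downtime cost. Supplier B is the only supplier of a gap asset that shows no established standard, which is where the supply-chain conversation recommended above would start.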

What happens next?

As you can see, manufacturing companies face extensive obligations in cybersecurity with the introduction of the NIS 2 Directive. In the second part of our series, we will take a detailed look at the requirements catalog to help you prepare optimally.

Author: Mareike Redder

Mareike Redder has been working as an IT engineer at TRIOVEGA GmbH since 2018, and has been responsible for product management since 2022.
