The NIS 2 Directive: The measures industrial companies must take to comply

In the first part of our series on the NIS 2 Directive of the European Union, we explained the timeline of the NIS 2 introduction, and clarified which companies will be affected. Now, we want to address the actual content of the regulation. What measures must you take, and what are the consequences of non-compliance?

In many EU member states, the requirements have already been transposed into law, while in some countries, such as Germany and France, the process has been delayed by several months. However, this doesn’t mean you can sit back and relax. On the contrary. For manufacturing companies with multi-layered production environments and complex operating procedures, introducing new security measures will take time – more than the time left until the new national law is put into place. Read on to find out how to prepare for the new directive.

NIS 2 Directive: An overview of the requirements

The NIS Directive provides a framework that each country must transpose into concrete national information security and cybersecurity requirements for the affected companies. Using an All-Hazards Approach, the directive aims to cover the broadest possible spectrum of risks, not limited to IT or cyberattacks.

Although we are still waiting for the final legal text in Germany, the core content of the EU legal framework, e.g., for critical infrastructure (KRITIS), provides excellent insight into the measures that affected companies will have to address. The following is not an exhaustive list of the directive’s measures, but it covers the most pertinent ones.

1. Risk management

Every company is exposed to a number of risks that extend beyond cyber risks to include all assets, persons, and business units, including intangible assets such as intellectual property and reputation. In risk management, we identify these risks, taking individual factors into account, assess the threat potential, and ultimately contain them.

The established standard is an Information Security Management System (ISMS), which covers all risk management and mitigation steps. As the international ISO 27001 standard has risk-handling requirements similar to those of the NIS 2 Directive, organizations such as TRIOVEGA with an ISO 27001-compliant ISMS are well-prepared for the new regulations. Most of the requirements for dealing with risks are designed similarly in the two frameworks.

Companies should not underestimate the continuous effort of keeping the ISMS up to date as the threat landscape changes and of making the adjustments required after security incidents. It is also necessary to review and accept unavoidable residual risks, in consultation with management.

Furthermore, the OT environments in production play a significant role in risk management. In many cases, potential risks for production lines have never been systematically recorded, and so remain unknown. Yet it is precisely the long service life of systems, with software that cannot be updated, that makes OT particularly susceptible to cyberattacks. Affected industrial companies should therefore carefully identify all assets and risks in the production area and initiate special mitigation measures in order to best prepare for NIS 2.

2. Incident Handling

Should security incidents occur despite careful risk mitigation, they must be quickly identified, rectified, and ultimately reported. The industrial sector should pay particular attention to the detection of cyberattacks: According to the IBM Data Breach Report 2024, it takes 199 days to identify an attacker in the systems of industrial companies, significantly longer than in other sectors.

In addition, NIS 2 sets strict deadlines for reporting to the authorities. Serious incidents must be reported to the responsible body within 24 hours of becoming known. To this end, suitable processes must be in place and demonstrable, and personnel must be trained accordingly.

edge.SHIELDOR, TRIOVEGA’s OT security software solution, minimizes the damage that a cyber incident can cause. Similar to the air-gap principle, the plant network is completely isolated from the higher-level company IT, and the individual services are segmented, preventing the spread of malware. Unwanted communication attempts are identified and blocked. By logging network traffic, information about attackers can also be collected and analyzed in central logging systems.

3. Business continuity and recovery plans

As it is imperative for industrial companies to maintain production operations, business continuity plays a major role in NIS 2. In the event of an emergency, the organization must have recovery plans, and all relevant data must be regularly backed up. To increase reliability, production lines must have an adequate level of redundancy.

The more production is automated, the faster operations can be resumed after an incident. With individual solutions for customers, TRIOVEGA automates, for example, machine parameterization. This allows systems to be managed effectively and restarted promptly after an emergency without data being lost.

4. Supply chain security

The NIS 2 Directive also addresses the supply chain, which is a particular concern of the manufacturing industry.

Organizations must thoroughly check suppliers of both hardware and software components for compliance with the required security standards. Every service level agreement (SLA) with business partners must define security obligations and requirements, and compliance must be monitored.

For closer partnerships, manufacturers must carry out audits of their suppliers to identify and rectify potential weaknesses before the collaboration begins. If partners can already demonstrate a high level of security with existing certifications, the workload for this task can be minimized. TRIOVEGA, for example, can prove compliance with the IEC 62443 standard for industrial communication networks.

5. Access controls and rights management

In most companies, physical access to offices and factory buildings is already strictly controlled as part of information security. However, NIS 2 also requires the implementation of seamless access controls and rights management in the digital space to increase the security of IT systems and connected networks.

Employees should be assigned clearly defined user roles that regulate access across all of the organization’s systems and draw on established best practices, such as the principle of least privilege, i.e., the assignment of the minimum rights required to perform a task. As these rights are often granted almost automatically on many shop floors, altering this approach will require a change in the daily working practices of production staff.

What are the penalties for inadequate implementation?

The previous NIS Directive did not stipulate possible sanctions for companies at the EU level, preferring to leave this up to the member states. As this led to a confusing patchwork of different regulations, especially for international organizations, the NIS 2 Directive provides a clearer framework.

Overall, the legal consequences for non-compliance have been significantly expanded:

Company management must approve measures taken and monitor compliance. If management does not comply with this obligation, those responsible can be held personally liable.

Fines have been significantly increased and can be up to €10 million or 2% of global turnover.

If network security is compromised by widespread malware, for example, regulators can shut down business operations until the threat is contained.

Secure the future of your company – act now

For companies in the production industry, the NIS 2 Directive makes it critical to establish a security culture. Measures to increase information security and cybersecurity should not be seen purely as an expense, but rather as an investment in company resilience, which secures future business success. Stand out from your tardy competition with effective security practices that provide a unique selling point.

With its customized products and services for industrial manufacturing, TRIOVEGA offers a balance between safety and increased efficiency. edge.SHIELDOR secures your production against cyber risks and paves the way for data-driven process optimization, implemented by our service.factoryINSIGHTS experts. In addition, our Custom Software Solutions teams develop secure individual software solutions for your entire value stream right through to the end product. Get in touch with us!

Author: René Janz

René Janz is an industrial engineer with extensive knowledge of the shop floor. He has been with TRIOVEGA GmbH since 2023, and as Director Business Development, René is responsible for the strategic expansion of OT security and digitalization in the production industry.
