Menu

The NIS2 Directive: Cybersecurity Duties Reach the Factory Floor

The NIS2 Directive explained for manufacturers: expanded cybersecurity obligations, OT scope, incident duties, and how maintenance and OT segmentation connect.

The NIS2 Directive is the EU’s expanded cybersecurity law, and it matters to manufacturers because it pulls far more of them into scope than its predecessor and reaches into operational technology, the PLCs, SCADA, and machine networks that run production. Manufacturing of critical products, and many mid-size manufacturers previously untouched by cyber regulation, now face concrete security and incident-reporting duties. Educational overview, not legal advice; your security and legal functions own compliance.

What NIS2 changes

  • Wider scope: more sectors and more mid-size organizations are covered as essential or important entities, including significant parts of manufacturing.
  • Risk-management obligations: concrete measures, risk analysis, incident handling, business continuity, supply-chain security, and security of network and information systems, including OT.
  • Incident reporting: tight timelines for notifying significant incidents to authorities.
  • Management accountability: senior management responsible for, and trained on, cybersecurity risk measures.
  • Supply-chain security: duties that ripple to suppliers and service providers.

Why OT is the hard part for manufacturers

IT security is well-trodden; OT security is where factories struggle, and where NIS2 now looks. Production networks are full of legacy controllers, flat networks, and systems that cannot be patched on IT timelines. The foundational control is network segmentation and access discipline, isolating the OT network so a compromise cannot walk from email to a PLC, which is precisely the architecture behind IEC 62443 zones and conduits. NIS2 gives that long-standing OT-security engineering a regulatory deadline.

A worked example: the data connection nobody classified

A manufacturer connects a production line’s OEE monitoring to a cloud dashboard, sensible operationally. Under NIS2, the security question is now mandatory: how does data leave the OT network, what boundary controls it, and could that path be reversed into the controls? A well-designed connection answers cleanly, data flows one way through a controlled boundary, raw control data never leaves the OT zone, and only derived production metrics cross, satisfying the segmentation the directive expects (the model in the IEC 62443 primer). A carelessly designed one is an audit finding and a real attack path. The lesson generalizes: every OT data connection a plant adds is now a security decision with a regulatory dimension, not just an IT convenience.

Where maintenance and NIS2 quietly connect

Cybersecurity is not obviously a maintenance topic, but the seams show: OT asset inventories (you cannot secure what you have not inventoried), patch and firmware management on controllers, access control on maintenance connections and vendor laptops, and the discipline that changes to OT systems flow through management of change rather than ad hoc. The maintenance function often holds the most accurate picture of what OT actually exists on the floor, which is why it belongs in the NIS2 conversation.

Where Fabrico fits

Fabrico is not a cybersecurity platform and does not secure networks or manage patches, that is the domain of security teams and OT-security tooling. Where Fabrico contributes is narrower and honest: it is EU-built with EU data residency, so the operational data it holds stays under European governance rather than crossing to jurisdictions that complicate compliance, and its production monitoring is designed to work from derived metrics without requiring raw control data to leave a well-segmented OT network (including computer-vision capture on machines with no PLC connection at all). It also holds the maintenance-side OT asset history that security inventories draw on. Fabrico does not make you NIS2-compliant; it is a data foundation that does not work against the segmentation the directive expects. EU-built, with EU data residency.

Frequently Asked Questions

Does NIS2 apply to my manufacturing company?

It depends on sector and size: NIS2 broadened coverage to many medium and large organizations in sectors including certain manufacturing, as essential or important entities, and national transposition laws set the precise scope. Manufacturers near the thresholds should assess with legal and security advisers rather than assume they are out of scope.

How does NIS2 relate to IEC 62443?

NIS2 sets legal duties; IEC 62443 is the technical standard framework for securing industrial automation and control systems. Many organizations use IEC 62443 as the engineering means to meet the OT-security expectations that NIS2 makes a legal obligation, the regulation says what, the standard helps with how.

Where should a manufacturer start with OT security under NIS2?

Commonly with an accurate OT asset inventory, network segmentation between IT and OT, controlled boundaries for every data connection leaving the plant, and access discipline for maintenance and vendor connections. These foundations address the highest-risk gaps and align with both NIS2 duties and IEC 62443 architecture.

Want a production-data foundation that respects OT segmentation and keeps your data in the EU? Book a Fabrico demo to see EU-built OEE and CMMS designed for well-segmented plants.

Najnowsze wiadomości z naszego bloga

Zdefiniuj swoją mapę drogową niezawodności
Sprawdź swój potencjalny zwrot z inwestycji: zarezerwuj prezentację na żywo
Zdefiniuj swoją mapę drogową niezawodności
Klikając przycisk Akceptuj, wyrażasz zgodę na korzystanie z plików cookie podczas uzyskiwania dostępu do tej witryny i korzystania z naszych usług. Aby dowiedzieć się więcej o tym, jak pliki cookie są używane i zarządzane, zapoznaj się z naszą Polityką prywatności Polityka prywatności i Deklaracja plików cookie