NIS2 is here – What Manufacturers & Distributors need to know about Europe’s new cybersecurity regime

The new Network and Information Systems Directive (NIS2) came into effect on 18 October 2024, bringing with it an overhaul of cybersecurity risk management across Europe.

NIS2 introduces a package of measures aimed at reducing the risk of cyberattacks and strengthening cyber resilience. These measures include new incident reporting obligations, stricter security requirements, and enhanced cyber incident response planning.

The core focus of NIS2 is to enhance the cybersecurity of European critical infrastructure. While sectors such as telecommunications, digital services, energy, healthcare, and transport are clearly integral to Europe’s core infrastructure, NIS2 also expands its scope to cover the vast supply chains and manufacturing base that support these industries.

In this regard, NIS2 regulates a wide range of sectors involved in the manufacturing, supply, and distribution of equipment, chemicals, industrial products, and critical processes.

Sanctions for non-compliance under NIS2 are substantial, with fines of up to €10 million or 2% of worldwide turnover and, in some cases, sanctions against senior management and the C-suite. Above all, NIS2 mandates a proactive approach to cybersecurity and operational resilience.

This article, part of our NIS2 series, provides a high-level overview of what you need to know for your sector and the steps you should take now. For a more in-depth insight into NIS2 and its requirements, see our article here.

Note on the UK: This article focuses on the EU’s enhanced cybersecurity regime, which does not apply in the UK. For specific guidance on the UK’s approach to cybersecurity regulation, please contact a member of our Resiliency team.

What manufacturing industries are covered

While the scope of NIS2 may be straightforward for some industries, it presents particular challenges for manufacturers, given the complexity and diversity of supply chains in the sector.

NIS2 introduces a significant shift in cybersecurity regulation for key sectors of the European economy, including manufacturing. Under NIS2, certain manufacturing industries are now classified as either essential or important entities, requiring them to meet strict cybersecurity measures, risk management obligations, and incident reporting requirements.

Unlike its predecessor, NIS1, which had a narrower focus on critical infrastructure, NIS2 expands its reach to cover a broader range of industries essential to the EU’s supply chains, industrial production, and economic stability. For large-scale manufacturers, this means cybersecurity is no longer just an IT concern—it is now a regulatory priority with strict compliance obligations.

Below is a summary of the manufacturers and their critical supply chains covered by NIS2:

Manufacturing sector – Subgroups / covered industries

Pharmaceuticals & Biotechnology – Drug manufacturers, vaccine production, biotechnology firms, medical research labs
Medical Device Manufacturing – Producers of diagnostic equipment, surgical instruments, imaging systems, implantable devices (e.g., pacemakers)
Chemical Manufacturing & Distribution – Industrial chemicals, petrochemicals, pharmaceutical ingredients, bio-chemicals
Automotive & Transport Equipment – Car manufacturers, aerospace & defence equipment, railway infrastructure, shipbuilding
Computer, Control and Optical Products – Manufacturers of computers, laptops and handheld computing devices, smartphones, telecommunications equipment, TVs, consumer electronics devices, and video games consoles
Electronics & Semiconductor Manufacturing – Semiconductor fabrication, circuit board production, consumer electronics
Energy Equipment & Infrastructure – Manufacturers of transformers, batteries, generators, wind turbines, solar panels
Industrial Machinery & Automation – Robotics, automation systems, CNC machinery, factory equipment, industrial control systems and industrial testing equipment
Food & Beverage Processing – Large-scale food production, dairy processing, beverage bottling plants
Metals & Heavy Manufacturing – Steel production, aluminium processing, mining equipment, industrial welding when used to supply critical industries such as energy
Textile & Apparel Manufacturing – Mass garment production, synthetic materials, technical textiles for industrial use (e.g., safety equipment and PPE)
Paper, Pulp & Packaging – Paper mills, packaging material manufacturers, sustainable packaging solutions
Construction Materials & Engineering – Cement and concrete production, glass manufacturing, insulation materials

IMPORTANT: the above list provides an illustrative overview of the types of manufacturers covered by NIS2. However, organizations must conduct their own scoping assessment to determine whether their products fall within the scope of NIS2-regulated manufacturing sectors.

What does this mean for the critical manufacturers and distributors?

NIS2 imposes obligations on a broader range of entities, categorizing them as either ‘essential’ or ‘important’ entities. Cyber incidents affecting critical manufacturers have demonstrated the far-reaching impact that such disruptions can have on critical infrastructure providers and the wider European economy.

The Norsk Hydro ransomware attack severely impacted aluminium production, while the  cyberattack disrupted pulp and paper manufacturing operations. More recently, Varta’s data incident in February 2024 resulted in the shutdown of five battery manufacturing plants. These cases illustrate how attacks on core manufacturing sectors can create significant knock-on effects for industries reliant on their production.

Organizations involved in the manufacture, supply, and distribution of chemicals—particularly those supporting critical infrastructure sectors—are also subject to NIS2’s enhanced compliance requirements. The State-backed cyberattack on Lanxess’ chemical production facilities in 2020 and the series of attacks targeting chemical distribution companies supplying the oil industry in 2021 further highlight the increasing cyber risks facing this sector.

In the computing and high-end electrical equipment sectors, companies in Europe are no strangers to cyberattacks. However, incidents in these industries tend to be more insidious, often linked to State-backed foreign espionage activities due to the sensitive technologies and intellectual property involved. Data exfiltration attacks against Airbus in 2023 and Schneider Electric’s data breach in 2024 demonstrate the scale of these risks, while ongoing cyber threats against the Netherlands’ semiconductor industry—often described as the "jewel in the crown" of Europe’s semiconductor sector—underscore the importance of cybersecurity for organizations operating in these fields.

With the advent of NIS2, cybersecurity is no longer just an IT concern—it is now a critical regulatory and operational priority for the manufacturing and distribution sectors.

Registration

With NIS2 comes a new mandatory registration requirement. A regulated entity will be required to register with its competent authority and provide key details about where the organisation provides its services, its IP ranges, and (where applicable) the identity and contact information of its designated representative. 

Providers and suppliers located outside Europe with no legal presence will need to appoint a local representative.

For manufacturing and distribution organizations, registration under NIS2 is particularly complex due to the way registration obligations are structured. Unlike some other sectors, manufacturers and distributors do not benefit from the "main establishment" principle, which would otherwise allow them to register in a single Member State where their core cyber operations are based.

As a result, many organizations will need to make a judgment call on which countries they must register in, based on the locations of their facilities, supply chain dependencies, and customer obligations.

Incident management

NIS2 represents a significant cultural shift in how manufacturers and distributors approach incident management, placing a heightened emphasis on supply chain resilience and coordinated response obligations. For organizations operating within critical supply chains, cyber incidents are no longer an isolated risk but a shared responsibility that can trigger widespread disruptions across NIS2-regulated customers and partners.

One of the most critical aspects of NIS2 is its strict breach reporting requirements, which mandate that affected entities report cybersecurity incidents to the relevant authority within 24 hours of detection, followed by more detailed reporting at additional intervals. 

Given the interconnected nature of manufacturing and distribution networks, an incident within a key supplier may not only require direct reporting to regulators but could also initiate secondary notifications across multiple customers and industries—especially for those supplying healthcare, energy, transport, or defence sectors.

Unlike other industries, manufacturers and distributors are deeply embedded in the supply chains of multiple NIS2-regulated entities. As a result, organizations should expect enhanced flow-down obligations from their customers, emphasizing greater transparency in reporting, faster incident response times, and stronger cooperation with both regulators and downstream partners.

More generally, manufacturers and distributors supplying Europe’s critical industries should take steps to proactively strengthen their incident response capabilities, ensuring that:

  • Incident escalation, containment, and communication protocols align with regulatory requirements
  • Supply chain dependencies are mapped and accounted for in response plans
  • Incident response teams are trained and prepared for heightened notification obligations

Interplay with the Cyber Resilience Act

As manufacturing companies increasingly rely on connected devices, industrial control systems, and embedded software, cybersecurity risks within hardware and software supply chains have come under greater regulatory scrutiny. The Cyber Resilience Act (CRA) introduces a new EU-wide framework aimed at ensuring that products with digital components—including IoT devices, industrial control systems, and embedded microprocessors—are secure throughout their lifecycle.

The CRA establishes baseline cybersecurity requirements for IoT-enabled hardware and software, ensuring that all connected products sold in the EU market meet minimum security standards before being placed on the market. This regulation directly impacts manufacturers that produce or integrate network-connected devices, software-driven industrial components, or embedded systems. The CRA aligns with the "security-by-design" principle, requiring manufacturers to proactively address vulnerabilities before their products reach end-customers.

While NIS2 focuses on cybersecurity governance and incident response obligations for critical sectors, the CRA targets cybersecurity at the product level, ensuring that manufacturers adhere to strict security and compliance measures during development, testing, and deployment.

Key Requirements and Compliance Obligations Under CRA

The CRA introduces enhanced security obligations for manufacturers of digital and connected products, emphasizing:

  • Security-by-Design & Default: Manufacturers must ensure products are designed with security from inception and contain built-in risk mitigation measures.
  • Vulnerability Management: Companies must implement continuous security monitoring and provide security updates and patches throughout the product lifecycle.
  • Testing & Certification: Certain categories of connected products will require enhanced security testing and, in some cases, third-party certification before they can be marketed in the EU.
  • Incident Reporting Obligations: Manufacturers must notify the EU cybersecurity agency (ENISA) and relevant regulators of any significant security vulnerabilities or exploits discovered in their products within 24 hours of detection.

For manufacturing companies, this means that products incorporating software, firmware, or digital interfaces will be subject to stricter cybersecurity compliance, requiring a shift in product development, supply chain security, and post-market support strategies.

Enhanced Oversight for Critical Product Categories

Under the CRA, certain categories of high-risk products are subject to enhanced security assessments and compliance requirements. These include:

  • Industrial Control Systems (ICS) & Supervisory Control and Data Acquisition (SCADA) Systems – Essential for factory automation, power grids, and industrial networks, these systems must undergo rigorous cybersecurity testing to prevent exploitation by threat actors.
  • Microprocessors & Embedded Systems – Hardware components that power critical infrastructure (e.g., automotive, aerospace, and medical devices) require mandatory security testing and vulnerability mitigation.
  • Networked Consumer & Industrial IoT Devices – Products such as smart sensors, connected manufacturing robots, and wireless industrial equipment will be subject to strict lifecycle security requirements.
  • Critical Software (Operating Systems, Firmware, and Security Modules) – Software that controls key industrial processes, automation, and remote management must meet compliance benchmarks to reduce security risks.

Manufacturers producing any of these critical product categories must comply with more extensive security testing, vulnerability disclosures, and pre-market certification than standard digital products.

How CRA and NIS2 Interact for Manufacturers of Core and Critical Electrical Products

For manufacturers of industrial control devices, microprocessors, and critical electrical products, the CRA and NIS2 create a dual compliance framework:

  • NIS2 regulates the security of organizations and their IT/OT infrastructure, meaning manufacturers supplying critical industries (energy, healthcare, transport, defence, etc.) must meet cyber risk management obligations at the enterprise level.
  • CRA mandates that manufacturers implement cybersecurity measures within their actual products, ensuring that hardware, firmware, and software components are secure throughout their lifecycle.

For manufacturers operating in industrial automation, electrical equipment, and critical components, the CRA introduces significant cybersecurity compliance obligations that directly affect product design, supply chain security, and lifecycle management. As both the CRA and NIS2 reshape the regulatory landscape, manufacturers must ensure that their products are built with cybersecurity resilience while also meeting the incident management and governance obligations required by NIS2.

Those who proactively align their cybersecurity strategies with both frameworks will be better positioned to navigate compliance requirements, mitigate cyber risks, and maintain a competitive edge in the evolving European regulatory environment.

We have ISO 27001 – do we need to do anything?

In short – yes.

While it is true that both NIS2 and ISO 27001 (and other information security management frameworks such as ISO 22301) aim to enhance an organisation’s cybersecurity and resiliency, NIS2 is fundamentally different in its scope.

The mandatory controls required under NIS2 are more granular in nature and will apply to a wider part of an organisation (including entities that would typically be segregated under ISO 27001).

In addition, due to the stringent requirements around incident management, reporting and audit, it is highly unlikely an organisation will be able to simply rely on its ISO 27001 certification to achieve NIS2 compliance.

However, those organisations with ISO 27001 (particularly the 2022 version) will already have in place a strong governance framework and an ISMS onto which NIS2 controls can be added.

What you need to do now

  1. Familiarise yourself with the key requirements of NIS2 – you can read our more in-depth article here as a starting point.
  2. Conduct a detailed scoping assessment to determine whether your business falls within the scope of NIS2. Consider key factors such as company size, sector, business activities, and the Member States where you operate or provide services. For manufacturing companies, a more in-depth assessment is recommended due to the complex criteria that determine when organizations in these sectors are subject to NIS2 compliance requirements.
  3. Keep track of the specific NIS2 implementation timeline for your home country – very few Member States were able to implement national implementing laws before the 17 October deadline.
  4. Determine and complete registration requirements – noting that for large manufacturing entities, multiple registrations may be required.
  5. Conduct a gap analysis between NIS2 measures (specifically those required in your home country), against your current cybersecurity posture and implement a rectification and improvement plan.
  6. Review and update existing incident management handling processes – you can read more about some of the changes to incident classification here.
  7. Start your vendor management process now, given the significant time it often takes to cascade compliance throughout the supply chain.
  8. Consider whether key customers are likely to be impacted, and how this should be reflected in key contracts (particularly in B2B settings).

Disclaimer

This information is for general information purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given. Please contact us for specific advice on your circumstances. © Shoosmiths LLP 2025.
