whitepaper
Navigating NIS2: A Strategic Operational Priority
Executive Summary
The European Union’s new cybersecurity regulations, the Network and Information Systems Directive 2 (NIS2) and the Cyber Resilience Act (CRA), together mark a turning point for connected device manufacturers.
Of the two, the NIS2 Directive strengthens the resilience of essential and important entities by addressing both cybersecurity and operational continuity at an organisational level. It requires organisations to implement risk-based technical, operational, and organisational measures covering incident prevention, detection, response, and recovery, while ensuring the continuity of critical services.
While the complementary Cyber Resilience Act (CRA) addresses product-level security, NIS2 remains focused on the resilience and continuity of the organisation as a whole.
NIS2 does not only affect your customers — it may apply directly to your organization as well. The directive expands cybersecurity and risk management obligations across a wide range of sectors, including manufacturers operating within the EU or serving EU markets.
Even where you are not directly in scope, your products, services, and processes may fall within your customers’ risk management and reporting obligations. This means your cybersecurity practices, operational resilience, and incident response capabilities can directly influence your customers’ compliance.
Keeping NIS2 requirements in mind helps you strengthen your own compliance posture, align with customer expectations, maintain trust, and ensure smooth operations across the entire supply chain.
In short, for equipment manufacturers, NIS2 is not just a compliance exercise; it is an opportunity to differentiate. Customers, partners, and regulators increasingly expect security and resilience to be built in, not added on. Manufacturers who adopt NIS2 and CRA principles early, through secure development, transparent vulnerability management, and real-time device visibility, will not only meet regulatory requirements but also strengthen trust and gain a competitive advantage.
This paper explores how these two EU regulations complement each other to raise the bar for security and accountability. It outlines what they mean for equipment manufacturers, the key challenges in achieving compliance, and how Cumulocity helps build secure, compliant, and future-ready AIoT ecosystems, where security is not a burden, but a business advantage.
Introduction
Smart manufacturing increasingly relies on connected devices for monitoring, analytics, and automation, making cybersecurity a critical priority that extends beyond traditional IT networks to the devices and operations that power them. The NIS2 Directive, which replaces the original NIS Directive, and the Cyber Resilience Act (CRA) address this challenge in complementary ways. NIS2 focuses on organisational resilience, enforcing risk management, incident reporting, and executive accountability, while the CRA ensures products are secure by design and maintained throughout their lifecycle.
While these regulations might seem like just another compliance requirement, companies face significant and potentially costly risks if security is not implemented across IT, operational technology (OT), and connected industrial IoT systems. In today’s environment, cybersecurity is not a luxury—it is essential to protect operations, maintain trust, and ensure business continuity.
With its broader scope and stricter enforcement, NIS2 requires manufacturers to treat cybersecurity with the same urgency as operational emergencies, embedding security across operations and supply chains, responding rapidly to incidents, and integrating audits and device management into daily operations.
Together, NIS2 and CRA provide a framework that not only ensures compliance but also supports resilience, trust, and long-term competitiveness in smart manufacturing.
Understanding NIS2
Scope and Objectives
For organisations operating in the EU that provide key services, NIS2 is a piece of legislation that must be understood and addressed. It promotes a unified approach to cybersecurity that extends beyond the manufacturer to the entire supply chain. As demonstrated by numerous high-profile incidents, extended supply chains are fragile and vulnerable to abuse. NIS2 focuses on strengthening both organisational and operational resilience, ensuring that companies can prevent, withstand, respond to, and recover from cyber incidents across their operations and supply chains.
One notable requirement is the mandated 24-hour limit for reporting a breach, significantly shorter than the 72-hour reporting window under GDPR. NIS2 also strengthens executive accountability for cybersecurity failures, fostering a culture of continual security improvement, innovation, and responsibility across organisations.
The regulation’s primary objectives are thus to enhance cybersecurity, organisational, and operational resilience across critical sectors, reduce incident response times through rapid breach reporting, strengthen supply chain risk management, and embed executive accountability and a culture of continuous security improvement throughout the organisation.
Timeline and Enforcement
NIS2 came into force in October 2024, and enforcement is already underway across EU member states. As a directive, it sets a common framework, but implementation may vary between countries, meaning organisations must navigate both EU-level requirements and national legislation. Non-compliance carries significant risks, including fines of up to 2% of global turnover, potential legal disputes, and possible exclusion from the European market.
Key Considerations for NIS2 Compliance
Rapid Incident Reporting
Under NIS2, manufacturers must detect, assess, and report significant cybersecurity incidents within 24 hours. This demands real-time monitoring of connected devices and networks, automated detection and alerting systems, and clearly defined internal workflows for incident assessment and escalation. Secure and timely communication with regulators is critical to meeting reporting obligations.
Supply Chain Risk Management
The directive requires manufacturers to maintain comprehensive oversight of their entire supply chain. This includes evaluating the cybersecurity practices of all partners, integrating risk controls into procurement and contracts, continuously monitoring third-party compliance, and preparing contingency plans for incidents originating from suppliers or subcontractors.
Executive Accountability
Cybersecurity responsibility is elevated to the boardroom. Executives must have a clear understanding of the organization’s risk posture, ensure sufficient investment in security measures, oversee compliance and audit processes, and face personal liability in cases of negligence or failure.
Integrated Cybersecurity Operations
Achieving compliance means embedding cybersecurity into everyday operations. This involves routine security audits that align with manufacturing quality checks, staff training and awareness programs, regular incident response planning and testing, and continuous vulnerability management including patching.
How Cumulocity Supports NIS2 Compliance
Cumulocity delivers an AIoT platform designed to address the operational and cybersecurity challenges posed by NIS2. It offers continuous, real-time visibility into device status and security across your entire fleet, paired with automated incident detection and reporting to streamline breach notification workflows. Secure over-the-air updates enable rapid vulnerability patching, minimizing exposure windows.
Granular access control, using role-based permissions and multi-factor authentication, protects both data and device operations. Comprehensive audit trails ensure accountability and simplify regulatory reporting.
Equally critical under NIS2 is supply chain security. The directive makes manufacturers accountable not only for their own systems but also for the cybersecurity practices of their partners and suppliers. Capabilities such as partner whitelisting, credential management, and risk segmentation enable continuous oversight of who and what connects to production environments. By extending visibility and control across the entire value chain, manufacturers can reduce third-party risk, demonstrate compliance, and build a more resilient operational ecosystem.
By integrating these capabilities within a unified platform, Cumulocity enables manufacturers to operationalize these NIS2 principles — turning compliance from a regulatory burden into a competitive advantage, reducing operational risk while building lasting trust with customers and partners.
A device manufacturer should first put themselves in the shoes of their customers: understanding what customers need to do to comply with NIS2 and CRA, and then facilitating compliance wherever possible.
Best Practices for Building NIS2-Ready Operations
Operational Elements
From the customer’s perspective, manufacturers should provide devices and platforms that simplify compliance and resilience. Best practices include implementing IoT and device management platforms with built-in security and monitoring for rapid incident detection and response, ensuring all partners in the supply chain comply with CRA requirements and share the same security principles, conducting regular penetration testing, aligning IT and OT incident response plans, and maintaining robust business continuity measures.
Organisational Elements
Manufacturers should help their customers by embedding cybersecurity accountability into governance and reporting structures. Best practices include providing tools, documentation, and audit trails that simplify compliance, implementing staff training and awareness programs, and applying security-by-design principles in product development. These measures foster a culture of continuous improvement and proactive security across both the manufacturer and their customers.
By thinking from the customer’s perspective and following these best practices, organisations not only support NIS2 and CRA compliance but also build trust, resilience, and competitive advantage throughout the supply chain.
What Equipment Manufacturers Need to Do Next
To build NIS2-ready operations, manufacturers should approach their journey from the perspective of their customers—understanding what is needed to comply with NIS2 and CRA, and facilitating compliance wherever possible.
Key priorities include:
- Assess Your Own Risk and Readiness: Identify critical assets, connected devices, and existing security controls. Evaluate incident detection, reporting capabilities, and both operational and organisational resilience.
- Map and Manage Your Supply Chain: Document suppliers and partners, assess their security maturity, and ensure CRA compliance extends across the supply chain. Select partners who follow the same security principles and implement continuous monitoring protocols.
- Upgrade IoT and Device Management: Deploy platforms, like Cumulocity, that provide real-time monitoring, secure patching, granular access control, and visibility into device health. These platforms should simplify compliance for your customers while maintaining operational resilience.
- Engage Leadership and Compliance Teams: Embed cybersecurity into governance and reporting structures, ensuring executive accountability. Provide clear roles, audit trails, and documentation to foster a culture of continuous improvement and security.
- Prepare Incident Response and Continuity Plans: Define workflows for rapid detection, reporting, and recovery aligned with NIS2 timelines. Include IT and OT systems, and ensure plans cover the entire supply chain to maintain both operational and organisational resilience.
Conclusion
NIS2 raises the standard for cybersecurity across Europe’s industrial landscape, requiring manufacturers to strengthen both organisational and operational resilience. While customers and manufacturers face challenges in aligning with these requirements, the directive provides a clear opportunity to enhance supply chain security, embed executive accountability, and build trust.
Those who adopt best practices, such as real-time device visibility, robust supply chain risk management, and security-by-design principles, will not only achieve compliance but also gain a competitive advantage in a security-conscious market.
Take the Next Step
The path to compliance starts with visibility and control. Equip your teams with the tools to manage, secure, and respond to cybersecurity risks proactively.
Talk to our experts. Explore how Cumulocity can help you meet NIS2 obligations and build a roadmap for secure, future-ready operations.