
The updates to the Network and Information Security (NIS) Directive shouldn’t take EU businesses by surprise. But as a refresher, the NIS Directive was originally created to enhance cybersecurity, reduce cyber risk and ensure continuity in the wake of a cyber incident across EU organizations. You’ll remember that on October 17, 2024, the regulations expanded to European organizations in “essential” and “important” industries, paving the way for a new version of the NIS Directive that’s now known as NIS 2.
What types of businesses are deemed “essential” and “important”? This all depends on the sector, size and criticality of the organization. Businesses categorized as “essential” include energy, health, digital infrastructure, and drinking and wastewater entities, whereas organizations identified as “important” include food, chemical, waste management, postal and courier services, and manufacturing.
As the October 17 compliance deadline approached, meeting the strict new requirements was a tall order for the millions of businesses subject to the new hard and fast rules. Many of these businesses raced to iron out cybersecurity and backup strategies before the cutoff.
The NIS 2 Directive is here, so what’s next?
Fast forward to today and NIS 2 is live and enforceable under EU legislation. The implications are widespread but are particularly acute for manufacturers, which are tasked with protecting both IT and operational technology (OT) environments.
In this blog, we explore what these implications are, how they differ from traditional businesses, and ways manufacturers can address their cybersecurity gaps to adhere to the NIS 2 Directive.
Decoding new NIS 2 requirements: What this means for manufacturers
For starters, NIS 2 is intended to harmonize and standardize cyber protection rules, practices and measures for organizations in the EU. For the manufacturing industry, this presented obstacles.
Up until now, it was possible for manufacturers to skirt the regulations by following the same processes and procedures as they did in years prior. You’ve heard of the old saying, “If it ain’t broke, don’t fix it.” It’s a phrase that’s often used by someone who is resistant to change or believes there’s more risk in trying to improve something that’s currently working.
In any case, keeping with tradition has proven problematic for many manufacturers amid the NIS 2 rollout. As these organizations modernize and their factory floor environments evolve, new and legacy infrastructure and workflows clash, and the overall environment becomes more complex and less standardized over time.
Manufacturers with diverse systems, processes and sites aren’t new to these challenges and recognize how they may increase their risk of downtime. So, what should manufacturers focus on when addressing the NIS 2 Directive?
Businesses in the manufacturing sector should concentrate, above all, on standardization and consistency of security processes. Defining these strategies will be especially critical to backup, disaster recovery, incident response and business continuity planning.

Examining the NIS 2 Directive up against OT challenges
We took a poll during our webinar and asked our audience: “What causes the most downtime in your production environment?” Unsurprisingly, scheduled maintenance was the biggest source of downtime, cited by 27% of webinar attendees. Downtime costs manufacturers an estimated $260,000 (€247,188.23) per hour, which is why they go to great lengths to ensure that the PCs used to configure, monitor and manage OT remain up and running and can be restored quickly if they fail for any reason.
Protecting these systems in production environments is a major challenge for multiple reasons, starting with the fact that they tend to run on ancient hardware and operating systems that have passed end of support. These PCs are vulnerable to malware but too old to run modern security measures, an issue made worse by the fact that the OS vendor has stopped making new patches to close known vulnerabilities.
Most backup vendors have abandoned support for these old systems, leaving companies to rely on manual processes that are complex, error prone and too slow to fit within very narrow scheduled downtime windows. Air gapping, a common security measure in these environments, means that central IT staff cannot use remote management tools to help, and so they must travel to the site in the event of an outage, extending the costly downtime by hours or days.

The need for stability in these environments also weighs heavily on manufacturers, which explains why most are apprehensive about tinkering with OT infrastructure and processes. Yet, the NIS 2 Directive calls upon all EU businesses to make fundamental improvements. These include:
- A greater focus on business continuity with regular incident response plan testing, proper implementation of backups and redundancy systems, and frequent security awareness training (SAT).
- Proactive cybersecurity measures that include continuously updating security policies, practices and technologies to address emerging cyberthreats.
- Tougher requirements for risk management, access controls, data encryption and network security.
- Heftier penalties and more corporate liability for businesses that fail to comply with NIS 2, including financial and even criminal penalties for company executives.
- Mandatory incident reporting to ensure businesses notify authorities of cybersecurity incidents within 24 hours, and their customers and partners within 72 hours.
- Encouragement of businesses to cooperate with each other and the EU to promote cyber resilience best practices, including touting their investments in compliance as a potential competitive differentiator to their customers and partners.
- Increased awareness and consideration of supply chain security.
What takes the original NIS Directive up a notch to NIS 2 is that these requirements are expanded to a broader range of industries and company sizes. In particular, the number of employees and annual turnover play an even more critical role for businesses falling under the “essential” and “important” industry segments. The bar is set higher in terms of the requirements and penalties imposed on these organizations, with larger entities under heavier scrutiny.
Failure to achieve proper cybersecurity and data protection in adherence with NIS 2 can result in greater financial consequences. “Essential” organizations face fines of up to €10 million ($10.5 million) or 2% of their turnover, and “important” organizations can endure penalties of up to €7 million ($7.33 million) or 1.4% of their turnover.
Taking a closer look at supply chain security
If you examine NIS 2, you’ll notice that supply chain security is specifically called out in European Union law. NIS 2 mandates that businesses should create and follow a supply chain security policy to reduce risk to network and information systems. This policy governs relations between businesses, direct suppliers and service providers.
It also sets criteria for choosing suppliers. These criteria cover cybersecurity practices and product quality, and businesses need to review their supply chain security policy regularly. The law encourages every organization to do its due diligence by monitoring changes in the cybersecurity practices of suppliers and service providers. This includes checking reports, reviewing incidents, assessing risk and reducing cyber risk.
Manufacturing leaders need to ask themselves two questions:
- Are you secure enough that you don’t pose a risk to the suppliers you work with and the customers to whom you are a supplier?
- How do you successfully vet your own suppliers to ensure they aren’t a risk to you and, by extension, your customers?
The NIS 2 Directive won't let manufacturers off the hook if they fall victim to a supply chain attack. Now, manufacturers share some of the responsibility to ensure that their suppliers are following security best practices.
Manufacturers: Here’s how you can avoid costly penalties and help ensure NIS 2 compliance with Acronis Cyber Protect
So, how can manufacturers improve standardization and consistency of cybersecurity and data protection while maintaining uptime?
Acronis Cyber Protect helps thousands of organizations across the EU enhance their cyber resilience to the level they need to address NIS 2 Directive requirements. Acronis Cyber Protect natively integrates cybersecurity, backup, disaster recovery and endpoint management into a single, easy-to-use solution.
Ease of use is essential for manufacturers and businesses operating in remote areas with lean or absent IT personnel. For example, Acronis addresses this challenge with capabilities such as One-Click Recovery, which enables local workers of any skill level or experience background to initiate the process of rebuilding a failed PC, using a process called bare-metal recovery and a local backup image of the system.
Here are eight other ways Acronis Cyber Protect helps manufacturers adhere to NIS 2:
- Advanced security solutions, including artificial intelligence (AI)- and machine learning (ML)-based behavioral detection, patch management, device control, email security, security configuration management, anti-malware and anti-ransomware.
- Incident response and recovery, including rapid incident prioritizations, analysis, workload remediation with isolation, forensic backups, remote access for investigation, rapid rollback of attacks, self-recovery, backup and disaster recovery integration.
- Audits and assessments, including software and hardware inventory, discovery of unprotected endpoints, content discovery, data classification and vulnerability assessments.
- Leadership and governance, including centralized policy management, role-based management, information-rich, centralized dashboard, and scheduled reporting.
- Cloud security that uses highly secure Acronis data centers that support EU data sovereignty requirements.
- Reduced need for cybersecurity experts by provisioning protection via a single agent and management console that enables swift staff onboarding and efficient, uninterrupted operations.
- Robust encryption of data at rest and in transit.
- Network security advantages such as URL filtering.
The implementation of NIS 2 has highlighted the critical role of manufacturers in enhancing cyber resilience in both OT and IT environments. Empowering on-site workers with the right solutions, knowledge and resources to handle these tasks helps ensure a more resilient factory floor environment. This not only protects sensitive data but also minimizes downtime that could lead to financial losses.
NIS 2 calls upon both “essential” and “important” industry segments to take a programmatic and policy-driven approach to their cyber defense, recovery and business continuity strategies. Because it applies not only to EU companies with more than 50 employees or an annual turnover exceeding €10 million, but also to non-EU entities with a substantial presence in European markets, the NIS 2 Directive sets the standard for businesses’ ability to recover from incidents, especially those in remote areas that are frequently without local IT staff.

About Acronis
A Swiss company founded in Singapore in 2003, Acronis has 15 offices worldwide and employees in 50+ countries. Acronis Cyber Protect Cloud is available in 26 languages in 150 countries and is used by over 21,000 service providers to protect over 750,000 businesses.