With the NIS2 Directive now in force across much of the EU, energy and manufacturing organisations are dealing with the reality of a more stringent cyber security regime. Most Member States have transposed the directive into national law, but with varying definitions, reporting timelines and audit expectations. This patchwork means companies operating in multiple jurisdictions must navigate different obligations at once — a challenge that has already caught some businesses off guard.
Under NIS2, both “essential” and “important” entities face tighter requirements for risk management, supply chain security, incident reporting and board-level accountability. For energy and manufacturing firms, whose systems underpin daily life and critical supply chains, this is no longer a box-ticking exercise but a strategic issue of resilience and reputation.
The new reality for energy operators
Energy networks are a prime target for cybercriminals and state-sponsored actors. The directive expects operators to harden their systems, vet suppliers and implement robust detection and response capabilities.
Take, for example, a regional electricity transmission operator running substations and grid balancing platforms across two EU countries. Because each country has implemented NIS2 differently, the operator must track two sets of rules and ensure its controls, processes and reporting match the stricter of the two regimes. It also needs to enforce multi-factor authentication (MFA) for remote access and contractor logins, segment critical networks, and document all changes.
If a ransomware group were to compromise a contractor’s credentials and interfere with a substation’s control logic, the operator would be obliged to submit an early warning within 24 hours and a detailed report within 72 hours — while simultaneously restoring operations and managing public fallout. Without a rehearsed incident response plan, these parallel obligations could overwhelm internal teams.
The manufacturing challenge
Manufacturers producing critical components for aerospace, automotive or chemicals now qualify as “important entities” under NIS2. This brings mandatory cyber security and reporting obligations across both IT and operational technology (OT).
Imagine a multi-site manufacturer with hundreds of IoT sensors, robotics and a complex supply chain. Under NIS2 it must:
- Segregate OT and IT networks and deploy intrusion detection within industrial systems.
- Enforce patching and change-control, or document compensating measures where patches are not feasible.
- Require suppliers to meet defined security standards, with contract clauses and audit rights.
- Maintain and regularly test incident response and business continuity plans.
If a supplier is breached and sends a malicious firmware update to one of the manufacturer’s robotics controllers, triggering a production halt, the manufacturer must isolate the affected lines, notify authorities promptly, and evidence that it had “appropriate and proportionate” controls in place. Senior managers are accountable for ensuring this framework exists and is tested.
Management accountability under NIS2
One of the most significant changes NIS2 brings is management accountability. Article 20 of the directive (Governance) sets out clear obligations for company directors and senior managers, making cyber security no longer just a technical issue but a leadership responsibility.
Management bodies now face three main obligations:
- Approve risk management measures – Directors must formally approve the organisation’s cyber security risk management framework and ensure it aligns with the company’s risk appetite and regulatory duties. This can no longer be delegated entirely to IT or security teams.
- Oversee implementation – Senior leaders are expected to actively oversee how the cyber security framework is put into practice. That means requesting regular reporting, monitoring performance against KPIs, and holding teams accountable for progress.
- Attend and promote training – Board members must themselves participate in cyber security training and promote a culture of security awareness throughout the workforce. This represents a cultural shift, where leadership must “walk the talk” by leading from the front.
For many businesses, where cyber risk has traditionally been seen as a technical rather than a board-level issue, these governance obligations represent a real change in mindset. Fines and liability can be applied not only to the organisation but, in certain cases, to management personnel if these duties are neglected.
Where Integrity360 helps
Because NIS2 is not just a technical challenge but also a governance and supply-chain challenge, organisations benefit from external expertise that spans both. At Integrity360, we work with energy providers and manufacturers across Europe to:
- Map and classify systems subject to NIS2, including cross-border operations.
- Assess gaps in current controls versus national NIS2 requirements.
- Design and implement security improvements such as MFA, network segmentation, endpoint detection, and vulnerability management across IT and OT environments.
- Enhance incident response readiness with playbooks, tabletop exercises and 24/7 monitoring.
- Manage third-party risk through due diligence, contract support and ongoing supplier assessments.
- Provide board-level reporting so senior leaders can demonstrate accountability.
By combining consultancy, managed services and hands-on technical expertise, we help organisations move beyond basic compliance to real-world resilience — reducing the chance and impact of disruptive incidents.
If your organisation operates in energy, manufacturing or any other sector covered by NIS2, the time to act is now. Even where national transposition is delayed, regulators expect companies to be on a path to compliance. A single incident or missed reporting deadline can bring fines, reputational damage and operational disruption.
Start by mapping your obligations across all jurisdictions, assessing your controls and supply chain, and ensuring your board is engaged. Then test your plans before you need them. With the right approach and the right partner, you can turn NIS2 from a compliance headache into a catalyst for stronger, more resilient operations.
To learn how Integrity360 can support your NIS2 compliance journey, speak to one of our specialists today.