
NIS 2 in manufacturing: why it is a challenge and how to approach compliance

Kirey

  

    NIS 2 marks a step change in the way the manufacturing sector addresses cybersecurity. The European Directive has introduced stricter obligations and greater responsibility in a sector that is a cornerstone of the national economy, as well as one of the most exposed to cyberattacks.

    In this article, we will explore why NIS 2 represents a turning point for the manufacturing sector, what challenges lie within the compliance journey, and how to address it in a concrete and effective way.

    Key Points 

    • Manufacturing is among the sectors most affected by cybercrime, accounting for 12.6% of incidents in Italy and facing increasingly impactful attacks on operational continuity.  

    • The NIS 2 Directive introduces stringent obligations on governance, risk management, and incident response, transforming cybersecurity into a continuous and structural process.  

    • Protection against cyber threats is complex due to the presence of integrated IT/OT environments, legacy systems, and extended supply chains. This makes the support of specialized expertise essential.  

    Manufacturing under attack: in Italy it is the second most affected sector 

    According to the latest Clusit report, the manufacturing sector remains firmly among the most targeted by cyberattacks. At a global level, in 2025, attacks against manufacturing increased by 79% compared to the previous year, with a significant rise in their severity: those classified as critical and extreme grew from 20% to 30% of the total.

    The data carries even more weight in the Italian context. In a country with a strong industrial vocation, where production represents a pillar of the economy, manufacturing is the second most affected sector, accounting for 12.6% of total incidents recorded. But why is it so exposed?

    • High strategic importance of the sector

      Targeting a manufacturing company means directly impacting production, the supply chain, and, in some cases, entire industrial ecosystems.  
    • Extremely high costs of downtime

      Even a few hours of downtime can generate significant economic losses, making companies more exposed to blackmail and ransomware.  
    • Complex IT and OT ecosystems

      The coexistence of traditional IT systems and operational technologies (OT) creates large and difficult-to-manage attack surfaces.  
    • Presence of legacy technologies

      Many production environments rely on outdated systems that are now difficult to update or replace. 

    For cybercrime, all this makes manufacturing an ideal target: high impact, a good probability of success, and immediate potential financial returns for attackers.  

    NIS 2 in manufacturing: the 5 key areas to address  

    The NIS 2 Directive imposes a continuous approach to cybersecurity management. It is not enough to adopt individual technical measures: it is necessary to build an organizational model capable of governing risk in a systemic way, involving processes, technologies, and people.  

    Governance and risk management 

    With NIS 2, cybersecurity becomes a permanent item on the top management agenda, which assumes direct responsibility for defining policies and supervising their effectiveness. This does not imply operational technical expertise, but rather the ability to guide, decide, and verify, defining priorities, allocating resources, and assessing risks and results. In this way, security moves beyond the exclusive domain of IT and becomes a lever of corporate governance.

    Alongside this, another central element emerges: the need to adopt a structured cyber risk management system, meaning a continuous process of identifying critical assets, analyzing vulnerabilities, assessing potential impacts, and defining consistent mitigation measures.

    IT/OT convergence and security of production environments  

    One of the key elements of digitalization in manufacturing is the convergence between IT and OT (Operational Technology), where OT refers to systems that directly control production, from PLCs to SCADA systems, including individual actuators and fully automated production lines. This is a distinctive feature of the manufacturing sector compared to many others and, at the same time, one of the most complex to manage.

    OT environments were not originally designed to be exposed to cyber threats. They were built in closed contexts, with absolute priority given to operational continuity, stability, and (physical) safety, rather than protection against external attacks. However, with the increasing integration with IT systems and Industry 4.0 paradigms, these environments become part of an interconnected ecosystem, significantly increasing the attack surface.

    Models such as the Purdue Model help structure this complexity by defining levels and proposing segregation between IT and OT environments. In practice, however, the issue is not only architectural: it concerns the concrete management of interactions between systems with different logics, priorities, and life cycles.
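    As an added illustration of the level-based segregation the Purdue Model proposes (example code written for this article, not code from Kirey or from the original text), the following Python check maps constructed firewall flow records onto assumed Purdue levels and flags traffic that skips the industrial DMZ or originates outside the zone model. The subnet-to-level mapping, the log line format and the sample records are all assumptions made for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Hypothetical subnet-to-Purdue-level mapping (assumed for this example).
ZONES = {
    ip_network("10.0.0.0/16"): 4,    # Level 4: enterprise IT (ERP, mail)
    ip_network("10.3.0.0/24"): 3.5,  # Level 3.5: industrial DMZ
    ip_network("10.2.0.0/24"): 3,    # Level 3: site operations (MES, historian)
    ip_network("10.1.0.0/24"): 2,    # Level 2: supervisory control (SCADA/HMI)
    ip_network("10.1.1.0/24"): 1,    # Level 1: basic control (PLCs)
}
LEVELS = sorted(set(ZONES.values()))  # [1, 2, 3, 3.5, 4]
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

def level_of(ip: str):
    """Return the Purdue level of an address, or None if it is unmapped."""
    addr = ip_address(ip)
    for net, lvl in ZONES.items():
        if addr in net:
            return lvl
    return None

def check_flow(line: str) -> dict:
    """Classify one flow record as 'ok' (same or adjacent level), 'bypass'
    (skips a level, e.g. IT straight to a PLC) or 'unmapped' (endpoint outside
    the zone model, which is a finding in itself)."""
    m = FLOW_RE.search(line)
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    src, dst, dport = m.group(1), m.group(2), int(m.group(3))
    s, d = level_of(src), level_of(dst)
    if s is None or d is None:
        verdict = "unmapped"
    else:  # permitted only between neighbouring levels in the ordered list
        verdict = "ok" if abs(LEVELS.index(s) - LEVELS.index(d)) <= 1 else "bypass"
    return {"src": src, "dst": dst, "dport": dport,
            "src_level": s, "dst_level": d, "verdict": verdict}

def audit(lines):
    """Return only the records a defender should review."""
    return [r for r in map(check_flow, lines) if r["verdict"] != "ok"]

# Constructed sample firewall flow records (not real traffic).
SAMPLE_FLOWS = [
    "2026-03-02T10:15:01Z src=10.0.5.20 dst=10.3.0.10 dport=443 action=allow",   # IT -> DMZ
    "2026-03-02T10:15:03Z src=10.3.0.10 dst=10.2.0.5 dport=1433 action=allow",   # DMZ -> L3
    "2026-03-02T10:15:07Z src=10.0.5.20 dst=10.1.1.7 dport=502 action=allow",    # IT -> PLC
    "2026-03-02T10:15:09Z src=192.168.50.4 dst=10.1.0.8 dport=22 action=allow",  # unmapped
]
```

Running `audit(SAMPLE_FLOWS)` returns the third and fourth records: an enterprise host reaching a PLC directly on port 502 and an address outside the model reaching an HMI, which are exactly the interactions a segregation review should surface.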

    NIS 2 does not explicitly address OT, but by imposing a 360-degree approach to security, it inevitably involves it. This is where one of the most relevant challenges for manufacturing emerges: protecting critical environments without compromising their functioning and, consequently, the physical safety of operators. This is a delicate balance that requires specific industrial security expertise, well beyond traditional IT cybersecurity.

    Supply chain security

    NIS 2 extends the scope of security by introducing a key principle: responsibility does not end with one’s own cyber posture, but also extends to the entities with which the organization is interconnected.

    For the manufacturing sector, the challenge is complex because companies operate within structured, often global supply chains, composed of suppliers, logistics partners, subcontractors, and technology integrators. Each of these actors can represent a potential entry point and vulnerability for a cyberattack.

    The EU Directive requires mapping, assessing, and managing risk across the entire supply chain, introducing security criteria into supplier selection and management processes: defining minimum security standards, verifying adopted measures, and monitoring potential issues over time.

    Continuous training and security culture  

    NIS 2 recognizes the human factor as one of the main sources of risk and, at the same time, a lever to strengthen the security posture. For this reason, the Directive requires companies to structure continuous training programs, not limited to sporadic initiatives, but integrated into business processes.  

    Incident response and notification obligations

    Another pillar of NIS 2 is the ability to manage incidents promptly and effectively. The Directive introduces strict notification obligations: a significant attack must be reported to the competent authorities within 24 hours of its identification.

    This requirement implies a change of approach. It is no longer sufficient to react in an ad hoc manner: it is necessary to have structured incident response processes, with defined roles, codified procedures, and the ability to quickly detect anomalous events.

    For manufacturing companies, the challenge is twofold: on the one hand, ensuring visibility across complex and distributed environments; on the other, intervening without compromising operational continuity.

    NIS 2 in manufacturing: how to address compliance effectively   

    The path toward NIS 2 compliance is now operational. The organizations involved must implement all required technical and organizational measures by October 1, 2026, making this a priority for many of them.

    Beyond the individual milestones, NIS 2 introduces a continuous security management model. For this reason, in manufacturing it is essential to adopt a gradual and progressive approach that takes into account the complexity of production environments and real business priorities. Here are some recommendations.

    1.  Start from risk, not from the checklist  

      A purely compliance-driven approach can lead to inefficient investments. It is more effective to start by mapping critical processes, assets, and potential business impacts, defining clear priorities and progressive actions. Subsequently, a gap analysis will identify deviations from Directive requirements and enable the creation of a consistent remediation plan.  
    2.  Involve the business early, not just IT 

      NIS 2 requires decisions that impact production, supply chain, and organization. Without direct and immediate involvement of business functions and management, there is a risk of creating models that are difficult to apply in practice and not fully compliant with European regulations. 
    3.  Assess current cyber capabilities 

      In addition to mapping processes and assets, it is essential to objectively analyze existing security measures. Significant imbalances may emerge: organizations strong in prevention but weak in detection or incident response, or lacking properly tested business continuity and disaster recovery plans. 
    4.  Build skills and choose the right partners  

      The complexity of NIS 2, especially in the manufacturing context, makes it difficult to address the journey exclusively with internal resources. For this reason, relying on partners with specific experience in the industrial sector becomes a key factor. 

    NIS 2 and manufacturing: our support for stronger and more productive companies  

    At Kirey, we help companies strengthen their security posture and ensure compliance with both general and sector-specific regulations. In the case of NIS 2, our goal is not only to meet regulatory requirements, but to build solid, resilient, and aware organizations, capable of addressing the risks of digitalization and turning them into a competitive advantage.

    Contact us to find out how we can support your company toward more mature, effective, and sustainable security over time.
