The NIS 2 Directive (Network and Information Security Directive) significantly expands cybersecurity obligations across key sectors, including manufacturing. This article examines how the regulation affects supply chains, requiring manufacturers to implement enhanced cyber risk management, incident reporting procedures, and third-party oversight.
As digital threats become more sophisticated, NIS 2 prompts manufacturers to view cybersecurity as a core operational issue, rather than just an IT concern. This article examines the implications of NIS 2 for the manufacturing sector, the growing importance of supply chain resilience as a strategic imperative, and the role of leadership in meeting the regulatory and operational demands of a digitally secure future.
This article was written by Herman Annink ([email protected]) and Marius Ungureanu ([email protected]). Marius and Herman are part of RSM Netherlands Business Consulting Services, specifically focusing on International Trade and Strategy.
Complexity of modern supply chains
The NIS 2 Directive places an unprecedented emphasis on the security of supply chains, recognizing them as a critical vector for cyber threats and a key area for increasing overall resilience within the EU. For manufacturing entities, this translates into a significant expansion of responsibility, extending beyond their own digital borders to encompass the cybersecurity posture of their direct and indirect suppliers and service providers.
Modern manufacturing supply chains are long and global, yet few manufacturers maintain a working relationship with, or reliable insight into, suppliers beyond Tier 1. This leaves them exposed: they must vouch for a final product whose upstream inputs they cannot fully see, and the problem compounds as the products they deliver become more complex. To meet NIS 2 obligations, manufacturers will need visibility into their Tier 2 and Tier 3 suppliers regardless of geographical location. How hard that can be is illustrated by a journalistic investigation that found unidentified electronic components in imported equipment destined for Denmark's energy supply network.
A crucial aspect of NIS 2 is its classification of regulated organisations into two categories, Essential Entities and Important Entities. The category depends on both the sector annex an organisation falls under and its size. Annex I lists "sectors of high criticality"; Annex II lists "other critical sectors", which is where manufacturing appears. As a rule, large enterprises in Annex I sectors are essential entities, while medium-sized enterprises in Annex I sectors and medium-sized or large enterprises in Annex II sectors are important entities; manufacturers will therefore generally be important entities. The size thresholds follow the EU SME definition (Commission Recommendation 2003/361/EC): an enterprise is at least medium-sized if it has 50 or more employees, or an annual turnover and an annual balance sheet total both exceeding EUR 10 million; it is large if it has 250 or more employees, or an annual turnover exceeding EUR 50 million and a balance sheet total exceeding EUR 43 million. However, Article 2(2) brings certain entities into scope regardless of size, for example if they are the sole provider in a Member State of a service essential for the maintenance of critical societal or economic activities, if disruption of their service could have a significant impact on public safety, public security or public health, or if such disruption could induce significant systemic risk, particularly with cross-border implications.
Annex II of the NIS 2 Directive specifically enumerates several manufacturing sub-sectors:
- Manufacture of medical devices and in vitro diagnostic medical devices;
- Manufacture of computer, electronic and optical products;
- Manufacture of electrical equipment;
- Manufacture of machinery and equipment not elsewhere classified;
- Manufacture of motor vehicles, trailers and semi-trailers;
- Manufacture of other transport equipment (e.g., aerospace, railway, shipbuilding).
Key components of the NIS 2 directive
Article 21(2) requires the risk-management measures of essential and important entities to be based on an "all-hazards approach". In the context of supply chains, this implies that manufacturers must consider a broad spectrum of potential threats. This extends beyond direct cyberattacks targeting suppliers to include risks such as the introduction of counterfeit or tampered hardware components, the physical security of a supplier's facilities, and even geopolitical instability affecting a supplier's operational integrity or trustworthiness.
Effectively addressing these comprehensive supply chain security requirements will necessitate a significant shift in how manufacturing organizations operate. The traditional silos between cybersecurity, procurement, and legal departments are no longer practicable. Article 21(2)(d) names supply chain security, including the security-related aspects of the relationship between the entity and its direct suppliers and service providers, as a required measure, and Article 21(3) requires entities to take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of their cybersecurity practices, a task requiring deep collaboration between departments. Simultaneously, Article 20 places accountability for compliance on management bodies. Implementing these requirements will inevitably involve adding specific clauses to supplier contracts, while the selection, vetting and management of suppliers remain core procurement responsibilities. Therefore, a cohesive, integrated approach involving close collaboration between departments is crucial for achieving holistic supply chain risk management under NIS 2.
Article 20 fundamentally reshapes the role and responsibility of leadership within manufacturing entities concerning cybersecurity. It mandates that Member States ensure the management bodies (e.g., boards of directors, C-suite executives) of both essential and important entities:
- Approve the cybersecurity risk-management measures adopted by the entity to comply with the stringent requirements of Article 21;
- Oversee the effective implementation of these approved measures;
- Can be held personally liable for infringements of Article 21 committed by the entity;
- Are required to undergo training to acquire sufficient knowledge and skills to identify cyber risks, assess the adequacy of cybersecurity risk-management practices, and understand their impact on the services provided by the entity.
This provision effectively shifts supply chain cybersecurity from a predominantly IT-department concern to a core duty of an organization's management. The potential for personal liability of senior management serves as a powerful incentive to ensure that supply chain security receives the necessary attention, resources, and strategic oversight.
Furthermore, the mandatory training requirement for management bodies (Article 20(2)) will necessitate the development and provision of specialized training programs. Given that Article 21 explicitly includes supply chain security as a core risk management area, such training must cover the unique cyber risks inherent in manufacturing supply chains. Generic cybersecurity awareness will likely prove insufficient. Instead, training tailored to the manufacturing sector will be required, addressing specific threats such as compromised Industrial Control Systems (ICS), risks associated with remote access by service providers, and strategies for overseeing effective mitigation measures.
Article 21 is one of the crucial aspects of the NIS 2 Directive, compelling essential and important entities to implement "appropriate and proportionate technical, operational and organisational measures" to manage the risks posed to the security of their network and information systems. Crucially, these measures must explicitly address risks arising from their supply chains.
The article lists a minimum set of ten cybersecurity risk-management measures (Article 21(2)(a) to (j)). Several of these have direct and profound implications for supply chain security. The most direct mandate concerning suppliers is Article 21(2)(d), which names supply chain security, including the security-related aspects of the relationship between the entity and its direct suppliers or service providers, as a required measure. Article 21(3) spells out what this involves: entities must take into account the vulnerabilities specific to each direct supplier and service provider, the overall quality of their suppliers' products and cybersecurity practices, including their secure development procedures, and the results of any Union-level coordinated security risk assessments of critical supply chains carried out under Article 22.
While Article 21(2)(d) explicitly refers to "direct suppliers or service providers", the overarching "all-hazards approach" and the general risk-management obligation could be interpreted by national competent authorities as requiring an understanding and mitigation of critical indirect supplier risks (i.e., Tier 2 and Tier 3 suppliers). This is particularly relevant where a direct supplier's ability to deliver a critical component or service depends heavily on a sub-supplier with known vulnerabilities. Failing to consider such foreseeable, high-impact indirect risks could be viewed as not taking "appropriate and proportionate" measures.
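The two points made above, that visibility must extend past Tier 1 and that a flagged sub-supplier can expose a direct supplier through a single critical component, are easiest to see on a concrete bill of materials. The following script is an added illustration written for this article, not code from the authors, RSM or any regulator. It models the supply network as a graph (buyer to the suppliers able to deliver each component), walks it tier by tier, reports every path from the manufacturer to a supplier on a watch list, and lists the sole-source points at every tier. All supplier names, components and the flagged entry are invented for the example.

```python
from collections import deque

# Constructed sample bill of materials (hypothetical supplier names).
# Structure: buyer -> {component: [suppliers able to deliver that component]}.
# "us" is the manufacturer; its direct suppliers are Tier 1.
SUPPLY_GRAPH = {
    "us": {
        "control-unit": ["AcmeAssembly"],
        "enclosure": ["MetalWorks", "CastingCo"],
    },
    "AcmeAssembly": {
        "mcu": ["ChipCo", "AltChip"],
        "fpga": ["LogicWorks"],
    },
    "LogicWorks": {
        "ip-core": ["CoreVendor"],
    },
    "MetalWorks": {},
    "CastingCo": {},
    "ChipCo": {},
    "AltChip": {},
    "CoreVendor": {},
}

# Constructed watch list: suppliers with a known, unmitigated issue (in practice
# this could come from an Article 22 coordinated risk assessment or a vendor
# advisory). Hypothetical entry for the example.
FLAGGED = {"CoreVendor"}


def supplier_tiers(graph, root="us"):
    """Breadth-first walk from the manufacturer; returns {supplier: tier}.

    Tier 1 are direct suppliers; BFS guarantees each supplier gets its
    shortest distance when it appears at several depths.
    """
    tiers = {}
    queue = deque([(root, 0)])
    while queue:
        node, depth = queue.popleft()
        for suppliers in graph.get(node, {}).values():
            for supplier in suppliers:
                if supplier not in tiers:
                    tiers[supplier] = depth + 1
                    queue.append((supplier, depth + 1))
    return tiers


def exposure_paths(graph, flagged, root="us"):
    """Every supply path from root to a flagged supplier.

    A path is a list of (buyer, component, supplier) hops, so the output shows
    exactly which Tier 1 relationship and which component carry the exposure.
    """
    paths = []

    def walk(node, path, seen):
        for component, suppliers in graph.get(node, {}).items():
            for supplier in suppliers:
                if supplier in seen:      # guard against cyclic supply data
                    continue
                hop = path + [(node, component, supplier)]
                if supplier in flagged:
                    paths.append(hop)
                walk(supplier, hop, seen | {supplier})

    walk(root, [], {root})
    return paths


def exposed_tier1(graph, flagged, root="us"):
    """Direct suppliers whose upstream chain reaches a flagged supplier."""
    return {path[0][2] for path in exposure_paths(graph, flagged, root)}


def sole_source_points(graph, root="us"):
    """Components at any tier that have exactly one qualified supplier.

    Each is a (buyer, component, supplier) triple: a single point of failure
    regardless of whether the supplier is currently flagged.
    """
    reachable = [root] + list(supplier_tiers(graph, root))
    points = []
    for buyer in reachable:
        for component, suppliers in graph.get(buyer, {}).items():
            if len(suppliers) == 1:
                points.append((buyer, component, suppliers[0]))
    return points


if __name__ == "__main__":
    for supplier, tier in sorted(supplier_tiers(SUPPLY_GRAPH).items(), key=lambda t: t[1]):
        print(f"Tier {tier}: {supplier}")
    for path in exposure_paths(SUPPLY_GRAPH, FLAGGED):
        print("exposure:", " -> ".join(f"{b}[{c}]{s}" for b, c, s in path))
    for buyer, component, supplier in sole_source_points(SUPPLY_GRAPH):
        print(f"sole source: {buyer} buys {component} only from {supplier}")
```

On the constructed data the walk places CoreVendor at Tier 3, shows that the only flagged supplier is reached through AcmeAssembly via the fpga sourced from LogicWorks, and lists three sole-source points along that same chain. That is the kind of finding a procurement and security review would need in order to argue that an indirect risk was foreseeable and to decide whether contractual flow-down, dual sourcing or a supplier assessment is the proportionate response.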
What does it mean for businesses?
Firstly, manufacturers will be obligated to implement a baseline of security measures, including policies on risk analysis, incident handling, business continuity and crisis management, and the security of their information systems. The directive also introduces stricter and more harmonized incident reporting obligations (Article 23). Manufacturers must notify their national CSIRT or, where applicable, the competent authority of significant incidents without undue delay and in stages: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours that updates the early warning and gives an initial assessment of severity and impact, and a final report no later than one month after the incident notification. Where appropriate, recipients of their services who may be affected must also be informed. This staged approach aims to enable a faster and more coordinated response to large-scale cyber threats.
Secondly, manufacturers will need to assess and address the cybersecurity practices of their direct suppliers and service providers. This involves incorporating cybersecurity considerations into contractual agreements and conducting due diligence to ensure their partners meet required security standards. The directive underscores that the security of the entire ecosystem is only as strong as its weakest link.
Forward thinking
As digital transformation continues to integrate IT and OT (Operational Technology) systems within manufacturing, the attack surface for cyber threats expands. NIS 2 compels manufacturers to adopt a holistic view of cybersecurity, embedding it into their operational strategies and fostering a culture of security awareness across all levels of the organization and its supply network. This proactive approach is essential not only for compliance but also for ensuring operational resilience, protecting intellectual property, and maintaining trust with customers and partners in an increasingly interconnected and hostile digital landscape. The transition to NIS 2 compliance will require significant effort and investment but ultimately aims to bolster the overall cybersecurity posture of a critical sector for the EU economy.
RSM is a thought leader in the field of Strategy and International Trade consulting. We provide frequent insights through training and the sharing of thought leadership, based on a detailed understanding of industry developments and practical applications gained from working closely with our customers. For more information, please contact one of our consultants.