Plant & Works Engineering Magazine October/November 2025

Focus on: Smart Maintenance

NIS2 sets out a minimum set of cybersecurity measures that all in-scope organisations must implement. These include asset management, incident handling, business continuity, supply chain security, and the use of encryption and multi-factor authentication. Importantly, supply chain security is no longer optional: companies must actively assess the cybersecurity practices of their suppliers, monitor for vulnerabilities, and document mitigation measures.

Reporting obligations are also far stricter than before. Organisations must provide an early warning of a severe incident within 24 hours, submit a more detailed incident notification within 72 hours, and deliver a final report within one month. Failure to comply can result in severe fines: up to 2% of global turnover or €10 million for essential entities. Beyond financial penalties, senior management can also be held personally liable for failures to comply with the directive.

Why OT security is a priority

For manufacturers, one of the most significant changes under NIS2 is the explicit inclusion of OT systems. These systems manage essential industrial functions, from assembly lines to energy management. Unlike IT systems, OT environments are often designed for reliability and safety rather than cybersecurity. Many run on outdated software, making them easy targets for attackers.

The European Union Agency for Cybersecurity (ENISA) has repeatedly warned that ransomware remains the most serious threat to industrial operations. Its reports show that attackers are increasingly exploiting unpatched OT systems and moving laterally from IT to OT networks once they gain a foothold. By bringing OT into the scope of NIS2, regulators are making clear that manufacturers can no longer treat it as separate from, or immune to, cyberattacks.
Comparing the UK and EU approaches

While the UK Bill and NIS2 share many similarities, there are important differences. Both emphasise accountability at the executive level, but the EU goes further by making senior managers personally liable for compliance failures. Both require organisations to manage supply chain risks, but NIS2 mandates specific processes and coordinated risk assessments. The UK framework is likely to be more flexible, giving regulators discretion in how requirements are applied across different industries. The EU framework, in contrast, is more prescriptive, aiming to harmonise cybersecurity standards across all member states. For manufacturers operating in both regions, this means navigating overlapping but distinct obligations, which will require careful coordination of compliance strategies.

The ransomware challenge

Ransomware is a unifying theme across both sets of regulations. Manufacturing is particularly vulnerable because downtime translates directly into financial loss. Attackers know that production stoppages create pressure to pay ransoms quickly, making manufacturers attractive targets. Both the UK Bill and NIS2 encourage organisations to adopt a defence-in-depth approach to ransomware resilience. This includes network segmentation to separate IT and OT, secure remote access controls for suppliers, regular patching where possible, and robust backup and recovery strategies. Organisations must also test these measures in realistic scenarios, ensuring they can respond quickly under pressure.

Preparing for compliance

For manufacturers, preparing for these regulations is not just about avoiding fines; it is about safeguarding business continuity. Specific OT cybersecurity policies and procedures are a fundamental part of NIS2 and will define the organisation's approach to securing the OT environment. The following steps are critical:

- Conduct a thorough inventory of IT and OT assets, identifying those critical to operations.
- Implement a Cyber Security Management System and establish a risk management strategy.
- Map supply chains and evaluate the cybersecurity maturity of key partners.
- Establish and test incident response procedures, ensuring OT scenarios are included.
- Invest in scalable OT security technologies, such as asset and vulnerability management, industrial intrusion detection and secure remote access tools.
- Provide regular cybersecurity training for staff at all levels, from engineers on the factory floor to executives in the boardroom.

By taking these steps now, manufacturers can build resilience that meets regulatory requirements while also protecting their reputation, customer trust, and long-term competitiveness.

The UK Cyber Security and Resilience Bill and the EU's NIS2 Directive represent a significant shift in the cybersecurity landscape for manufacturers. Both frameworks underline the growing importance of protecting operational technology, managing supply chain risks, and building resilience against ransomware. The consequences of non-compliance are severe, but the potential benefits of compliance, such as greater operational resilience, stronger customer trust, and reduced exposure to cyber threats, are just as significant.

For manufacturers, the message is clear. Cybersecurity is no longer a matter for the IT department alone. It is a board-level priority and a critical element of business resilience. At its core, cybersecurity is about more than protecting factories or supply chains; it is about safeguarding our everyday lives, ensuring the safety of workers, communities, and the essential services we all depend on. Those who act now to strengthen their defences will not only comply with new laws but also gain a competitive advantage in a digital-first industrial era.

For further information please visit: https://www.rockwellautomation.com/engb.html
