Digital transformation, automation, and the Industrial Internet of Things (IIoT) are driving unprecedented efficiency and innovation. However, as manufacturers become more reliant on interconnected systems and data exchange, they also become more exposed to cyber threats. Recent developments, including the European Union's NIS 2.0 Directive and the Cyber Resilience Act (CRA), reflect the growing urgency of bolstering cybersecurity across supply chains and critical industries.
Both NIS 2.0 and the CRA are designed to address the evolving cyber threat landscape. Their implications for manufacturers and their supply chains are profound, signalling a new era of regulation, accountability, and security. Manufacturers must now not only focus on physical production processes but also ensure that their digital infrastructure is resilient and compliant with these new regulatory standards.
The Growing Importance of Cybersecurity in Manufacturing
Manufacturing, traditionally seen as a physical and operational industry, has embraced digital transformation at scale. From predictive maintenance powered by AI to real-time production monitoring through IIoT sensors, digital solutions have transformed how factories operate. These advancements offer manufacturers competitive advantages in efficiency, cost control, and product quality.
However, the increasing digitalisation of manufacturing operations has also exposed new vulnerabilities. Ransomware, intellectual property theft, and supply chain compromises have demonstrated the risks of an insecure digital infrastructure. The NotPetya attack of 2017 is the standard example: it entered victims through a poisoned update of a widely used accounting package, spread across internal networks, and caused billions of dollars in losses at manufacturers and logistics firms through production stoppages and supply chain failures. It was, in other words, a supply chain attack with physical consequences, and it underscored the need for stronger cybersecurity measures well beyond the corporate IT perimeter.
This is where NIS 2.0 and the Cyber Resilience Act come into play. These regulations aim to protect not just individual companies but the entire ecosystem of critical infrastructure, including supply chains that are integral to manufacturing operations.
NIS 2.0: Extending Cybersecurity Responsibility
The NIS 2.0 Directive is an evolution of the original NIS Directive of 2016, which was the first EU-wide legislation on cybersecurity. NIS 2.0 expands the scope to a broader range of sectors, including manufacturing, classifies in-scope organisations as essential or important entities, and imposes stricter risk-management and reporting requirements on them, backed by management liability and fines.
One of the key changes in NIS 2.0 is its focus on making supply chain security an integral part of any company's cybersecurity strategy. Under this directive, manufacturers must take steps to ensure that their suppliers, partners, and service providers adhere to robust cybersecurity standards. This is a critical change, as supply chain attacks, where attackers infiltrate a company through its third-party vendors, are on the rise.
NIS 2.0 also introduces mandatory incident reporting requirements. Manufacturing companies will need to notify the competent authority or CSIRT of significant cyber incidents, such as data breaches or disruptions in production systems, on a fixed timeline: an early warning within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours, and a final report within one month. The early-warning deadline is the practical one to plan for, since it means the decision "is this incident significant, and who files the notification" must already be settled before an incident occurs.
For manufacturing leaders, this means a more proactive approach to cybersecurity. Companies must now assess and continuously monitor the cybersecurity posture of their entire supply chain, from software vendors to logistics providers. A weak link in the chain could expose the entire operation to risk.
The Cyber Resilience Act: Security by Design
Complementing NIS 2.0, the Cyber Resilience Act (CRA) takes aim at the security of hardware and software products themselves. It applies to products with digital elements placed on the EU market, regardless of the sector that buys them, and imposes obligations on their manufacturers (and, to a lesser degree, importers and distributors): cybersecurity must be considered from the design phase through the entire product lifecycle, vulnerabilities must be handled and patched for a declared support period, and actively exploited vulnerabilities must be reported. In essence, this regulation seeks to ensure that products used within critical industries, including manufacturing, are secure by design and stay secure in the field.
The Cyber Resilience Act targets the root of many cybersecurity issues—poorly designed or inadequately secured products. By enforcing stringent cybersecurity standards on the developers and manufacturers of digital products, the CRA aims to close gaps that could be exploited by cybercriminals. This is particularly relevant for manufacturing, where interconnected systems such as SCADA (Supervisory Control and Data Acquisition), MES (Manufacturing Execution Systems), and IIoT devices are integral to daily operations.
For manufacturers that buy and operate such products, the CRA is mainly felt through procurement: they should work closely with technology providers to confirm that software and hardware carry CRA conformity, have a stated support period with ongoing security updates, and come with a vulnerability disclosure channel so that flaws are addressed promptly. Manufacturers that sell their own connected products or software fall directly under the CRA and will need to embed security into every stage of development, from the initial design to post-deployment maintenance, and to document it. Software built purely for internal use and never placed on the market is generally outside the CRA's scope, but NIS 2.0's risk-management duties still apply to it.
Supply Chain Implications: A New Era of Accountability
As manufacturers grapple with NIS 2.0 and the Cyber Resilience Act, the role of the supply chain becomes a central focus. Supply chains are no longer just a matter of logistics and production efficiency; they are now a key component of an organisation’s cybersecurity posture.
Consider the example of a manufacturer using IIoT devices to track real-time performance across multiple factories. These devices, often produced by third-party vendors, are connected to the manufacturer's central IT systems. A vulnerability in just one of these devices could give an attacker a foothold on the manufacturer's network, from which to disrupt operations or steal sensitive data. The two regulations divide the responsibility: under the CRA, the device vendor is accountable for shipping and maintaining a secure product; under NIS 2.0, the manufacturer operating the devices is accountable for selecting suppliers with that in mind, keeping the devices patched, and limiting what a compromised device can reach, for example by segmenting the plant network from corporate IT.
Moreover, supply chain attacks have become increasingly sophisticated. Attackers now target weaker third-party vendors, such as software suppliers or logistics providers, knowing that these companies may not have the same level of cybersecurity as larger manufacturers. Once inside a vendor's systems, they can pivot to the manufacturer itself through trusted connections, shared credentials, or a tampered software update. By enforcing cybersecurity standards across the entire supply chain, NIS 2.0 and the CRA aim to close these gaps and prevent attacks that could cause widespread disruption.
The Path Forward: Building a Cyber-Resilient Supply Chain
For manufacturing leaders, navigating these new regulations will require a multi-faceted approach. Cyber resilience must become a core pillar of both operational strategy and supply chain management. Here are some key steps manufacturers should consider:
1. Supply Chain Audits: Manufacturers must assess the cybersecurity posture of their suppliers and partners. This involves regular audits, contracts with cybersecurity clauses (patch timelines, vulnerability disclosure, and an obligation to notify the manufacturer of incidents quickly enough for it to meet its own 24-hour early-warning deadline), and continuous monitoring of third-party risks.
2. Collaboration with Technology Providers: To benefit from the Cyber Resilience Act, manufacturers should work closely with their technology providers to confirm that digital products and systems meet the required security standards, including a declared support period and a software bill of materials that shows what components a product actually contains.
3. Incident Response Planning: Under NIS 2.0, incident reporting is mandatory. Manufacturers must have a clear incident response plan in place, covering both IT and production systems, that lets them quickly identify and mitigate cyber incidents while meeting the regulatory reporting timeline.
4. Employee Training: Cyber resilience starts with people. Manufacturers must invest in training their workforce to recognise potential cyber threats and follow best practices for cybersecurity.
5. Continuous Improvement: Cyber threats evolve constantly. Manufacturers must adopt a mindset of continuous improvement, regularly updating their security measures and adapting to new threats.
Conclusion: Cybersecurity as a Competitive Advantage
In today's interconnected world, cybersecurity is no longer just an IT issue; it is a business imperative. For manufacturers, compliance with NIS 2.0 and the Cyber Resilience Act is not just about avoiding fines or meeting regulatory requirements. It is about ensuring the resilience of their entire operation and the supply chains that support it.
By taking a proactive approach to cyber resilience, manufacturers can safeguard their operations, protect their intellectual property, and build trust with customers and partners. In the long run, a secure and resilient supply chain will become a competitive advantage in a world where the digital and physical realms are inextricably linked.
Manufacturing leaders who embrace these changes and invest in robust cybersecurity practices will be well-positioned to thrive in an increasingly digital and interconnected industry.