NIS-2 Directive: risks, penalties and impacts for industry

Updated: Jan. 2026

European NIS-2 Directive: strengthening cybersecurity for industrial players

In a context where digital security has become a major issue, the new NIS2 Directive represents a decisive turning point. Its aim is to strengthen cybersecurity within the EU and it will come into force in our country in October. 2,400 companies are affected in Belgium and 66% of manufacturers surveyed by B2C Engineering have no idea what implications this will have for their business.

Background and objectives of the NIS-2 Directive

In Liège, Belgium, and across Europe, the situation is the same: many companies are now faced with obsolete infrastructure and systems marked by critical vulnerabilities. This urgency is further accentuated by the emergence of Industry 4.0, which relies, among other things, on the interconnection and complete digitisation of industrial processes. In this context of increasing digitalisation, equipment not originally designed for external use is now exposed on the internet, increasing the risk of loss of control.

Cybersecurity is therefore becoming a priority not only for the protection of systems and production tools, but also for the safeguarding of sensitive data belonging to companies, their employees and their customers. Faced with the increased risk of data leaks, companies must comply with rigorous standards to prevent any breaches that could expose them to major legal and financial risks.

A response to cybercrime for 2,400 Belgian companies

The NIS2 Directive significantly broadens the scope of organisations subject to cybersecurity obligations, particularly in the industrial sector.

‘Cybercriminals act for a variety of reasons,’ explains Benjamin Beaurang, administrator of B2C Engineering, based in Fexhe-le-Haut-Clocher in the Liège region, but also operating in France, Luxembourg and Switzerland.

‘The lure of financial gain is one of the main motivations, particularly through ransom demands in exchange for the return of stolen data or the restoration of IT systems. For others, hacking is a technical challenge and a source of entertainment, a way to test and demonstrate their skills.’

Gregory Putman, Sales Specialist Industrial Networks & Security at SIEMENS, adds: ‘Other cybercriminals are hired by companies to sabotage the competition. And then there are terrorist motives, where cyberattacks aim to cause significant damage, such as altering the water supply to harm the population.’

Portrait of Gregory Putman, Siemens partner

The new European NIS2 Directive on Network and Information System Security must be transposed into the national legislation of each European Union member state by 17 October 2024. It was already passed in Belgium in April 2024. It is intended to be an effective response to cybercrime, which is very prevalent in Europe.

Which industrial companies are affected by the NIS-2 Directive?

Targeted industrial sectors and activities

The new directive will now apply to a wider range of companies. It will cover almost all medium-sized and large enterprises. In Belgium, more than 2,400 companies are affected by the implementation of the NIS2 directive.

This includes the energy, water, transport, health, chemical, pharmaceutical and agri-food sectors, as well as manufacturers operating critical infrastructure or systems.

The directive distinguishes between essential entities and important entities. This classification determines the level of regulatory requirements, the frequency of inspections and the severity of penalties in the event of non-compliance.

What are the obligations imposed by the NIS-2 Directive?


Portrait of Charles, director at B2C Engineering

‘Currently, many manufacturers are reluctant to report cyberattacks for fear of losing their customers’ trust. This reluctance often leads them to pay the ransoms demanded by cybercriminals in order to avoid bad publicity and preserve their image,’ adds Charles Costa, director at B2C Engineering and cybersecurity advisor.

Risk management, resilience and business continuity

With the entry into force of the NIS2 Directive in October, specific and operational cybersecurity obligations apply to both IT systems and industrial OT environments.

These include:

  • securing access,
  • segmenting industrial networks,
  • protecting supervision and control systems.

The directive requires a structured approach to cyber risk management, incorporating threat identification, prevention, system resilience and the ability to maintain operations in the event of an incident.

Detection, reporting and management of cybersecurity incidents

In addition, manufacturers will now be required to report any cyber attacks they suffer. This will be the first time that a law will require companies to inform the authorities of such incidents, thereby enhancing transparency and security in the sector.

All significant incidents must be reported in three stages:

  • An early warning within 24 hours (if the incident is likely to spread)
  • A full incident report within 72 hours (as with the GDPR)
  • A final report within one month

What penalties apply for non-compliance with NIS-2?

NIS2 does not simply continue the efforts initiated previously by NIS1, namely: the obligation for national authorities to devote more capacity to cybersecurity, the strengthening of European cooperation between cybersecurity authorities, and the increase in the number of important operators and critical sectors in our society.

It breaks new ground by promoting the implementation of training programmes, consolidating access and imposing greater responsibility on company management.

Companies will have to adopt proportionate technical and organisational measures to manage risks.

In the event of non-compliance with this directive, a warning will be issued to the manufacturer. Then, if no improvement is observed, the fine may be up to €10 million or 2% of total annual turnover for essential entities and up to €7 million for important entities.

In addition, if an attack occurs and the company is not compliant with NIS-2, the director(s) will be held liable.

66% of manufacturers* are completely unclear about the new NIS-2 directive

While our teams are pioneers in helping manufacturers comply with this regulation, our Liège-based group did not wait for the new European directive to make cybersecurity a priority.

Every year, we support more than fifteen companies in the field of cybersecurity, either because they have been the target of a cyberattack or to secure their sometimes highly confidential data, as in the pharmaceutical sector.

‘Our clients are expressing a growing need for industrial cybersecurity, an area that has been neglected for too long,’ emphasises Charles Costa. ‘We are therefore called upon to develop tailor-made compliance strategies, offering cutting-edge solutions. But our ambition is to intervene upstream, preventing cyberattacks rather than simply reacting to their consequences. Fortunately, our clients don’t limit themselves to crisis situations!’

Last May, B2C organised its Solutions Days 2024, a triple event held in Namur, Valenciennes and Lyon and reserved for manufacturers. Among the panel of speakers and/or guests were big names such as ArcelorMittal, Groupe Spadel, Orange, Siemens, Aveva, Micromedia, Wallix, KEB, Valfrance Semences, BT4DM, UCB, Auvesy, Sonaca, Prayon, SWDE and GSK.

Photo of the B2C Engineering Solutions Days in Namur

The event was an opportunity to take stock of the latest technological innovations and ask companies about the new European regulations.

  • Question asked to the 80 participants: ‘How aware are you of the implementation of the NIS-2 directive in October 2024?’
  • Answer: 66% of the manufacturers surveyed admit to having no idea or only a vague knowledge of the subject. This is an alarming figure, given that the new directive is due to come into force very soon.

B2C Engineering supports manufacturers

Rely on specialised support

‘Cyberattacks don’t just happen to other people,’ warns Benjamin Beaurang, administrator at B2C Group. ‘Some of our customers almost went out of business after losing all their backups. Other companies found themselves shut down for several months or were subjected to ransom demands. Fortunately, our engineers were able to work small miracles… But with the adoption of the European directive, all companies will now be required to strengthen their security measures.’

At B2C, our engineers are tasked with designing and securing industrial networks using firewalls or updating existing infrastructure to eliminate vulnerabilities. To do this, they integrate tailor-made solutions based on products from partners such as Siemens, Stormshield, Auvesy, Wallix and Darktrace.

The aim is to meet immediate requirements, but also to anticipate future developments, thus ensuring lasting and effective protection.

Assessing your level of industrial cybersecurity

We also assist manufacturers with regulatory compliance:

  1. Conducting a comprehensive audit in this area
  2. Proposing a multi-year plan
  3. Implementing compliance measures, including policies and procedures
  4. Restructuring the network and its equipment
  5. Installing a network monitoring system

NIS-2 Directive: key points for manufacturers to remember

Key obligations

NIS2 requires enhanced cybersecurity measures, structured risk management, incident response capabilities and increased accountability for senior management.

Regulatory and strategic challenges

For manufacturers, the NIS2 directive is a lever for securing operations, regulatory compliance and credibility with partners and authorities.

*According to a survey conducted during the Solutions Days 2024 events organised by B2C Engineering in Namur, Valenciennes and Lyon, based on 80 people interviewed.