Cyber risk has moved from IT to the plant floor. UK manufacturers are seeing disruptive attacks that halt production and ripple through supply chains. This is a resilience issue: protecting uptime, safety and OEE, not just a tick-box exercise.
Regulation is catching up. While the UK is outside the EU, many UK manufacturers sell into the EU or operate EU subsidiaries. NIS2 widened scope and raised expectations across the bloc; Member States were due to transpose it by 17 October 2024, and even where local laws lag, EU customers are already pushing suppliers to prove equivalent controls.
In parallel, the EU Cyber Resilience Act (CRA) introduces cybersecurity requirements for “products with digital elements”—hardware, software and connected services. It entered into force in December 2024 and applies from 11 December 2027, which will influence your procurement specifications, supplier assurance and lifecycle plans.
At home, the UK Cyber Security and Resilience Bill is expected to be published by the end of 2025, with the aim of bringing UK NIS Regulations closer to NIS2. Directors should plan for tighter duties around OT risk management, incident reporting and supplier assurance, while monitoring the Bill’s passage.
Finally, the EU Data Act began applying from 12 September 2025. It governs access to and use of data generated by connected products and related services—think machines, sensors and vendor portals—so it has practical implications for contracts, data rights and switching providers.
Stabilise losses first: robust backups, immutable logging and rehearsed recovery for OT and IT to contain blast radius.
Instrument before capex: establish asset and traffic visibility; risk-rank lines/cells; target spend where it protects throughput.
Design for skills scarcity: standardised HMI/recipes and maintenance workflows to reduce error and speed recovery.
Phased obsolescence: prioritise legacy PLCs, drives and HMIs; bake security into migrations.
Secure by design: segmentation, least privilege, MFA for remote/vendor access, and role-based access to engineering tools.
Where legislation is unsettled, evidence of alignment to recognised frameworks—NCSC CAF outcomes for governance, IEC 62443 for OT controls, plus ISO 27001/NIST CSF where applicable—helps satisfy auditor and customer requirements while improving uptime.
NIS2 pressure via customers/EU sites: expect requests for OT risk assessments, quick-turn incident reporting, governance evidence and supplier due diligence.
Prepare evidence packs: asset inventories, risk registers, vulnerability handling, incident playbooks tied to named roles and rehearsed exercises.
CRA impact on procurement and engineering: introduce cyber clauses now (secure development, update commitments, SBOM, vulnerability disclosure, support lifetime).
From Dec 2027, many digital products placed on the EU market must meet CRA requirements—plan CE-marking checks and supplier attestations.
UK Bill trajectory: anticipate stronger oversight and modernised UK NIS Regulations; align early to CAF so you can demonstrate due diligence regardless of final text.
Data & contracts: update manufacturing and service agreements to reflect EU Data Act data-sharing rights for connected products (including access, switching and use restrictions) and to account for evolving UK data requirements cited by Addleshaw Goddard.
iconsys’ Cyber Assessment (known as the GUARD Framework) is purpose-built for manufacturers. It is aligned to the NCSC Cyber Assessment Framework and mapped to ISA/IEC 62443, giving you one programme that meets regulatory expectations while improving OEE, uptime and safety.
We design around OT realities: legacy assets, vendor access, maintenance windows and safety interlocks.
What you get:
Visibility & detection: passive OT network monitoring to baseline “normal” and flag deviations; log collection into an industrial-aware SOC.
Identity & access: role-based access for engineers and vendors; MFA for remote access; just-in-time credentials for maintenance windows.
Network controls: pragmatic zoning/segmentation, secure jump-hosts, and application-layer filtering for critical cells.
Resilient recovery: offline and immutable backups for controllers and historian; rehearsal of restores on a test bench; clear RTO/RPO per line.
Lifecycle & obsolescence: plan controller migrations with security-ready templates; specify CRA-aware requirements for new equipment.
We also provide contractual clauses and buyer checklists for OT and connected products to reflect CRA-ready procurement language and EU Data Act expectations—so engineering, procurement and legal move in step.
Directors need consistent metrics:
iconsys provides a live dashboard tied to CAF outcomes and line performance so you can evidence progress to auditors and the Board.
In short, the next 24 months are about proving control as much as passing audits.
NIS2 pressure, the UK Cyber Security and Resilience Bill, the EU Data Act and the CRA applying from December 2027 will all raise expectations on how UK manufacturers govern OT risk, segment networks, manage suppliers and recover fast.
The most resilient plants will instrument first, contain blast radius, harden legacy assets and evidence CAF- and IEC 62443-aligned practice.
If you want a pragmatic start that protects uptime while satisfying auditors, begin with the iconsys GUARD cyber assessment and turn compliance into measurable resilience.