The European Union’s NIS2 and Its Implications for American Defense Manufacturers

In 2022, the European Union (E.U.) launched the Network and Information Security Directive 2 (NIS2) to enhance cybersecurity protocols and compliance measures across a range of industries of varying sizes, as well as criticality and importance to Member States. These sectors include energy, transport, digital infrastructure, healthcare, and manufacturing entities. As a directive, NIS2 serves as a foundational regulatory framework for each Member State to implement according to the individualized needs of the State. Although the deadline for NIS2 implementation has passed, only 14 out of the 27 Member States have adopted national legislation. To date, there are no carveouts in the reporting requirements for corporations that operate in multiple states, nor any for foreign nations like the U.S. This raises the question: how can American defense manufacturers operating within the E.U. comply with the strict cybersecurity incident reporting requirements of the U.S. and the E.U. Member States, given statutory protections over confidential information?
NIS2 covers corporations that have a significant impact on societal or economic activities, public safety, or security, which includes out-of-country corporations that fit the criteria for regulation. Compared to the original NIS directive, NIS2 adopted stronger enforcement powers, high administrative fines, and criminal penalties depending on the severity of the violation. In the event of a cybersecurity incident, NIS2 requires covered corporations to file a series of reports with the respective Member State’s computer security incident response team. These reports contain information such as indications of unlawful or malicious activity, severity evaluations, detailed descriptions, mitigation measures, and cross-border impacts. One of the largest concerns with the individualized implementation of NIS2 is the sharing of such cybersecurity risk management frameworks.
American defense manufacturers that are also cleared defense contractors are required to report cyber incidents to the Department of Defense (DOD). The majority of these reports are classified due to their sensitive nature, as they involve confidential business information and national security matters. Because there are presently no exceptions for these manufacturers, they face a problem that can only be solved through foreign information sharing partnerships between Member States and DOD.
Without diplomatic intervention, American defense manufacturers may be unable to maintain the required confidentiality to comply with U.S. cyber incident reporting at the expense of compliance with NIS2 requirements. If the mere existence of a cyber incident makes the event confidential, then the U.S. will need to negotiate a cybersecurity information sharing agreement for impacted manufacturers to comply with NIS2. However, if a cyber incident report to the U.S. government is what makes the incident confidential, it follows that a manufacturer may comply with the reporting requirements of Member States as well as the U.S. government. As Member State regulations continue to be signed into law, how this conversation plays out in American and European courts will provide more insight into defense manufacturing contract relationships within the U.S.
Article Written by Rebecca Lee