Blog
Manufacturing Ransomware · NIS2 Enforcement · Nitrogen Ransomware · Compliance Evidence

Two Manufacturers in Eight Days: NIS2's Evidence Gap Just Got Concrete

West Pharmaceutical disclosed encryption-plus-exfiltration on 2026-05-07; Foxconn confirmed a Nitrogen ransomware breach on 2026-05-12. The post-incident audit question — what controls were active and provable — is no longer hypothetical.

Zero Hunt Research · 8 min read

Eight days in May 2026 turned a regulator argument into an operational one. A medical-device manufacturer disclosed an encryption-plus-exfiltration event on the 7th; Foxconn confirmed a Nitrogen ransomware breach on the 12th, with 8 TB and ~11 million files claimed on the leak site. Both companies now face the same auditor question — what controls were active, and can you prove it? — at a moment when the European Commission has spent the prior twelve months turning NIS2 from text into infringement procedures. The evidence gap, the thing every CISO deck has called "a risk we are addressing", is the part of the response that costs the most when it is not already in place.

The eight-day timeline

  • 2026-05-04 — West Pharmaceutical detects an intrusion on its global IT estate.
  • 2026-05-07 — West Pharmaceutical discloses via SEC filing that "certain data was exfiltrated by an unauthorized party and certain systems were encrypted". Systems are taken offline globally for containment. Palo Alto Networks Unit 42 is engaged for incident response. No ransomware crew claims it at the time of publication.
  • 2026-05-11 — Nitrogen posts Foxconn on its dark-web leak site.
  • 2026-05-12 — Foxconn confirms the cyberattack on North American facilities. The Mount Pleasant, Wisconsin plant is among the impacted sites. The leak claims 8 TB and "millions of files that include technical information from several prominent tech firms" — references to Apple, Google, Intel, Nvidia and Dell project files appear in the leak descriptions.

Neither company is an outlier. The Arctic Wolf 2026 Threat Report — published February 2026, drawn from the November 2024 – November 2025 caseload — put manufacturing at the top of the ransomware target list, ~70% more incidents than the next sector (construction), with data-only extortion growing eleven-fold year over year and 65% of non-BEC intrusions abusing RDP, VPN or RMM access. The pattern matches both incidents in May: a remote-access foothold, lateral movement to file shares, exfiltration first, encryption second.

The regulator runs a different clock

The European Commission opened infringement procedures against 23 member states in November 2024 for failing to fully transpose NIS2. On 7 May 2025 it sent reasoned opinions to 19 of them — Bulgaria, Czechia, Denmark, Germany, Estonia, Ireland, Spain, France, Cyprus, Latvia, Luxembourg, Hungary, the Netherlands, Austria, Poland, Portugal, Slovenia, Finland and Sweden. The reasoned opinion is the last formal step before referral to the Court of Justice of the European Union. Two months to respond — that window closed in July 2025, and the CJEU pipeline is now the part of the procedure that matters operationally in 2026.

Italy is not on that list. D.Lgs. 138/2024 transposed NIS2 last year, ACN's notification cycle is active, and the regime is moving from "are you on the list" to "show us your controls". That is the part that is the same everywhere, list or no list.

So the calendar an affected manufacturer is now reading has two columns:

  1. Their own incident timeline. From compromise to disclosure to forensic reconstruction.
  2. The regulator's enforcement timeline. From "you said you have controls" to "demonstrate that you had them on the day".

Most incident playbooks are built for column 1. The thing that is broken — and what May 2026 made visible — is column 2.

What NIS2 actually asks for, plainly

NIS2's body of requirements is broad, but the post-incident interaction with an auditor or competent authority reduces to a short list of questions. The interesting column is the right one:

  Requirement (Art. 21 family)      What the auditor will ask
  Risk-based controls               What was your exposure inventory on the day of compromise, and how do we know?
  Vulnerability management          Show the last 12 months of validated findings and the remediation timestamps.
  Incident handling                 24-hour significant-incident notification — was the data in place to file it?
  Supply-chain security             Mapping of third-party access and the security posture of each one.
  Cryptography and access control   Demonstrable, not described.

Three of the five rows are evidence-shaped: not "do you have a policy", but "show me the artefact". The post-incident moment is the wrong time to construct that artefact. It is also the moment most organisations discover that their pentest report from Q4 is a screenshot from a tool nobody runs anymore, against a network that no longer exists.

The operational mechanics that make the evidence gap worse

Both May incidents follow a now-canonical sequence. It is worth describing it specifically, because every step in it is producing evidence that the defender is in a position to either capture or lose forever:

  • Foothold. Remote-access surface — VPN, RDP, RMM — abused with valid credentials or a known appliance vulnerability. Arctic Wolf attributes 65% of non-BEC intrusions in their 2025 caseload to this class. The evidence here is whether the defender had an inventory of which appliances were exposed and which had been validated in the last 30 days.
  • Lateral movement and discovery. The intruder maps file shares and identity infrastructure. The evidence here is whether anything was watching east-west traffic for the staging signature — first a few unusual SMB queries from a host that historically only ingests, then a long tail of read operations.
  • Exfiltration. Nitrogen's playbook is exfiltrate-first: the 8 TB figure on the Foxconn leak is the exfiltrated set, not the encrypted set. The evidence here is whether outbound flow analytics flagged the long sustained egress to an ASN the host had no historical reason to talk to.
  • Encryption. Rapid SMB/NFS writes to file shares from a host that should not be writing to them, fanned out across the lateral graph. The evidence here is whether the network saw the in-progress signature in time to cut the host off, instead of finding out from the ransom note.

Each of those four steps produces a traffic and control trace. The question is whether the trace is captured and signed at the moment it happens, or reconstructed later from logs the attacker may have tampered with.
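The two signatures in that sequence that are most worth watching for, the sustained egress to an ASN the host has never talked to and the burst of share writes from a host that historically only reads, as an added example that is not part of the original post. The baselines, flow records and field names are constructed, and the thresholds are assumptions a real deployment would tune to its own estate.

```python
"""Two of the traffic signatures described above, run over constructed sample data."""
from collections import defaultdict

# Constructed per-host baseline: which ASNs and which SMB operations are historical.
BASELINE = {
    "hmi-12": {"asns": {"AS64500"}, "smb_ops": {"read"}},           # read-only ingest host
    "fs-01":  {"asns": {"AS64500"}, "smb_ops": {"read", "write"}},  # writes routinely
}

# Constructed records: (ts_seconds, host, kind, peer, bytes).
# kind "egress": peer is the destination ASN; kind "smb": peer is the share operation.
FLOWS = [
    (0,   "hmi-12", "smb",    "read",    4096),
    (60,  "hmi-12", "egress", "AS64500", 20_000),
    (120, "hmi-12", "egress", "AS64999", 900_000_000),    # sustained egress to an unseen ASN
    (180, "hmi-12", "egress", "AS64999", 1_100_000_000),
    (240, "hmi-12", "smb",    "write",   65_536),         # writes from a host that only reads
    (241, "hmi-12", "smb",    "write",   65_536),
    (242, "hmi-12", "smb",    "write",   65_536),
    (300, "fs-01",  "smb",    "write",   65_536),         # routine for fs-01
]

def unusual_egress(flows, baseline, min_bytes=500_000_000):
    """Bytes sent per (host, ASN) where the ASN is absent from the host's baseline,
    keeping only pairs at or above min_bytes (the long, sustained egress)."""
    totals = defaultdict(int)
    for _, host, kind, asn, nbytes in flows:
        if kind == "egress" and asn not in baseline.get(host, {}).get("asns", set()):
            totals[(host, asn)] += nbytes
    return {k: v for k, v in totals.items() if v >= min_bytes}

def write_burst(flows, baseline, window=60, min_writes=3):
    """First timestamp per host at which >= min_writes share writes fall inside
    `window` seconds, considering only hosts whose baseline has no writes at all."""
    stamps = defaultdict(list)
    for ts, host, kind, op, _ in flows:
        historical_ops = baseline.get(host, {}).get("smb_ops", set())
        if kind == "smb" and op == "write" and "write" not in historical_ops:
            stamps[host].append(ts)
    hits = {}
    for host, ts in stamps.items():
        ts.sort()
        for i in range(len(ts) - min_writes + 1):
            if ts[i + min_writes - 1] - ts[i] <= window:
                hits[host] = ts[i]
                break
    return hits
```

The egress check fires only on the unseen ASN, not on the host's routine traffic, and the write check ignores fs-01 because writing is in its baseline.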

"Show me the validated exposure inventory for the West Pharmaceutical IT estate on 2026-05-04 at 09:00 CET."

Most manufacturers cannot answer that today. The ones who can will be in a different room next year.

Why screenshots don't survive cross-examination

There is a quiet shift happening on what "evidence" means in a regulated cyber incident, and it affects the value of every audit artefact a CISO is sitting on:

  • Screenshots and PDFs degrade. They cannot be cryptographically tied to a moment in time, the rendering tool that produced them, or the scope of the scan behind them. A determined opposing party in an insurance claim or a class action can reproduce them, alter them, or cast doubt on which run they came from.
  • Spreadsheets of findings are summaries, not chains of custody. They aggregate. The aggregation is the point — and the problem. You cannot reconstruct from a spreadsheet whether finding 47 was validated on a sandbox, what payload was used, what the response looked like.
  • What stands up. Cryptographically signed records — one per finding, one per scan run, one per remediation — tied to scan IDs, exploit artefacts, and timestamps from a key that lives on the appliance. The same hash, the same signature, queryable months later, mappable to whichever framework the auditor needs.

The shift in the insurance market is reinforcing this. Post-incident payouts are increasingly conditioned on demonstrable, contemporaneous pre-incident controls — not the controls described in the proposal, but the artefacts that prove the controls were running on the day the intruder arrived. That is the same evidence the NIS2 competent authority is going to ask for, in a slightly different room, with the same answer either available or not.
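An added example, not the page's or Zero Hunt's code, of the sign-at-write record model described above and again in the closing section: each finding, exploit artefact and remediation is hashed and signed the moment it is produced and chained to its predecessor, so a backdated timestamp, a deleted record or a re-signing with a different key is detected months later. It substitutes HMAC-SHA256 for the ECDSA the page describes so that it runs with the standard library alone (with ECDSA a verifier would hold only the public key); record fields, key and sample values are constructed.

```python
"""Sign-at-write evidence ledger: hash, sign and chain each record as it is produced.
HMAC-SHA256 stands in for the page's ECDSA signing; the structure is the same."""
import hashlib, hmac, json

KEY = b"constructed-appliance-key"  # in practice a key that never leaves the appliance

def canonical(record, exclude=("sig",)):
    """Deterministic bytes for a record, minus the fields named in `exclude`."""
    body = {k: v for k, v in record.items() if k not in exclude}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def write_record(key, prev_sig, **fields):
    """Hash and sign a record at the moment it is produced. prev_sig links it to
    the previous record so deletion or reordering breaks the chain."""
    record = dict(fields, prev_sig=prev_sig)
    record["hash"] = hashlib.sha256(canonical(record)).hexdigest()
    record["sig"] = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return record

def verify_chain(key, chain):
    """Index of the first record failing its hash, signature or link to the
    previous record, or -1 when the whole chain is intact."""
    prev = ""
    for i, rec in enumerate(chain):
        h = hashlib.sha256(canonical(rec, exclude=("hash", "sig"))).hexdigest()
        s = hmac.new(key, canonical(rec), hashlib.sha256).hexdigest()
        if (rec.get("hash") != h or not hmac.compare_digest(rec.get("sig", ""), s)
                or rec.get("prev_sig") != prev):
            return i
        prev = rec["sig"]
    return -1

def sample_chain(key=KEY):
    """Three constructed records for one finding: validation, artefact, remediation."""
    r1 = write_record(key, "", scan_id="scan-0421", finding_id=47, event="validated",
                      ts="2026-05-04T09:00:00+02:00", asset="vpn-gw-2")
    r2 = write_record(key, r1["sig"], scan_id="scan-0421", finding_id=47,
                      event="exploit_artefact", ts="2026-05-04T09:00:12+02:00",
                      artefact_sha256=hashlib.sha256(b"constructed response body").hexdigest())
    r3 = write_record(key, r2["sig"], scan_id="scan-0421", finding_id=47,
                      event="remediated", ts="2026-05-06T17:30:00+02:00")
    return [r1, r2, r3]
```

Editing a remediation timestamp after the fact, dropping the artefact record, or verifying with any key other than the one that wrote the chain all surface as a failing index rather than a plausible-looking spreadsheet row.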

What the 2026 calendar pushes toward

The trajectory through the rest of the year is unambiguous:

  • NIS2 fines are administrative, scale with revenue, and reach board-level personal liability for the worst non-compliance.
  • DORA's TLPT RTS, finalised in 2025, is now the operational reference for threat-led testing across financial entities, with the threat-led pentest itself being the part that gets evidenced and signed — not the management-summary on top.
  • Insurance underwriting at renewal is going to want the same evidence chain. The cheapest manufacturers to insure in 2027 will be the ones who can produce a signed history of their controls in 2026.
  • The 2026 ransomware caseload — Arctic Wolf's data, plus everything visible week to week on CISA KEV, CERT-EU and ACN — is converging on the same operational pattern. The defender's blind spot is not finding the intruder. It is being able to prove what was in place when the intruder got in.

The two May incidents are not interesting because they happened — by Arctic Wolf's count, similar manufacturers are being hit every week. They are interesting because they happened publicly, named, and during the same fortnight the regulator was signalling that the demonstration step is the part being graded.

Closing — where Zero Hunt fits the scenario

The article above is a regulatory and operational read of two events. The cross-reference, briefly:

The audit gap is not solved by better PDFs. It is solved by treating every finding, every scan, every exploit attempt and every remediation as a record that is hashed and signed at the moment it is produced, queryable months later, and mappable across 32 frameworks simultaneously. That is what Zero Hunt's compliance pillar does: continuous mapping against NIS2 (including Title 13), DORA (including the TLPT RTS), ISO 27001, GDPR, SOC 2, PCI-DSS, NIST CSF/800-53 and 24 more, severity-weighted, with cross-framework control mapping so a single validated finding satisfies the equivalent controls in every framework it touches. ECDSA signing at write time means the artefact carries its own chain-of-custody. The Trust Center bundle is what an auditor sees — not a screenshot, the signed record.

In parallel, the in-progress signature of the encryption phase — the rapid SMB/NFS writes from the wrong host — is what the 4-head deep-learning traffic model on the appliance is trained to catch live, at 2.7+ Gbit/s baseline, locally on the GPU. That is the Pillar 2 layer underneath the compliance one: the file-share writes get seen while they are happening, not in next morning's SIEM digest.

The point is not that any single product turns West Pharmaceutical's or Foxconn's bad week into a good one. The point is that the auditor question — show me what was in place — has a defensible answer when the evidence chain was built before the incident, and very few defensible answers when it is constructed afterwards. The 2026 enforcement calendar is going to make that asymmetry expensive.

If you run a manufacturing estate of any size — see how the platform pieces fit together on the platform overview or how this compares to legacy approaches on the comparison page. The technical questions are the easy part. The hard part is the calendar.