Key facts for manufacturers
- Manufacturing sits under Annex II of NIS2, meaning most in-scope manufacturers are classified as important entities.
- Size thresholds apply: 50+ staff or 10M+ euro turnover for medium, 250+ staff or 50M+ euro turnover for large.
- Article 21 controls apply equally to IT and OT, including ICS, SCADA, MES, and safety systems.
- Incidents that halt production, corrupt quality data, or involve ransomware frequently meet the significant incident threshold in Article 23.
- Board members carry personal accountability under Article 20, including mandatory cybersecurity training.
Which manufacturing sub-sectors are in scope
NIS2 Annex II lists the manufacturing sub-sectors that fall inside the directive. The list is narrower than most manufacturers assume, but broad enough to cover the engine rooms of the European industrial base. If your primary NACE activity sits inside one of the following, and you meet the size thresholds, NIS2 applies to you.
- Manufacture of medical devices and in vitro diagnostic medical devices, including implants, imaging equipment, and point-of-care diagnostics. Expect overlap with MDR and IVDR obligations.
- Manufacture of computer, electronic and optical products, such as semiconductors, industrial electronics, measuring instruments, and optical components.
- Manufacture of electrical equipment, including motors, generators, transformers, batteries, and distribution and control apparatus.
- Manufacture of machinery and equipment not elsewhere classified, covering general purpose machinery, agricultural, metal forming, and special purpose machinery.
- Manufacture of motor vehicles, trailers and semi-trailers. Tier one automotive suppliers often cluster here or in machinery.
- Manufacture of other transport equipment, including rail, aerospace, and shipbuilding.
Food production, chemicals, pharmaceuticals, and waste sit in separate Annex I or II entries. If your group spans several NACE codes, scope is assessed per legal entity, so intra-group transfers do not automatically drag every subsidiary under NIS2.
Top cyber risks for manufacturing
OT and IT convergence
Modern plants connect PLCs, robots, and SCADA to the same networks that carry email and ERP traffic. A single flat network, a misconfigured jump host, or an unpatched engineering workstation is often all it takes for an IT incident to cross into the production zone. NIS2 does not single out OT, but Article 21 requires a risk-based approach, and for manufacturers the highest inherent risk almost always sits on the OT side.
Ransomware on production lines
Ransomware groups specifically target manufacturers because downtime costs are high and insurers often pay. Encrypting historians, MES, or engineering stations can halt a site within hours. The financial case for paying is tempting, which is why ransomware actors prioritise production environments over, for example, professional services firms.
Supply chain attacks
Machine vendors, remote maintenance providers, and managed service providers have deep access to production networks. A compromised vendor VPN or a poisoned software update from a machine builder is one of the most likely vectors for a serious incident. Article 21 puts supply chain security on equal footing with internal controls.
Insider and physical access
Contractors, temporary staff, and third-party engineers rotate through plants continuously. Shared accounts on HMIs, USB drives carrying engineering data, and unlocked control cabinets remain common. These are some of the easiest findings for an auditor to raise and some of the cheapest to fix.
Legacy systems with long lifecycles
Unlike enterprise IT, a CNC machine or a press line is expected to run for 15 to 25 years. Windows XP and Windows 7 are still common on the shop floor, and patching windows are constrained by production schedules. NIS2 does not forbid legacy, but it does require compensating controls and documented risk acceptance.
Article 21 controls, mapped to the factory
Article 21 lists ten minimum risk management measures. Below is how each one lands inside a typical manufacturing environment. This is not an exhaustive implementation guide, but it is the framing Burak uses to translate legal text into site-level action.
- Risk analysis and information system security policies. One policy set covering IT and OT, with an OT risk register that references IEC 62443 zones and conduits.
- Incident handling. Runbooks for ransomware on MES, ICS intrusion, and loss of an engineering station, with production-aware escalation to plant managers, not only the CISO.
- Business continuity and crisis management. Clear fallback modes per line, offline backups of recipes and PLC programs, and tested manual production procedures.
- Supply chain security. Vendor inventory, tiered risk assessment for machine vendors and MSPs, and standard security clauses in purchase contracts.
- Security in acquisition, development and maintenance. Cybersecurity acceptance tests for new machines, change control for PLC firmware, and secure remote maintenance gateways.
- Policies for assessing effectiveness. Periodic internal audits, OT-aware penetration tests, and tabletop exercises with production staff.
- Basic cyber hygiene and training. Phishing simulations for office staff, role-specific OT training for engineers and operators, and onboarding for temporary workers.
- Cryptography and encryption. Encryption for data at rest and in transit where feasible, with documented exceptions for legacy protocols such as Modbus TCP.
- Human resources security and access control. Unique accounts per person, MFA for remote access, and strict joiner, mover, and leaver processes that also cover contractors.
- Multi-factor authentication and secured communications. MFA on VPN, remote desktop, email, and privileged administrator accounts, plus hardened jump servers for OT access.
Typical gap areas in manufacturing
Legacy OT without documented risk acceptance
Assessors expect to see an asset inventory of OT systems, the risks each legacy system introduces, the compensating controls in place, and a signed-off risk acceptance from an accountable owner. Verbal acceptance and unwritten practice are not enough.
Vendor remote access without oversight
Always-on VPN tunnels to machine vendors, shared credentials, and unmonitored remote sessions are consistently among the first issues raised during a gap assessment. Expect to move to brokered, session-recorded, just-in-time access.
Incident reporting mismatched to production reality
The 24-hour early warning and 72-hour notification windows in Article 23 assume a functioning incident response process. Many manufacturers discover during a tabletop exercise that their plant managers, IT, legal, and communications teams do not have a shared definition of a significant incident.
Segmentation that looks good on paper
Purdue-style diagrams are common, but firewall rules and actual traffic flows often tell a different story. An honest segmentation review, including east-west traffic between plants, is usually one of the highest-value early steps.
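The segmentation review described above can be made concrete by checking observed flows against the zones and conduits the Purdue diagram claims. The script below is an added example, not code from the page's author; the zone addressing, the allowed conduits, and the flow records are all constructed for illustration and would be replaced by the plant's own IEC 62443 zone model and a NetFlow or firewall log export. It flags flows with no conduit (including east-west traffic between two plants), flows that use a conduit with a port the policy does not permit, and hosts that sit in no zone at all, which is the passive asset-discovery by-product of the same data.

```python
"""Segmentation review: compare observed flows against an IEC 62443 zone/conduit policy.

Added example with constructed data; not the page's own tooling.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed zone map for a two-plant site (example addressing, not a real plant).
ZONES = {
    "enterprise":     ipaddress.ip_network("10.0.0.0/16"),
    "idmz":           ipaddress.ip_network("10.1.0.0/24"),
    "plantA_ops":     ipaddress.ip_network("10.10.0.0/16"),     # Level 3: MES, historian
    "plantA_control": ipaddress.ip_network("192.168.10.0/24"),  # Level 1-2: PLC, HMI
    "plantA_safety":  ipaddress.ip_network("192.168.20.0/24"),  # safety instrumented system
    "plantB_ops":     ipaddress.ip_network("10.20.0.0/16"),
    "plantB_control": ipaddress.ip_network("192.168.110.0/24"),
}

# Allowed conduits: (source zone, destination zone) -> permitted destination ports.
# Intra-zone traffic is registered as allowed on any port; everything else is a finding.
CONDUITS = {
    ("enterprise", "idmz"): {443},
    ("idmz", "plantA_ops"): {443, 1433},
    ("idmz", "plantB_ops"): {443, 1433},
    ("plantA_ops", "plantA_control"): {502, 44818},  # Modbus/TCP, EtherNet/IP
    ("plantB_ops", "plantB_control"): {502, 44818},
}
for _zone in ZONES:
    CONDUITS[(_zone, _zone)] = None  # None = any port inside the zone
_MISSING = object()

# Constructed flow export (src,dst,proto,dport,bytes). Rows 1-3 match the policy;
# row 4 is enterprise -> control RDP (flat network), row 5 is plant-to-plant east-west,
# row 6 is SMB over a conduit that only allows Modbus/EtherNet/IP, row 7 is an unknown host.
SAMPLE_FLOWS = """src,dst,proto,dport,bytes
10.0.5.12,10.1.0.10,tcp,443,48211
10.1.0.10,10.10.2.20,tcp,1433,90112
10.10.2.20,192.168.10.15,tcp,502,3840
10.0.5.12,192.168.10.15,tcp,3389,120000
192.168.10.15,192.168.110.30,tcp,502,5000
10.10.2.20,192.168.10.15,tcp,445,88000
172.16.9.4,192.168.20.7,tcp,502,1200
"""


def zone_of(ip):
    """Return the zone name containing ip, or None if no zone claims it."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def parse_flows(text):
    """Parse CSV flow records into dicts with integer port and byte counts."""
    rows = []
    for row in csv.DictReader(io.StringIO(text.strip())):
        rows.append({"src": row["src"], "dst": row["dst"], "proto": row["proto"],
                     "dport": int(row["dport"]), "bytes": int(row["bytes"])})
    return rows


def review(flows):
    """Return (flow, reason) for every flow the conduit policy does not explain."""
    findings = []
    for f in flows:
        sz, dz = zone_of(f["src"]), zone_of(f["dst"])
        if sz is None or dz is None:
            findings.append((f, "unknown zone: host not in zone map"))
            continue
        allowed = CONDUITS.get((sz, dz), _MISSING)
        if allowed is _MISSING:
            findings.append((f, f"no conduit {sz} -> {dz}"))
        elif allowed is not None and f["dport"] not in allowed:
            findings.append((f, f"port {f['dport']} not permitted on conduit {sz} -> {dz}"))
    return findings


def passive_inventory(flows):
    """Hosts observed per zone; unassigned hosts are candidates for the OT asset register."""
    seen = defaultdict(set)
    for f in flows:
        for ip in (f["src"], f["dst"]):
            seen[zone_of(ip) or "unassigned"].add(ip)
    return {zone: sorted(hosts) for zone, hosts in seen.items()}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for flow, reason in review(flows):
        print(f"{flow['src']} -> {flow['dst']}:{flow['dport']}  {reason}")
    for zone, hosts in sorted(passive_inventory(flows).items()):
        print(f"{zone}: {', '.join(hosts)}")
```

Running it over a real export, the "no conduit" and "port not permitted" findings are the gap between the diagram and the firewall rule base, and the "unassigned" hosts are the systems missing from the OT asset inventory that assessors expect to see documented.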
A 30-day, 90-day, and 12-month roadmap
First 30 days: clarity
- Confirm NIS2 scope per legal entity and register with the national competent authority if not already done.
- Establish a steering committee with production, IT, OT engineering, legal, and an accountable board sponsor.
- Kick off a gap assessment against Article 21 across a reference site, covering both IT and OT.
- Identify the top five incident scenarios per site and confirm who decides and who reports.
Days 30 to 90: stabilise
- Publish an IT and OT aware information security policy approved by the management body.
- Close the highest-risk quick wins: MFA on remote access, removal of shared accounts, offline backups of PLC programs, and brokered vendor access.
- Run a first tabletop exercise on a ransomware scenario that hits MES and a production line.
- Deliver mandatory cybersecurity training for the management body under Article 20.
Months 4 to 12: sustain
- Roll out the target operating model across all in-scope plants, with local champions.
- Implement supply chain security: vendor inventory, tiered assessments, and revised contract clauses.
- Mature OT monitoring: passive network monitoring, asset discovery, and alert routing to the SOC.
- Conduct an internal audit against Article 21 and Article 23 and remediate open findings before the first external supervisory review.
Frequently asked questions
Is my manufacturing company in scope of NIS2?
Annex II manufacturers are in scope when they meet the medium or large size thresholds. The short test: at least 50 staff or 10 million euro turnover for medium, and 250 staff or 50 million euro turnover for large, combined with a primary activity inside the listed sub-sectors.
Are manufacturers essential or important entities?
Most manufacturers are classified as important entities under Annex II. A small number may be escalated to essential status by a member state, typically when their disruption would have cross-border impact or when they are designated as critical under other legislation.
Does NIS2 cover OT and SCADA systems?
Yes. NIS2 speaks about network and information systems, which includes industrial control systems, SCADA, MES, historians, and safety systems. If a production incident traverses or originates in those systems and disrupts service, it is inside scope for both risk management and reporting.
How does NIS2 change supplier contracts?
Article 21 requires supply chain security. Expect to add cybersecurity clauses, audit rights, and incident notification duties to contracts with machine vendors, remote maintenance providers, MSPs, and cloud providers, and to refresh vendor risk assessments on a regular cycle.
What counts as a significant incident for a manufacturer?
Under Article 23, a significant incident is one causing or capable of causing severe operational disruption, significant financial loss, or material harm to third parties. For manufacturers this typically includes ransomware that stops production, confirmed intrusion into ICS or MES, tampering with safety or quality systems, and material data loss involving customers or suppliers.
Do we need ISO 27001 or IEC 62443?
Neither is mandatory. ISO 27001 is a strong baseline for the management system and covers a large share of Article 21 on the IT side. IEC 62443 is the natural companion for OT. Manufacturers that already run both tend to reach NIS2 readiness faster and at lower cost.
How long does implementation take?
For a mid-sized manufacturer without an existing ISMS, nine to twelve months is realistic from gap assessment to audit readiness. Sites with ISO 27001 or a mature IT security function can reach readiness in four to six months by focusing on OT, supply chain, and incident reporting.
Who is personally liable if we fail?
Article 20 places direct accountability on the management body. Board members must approve risk measures, oversee implementation, and complete cybersecurity training. Member states may impose personal fines and, in some cases, suspend executives from management functions when serious breaches are tied to a failure of oversight.