NIS2 for Manufacturing Companies
Manufacturing of medical devices, electronics, electrical equipment, machinery, and vehicles is in scope under NIS2 Annex II. If your company has 50+ employees, here is what the BSIG requires and how to handle the OT/IT challenge.
Why Does NIS2 Apply to Manufacturing?
Modern manufacturing depends on the convergence of IT and OT (operational technology). ERP systems drive production scheduling. MES platforms manage shop floor execution. SCADA systems control machinery and process automation. CAD/CAM systems define what gets built. When these systems are interconnected – and in most factories they are – a cyberattack on one can cascade across the entire production chain. A ransomware infection in the office network that reaches the MES can shut down production lines.
The EU classified manufacturing under Annex II of the NIS2 Directive, covering: medical device manufacturing, computer and electronics manufacturing, electrical equipment manufacturing, machinery and equipment manufacturing, motor vehicle manufacturing, and other transport equipment manufacturing. Companies meeting the size threshold (50+ employees or over 10 million euros annual revenue) are 'wichtige Einrichtungen' (important entities) under Section 28(2) BSIG.
Manufacturing has a unique challenge that most other NIS2 sectors do not face at the same scale: OT security. Production equipment often runs specialized operating systems, uses proprietary protocols, and has lifecycle constraints that make patching difficult. A CNC machine from 2015 may run Windows 7 Embedded and cannot be updated without the manufacturer's involvement. NIS2 does not ignore this reality – Section 30 BSIG requires measures that are 'proportionate' to the risk. But you must document the risks and the compensating controls.
Manufacturing Execution System (MES)
The system that manages shop floor operations: production scheduling, work order execution, quality tracking, and performance monitoring. Common systems include SAP ME, MPDV HYDRA, Forcam, or custom solutions. MES sits between ERP and the production floor. If it goes down, you lose production visibility and scheduling. One asset entry per facility.
SCADA and industrial controls
Supervisory Control and Data Acquisition systems, PLCs (programmable logic controllers), HMIs (human-machine interfaces), and CNC controllers. These directly control physical production processes. They often run older operating systems with limited security capabilities. They represent the highest-impact risk because a compromise can damage equipment or cause safety incidents. Group per production line or cell.
ERP system
The core business system for order management, procurement, inventory, finance, and production planning. Commonly SAP, proALPHA, Microsoft Dynamics, or abas. ERP drives what gets produced and when. Compromise stops order processing, supplier payments, and customer deliveries. One asset entry.
CAD/CAM and engineering
Computer-Aided Design and Computer-Aided Manufacturing systems: SolidWorks, AutoCAD, Siemens NX, CATIA, or similar. These contain your intellectual property – product designs, manufacturing processes, tolerances. A breach here can mean loss of trade secrets. Also includes PLM (Product Lifecycle Management) if used. One grouped entry.
Network infrastructure
The network connecting office IT, engineering, and the production floor. Critically includes the IT/OT boundary: firewalls, DMZ segments, and data diodes between the office network and the shop floor network. If your IT and OT networks are flat (no segmentation), this is your highest-priority risk. Include VPN and remote access for supplier maintenance.
Endpoints and office IT
Laptops, desktops, and mobile devices for office staff, engineering, and production management. Standard office applications, email, collaboration tools. Grundschutz allows grouping: '80 standard Windows laptops' is one entry. Also include servers (file, print, application) as a separate grouped entry if significant.
1. Register with the BSI
Complete your Section 33 BSIG registration via muk.bsi.bund.de. This takes 30 to 60 minutes and puts you on record. The penalty for non-registration is up to 500,000 euros. If the deadline has passed, register immediately.
2. Build your asset inventory (IT and OT)
This is where manufacturing differs from other sectors. You need to inventory both IT systems (ERP, email, engineering) and OT systems (MES, SCADA, PLCs, CNC machines). For OT assets, document the operating system, firmware version, network connectivity, and whether the manufacturer provides security updates. This inventory is the foundation for everything that follows.
3. Assess and segment your OT network
The single most impactful technical measure for manufacturers. If your office IT and production OT share a flat network, a ransomware infection in the office can reach your production controllers. Implement network segmentation: separate IT and OT into distinct network zones with a firewall between them. This is Grundschutz requirement IND.1 and the BSI's top recommendation for industrial environments.
4. Set up incident reporting
Define what a significant incident means for your manufacturing operations. A ransomware attack that stops production lines is clearly significant. An attempted phishing email that was blocked is not. Establish the reporting chain, including who has authority to file the BSI report and how to reach them outside business hours. Test the process with a tabletop exercise.
5. Document supplier relationships
Manufacturing companies often have multiple OT suppliers with remote access to production systems for maintenance and updates. Document every supplier with access to your network, what they can reach, and what security measures they commit to. Remote maintenance connections to SCADA systems are a common attack vector – ensure these are properly secured and monitored.
The IT/OT convergence challenge defines manufacturing NIS2 compliance. Your office IT team understands patching, access controls, and network security. But production equipment operates on different rules: you cannot reboot a CNC machine during a production run to apply patches. PLCs may run firmware that has not been updated in years because the manufacturer has not released an update. SCADA systems may use proprietary protocols that standard IT security tools do not understand.
The solution is not to force IT security practices onto OT. It is to build a security model that respects the constraints. Network segmentation isolates OT from IT risks. Monitoring detects anomalies without requiring agents on controllers. Compensating controls (restricted physical access, dedicated maintenance networks, logging) provide protection where traditional IT controls are not feasible. Document everything – the BSI expects 'proportionate' measures, and documenting why you chose compensating controls over direct patching is a valid approach.
Manufacturing companies also face intellectual property risk that other sectors may not. CAD files, production processes, tolerances, and supplier specifications are valuable trade secrets. A breach that exposes these does not just create a compliance issue – it creates a competitive disadvantage. Access controls on engineering systems and encryption for design files should be prioritized alongside the OT segmentation work.
Frequently Asked Questions
Our production machines run Windows 7 or older. Does NIS2 require us to upgrade?
NIS2 does not mandate specific operating system versions. It requires 'appropriate and proportionate' risk management. For older OT systems, this means: document the risk (unsupported OS, no patches), implement compensating controls (network isolation, restricted access, monitoring), and plan for lifecycle replacement. The BSI expects you to acknowledge the risk and manage it, not to perform impossible upgrades on equipment that cannot be updated.
Do we need to separate our IT and OT networks?
Network segmentation between IT and OT is the single most impactful security measure for manufacturers, and it is strongly recommended by both the BSI (Grundschutz IND.1) and Commission Implementing Regulation (EU) 2024/2690. If your networks are currently flat, this should be your top technical priority. At minimum, deploy a firewall between the office network and the production network, restrict traffic to only what is necessary, and log all cross-zone connections.
Our machine supplier has remote access for maintenance. Is that a problem?
Remote maintenance access is common and necessary, but it is a significant risk vector. Under NIS2, you must document this access, include security requirements in the supplier contract, and implement controls: dedicated VPN connections (not open ports), time-limited access (enabled only when needed), logging of all remote sessions, and multi-factor authentication. The supplier becomes part of your supply chain security assessment under Section 30(2)(4) BSIG.
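The two answers above both end in the same practical task: the cross-zone connection logs at the IT/OT boundary and the supplier remote-maintenance sessions have to be checked against what you documented. The following is an added example, not code from the article or from any BSI publication; the key=value log layout, the zone names, the allow-list entries and the maintenance window are all constructed assumptions standing in for your own firewall format and your own documentation.

```python
# Added example, not from the article: audit IT/OT boundary firewall logs against the
# documented cross-zone allow-list and the documented supplier maintenance windows.
from datetime import datetime, time
# Constructed allow-list of permitted cross-zone flows: (src zone, dst zone, dst port).
ALLOWED_FLOWS = {
    ("office", "ot", 1433),  # hypothetical: ERP -> MES database
    ("ot", "office", 443),   # hypothetical: MES -> ERP web API
}
# Constructed supplier windows: supplier -> (start, end, the only permitted target host).
MAINTENANCE_WINDOWS = {"cnc-vendor": (time(8, 0), time(17, 0), "10.20.0.50")}

# Constructed log lines of allowed flows; the key=value layout and the "vpn-" zone prefix are assumptions.
SAMPLE_LOG = """\
2025-03-04T09:12:01 src=10.10.1.15 srczone=office dst=10.20.0.10 dstzone=ot dport=1433
2025-03-04T09:13:44 src=10.10.1.22 srczone=office dst=10.20.0.12 dstzone=ot dport=445
2025-03-04T10:30:00 src=203.0.113.7 srczone=vpn-cnc-vendor dst=10.20.0.50 dstzone=ot dport=3389
2025-03-04T22:05:09 src=203.0.113.7 srczone=vpn-cnc-vendor dst=10.20.0.50 dstzone=ot dport=3389
2025-03-04T11:00:00 src=10.20.0.12 srczone=ot dst=10.10.1.5 dstzone=office dport=443
"""

def parse_line(line):
    """Turn one log line into a dict with a datetime 'ts' and an int 'dport'."""
    ts, rest = line.split(" ", 1)
    rec = dict(kv.split("=", 1) for kv in rest.split())
    rec["ts"] = datetime.fromisoformat(ts)
    rec["dport"] = int(rec["dport"])
    return rec

def check_flow(rec):
    """Return a finding string when the flow is not covered by documented policy, else None."""
    src, dst = rec["srczone"], rec["dstzone"]
    if src.startswith("vpn-"):  # supplier remote-maintenance zone
        supplier = src[4:]
        if supplier not in MAINTENANCE_WINDOWS:
            return f"undocumented supplier VPN zone {src}"
        start, end, target = MAINTENANCE_WINDOWS[supplier]
        if rec["dst"] != target:
            return f"{supplier} reached {rec['dst']}, not its documented target {target}"
        if not start <= rec["ts"].time() <= end:
            return f"{supplier} session at {rec['ts'].isoformat()} outside maintenance window"
        return None
    if src != dst and (src, dst, rec["dport"]) not in ALLOWED_FLOWS:
        return f"unlisted cross-zone flow {src}->{dst} port {rec['dport']}"
    return None

def audit(log_text):
    """Return [(timestamp, finding)] for every logged flow that violates the documented policy."""
    recs = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    return [(r["ts"].isoformat(), f) for r in recs if (f := check_flow(r))]
```

On the constructed log, the audit flags the office-to-OT SMB flow on port 445 and the vendor session at 22:05 outside its documented window; the two allow-listed flows and the in-window vendor session pass. Each finding is either a documentation gap to close or a session to investigate.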
We are a Tier 2 automotive supplier. Does NIS2 apply even if our OEM has not asked about it?
If you manufacture motor vehicles, parts, or transport equipment and have 50+ employees, NIS2 applies to you regardless of what your OEM customer requires. Manufacturing of motor vehicles and other transport equipment is explicitly listed in Annex II. In practice, automotive OEMs will increasingly require NIS2 compliance from their supply chain – TISAX already covers similar ground. Getting ahead of this requirement is strategically smart.