NIS2 Manufacturing Compliance: The 10-Measure Roadmap for Annex II Entities
The October 2024 transposition deadline for NIS2 has passed. Enforcement is rolling out across EU Member States — and for most manufacturing compliance teams, the first question is still the same: does this actually apply to us?
Manufacturing was not covered by NIS1. NIS2 changes that entirely, adding six manufacturing subsectors as Important entities under Annex II: NACE Rev. 2 divisions 26 to 30 (from electronics and machinery to motor vehicles and other transport equipment) plus medical device manufacturing as defined by Regulation (EU) 2017/745. Any manufacturing company with 50 or more employees, or above the small-enterprise financial ceilings (turnover and balance sheet both over €10 million), operating in one of those subsectors in a Member State where NIS2 has been transposed, is now in scope.
The obligations are the same ten Article 21 cybersecurity measures that apply across all in-scope entities. What makes them harder for manufacturing is the OT environment: legacy PLCs that cannot be patched, shared accounts on production HMIs, and operational technology where a firewall misconfiguration can halt a production line. The directive says nothing about any of this — applying it to a factory floor is the compliance work.
This guide covers all of it: scope determination, each of the ten Article 21 measures in an OT context, the management liability provisions under Article 20, how enforcement works for Important entities, and a 12-month implementation roadmap. The framework draws on the primary directive text, ENISA’s June 2025 Technical Implementation Guidance, and the IEC 62443-2-1 standard for OT security programmes.
Get the NIS2 Article 21 Compliance Checklist
90+ assessment items mapped to CIR 2024/2690 — instant PDF, no payment.
Does NIS2 Apply to Your Manufacturing Company?
Manufacturing under NIS2 is not a blanket obligation. Three conditions must all be met before compliance obligations begin: your activities fall within one of six defined NACE divisions, your company meets the size threshold, and your Member State has transposed the directive into national law.
Which Manufacturing Subsectors Are in Scope?
NIS2 Annex II, Section 5 lists six manufacturing subsectors as “other critical sectors” subject to the directive:
| Subsector | NACE Rev. 2 Division | Examples |
|---|---|---|
| Medical devices and IVD medical devices | Per Regulation (EU) 2017/745 | Surgical instruments, diagnostic equipment |
| Computers, electronic and optical products | Section C, Division 26 | Semiconductors, telecom equipment, measurement instruments |
| Electrical equipment | Section C, Division 27 | Motors, transformers, batteries, lighting |
| Machinery and equipment n.e.c. | Section C, Division 28 | Engines, pumps, industrial machinery, agricultural equipment |
| Motor vehicles, trailers and semi-trailers | Section C, Division 29 | Cars, commercial vehicles, parts |
| Other transport equipment | Section C, Division 30 | Ships, aircraft, railway rolling stock |
The directive defines scope by economic activity, not company identity. A company primarily classified outside these divisions may still be in scope if a material part of its operations falls within them.
Size Threshold: Who Qualifies?
Article 2 applies NIS2 to entities that qualify as medium-sized enterprises under the Annex to Recommendation 2003/361/EC, or that exceed the medium-sized ceilings. The practical test is whether the entity is larger than a small enterprise, which the Recommendation defines as one with fewer than 50 staff and an annual turnover or annual balance sheet total not exceeding €10 million. Either of the following therefore triggers applicability:
| Criterion | Threshold |
|---|---|
| Employees | 50 or more (sufficient on its own, regardless of revenue) |
| Annual turnover and annual balance sheet total | Both above €10 million (an entity with fewer than 50 staff stays "small" while either figure is at or below €10 million) |
A company with 55 employees and €8M turnover is in scope based on headcount alone. The €43 million balance sheet figure sometimes quoted is the ceiling of the medium-sized category, not the entry threshold. Micro-enterprises (under 10 employees and turnover or balance sheet not above €2M) and small enterprises are generally exempt unless one of the size-independent cases in Article 2(2) applies (for instance, the entity is the sole provider in a Member State of a service essential to critical societal or economic activities) or a Member State has extended coverage under national law.
Essential or Important? Always Important for Manufacturing
Manufacturing entities in Annex II are classified as Important entities by default. Unlike Annex I sectors (energy, banking, health), manufacturing cannot be reclassified as Essential unless a Member State makes a specific national determination. This distinction determines your supervision regime — see the Enforcement section below. For a detailed breakdown of how the classification works operationally, see Essential vs Important Entities.
Decision tree: NACE Division 26–30 or medical devices manufacturing AND 50+ employees or €10M+ annual turnover AND Member State has transposed NIS2 → you are an Important entity with full Article 21 obligations.
What Changed: Manufacturing Was Not Covered Under NIS1
This is the part that catches many manufacturing compliance teams off guard: none of the six Annex II manufacturing subsectors appeared in NIS1 (Directive 2016/1148). The previous framework covered energy, transport, banking, health, water, and digital infrastructure. Manufacturing was absent entirely.
NIS2 expands the scope because manufacturing facilities — with their operational technology, industrial control systems, and increasingly internet-connected production lines — represent critical infrastructure targets. Industrial cybersecurity incidents including the Triton/TRISIS malware attack on a petrochemical facility’s safety systems and NotPetya’s widespread impact on global manufacturers were among the real-world events that shaped the NIS2 scope expansion.
Medical device manufacturers are a particularly new addition. The sector was not in NIS1 and is now explicitly listed in Annex II, covering entities manufacturing medical devices as defined in Article 2(1) of Regulation (EU) 2017/745.
National transposition timelines add an important variable: while the directive’s transposition deadline was 17 October 2024, enforcement is rolling out unevenly across Member States. Registration procedures and enforcement timelines vary — Germany’s BSIG reform, France’s ANSSI-administered transposition, and the Dutch implementing legislation each carry their own registration and notification procedures. Waiting for full national-level certainty is not a safe strategy: the Article 23 incident reporting obligations, in particular, can be triggered as soon as a Member State’s law is live.
The 10 Article 21 Measures in a Manufacturing OT Environment
Article 21 of NIS2 mandates ten categories of cybersecurity risk management measures for all in-scope entities. The directive’s text is sector-neutral — it says nothing about PLCs, SCADA, or Purdue model architecture. Applying it to an OT-heavy manufacturing environment is the compliance work that matters.
The foundational reframe: IT security programmes usually prioritise the CIA triad in that order, confidentiality first, then integrity, then availability. Manufacturing OT inverts it. A momentary loss of availability on a production line costs real money and can cause safety failures, so most OT practitioners work availability-first (with safety above everything), even though the underlying NIS2 obligations are identical across sectors.
ENISA’s June 2025 Technical Implementation Guidance (v1.0) is a non-binding companion to Commission Implementing Regulation (EU) 2024/2690. One caveat worth stating plainly: the Implementing Regulation, and therefore the guidance, is formally addressed to the digital-sector entities it lists (DNS and cloud service providers, data centres, managed service providers and similar), not to Annex II manufacturers. Manufacturers are bound by Article 21 as transposed into national law; the ENISA document matters because it is the most detailed public reading of what each Article 21 measure should look like as evidence. It references IEC 62443 alongside ISO 27001 and NIST CSF 2.0 as applicable frameworks, and national competent authorities are likely to lean on it when assessing Article 21 compliance.
| Article | Measure | OT-Specific Interpretation | Key Evidence Document |
|---|---|---|---|
| 21(2)(a) | Risk analysis and security policies | All-hazards approach must include OT threat scenarios; review triggers include incidents and infrastructure changes | Information Security Policy + Risk Assessment Methodology |
| 21(2)(b) | Incident handling | Joint IT/OT incident procedures; pre-written playbooks for production line disruption scenarios | Incident Handling Policy + Playbooks |
| 21(2)(c) | Business continuity, backup, disaster recovery | Availability-first RTOs/RPOs; 3-2-1 backup rule with OT-safe immutable copies | Business Continuity Plan + Backup Register |
| 21(2)(d) | Supply chain security (direct suppliers) | Firmware and component suppliers included; tiered criticality classification required | Supplier Classification Register + Security Clauses |
| 21(2)(e) | Secure development, vulnerability handling | Legacy PLCs cannot run agents — requires documented compensating controls | Patch Register + Compensating Controls Log |
| 21(2)(f) | Effectiveness assessment | Regular testing; ENISA recommends annual tabletop exercises minimum | Measurement Report |
| 21(2)(g) | Cyber hygiene and training | Role-based matrix covering OT operators, engineers, SCADA administrators | Training Register + Phishing Simulation Records |
| 21(2)(h) | Cryptography and encryption | “Where appropriate” qualifier means OT protocols (Modbus, Profinet) are assessed for applicability, not blanket-encrypted | Cryptography Policy |
| 21(2)(i) | HR security, access control, asset management | Complete OT asset inventory; access control policy addressing shared HMI accounts | Asset Register + Access Control Policy |
| 21(2)(j) | MFA and secure communications | MFA required on all remote and administrative OT access paths | Authentication Policy + Remote Access Register |
IEC 62443-2-1 (Security program requirements for IACS asset owners) provides a systematic methodology for implementing these measures in OT environments. National competent authorities in Germany, France, and the Netherlands have embedded IEC 62443 requirements in their sector-specific NIS2 guidance alongside the ENISA framework.
OT Implementation Priorities: Where to Focus First
All ten Article 21 measures are mandatory. For a manufacturing entity deploying NIS2 for the first time, five areas generate the most compliance work — and the most common audit findings.
Risk analysis (Article 21(2)(a)): The directive requires an “all-hazards approach,” which in manufacturing means documented OT threat scenarios alongside standard IT risks. ENISA’s June 2025 guidance recommends integrating threat intelligence and reviewing the risk register on triggers including cybersecurity incidents and significant infrastructure changes. For OT environments, MITRE ATT&CK for ICS provides a structured threat catalogue aligned with these requirements. The outcome: a written Risk Assessment Methodology specific to your plant environment and a living Risk Register with named ownership. See NIS2 Risk Assessment for a detailed implementation guide.
Vulnerability management (Article 21(2)(e)): This is the hardest Article 21 measure to implement in manufacturing. Legacy PLCs, HMIs, and SCADA components often run firmware that cannot be patched without taking production offline — sometimes for days. The directive does not require patching every legacy device; it requires proportionate “vulnerability handling.” In practice, this means a compensating controls approach: network segmentation to isolate the device, intrusion detection monitoring at the zone perimeter, and a documented Risk Acceptance record explaining why the unpatched asset is acceptable given its network position. IEC 62443-2-1 Section 4.2.3 provides a methodology for security assessments of existing systems that maps directly to this requirement. For related Article 21(2)(c) business continuity planning in manufacturing, see NIS2 Article 21(2)(c) in Manufacturing.
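The "intrusion detection monitoring at the zone perimeter" part of the compensating-controls approach above is the piece that turns a Risk Acceptance record from a statement of hope into evidence. The following is an added example, not code from the original article or from any product: a small allowlist evaluator for Modbus/TCP traffic crossing the conduit into the cell that holds the unpatched PLC. The log format, the IP addresses, the host roles (engineering workstation, historian) and the function-code classification are constructed assumptions; a real deployment would feed it from a Modbus-aware sensor on a SPAN port or TAP at the conduit.

```python
"""Zone-perimeter Modbus/TCP monitoring as a compensating control for an
unpatchable PLC. Added example, not code from the original article. The log
format, IP addresses and host roles below are constructed for illustration."""
from dataclasses import dataclass
import ipaddress

# Modbus function codes that change controller state (coil/register writes).
WRITE_FUNCS = {5, 6, 15, 16, 22, 23}
# Diagnostics (8) and device identification (43): legitimate from the
# engineering workstation, a reconnaissance indicator from anywhere else.
DIAG_FUNCS = {8, 43}


@dataclass(frozen=True)
class ConduitPolicy:
    """Allowlist for the conduit into the segmented cell holding the PLC."""
    ot_zone: ipaddress.IPv4Network   # the cell network the PLC lives in
    plcs: frozenset                  # protected controller addresses
    engineering_ws: frozenset        # hosts allowed to write and diagnose
    read_only_hosts: frozenset       # e.g. historian: polling reads only


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    func: int
    rule: str


def parse_line(line):
    """Parse one constructed log line: 'ts src sport dst dport func'."""
    ts, src, sport, dst, dport, func = line.split()
    return ts, src, int(sport), dst, int(dport), int(func)


def evaluate(lines, policy):
    """Return one Finding per log line that violates the conduit policy."""
    findings = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        ts, src, _sport, dst, dport, func = parse_line(line)
        if dport != 502 or dst not in policy.plcs:
            continue  # only Modbus/TCP terminating at a protected PLC is in scope
        if ipaddress.ip_address(src) not in policy.ot_zone:
            rule = "cross-zone access to PLC (segmentation breach)"
        elif func in WRITE_FUNCS and src not in policy.engineering_ws:
            rule = "write from non-engineering host"
        elif func in DIAG_FUNCS and src not in policy.engineering_ws:
            rule = "diagnostic/identification request from non-engineering host"
        elif src not in policy.engineering_ws | policy.read_only_hosts:
            rule = "unregistered host talking to PLC"
        else:
            continue
        findings.append(Finding(ts, src, dst, func, rule))
    return findings


# Constructed sample: 10.20.1.0/24 is the cell, .50 the unpatched PLC,
# .20 the engineering workstation, .10 the historian; 10.0.5.0/24 is IT.
POLICY = ConduitPolicy(
    ot_zone=ipaddress.ip_network("10.20.1.0/24"),
    plcs=frozenset({"10.20.1.50"}),
    engineering_ws=frozenset({"10.20.1.20"}),
    read_only_hosts=frozenset({"10.20.1.10"}),
)

SAMPLE_LOG = """
# ts                  src         sport  dst         dport func   (constructed)
2025-03-04T08:00:01Z  10.20.1.10  49152  10.20.1.50  502   3    # historian read: allowed
2025-03-04T08:00:05Z  10.20.1.20  49153  10.20.1.50  502   16   # EWS write: allowed
2025-03-04T08:01:12Z  10.20.1.10  49154  10.20.1.50  502   6    # historian writing a register
2025-03-04T08:02:40Z  10.0.5.77   51000  10.20.1.50  502   3    # IT-zone host reached the PLC
2025-03-04T08:03:03Z  10.20.1.31  51001  10.20.1.50  502   43   # unknown host, device identification
2025-03-04T08:03:30Z  10.20.1.31  51002  10.20.1.50  502   1    # unknown host, coil read
2025-03-04T08:04:00Z  10.20.1.20  51003  10.20.1.60  502   5    # not a protected PLC: out of scope
"""


def run_sample():
    return evaluate(SAMPLE_LOG.splitlines(), POLICY)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.ts} {f.src} -> {f.dst} func={f.func}: {f.rule}")
```

Running the sample yields four findings: a historian writing a register, an IT-zone host reaching the PLC at all (the segmentation itself has failed), and an unregistered in-zone host first fingerprinting the device and then reading coils. The ordering of the checks is deliberate: a cross-zone source is the worst outcome whatever it sends, a write from the wrong host is worse than a read, and a host not on the allowlist is a finding even when it only reads. This is also the shape of the "network-layer access log" a Risk Acceptance record for the unpatched controller should point to: the device stays unpatched, but every host that can talk to it is named, and anything else is logged and alerted.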
Supply chain security (Article 21(2)(d)): NACE C-28 (machinery and equipment) manufacturers face particularly complex supply chains, with firmware components, specialist subcontractors, and proprietary PLC software all representing potential attack vectors. Article 21(2)(d) requires addressing “supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers.” ENISA recommends a tiered supplier classification system with right-to-audit clauses for critical-tier suppliers and continuous monitoring. For a full implementation guide, see NIS2 Supply Chain Security.
Business continuity (Article 21(2)(c)): RTOs and RPOs for OT environments must account for production availability, not just IT system restore times. ENISA recommends BIA-driven RTOs/RPOs, a 3-2-1 backup rule with immutable copies, and annual tabletop exercises. For a manufacturing line where unplanned downtime costs tens of thousands of euros per hour, the BCP must address both the cybersecurity incident scenario and the production restart sequence — with documented decision authority for who calls a line shutdown.
Access control and MFA (Article 21(2)(i) and (j)): Manufacturing OT environments frequently rely on shared accounts on legacy HMIs, a pattern that sits uneasily with the Article 21(2)(i) access control requirement. Article 21(2)(j) requires multi-factor or continuous authentication solutions, and ENISA's guidance expects MFA on all remote and administrative access paths. Where shared accounts cannot be eliminated immediately, a compensating control register documenting the risk acceptance rationale, combined with a network-layer access log that shows which host reached which controller and when, is the minimum expected evidence. Remote access to OT networks, including vendor remote maintenance sessions, must be gated behind MFA and session recording, typically on a jump host at the IT/OT boundary rather than a path into the cell network itself. See also NIS2 Incident Reporting for the Article 23 obligations that run in parallel.
Article 20: Your Board’s Personal Liability
Article 20 of NIS2 places governance obligations directly on management bodies — not the IT team, not the CISO, and not external consultants. The provision establishes three requirements for every essential and important entity, including manufacturing companies in Annex II.
1. Approve cybersecurity risk-management measures. Management bodies must formally approve the measures taken under Article 21. This is not a rubber-stamp: it means reviewing, understanding, and signing off on the organisation’s cybersecurity risk management framework as a documented board action.
2. Oversee implementation. Approval is not sufficient. Management bodies are required to oversee the implementation of approved measures — which means ongoing governance through board-level cybersecurity reporting, documented management reviews, and a clear escalation path for material risks.
3. Accept liability for non-compliance. Article 20(1) provides that management body members can be held liable for infringements of Article 21, in accordance with national law, so the precise form of that liability depends on each Member State's transposition. For manufacturing companies this is still a material shift: the CEO and the board members who approve the framework now carry direct legal exposure for cybersecurity failures, and plant leadership that sits on the management body shares it.
Training is mandatory. Article 20 further states that members of management bodies are required to follow regular cybersecurity training to develop sufficient capability to identify risks and evaluate cybersecurity practices and their operational impact. This is a directive obligation, not guidance.
The practical audit implication: a board resolution approving the cybersecurity risk management framework is one of the first documents a national competent authority will request on inspection. Without it, the organisation has no documented evidence of Article 20 compliance regardless of how strong its technical controls are. For more on board-level NIS2 obligations, see NIS2 and Board Directors.
How Enforcement Works for Manufacturing Important Entities
Article 33 establishes a reactive (ex-post) supervision regime for Important entities — national competent authorities do not conduct routine proactive audits of Important entities the way they do for Essential ones. This is the key practical difference between Annex I and Annex II classification.
What triggers an investigation: Competent authorities may exercise supervisory powers when provided with “evidence, indication or information” that an Important entity allegedly does not comply with the directive, particularly Articles 21 and 23. In practice, the three most common triggers are: a significant cybersecurity incident reported under Article 23 that reveals inadequate risk management measures; a complaint or referral from another authority; or information from a third party — including a supplier, customer, or security researcher — indicating a breach of Article 21 obligations.
Once triggered, the authority has broad powers: on-site and off-site inspections by trained professionals, security audits by independent bodies, binding remediation orders, and administrative fines. The maximum fine for Important entities is €7 million or 1.4% of total global annual turnover — whichever is higher. For country-specific fine levels and enforcement authority contacts, see NIS2 Penalties.
What does not apply to Important entities: the power to temporarily prohibit persons with managerial responsibilities (at CEO or legal representative level) from exercising them, and to suspend certifications or authorisations, exists under Article 32(5) for Essential entities only. Article 33 gives no equivalent for Important entities; escalation there runs through warnings, binding instructions, orders to implement audit recommendations, orders to make aspects of non-compliance public, and administrative fines. Personal accountability of management body members nonetheless arises from Article 20(1), in accordance with national law. See also Article 23 Incident Notification for the reporting obligations that most frequently trigger Article 33 investigations.
Your 12-Month NIS2 Compliance Roadmap
This roadmap assumes a manufacturing entity starting from a moderate IT security baseline with limited OT-specific NIS2 documentation. Adjust timelines based on your gap assessment findings.
Quarter 1: Scope Confirmation and Gap Assessment
- Confirm NACE classification for all relevant business units
- Determine whether your Member State’s transposition law is in force and registration is open
- Register with the national competent authority if required
- Conduct an initial gap assessment against Article 21 measures using the ENISA June 2025 Technical Implementation Guidance as the baseline framework
Deliverable: Gap assessment report with prioritised remediation list; board presentation noting Article 20 approval and training obligations.
Quarter 2: Risk Foundation and Policy Framework
- Complete Risk Assessment Methodology and initial Risk Register (all-hazards approach, including OT threat scenarios)
- Draft or update Information Security Policy, Access Control Policy, and OT Asset Register
- Establish Incident Handling Policy with joint IT/OT procedures and 24/72-hour Article 23 notification readiness
- Submit core policy set to management body for formal approval (Article 20 governance documentation)
Deliverable: Core policy set approved by board. Risk Register version 1.0.
Quarter 3: OT-Specific Controls and Training
- Document compensating controls for legacy devices that cannot be patched; complete network segmentation between IT and OT zones
- Deploy or configure MFA on all remote access paths to OT environments
- Complete Business Continuity Plan with OT-specific RTOs/RPOs and production restart decision authority
- Roll out role-based cybersecurity training; management-specific NIS2 training completed
Deliverable: Technical control implementation record. Training records. BCP version 1.0.
Quarter 4: Supply Chain, Incident Readiness, and Internal Audit
- Classify direct suppliers by criticality tier; issue updated security clauses or agreements to critical-tier suppliers
- Conduct a tabletop exercise simulating a significant OT incident, including Article 23 notification rehearsal
- Perform first internal NIS2 compliance audit against ENISA TIG measures
- Obtain board sign-off on updated cybersecurity risk management framework
Deliverable: Supplier classification register. Tabletop exercise report. Internal audit report with board resolution.
Role-Responsibility Summary
| Activity | CISO / IT | OT / Engineering | Legal / Compliance | Board |
|---|---|---|---|---|
| Risk Assessment | Own | Input (OT threats) | Review | Approve |
| OT Controls | Own | Own | — | Oversight |
| Training | Deliver | Participate | Ensure compliance | Complete (mandatory) |
| Supplier Contracts | Input | Input | Draft / review | — |
| Internal Audit | Support | Support | Own | Review |
| NCA Registration | Execute | — | Ensure | Authorise |
For a full NIS2 compliance checklist mapped to all ten Article 21 measures, see NIS2 Compliance Checklist.
Key Takeaways
Manufacturing was not in NIS1. It is fully in scope under NIS2 Annex II, covering five NACE divisions (26 to 30) plus medical device manufacturers, and affecting any entity with 50 or more employees or with both turnover and balance sheet total above €10 million.
The compliance obligation is the same ten Article 21 measures for all Important entities. The OT environment requires availability-first thinking, compensating controls for legacy devices, and joint IT/OT incident response procedures that generic IT templates don’t provide.
Article 20 makes board approval and oversight of cybersecurity measures a legal obligation — not a best practice. The board resolution approving your Article 21 framework is an audit document. Management body members carry personal liability for compliance failures.
Enforcement for Important entities is reactive, but the triggers are broad: an incident, a complaint, or information from any source is sufficient. ENISA’s June 2025 Technical Implementation Guidance is the practical benchmark auditors will use. Building your compliance documentation against it now is the lowest-risk path forward.
Frequently Asked Questions
Is manufacturing under NIS2 classified as essential or important?
Manufacturing entities in Annex II are classified as Important entities by default. Annex I (Essential entities) covers, among others, energy, transport, banking, health, drinking water, digital infrastructure and public administration. Manufacturing does not appear in Annex I. Member States may identify specific manufacturers as Essential entities by national determination under Article 3, but this is exceptional rather than standard practice.
What size manufacturing company falls under NIS2?
The directive applies to companies qualifying as medium-sized enterprises or larger under Recommendation 2003/361/EC, meaning 50 or more employees, or both annual turnover and annual balance sheet total above €10 million. Small enterprises (under 50 employees with turnover or balance sheet at or below €10M) and micro-enterprises (under 10 employees) are generally exempt unless one of the size-independent cases in Article 2(2) applies, such as being the sole provider of an essential service, or a Member State has extended coverage.
Can ISO 27001 certification satisfy NIS2 compliance?
ISO 27001 provides strong evidence of controls across many Article 21 requirements and is explicitly referenced in ENISA’s June 2025 Technical Implementation Guidance alongside IEC 62443. However, it does not automatically satisfy NIS2 obligations. The directive requires documented measures for all ten Article 21 categories, including OT-specific elements that a generic ISMS scope may not cover at all if the plant network was left outside the certification boundary. ISO 27001 is a strong starting point, not a substitute for full NIS2 compliance documentation.
What is the difference between NIS2 and IEC 62443 for manufacturing?
NIS2 is a legal compliance framework establishing what outcomes are required — the ten Article 21 measures. IEC 62443 is a technical standard providing an engineering methodology for how to achieve secure OT environments, including zone/conduit modelling, security level assignments, and security programme requirements for asset owners (IEC 62443-2-1) and service providers (IEC 62443-2-4). ENISA explicitly references IEC 62443 in its implementation guidance. Manufacturing entities can use it as the implementation methodology that satisfies Article 21’s technical requirements.
When must I register with my national competent authority?
Article 3(3) of NIS2 required Member States to establish lists of essential and important entities by 17 April 2025. Registration procedures vary by country — check your national competent authority’s website for current requirements. Most are actively requesting registration from Annex II entities now that the April 2025 deadline has passed.
This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
Sources
- NIS2 Directive Annex II — Other Critical Sectors — Springlex (primary directive text)
- NIS2 Directive, Article 21: Cybersecurity Risk-Management Measures — nis-2-directive.com
- NIS2 Directive, Article 2: Scope — nis-2-directive.com
- NIS2 Directive, Article 20: Governance — nis-2-directive.com
- NIS2 Directive, Article 33: Supervisory Measures for Important Entities — nis-2-directive.com
- NIS2 Applicability: Essential vs Important Entities — Glocert
- ENISA NIS2 Technical Implementation Guidance (June 2025) — nis-2-templates.com
- Leveraging IEC 62443 for NIS2 Compliance — DNV
