NIS2 for Manufacturing and Production



How the NIS2 Directive applies to manufacturing organisations with operational technology (OT) environments — and what your compliance programme must address.

What NIS2 Means for Manufacturing

NACE Code Classification

Under NIS2 Annex I and II, manufacturing entities fall under NACE codes C26 (computer, electronic, and optical products), C27 (electrical equipment), and C28 (machinery and equipment). If your organisation operates in these sectors with 50+ employees or €10M+ turnover, NIS2 applies to you.

What Makes Manufacturing Different

Manufacturing environments operate systems that generic IT frameworks were never designed for. PLCs, CNC machines, SCADA, and MES form the backbone of production — many running on equipment with 10–30 year lifecycles that cannot be patched, replaced, or taken offline without halting production.

The convergence of IT and OT networks creates unique risk. A ransomware attack that encrypts CAD files can halt engineering. A compromised PLC can cause defective output or, in safety-critical environments, physical harm. The $71M Norsk Hydro attack and $375M Toyota/Kojima supply chain shutdown demonstrate these are not theoretical risks.

Why Generic Templates Fail

Generic NIS2 templates mention servers, laptops, and cloud services. They do not address:

  • PLC firmware patches that require vendor approval and safety recertification
  • Safety-instrumented systems with fundamentally different risk profiles
  • Incident response for production lines you cannot “shut down and restore from backup”
  • 30-year equipment lifecycles where “upgrade to latest version” is not an option
  • Manual production fallback and restart sequencing

Key Article 21 Measures for Manufacturing

Each NIS2 Article 21 measure requires specific adaptations for manufacturing OT environments. Here is what your competent authority will expect.

Art. 21(2)(a)

Risk Management

OT risk matrices must include a safety severity dimension alongside standard likelihood and impact. Production downtime costs thousands per minute. Risk treatment must account for systems that cannot be replaced, upgraded, or easily patched. Asset classification follows the Purdue Model — Level 0 sensors through Level 5 cloud.

Art. 21(2)(b)

Incident Handling

Production-line incidents and safety events require fundamentally different response. OT systems often cannot be “shut down and reimaged.” Response must balance containment with production continuity and worker safety. P1 incidents include production-halting or safety-threatening events. NIS2 requires 24h early warning and 72h full notification.

Art. 21(2)(c)

Business Continuity

Manufacturing BCP must include manual production fallback procedures, safety system startup sequences (SIS verified operational before any process restart), and specific restart ordering: safety systems first, then basic control (PLCs), then supervisory (SCADA/HMI), then execution (MES), then business (ERP). JIT supply chain communication is critical.
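The restart ordering above, as an added example that is not part of the original page or any vendor product: a small sequencer that refuses to start any layer until every layer before it, beginning with the SIS verification, has passed its post-start check. Stage names, the verify callbacks and the demo run are constructed assumptions.

```python
"""Staged production restart with a safety-system gate.

Added example, not from the page or any vendor product. It encodes the
restart ordering given above: SIS verified first, then PLCs, SCADA/HMI, MES,
ERP. Stage names, the verify callbacks and demo_restart() are constructed.
"""

# Restart order from the BCP text; a stage may start only after every
# earlier stage has passed its post-start verification.
RESTART_ORDER = ("SIS", "PLC", "SCADA/HMI", "MES", "ERP")


class RestartSequencer:
    def __init__(self):
        self.verified = []   # stages that passed verification, in order
        self.refusals = []   # (stage, reason) audit trail of refused requests

    def request_start(self, stage, verify):
        """Try to bring `stage` up. `verify` is a callable returning True when
        the stage's post-start check passes (e.g. the SIS proof test).
        Out-of-order requests and failed checks are refused and logged."""
        if stage not in RESTART_ORDER:
            raise ValueError(f"unknown stage {stage!r}")
        missing = [s for s in RESTART_ORDER[:RESTART_ORDER.index(stage)]
                   if s not in self.verified]
        if missing:
            self.refusals.append((stage, "prerequisites not verified: "
                                  + ", ".join(missing)))
            return False
        if not verify():
            self.refusals.append((stage, "post-start verification failed"))
            return False
        self.verified.append(stage)
        return True

    def production_ready(self):
        """True only once every stage is verified in the prescribed order."""
        return tuple(self.verified) == RESTART_ORDER


def demo_restart():
    """Constructed run: the SIS proof test fails once, an operator tries to
    bring MES up before the control layers, then the plant restarts in order."""
    seq = RestartSequencer()
    seq.request_start("SIS", lambda: False)   # proof test fails: refused
    seq.request_start("MES", lambda: True)    # out of order: refused
    for stage in RESTART_ORDER:               # correct sequence
        seq.request_start(stage, lambda: True)
    return seq
```

The refusal list doubles as the audit trail the competent authority will ask for after a restart.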

Art. 21(2)(d)

Supply Chain Security

Vendor remote maintenance requires dedicated VPN, MFA, session recording, and time-limited access windows — no persistent connections. PLC firmware integrity must be verified before deployment. System integrators who configure your OT systems need contractual security requirements with flow-down to sub-tier suppliers.

Art. 21(2)(e)

Patch & Vulnerability Management

OT patching operates on fundamentally different timelines. Critical IT patches deploy in 72 hours; OT critical patches deploy at the next maintenance window — averaging 34 working days. Compensating controls are essential: network segmentation (IDMZ at Purdue Level 3.5), intrusion detection for industrial protocols, application whitelisting, and read-only PLC monitoring.

Art. 21(2)(i)

Access Control

Manufacturing requires both physical and logical access controls for PLCs and HMIs. Engineering workstation access must be strictly managed — only authorised personnel can modify ladder logic. Legacy shared HMI accounts need compensating controls (physical access control, camera monitoring, activity logging). Emergency break-glass procedures are pre-authorised and audited.

Classification Thresholds

NIS2 classifies manufacturing entities as Essential or Important based on size. Both categories must comply with Article 21, but Essential entities face stricter supervision and higher penalties.

Classification | Employees | Turnover / Balance Sheet                      | Supervision
Essential      | 250+      | €50M+ turnover or €43M+ balance sheet         | Proactive (audits at any time)
Important      | 50–249    | €10M–50M turnover or €10M–43M balance sheet   | Reactive (after incidents)

Penalties: Essential entities face fines up to €10M or 2% of global turnover. Important entities face up to €7M or 1.4% of turnover. Under Article 20, management body members bear personal liability for non-compliance.

Get Compliance-Ready for Manufacturing

12 sector-specific policy templates built for OT environments — PLCs, SCADA, MES, and production-line realities in every document.