NIS2 and the Manufacturing Sector
Manufacturers of medical devices, computers, electronics, machinery, motor vehicles and transport equipment are covered under NIS2 Annex II. OT environments and supply-chain dependencies create broad attack surfaces.
Key cyber risks in Manufacturing
- IP theft via industrial espionage
- OT/IT convergence vulnerabilities in smart factories
- Supply-chain attacks via firmware or components
- Ransomware disrupting production lines
Focus obligations for Manufacturing
- OT network security and segmentation
- Software bill of materials (SBOM) for embedded systems
- 72-hour incident reporting
- Vendor risk management across the supply chain
Who is covered?
Examples of in-scope organisation types:
- Medical device manufacturers
- Computer and electronics manufacturers
- Automotive OEMs and tier-1 suppliers
- Industrial machinery manufacturers
- Aerospace component manufacturers
Manufacturing NIS2 compliance by country
See how national transpositions affect Manufacturing obligations in each EU member state:
Frequently asked questions
Is the Manufacturing sector covered by NIS2?
Yes. The Manufacturing sector is listed in NIS2 Annex II (other critical sectors). Medium and large organisations in this sector must comply with NIS2 obligations. Manufacturers of medical devices, computers, electronics, machinery, motor vehicles and transport equipment are covered under NIS2 Annex II. OT environments and supply-chain dependencies create broad attack surfaces.
Are Manufacturing organisations Essential or Important Entities?
Under NIS2, large Manufacturing organisations are typically Important Entities. Medium-sized Manufacturing organisations are also Important Entities. The distinction affects supervisory intensity and fine levels.
What are the key NIS2 obligations for the Manufacturing sector?
OT network security and segmentation; Software bill of materials (SBOM) for embedded systems; 72-hour incident reporting; Vendor risk management across the supply chain. Obligations apply under NIS2 Articles 21 (security measures) and 23 (incident reporting).
Which national authorities supervise NIS2 for Manufacturing in each EU country?
Each EU member state designates a national competent authority for NIS2. Visit any country page on NISDESK to see the specific authority and CSIRT for the Manufacturing sector in that country.
For decision-support purposes only. Exact scope depends on national transposition.