
NIS2 Annex.II.3: Manufacturing Sector Cybersecurity Requirements

What This Control Requires

Annex II lists the manufacturing sector, including the manufacture of medical devices and in vitro diagnostic medical devices; computer, electronic and optical products; electrical equipment; machinery and equipment; motor vehicles; and other transport equipment.

In Plain Language

Industry 4.0 has connected the factory floor to the internet, and with that connection comes real cybersecurity risk. NIS2 includes specific manufacturing sub-sectors in Annex II as important entities, focusing on those whose products or disruption could have significant societal or economic impact.

The modern manufacturing environment blends corporate IT with industrial control systems, robotics, IoT sensors, and cloud-connected manufacturing execution systems. The attack surface runs from the corporate network through engineering workstations all the way down to PLCs on the factory floor. Successful attacks can cause product defects, production downtime, safety hazards, intellectual property theft, and supply chain disruption.

NIS2 specifically includes medical device and automotive manufacturers because a compromised manufacturing process could introduce vulnerabilities or defects into products that directly affect end-user safety. Cybersecurity responsibility here extends beyond protecting your own operations - it includes ensuring the integrity and security of what you produce.

How to Implement

Map all connections between corporate IT, engineering networks, and the factory floor. Apply the ISA/IEC 62443 security model with defined security zones and controlled conduits between them.

Secure the industrial control systems that run your production: PLCs, HMIs, SCADA systems, and manufacturing execution systems (MES). Enforce access controls on engineering and maintenance interfaces, monitor control system traffic for anomalies, implement change management for PLC programme modifications, and harden the engineering workstations that bridge IT and OT.

Protect the intellectual property embedded in your manufacturing processes. Product designs, CAD files, manufacturing recipes, quality control procedures, and supply chain information all need data loss prevention controls, proper access restrictions, and encryption.

Address product security across the manufacturing lifecycle. If you make medical devices, vehicles, or electronic equipment, integrate security into product design from the start. Use secure development practices for embedded systems, protect the software supply chain for product components, ensure your manufacturing processes do not introduce vulnerabilities, and maintain the ability to push security updates to deployed products.

Write incident response procedures tailored to manufacturing. Cover production line disruption scenarios, quality impact assessment when manufacturing systems are compromised, coordination with product safety authorities if product integrity is at risk, communication with customers and supply chain partners, and safe restart procedures for manufacturing systems.

Control remote access for equipment vendors and integrators tightly. Use dedicated remote access infrastructure with MFA, record and monitor all sessions, provision access on a just-in-time basis, and restrict vendor connectivity to specific systems only.

Do not overlook sector-specific product security regulations beyond NIS2: MDR for medical devices, UNECE R155/R156 for vehicles, and the Cyber Resilience Act for digital products.
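As an added example (not from the page or from AuditFront), the following script applies the zone-and-conduit model and the vendor-access rules described above to a constructed inventory. It flags hosts dual-homed across IT and OT zones, observed flows with no declared conduit, and vendor remote access that is always-on, expired, or not session-recorded. Zone names, hosts, protocols and vendor names are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Which side of the IT/OT boundary each constructed zone sits on.
ZONE_LEVEL = {"corporate_it": "it", "dmz": "dmz", "engineering": "ot", "cell_a": "ot"}

@dataclass
class Host:
    name: str
    zones: frozenset   # one zone entry per network interface

@dataclass
class VendorAccess:
    vendor: str
    target_zone: str
    expires: Optional[datetime]   # None means the account never expires (always-on)
    recorded: bool                # session recording enabled for this account

def find_dual_homed(hosts):
    """Hosts with one interface in an IT zone and another in an OT zone."""
    return sorted(h.name for h in hosts
                  if {"it", "ot"} <= {ZONE_LEVEL[z] for z in h.zones})

def find_undeclared_flows(flows, conduits):
    """Observed (src_zone, dst_zone, protocol) flows with no matching declared conduit."""
    return [f for f in flows if f not in set(conduits)]

def find_risky_vendor_access(entries, now):
    """Vendor accounts that are always-on, past expiry, or not session-recorded."""
    findings = []
    for e in entries:
        if e.expires is None:
            findings.append((e.vendor, "always-on"))
        elif e.expires <= now:
            findings.append((e.vendor, "expired"))
        if not e.recorded:
            findings.append((e.vendor, "unrecorded"))
    return findings

# Constructed sample data: a dual-homed engineering workstation, a direct IT-to-cell SMB
# flow that bypasses the declared conduits, and two vendor accounts with problems.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
HOSTS = [Host("eng-ws-01", frozenset({"corporate_it", "engineering"})),
         Host("hmi-02", frozenset({"cell_a"}))]
CONDUITS = [("dmz", "engineering", "ssh"), ("engineering", "cell_a", "s7comm")]
FLOWS = [("dmz", "engineering", "ssh"), ("corporate_it", "cell_a", "smb"),
         ("engineering", "cell_a", "s7comm")]
VENDORS = [VendorAccess("acme-robotics", "cell_a", None, True),
           VendorAccess("integrator-x", "engineering", NOW + timedelta(hours=4), True),
           VendorAccess("pumpco", "cell_a", NOW - timedelta(days=30), False)]
```

Running the three checks over this data reports eng-ws-01 as dual-homed, the corporate_it-to-cell_a SMB flow as undeclared, and acme-robotics (always-on) and pumpco (expired, unrecorded) as vendor-access findings.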

Evidence Your Auditor Will Request

  • IT/OT security architecture following ISA/IEC 62443 or equivalent
  • Industrial control system security assessment
  • Intellectual property protection measures documentation
  • Product security programme for manufactured goods
  • Manufacturing-specific incident response procedures

Common Mistakes

  • No segmentation between factory floor OT and corporate IT networks
  • Engineering workstations dual-homed between IT and OT without adequate controls
  • Remote vendor access to manufacturing systems unmonitored and always-on
  • Product security not addressed during manufacturing; focus only on operational security
  • Legacy manufacturing equipment with decades-old firmware and no security updates

Related Controls Across Frameworks

Framework    Control ID    Relationship
ISO 27001    A.5.1         Related
ISO 27001    A.8.22        Related

Frequently Asked Questions

Which manufacturing sub-sectors are included in NIS2?
Annex II specifically covers medical devices, computer/electronic/optical products, electrical equipment, machinery and equipment, motor vehicles, and other transport equipment. If your manufacturing sector is not on this list, you may still be in scope through national implementation provisions, so check your local transposition.
How does the Cyber Resilience Act (CRA) interact with NIS2 for manufacturers?
They address different sides of the same coin. NIS2 focuses on securing your manufacturing operations. The CRA focuses on ensuring the products you put on the EU market meet cybersecurity requirements. If you are subject to both, you need to make sure your factory is secure (NIS2) and your products are secure (CRA). The two are designed to complement each other.
