DIRECTIVE (EU) 2022/2555 · ANNEX II · IMPORTANT ENTITY

NIS2 in Manufacturing: OT/ICS Cybersecurity & 24-Hour Reporting.

NIS2 classifies manufacturing as an Annex II important entity, with OT/ICS cybersecurity obligations distinct from traditional IT. IgeraIndustria answers which measure applies and by when an incident must be reported.

Directive 2022/2555 indexed OT/ICS cybersecurity <3s response

NIS2 in three key numbers for manufacturing

NIS2 introduces strict reporting deadlines and specific penalty thresholds for important entities in the manufacturing sector.

24 hours

Maximum deadline for the early warning of a significant incident from the moment it becomes known.

€7M / 1.4%

Maximum fine for important entities: €7 million or 1.4% of global turnover.

Annex II

Manufacturing of medical devices, computers, vehicles and machinery classified as an important entity.

OT/ICS cybersecurity: different from IT security

NIS2 requires risk-management measures tailored to industrial control systems, with priorities different from traditional information security.

Availability before confidentiality

In OT, the priority is keeping the production line running safely. A standard IT security patch may not be applicable without stopping production.

Plant/office network segmentation

NIS2 requires separating the corporate IT network from the industrial control OT network to prevent an office incident from spreading to PLCs and SCADA.

Industrial asset inventory

A practical prerequisite for any risk management: cataloguing PLCs, HMIs, SCADA systems and their connectivity, including legacy equipment without security support.

Control system suppliers

Art. 21 requires assessing the security of PLC, SCADA and plant software vendors, including their remote access to the OT network.

Continuity and crisis management

Production-specific continuity plans: what to do if a cyberattack forces a plant shutdown, with procedures for safe return to operation.

Cyber hygiene and operator training

Training tailored to plant operators, not just IT staff, on threat recognition and escalation procedures.

Related resource: critical manufacturers

If your company manufactures products with special relevance to critical infrastructure, see our dedicated analysis.

FAQ: NIS2 for critical manufacturers

Specific criteria that elevate a manufacturer to essential entity status and reinforced supervision obligations.

Frequently asked questions — NIS2 for manufacturing

Why is manufacturing an "important entity" rather than an "essential entity" under NIS2?

The NIS2 Directive (EU 2022/2555) sorts sectors into Annex I (essential entities: energy, transport, banking, health, water, digital infrastructure) and Annex II (important entities: manufacturing, postal services, waste management, chemicals, food). Manufacturing of certain products — medical devices, computers, motor vehicles, machinery, among others — falls under Annex II. The practical difference: essential entities are subject to proactive supervision by authorities, while important entities are only supervised reactively, after an incident or complaint, although the security obligations are substantially the same.

What employee or turnover threshold determines whether a factory is subject to NIS2?

As a general rule, NIS2 applies to medium and large companies: more than 50 employees or more than €10 million in annual turnover or balance sheet total, within the sectors covered by Annexes I and II. There are exceptions: some entities are covered regardless of size if they provide specific critical services (for example, the sole provider of an essential service in a Member State), and Member States can extend the scope in their national transposition.

What is the difference between IT cybersecurity and OT/ICS cybersecurity on a factory floor?

IT cybersecurity protects traditional information systems (ERP, email, corporate networks). OT (Operational Technology) and ICS (Industrial Control Systems) cybersecurity protects the systems that control physical processes: PLCs, SCADA, distributed control systems, and plant sensors. The priorities differ: IT prioritises data confidentiality; OT prioritises availability and physical safety, because a cybersecurity failure can halt production or cause an accident. NIS2 requires technical and organisational measures tailored to this difference, rather than applying generic IT controls directly to OT systems.

How quickly must I report a cybersecurity incident under NIS2?

NIS2 sets a three-stage reporting process: an early warning within 24 hours of becoming aware of a significant incident, a full incident notification within 72 hours including an initial assessment of severity and impact, and a final report within one month, with a detailed description, root cause, and mitigation measures applied. An incident is considered "significant" when it causes or is capable of causing severe operational disruption or considerable financial loss, or affects other persons causing significant material or non-material loss.

What supply chain security obligations does NIS2 impose?

Article 21 of NIS2 requires assessing and managing the cybersecurity risks of direct suppliers and service providers, including the quality of secure-development practices from OT/ICS system vendors (PLCs, SCADA, plant control software). This is especially relevant in manufacturing, where many high-impact incidents have entered through equipment or industrial software vendors with remote access to the plant network.

What penalties does NIS2 impose on important entities that fail to comply?

For important entities, the maximum administrative fine is €7 million or 1.4% of global annual turnover, whichever is higher (for essential entities, the maximum is €10 million or 2% of global turnover). Beyond fines, national authorities can impose mandatory corrective measures, security audits, and, in serious cases, temporarily suspend relevant certifications or authorisations, or even temporarily bar responsible managers.

What minimum risk-management measures does Article 21 of NIS2 require?

Article 21(2) lists ten minimum areas: risk analysis and information system security policies, incident handling, business continuity and crisis management, supply chain security, security in system acquisition/development/maintenance, policies to assess the effectiveness of measures, basic cyber hygiene and training, cryptography and encryption, human resources security and access control, and the use of multi-factor authentication and secure communications.

How does IgeraIndustria help prepare NIS2 compliance on the shop floor?

IgeraIndustria indexes the full NIS2 Directive alongside your internal OT/ICS cybersecurity documentation — network segmentation policies, industrial asset inventories, incident response plans — letting your security lead ask in plain language which Article 21 measure applies to a specific scenario and what reporting deadline applies. For a deeper look at critical manufacturers, see our FAQ on critical manufacturers under NIS2.

Is your plant ready for NIS2?

  • Free 14-day trial — no credit card required
  • Full NIS2 Directive preindexed from day one
  • Upload your OT/ICS policies, asset inventory and response plans
  • Answers cite the exact article and applicable reporting deadline
Start free trial