Are You Truly in Scope for NIS 2, and What Does That Mean for Your Manufacturing Operation?
For manufacturers in the NACE C26–C30 codes (electronics, machinery, vehicles, battery, and advanced equipment producers), NIS 2 compliance is an operational reality: if not today, then within your next major contract cycle. The threshold isn’t just company size or turnover (≥50 staff, €10m+ revenue); it’s the sector’s role in Europe’s critical economic and societal infrastructure. If your entity or group touches any regulated category (semiconductors, critical vehicle systems, batteries, robotics, or industrial automation), the “important entity” bar likely applies with full effect. This brings oversight obligations, supply chain due diligence, and detailed incident reporting, and extends beyond classic “cyber” events to include any operational disruption with a digital origin.
How Do Group Structures, Subsidiaries, or Pan-European Supply Chains Shape Your Responsibilities?
Regulators care about the totality of your group, not just what your local office or individual subsidiary reports. Aggregated headcount, revenue, and group-wide activities are tested, targeting any organisation that might attempt to “carve out” bits to fall below the threshold. If you operate across multiple EU member states or within a global parent, expect regulatory expectations to default to the highest standard across the group. Suppliers and partner choices pull risk into your zone with equal strength: ENISA notes that no amount of paperwork will shield you from fault if an in-scope supplier fails or cuts corners.
Why Fast-Track Readiness Now?
Speed isn’t only about “box ticking.” Buyers in automotive, energy, and electronics procurement increasingly demand NIS 2-ready evidence before signing you on, prioritising pre-qualified, confidently compliant partners. This becomes a commercial accelerator, not only a risk mitigator.
Why the Cyber Threat Landscape Is Escalating for Manufacturing, and Why a Clean Record Isn’t Enough
Unlike less integrated sectors, manufacturers confront adversaries determined to disrupt entire supply chains, extort high-value victims, or leverage compromised systems for larger geopolitical gains. Legacy OT environments, unpatched automation, orphaned developer laptops, and global supplier integrations create unknown terrain for both defenders and attackers. The reality: attackers use advanced reconnaissance, living-off-the-land tactics, and patience, often lurking undetected for months before triggering a breach.
Why Is Third-Party Risk No Longer “Their Problem”?
A compromised supplier can now force your downtime, regulatory investigation, or even mandatory production stops. NIS 2 demands you prove not only that you follow best practice internally, but that critical suppliers and service providers do too, with written records, audit trails, and escalation paths. Failure in one plant or partner can rapidly propagate, carrying legal, financial, and reputational fallout across markets and borders.
Why Are Brownfield, Mixed-Tech Plants in the Crosshairs?
Older factories, “tech stack soup,” and rushed digital upgrades increase exposure: incompatible patching, hard-to-inventory devices, staff developing their own “workarounds,” and high reliance on human procedures. These weaknesses aren’t a death sentence if they’re managed, staged, and escalated with proof. NIS 2 will accept incremental improvement, so long as every risk has a documented owner and closure plan.
Bottom line: take less comfort from a blank incident record. What counts is live identification, documentation, and management of risk paths.
Audit-Ready Traceability Table
| Trigger | Risk Update | Control/SoA Link | Evidence Logged |
|---|---|---|---|
| Supplier breach | Add to risk register | 5.19 | Incident notice, contract review |
| Unpatched firmware | OT vulnerability update | 8.8 | Patch tracker, risk justification |
| Suspected phishing | Internal incident review | 5.25 | SIEM alert, action log |
| Brownfield IP leak | Asset inventory/categorisation | 8.1, 8.22 | Map, owner, closure deadline |
True resilience is less about the absence of headlines and more about visible, real-time management and live-recorded, staged risk reduction.
Master NIS 2 without spreadsheet chaos
Centralise risk, incidents, suppliers, and evidence in one clean platform.
What Has Changed in NIS 2 Risk Management and Incident Response for Manufacturing?
Static compliance is obsolete. NIS 2 requires manufacturers to maintain living, role-assigned, and dynamically documented risk management and incident response systems. Board approval, regular scenario rehearsals, and real-time reporting have replaced end-of-year tick-box reviews. Significant incidents (any event that threatens production, contracts, legal obligations, or safety) must now be notified, in evidence-backed, regulator-accessible form, within 24 or 72 hours.
Key Shifts in Practice
- Continuous risk register: Updated with every production, supplier, or tech change. The register must reflect current and emerging risks, underpinned by board approval and regular review.
- Living incident playbooks: No more generic crisis binders. Procedures must track actual play, staff rehearsals, drills, and lessons learned, timestamped and retrievable for audit.
- Documented roles for notification/escalation: Cover for holidays, night shifts, and staff turnover is mandatory.
Example: Traceability Table for Asset/Event Notification
| Asset/Event | Owner Role | Notification Duty | Escalation Path | Evidence Logged |
|---|---|---|---|---|
| SCADA OT downtime | Plant Manager | 24-hr to CSIRT | Ops > Board > CSIRT | Outage log, notif. |
| Supplier breach | Vendor Lead | Prompt review | Legal > CISO | Notification email |
| IT ransomware | Security Ops | IT escalation | CISO > Board | SIEM record, ticket |
| Severe incident | CISO | 72-hr to Regulator | Board > Regulator | Incident report |
What Is “Enough” for Audit-Ready Evidence?
- Risk register shows when, why, and by whom each change was made.
- Live-tested incident playbook (last exercise, scenario, participants).
- Audit-traceable logs for all incidents (including attempts), not just successful attacks.
Note: Attempted incidents are not formal notifications but must be logged, classified, and reviewed. Documentation is as vital as incident response.
Bridging Legacy OT and Modern IT for Real NIS 2 Compliance: Asset Inventory and Gap Management
Perfection is not the bar; credible, staged, and documented improvement is. Manufacturers can comply even with legacy assets and complex brownfield operations, so long as every critical asset is mapped, every exception is justified, and ownership for closure is assigned.
Digital Inventory: Needed, Not Impractical
A perfect database is not needed, but you must maintain a regularly updated critical asset map and risk register, annotating what cannot be digitised and why. Gap logs, paper controls, and staged upgrades are allowed for slow-to-modernise plants.
OT/IT Asset–Control Mapping Table
| Asset | Risk | Minimum Action | Annex A Ref |
|---|---|---|---|
| PLC | Malware/lock | Network zone, physical isolation | 8.20, 8.22 |
| File Server | Ransomware/IP | MFA/logging | 8.5, 7.10 |
| Air-gap SCADA | Insider threat | Access logs, key control | 7.3, 7.4 |
| VPN Gateway | Supply chain | Supplier ISO check, MFA | 5.19, 8.31 |
Can Physical Controls Stand in for Digital Gaps?
Until digital upgrades complete, physical controls (locked cabinets, paper visitor logs) are valid, if enforced and recorded. NIS 2 wants visibility, rationale, and improvement progression, not excuses.
Incremental, justified improvement, with built-in closures and accountability, will always outweigh controls that are perfect on paper but neglected in practice.
Be NIS 2-ready from day one
Launch with a proven workspace and templates – just tailor, assign, and go.
Why Supply Chain Due Diligence Is Now Operational, and How Much Proof Is Enough?
NIS 2 raises supply chain governance beyond traditional “tick-box” vendor reviews. Now, you must actively track, document, and escalate every critical supplier incident, status change, contract exception, or failed compliance response. Quarterly risk checks are a minimum for critical suppliers. Every instance of failed proof, process change, or incident must be registered, must explain the new risk exposure, and must be linked to assigned owners for action or acceptance.
Supply Chain Due Diligence Trigger Table
| Trigger | Risk Register Update | Control/SoA Link | Evidence Logged |
|---|---|---|---|
| Data breach in supplier | Risk entry, assessment | 5.19, 8.29 | Inc. log, notif. email |
| Failed contract | Escalation, re-contract | 5.20, 5.21 | Minutes, comms |
| Compliance refusal | Risk acceptance/mitigate | 2.1, 8.2 | Board notes, file log |
| Supplier process change | Update risk/categorise | 6.1, A5 | Risk register |
| Status upgrade (to NIS 2) | Reclassification, notify | 5.22, 8.23 | Supplier file |
Track, assess, and document escalation for every failed check or process change; regulators now expect a living log of these exchanges, with no “audit by memory” gaps.
Which ISO/IEC Standards Map to NIS 2, and How Do You Close Cross-Standard Gaps in Manufacturing?
ISO 27001 and IEC 62443 do much of the heavy lifting, provided your control system isn’t just a paper SoA but a digitised, versioned, and actively updated framework. The new EU sector guidance calls for continuous Statement of Applicability (SoA) updates: live mapping, role assignment, and all gaps tracked in real time.
ISO/NIS 2 Bridge Table (Compact)
| NIS 2 Article | What You Must Show | ISO/Annex A Ref |
|---|---|---|
| Article 21 | Risk register, update log, evidence | 6.1, A5.7, A8.2 |
| Article 23 | Set roles, notify, track response | A5.24, A5.26 |
| Supply Chain | Prove due diligence trails | 5.19–5.21, 8.29 |
| Asset Inventory | Map OT/IT, explain legacy gaps | 8.9, 8.10, A8.1 |
| Audit/Evidence | Test trails, link records to events | 9.2, 9.3, A8.15 |
Traceability Table: Example
| Trigger | Risk Register | Control/SoA | Evidence |
|---|---|---|---|
| Supplier incident | Yes | 5.19 | Incident log, board |
| OT asset not patchable | Yes | 8.8 | Justification, log |
| Process change in supply | Yes | 6.1 | Risk update, email |
Remember: an honest gap with planned closure is preferred by auditors to unsubstantiated claims of “full compliance.”
All your NIS 2, all in one place
From Articles 20–23 to audit plans – run and prove compliance, end-to-end.
What Does Good-Enough, “Audit-Ready” Evidence Actually Look Like for a Manufacturer Under NIS 2?
Audit readiness is evolving from “well organised files” into a daily habit of evidence logging, role assignment, and version checking. Auditors and regulators now expect to see: living change and risk registers; versioned, retrievable incident and supply chain records; audit trails for every asserted control, approval, and remediation; and accessible, time-stamped logs: digital where possible, though physical records are temporarily allowed for legacy assets.
What Satisfies External Review?
- Risk registers with who/what/when, and why changes were made.
- Live, version-controlled incident logs and playbooks.
- “Pull-ready” supporting records: policy packs, training logs, SoA trails.
- Scheduled and spot-check audit parity: readiness must be continuous.
Audit-ready isn’t a file; it’s a system: living, cross-referenced, retrievable, and trusted by every role from the plant floor to the board.
Turning Compliance from Overhead Into Asset: How ISMS.online Powers Manufacturing Resilience
For manufacturers tackling fragmented spreadsheets, disjointed incident logs, and stitched-together risk registers, compliance can feel more like a drag than a competitive edge. However, with the right platform, unifying everything from policies and controls to asset mapping, risk register management, incident triage, and supply chain diligence, compliance shifts from a costly, reactive afterthought to a catalyst for growth.
With ISMS.online, manufacturers routinely cut audit preparation time by half, eliminate evidence silos, and build trust with buyers and regulators alike. Automated reminders, policy engagement, versioned evidence, and supplier tracking converge in a single, live operational workspace. This accelerates supply chain onboarding, shortens risk escalation cycles, and means your audit readiness is proven, not just promised, every day.
Set your team up to lead, not lag, in the new manufacturing compliance era: audit-ready, board-credible, and primed to win as NIS 2 cements its grip on the sector.
Frequently Asked Questions
Who falls in-scope as an “important entity” under NIS 2 for manufacturing, and does NACE C26–C30 mean you’re always included?
Manufacturers are classified as an “important entity” under NIS 2 if their operations or headquarters fall within NACE codes C26–C30 (which covers electronics, electrical equipment, machinery, vehicles, and transport equipment) and the group meets either of these criteria: at least 50 employees or annual turnover exceeding €10 million. What changes under NIS 2: the test occurs at the group level across all EU subsidiaries, not just standalone legal entities. Even if each individual plant falls below the threshold, a multinational group with multiple small subs may tip into scope once aggregated. Your supply chain positioning matters just as much: if your operation provides components to regulated “essential entities” (think energy, health, or finance), contracts or RFPs may demand NIS 2 compliance even if your regulator hasn’t flagged you yet [EU Digital Strategy – NIS 2].
Every contract, supplier expansion, or acquisition can alter your compliance boundary. Treat it as flexible, not fixed.
Quick inclusion table for manufacturing
| Situation | In scope? | Rationale |
|---|---|---|
| Standalone plant, over 50 staff | Yes | NIS 2 direct, by size/turnover |
| Grouped subs, each under 50, total >50 | Yes | NIS 2 applies at EU group aggregate level |
| Major supplier to essential sector | Yes | Critical supply function triggers inclusion |
| Non-EU parent, EU subsidiary | Yes | Jurisdiction applies to EU-located operations |
If your group structure or customer base is dynamic, you should continually recheck your scope; regulators expect you to do so at least annually, or at every major business change.
Which cyber threats are manufacturers, especially brownfield and supply-driven ones, most exposed to under NIS 2?
Manufacturing is a top target for advanced threat actors, with brownfield sites (those blending legacy machinery with new digital OT/IT layers) and complex supply chains magnifying the risk. Key exposures include:
- Outdated ICS/PLC vulnerabilities: Unpatchable or unsupported control systems are frequent ransomware or remote exploit entry points, with real-world cases causing multi-day plant closures and production loss.
- Supply chain attacks: Compromised remote support tools, vendor laptops infecting shopfloor networks, and infected software updates can propagate malware; your supplier’s breach may quickly become your own regulatory incident.
- Ghost assets and poor visibility: Old computers or forgotten devices can offer undetected backdoors, especially when asset inventories lag behind reality.
- People risk (social engineering): Maintenance staff, contractors, or agency workers with rotating access can be phished, offering attackers lateral entry into the production environment.
Adversaries exploit the least-secure link; sometimes that's not your firewall, but a supplier laptop or overlooked device in the corner of the plant.
Incidents affecting your suppliers or customers, if they disrupt your continuity or data flow, now also count as your compliance problem under NIS 2.
What risk, incident response, and board reporting evidence must C26–C30 manufacturers maintain for NIS 2?
Risk management under NIS 2 is a living, not static, obligation. Your risk register is no longer an annual artefact: it must be updated when incidents happen, assets change, or significant supplier events occur. For each risk, document:
- Assigned owner (by name/role, not just “IT” or “compliance”)
- Date of last review/version
- Documented decision or closure (not just “closed,” but why/how)
- Stored record of each escalation and decision point (audit trail of notifications)
- Evidence of periodic board review and sign-off
Incident response plans now require concrete evidence: notification playbooks with 24-hour and 72-hour escalation timelines (Article 23), as well as logs that demonstrate the actual flow of an incident, from local escalation (plant to CISO), to board/advisor, to regulator if needed.
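The two things a compliance lead actually has to check every day are (a) whether each risk register entry carries the fields listed above, and (b) where each significant incident sits against the 24-hour early-warning and 72-hour notification windows. The following Python script is an added example written for this page; it is not ISMS.online code and not part of the original article. The field names, the "vague owner" and "status-only decision" rules, the sample risk entries and the incident timestamps are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Notification windows named on the page (Article 23): early warning within
# 24 hours and incident notification within 72 hours of becoming aware.
EARLY_WARNING_WINDOW = timedelta(hours=24)
NOTIFICATION_WINDOW = timedelta(hours=72)

# Owner labels that fail the "named owner by role, not just 'IT'" rule (assumed list).
VAGUE_OWNERS = {"", "it", "compliance", "security", "tbd"}
# Decisions that record a status only, not the why/how the register must show (assumed list).
STATUS_ONLY = {"", "open", "closed", "done"}


@dataclass
class RiskEntry:
    risk_id: str
    description: str
    owner: str                       # e.g. "Plant Manager (J. Doe)", never a bare department
    last_review: Optional[datetime]  # date/version of the last review
    decision: str                    # why/how the risk was closed or accepted
    escalations: list = field(default_factory=list)  # audit trail of notifications/decisions
    board_signoff: Optional[datetime] = None         # periodic board review evidence


def register_gaps(entry: RiskEntry) -> list:
    """Return the audit-readiness gaps in one risk register entry (empty list = ready)."""
    gaps = []
    if entry.owner.strip().lower() in VAGUE_OWNERS:
        gaps.append("owner is a department or blank, not a named role")
    if entry.last_review is None:
        gaps.append("no last review date/version")
    if entry.decision.strip().lower() in STATUS_ONLY:
        gaps.append("decision records a status only, not why/how")
    if not entry.escalations:
        gaps.append("no escalation/decision audit trail")
    if entry.board_signoff is None:
        gaps.append("no board review/sign-off")
    return gaps


@dataclass
class Incident:
    incident_id: str
    aware_at: datetime
    significant: bool                # threatens production, contracts, legal duties or safety
    early_warning_sent: Optional[datetime] = None
    notification_sent: Optional[datetime] = None


def _window_state(sent: Optional[datetime], deadline: datetime, now: datetime) -> str:
    """met/late when a notice was sent; pending/overdue when it was not."""
    if sent is not None:
        return "met" if sent <= deadline else "late"
    return "overdue" if now > deadline else "pending"


def notification_status(incident: Incident, now: datetime) -> dict:
    """Deadlines for the 24h early warning and 72h notification, and their state at `now`."""
    ew_deadline = incident.aware_at + EARLY_WARNING_WINDOW
    notif_deadline = incident.aware_at + NOTIFICATION_WINDOW
    if not incident.significant:
        # Attempts and non-significant events are logged and reviewed, not notified.
        return {"early_warning": "not required", "notification": "not required",
                "early_warning_deadline": ew_deadline, "notification_deadline": notif_deadline}
    return {
        "early_warning": _window_state(incident.early_warning_sent, ew_deadline, now),
        "notification": _window_state(incident.notification_sent, notif_deadline, now),
        "early_warning_deadline": ew_deadline,
        "notification_deadline": notif_deadline,
    }


# Constructed sample data (not taken from the page).
SAMPLE_AWARE_AT = datetime(2024, 3, 1, 8, 0, tzinfo=timezone.utc)


def sample_entries():
    """One entry that fails every check and one that passes them all."""
    weak = RiskEntry("R-017", "PLC firmware unpatchable", "IT", None, "closed")
    ready = RiskEntry("R-018", "Supplier refused notification clause",
                      "Vendor Lead (A. Example)", SAMPLE_AWARE_AT,
                      "Accepted until re-contract in Q3; compensating control: MFA on VPN",
                      escalations=["2024-02-20 escalated to CISO", "2024-02-27 board note"],
                      board_signoff=SAMPLE_AWARE_AT)
    return weak, ready


def sample_incident() -> Incident:
    """Early warning went out 20h after awareness; the 72h notification is still unsent."""
    return Incident("INC-0001", SAMPLE_AWARE_AT, True,
                    early_warning_sent=SAMPLE_AWARE_AT + timedelta(hours=20))


if __name__ == "__main__":
    weak, ready = sample_entries()
    print(weak.risk_id, register_gaps(weak))
    print(ready.risk_id, register_gaps(ready) or "audit-ready")
    print(notification_status(sample_incident(), SAMPLE_AWARE_AT + timedelta(hours=80)))
```

Run with a clock 80 hours after awareness and the sample incident reports the early warning as met and the notification as overdue, which is exactly the state a board dashboard should surface. The two lists of rejected owner and decision labels are deliberately small; in a real register they would be replaced by a lookup against the organisation's role directory.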
Example: Evidence required for board and regulator review
| Trigger | Owner | Escalation Path | Evidence Examples |
|---|---|---|---|
| Supplier incident | Vendor manager | CISO → Regulator | Risk register, comms log |
| Plant outage | Supv/manager | CSIRT → Board | SIEM alert, shift log |
| Ransomware event | Security/IT lead | CISO → Regulator/Board | Incident playbook, rota |
Always maintain real-time or near-real-time documentation. Static, annual filings are a regulatory risk.
How do manufacturers with legacy OT reconcile NIS 2 compliance with practical realities (and regulator scrutiny)?
Regulators recognise legacy OT can’t be patched overnight. What auditors want: a credible, phased roadmap with honest exception handling and “stepping-stone” controls. Prove you:
- Maintain an up-to-date asset register (including a partial inventory for legacy assets)
- Implement compensating controls where patching isn’t feasible: manual network segmentation, badge logs, access keys, scheduled checks
- Document written exceptions: for every unmitigated risk, detail why, for how long, and the planned closure/remediation date, with sign-off from the CISO or board
- Review controls regularly: quarterly or after material change, never just annually
A visible, versioned improvement plan outweighs promises of instant fixes. Transparency, not perfection, satisfies the audit.
By documenting intent and exceptions, and aligning your improvement roadmap with budget and board review, you retain control of your compliance journey.
What supply chain due diligence and escalation records must manufacturers produce for a NIS 2 audit?
NIS 2 makes supplier risk a real-time, versioned data set, not a “tick-box” on onboarding forms. For every critical supplier, maintain:
- Signed cyber-security and incident notification clauses in contracts (with tracked negotiation if not accepted)
- Chain of custody for each contractual change, risk acceptance, or escalation (email, digital log, board record)
- Ongoing communications in the risk register: every reminder, missed deadline, or supplier-provided justification
- Documentation of board-level approval for any risk “accepted” due to lack of supplier cooperation
| Supplier Issue | Action (Who/What) | Update to Risk File | Audit Evidence |
|---|---|---|---|
| Contract clause refusal | Board/legal sign-off | Yes | Board note, email log |
| Missed certification | Procurement/CISO escalation | Yes | Email, risk register |
| Ongoing issues/incidents | Risk board review, action plan | Yes | Audit log, plan copy |
Every escalation or “risk accepted” decision must be owned; compliance here is cumulative and ongoing.
Where do NIS 2, ISO 27001, and IEC 62443 requirements overlap, and where do manufacturing SoAs (Statements of Applicability) fail most at audit?
All three frameworks require risk management, asset registers, assigned controls, and supplier due diligence. What separates NIS 2: every control must be “live-linked”, that is, linked to a current risk, explicit owner, version/review cycle, and matched to proof of incidents handled and lessons applied. Typical Statement of Applicability (SoA) failures in audits:
- No owner or last review date for given controls
- Controls not mapped to supply chain risks/events
- Stale evidence: “Policy in place” but no update since last audit
- Absence of incident response playbooks with tested notification paths
Compact ISO 27001/NIS 2 Bridge Table
| NIS 2 Expectation | Operationalisation Action | ISO 27001 / Annex A Ref |
|---|---|---|
| Living risk register | Dynamic updates, board review | 6.1, A5.7 |
| Role-based escalation | Playbooks, staff coverage logs | A5.24, A5.26 |
| Supplier due diligence | Versioned contracts, risk logs | 5.19, 5.21, 8.29 |
| Board-ready dashboards | Real-time evidence reporting | 9.3, A5.35, A5.36 |
The most audit-ready manufacturers show live, digital mapping of who owns each risk/control and real-world evidence of review, escalation, and closure.
What defines “audit-ready evidence” for manufacturing, and how can you automate and centralise it for NIS 2?
Audit-ready evidence means every risk, asset, supply chain event, and incident is centralised, versioned, assigned an owner, and instantly retrievable for the board, auditors, or regulators. In practice, this looks like:
- Digital, dynamic registers: risks, assets, supplier compliance, incidents
- Board and management review dashboard, with owner assignment and last update logged
- Automated reminders for every policy, contract, or escalation step
- Time-stamped logs for every risk update or incident action
When executed via a platform such as ISMS.online, each action (risk register update, contract escalation, incident assignment) is version-controlled, role-linked, and flagged for management attention when overdue. This transforms compliance from a last-minute deadline stressor into a visible board-level strength.
A compliance system that creates resilience capital: every digital action is a visible, reviewable signal to auditors, partners, and regulators.
Traceability workflow table (example)
| Trigger | Risk update | Control/SoA Ref | Evidence logged |
|---|---|---|---|
| Supplier breach | Registration, board note | A5.21 | Contract, comms log |
| Plant outage | Log update, root cause | A5.26, 8.13 | SIEM log, incident report |
| Staff turnover | Role update | 5.2 | Roster, shift logs |
How does using a unified platform like ISMS.online move manufacturing firms from compliance burden to competitive advantage under NIS 2?
Centralising your risk, asset, incident, and supplier management in a single, digitally linked environment turns NIS 2 compliance into an operational asset, not a check-box chore. Every real-world action (risk review, contract escalation, policy update, or incident management) gets time-stamped, owner-assigned, and versioned, providing leadership, regulators, and customers with immediate proof and oversight. Automating reminders, owner-tracking, and reporting ensures nothing slips through the cracks and audit readiness becomes routine.
Strategic advantages:
- On-demand, versioned evidence for board/regulator, cutting audit fatigue and speed-to-evidence from weeks to minutes.
- Real-time risk gap and escalation reporting: issues are visible and acted on, not buried.
- Each compliance cycle grows your “resilience capital”, making you the benchmark factory for customers and partners.
In a world of rising regulatory expectations, manufacturers who can show living, owner-assigned, fully-auditable compliance don’t just avoid penalties; they win contracts, build trust, and lead their sector.
Position your manufacturing team as industry leaders. With living risk registers, clear ownership, and end-to-end evidence trails, NIS 2 compliance becomes a mark of your operational strength and partnership value, not a hurdle.