Who should read this: Manufacturing Directors, Supply Chain Managers, Operations Officers, Manufacturing CISOs.
The NIS2 Directive has brought manufacturing into the regulatory spotlight in a way that previous cybersecurity frameworks have not. Manufacturing was largely absent from the NIS Directive (2016), and the sudden inclusion of automotive, electronics, and machinery manufacturers in Annex II of NIS2 has created significant compliance obligations for organisations that previously operated without sector-specific cybersecurity mandates at the EU level. If your manufacturing organisation produces vehicles, electronic components, electrical equipment, or machinery, NIS2 affects you. Understanding the scope and implementing appropriate measures require clear thinking about which of your operations are in scope and what “important entity” status means for your sector.
Manufacturing has become a priority for NIS2 for practical reasons. Modern vehicles, electronic devices, and industrial machinery contain embedded network and information systems that control safety-critical functions. A vulnerability in an automotive supply chain could affect vehicles on roads across Europe. A compromise in electronics manufacturing could propagate compromised components into downstream products. Industrial machinery that fails could disrupt production across multiple sectors. The Directive recognises that manufacturing is no longer separable from digitalisation and cybersecurity. Your manufacturing security posture is critical infrastructure security.
Scope: Which Manufacturers Are In Scope?
Annex II, Sector 5 of NIS2 identifies six manufacturing subsectors. Five are defined by divisions of NACE Rev. 2, the EU statistical classification of economic activities (Regulation (EC) No 1893/2006); the sixth, medical devices, is defined by reference to EU medical device law. Scope therefore turns on how your economic activity is classified, not on how you describe your business.
Subsector 5(a) covers entities manufacturing medical devices as defined in Regulation (EU) 2017/745 (MDR) and in vitro diagnostic medical devices as defined in Regulation (EU) 2017/746 (IVDR). Unlike the other five subsectors, it is not delimited by a NACE division. Note the carve-out: manufacturers of medical devices considered critical during a public health emergency (the list kept under Regulation (EU) 2022/123) appear in the health sector of Annex I instead, and are therefore essential rather than important entities. Medical device manufacturers already face cybersecurity expectations at product level under the MDR and IVDR, so entities in this space are likely aware of the topic, but NIS2 adds organisation-level obligations that the product regulations do not impose.
Subsector 5(b) covers the manufacture of computer, electronic and optical products: any undertaking carrying out economic activities under NACE Rev. 2 section C division 26. This is broad and captures semiconductor manufacturers, computer assemblers, optics manufacturers, and electronic component makers. If your organisation makes CPUs, storage devices, displays, or optical equipment, you fall under this provision.
Subsector 5(c) covers the manufacture of electrical equipment under NACE Rev. 2 section C division 27. This includes manufacturers of generators, transformers, distribution equipment, installation equipment, and household appliances with electronic components. Many organisations in this space have historically thought of themselves as hardware manufacturers with limited software involvement; NIS2 disabuses them of that notion.
Subsector 5(d) covers the manufacture of machinery and equipment: any economic activity under NACE Rev. 2 section C division 28. This is expansive and includes manufacturers of general-purpose machinery, special-purpose machinery, and machinery for specific industries. Industrial machinery increasingly embeds network-connected controls and monitoring systems.
Subsector 5(e) covers the manufacture of motor vehicles, trailers and semi-trailers (NACE Rev. 2 section C division 29). This includes automotive original equipment manufacturers (OEMs), commercial vehicle manufacturers, and trailer manufacturers. The automotive sector already has substantial product cybersecurity requirements: UN Regulation No. 155 requires a certified cybersecurity management system as a condition of vehicle type approval, and ISO/SAE 21434 sets out cybersecurity engineering across the vehicle lifecycle. (ISO 26262 and ISO 21448, SOTIF, are functional safety standards, not cybersecurity standards, although the two disciplines increasingly share processes.) NIS2 adds organisation-level EU obligations on top of these product-level requirements.
Subsector 5(f) covers the manufacture of other transport equipment (NACE Rev. 2 section C division 30). This includes aircraft, rail, and ship manufacturing. Like automotive, these sectors have safety-critical systems and pre-existing cybersecurity frameworks; NIS2 creates additional regulatory obligations.
The critical question for each manufacturing organisation is therefore twofold. First, does your economic activity fall under one of these subsectors? Second, do you meet the size threshold in Article 2(1)? NIS2 applies to Annex I and Annex II entities that qualify as medium-sized enterprises under Recommendation 2003/361/EC or exceed its ceilings, which broadly means 50 or more employees, or an annual turnover or balance sheet total above EUR 10 million, counted together with linked and partner enterprises as that Recommendation requires; Article 2(2) lists cases where smaller entities are caught regardless of size. If both answers are yes, and your organisation is not identified as an essential entity under Article 3 (which, apart from the medical device case noted above, is unlikely for most manufacturers), then you are an important entity under NIS2, and the Article 21 risk-management measures and Article 23 reporting obligations apply to you. Member States must establish a list of essential and important entities (Article 3(3)), and entities must submit their identifying details to the competent authority (Article 3(4)), so do not assume you will be overlooked.
Important Entity Status: What It Means for Manufacturers
Important entities under NIS2 must implement the cybersecurity risk-management measures set out in Article 21(1) and (2). These measures are not aspirational; they are mandatory and enforceable. The previous NIS Directive applied to operators of essential services and digital service providers, and few manufacturers fell into either category. Under NIS2, important entities are subject to ex post supervision (Article 33): competent authorities act on evidence or indications of non-compliance rather than auditing proactively, but once they do act they can order corrective measures and impose administrative fines of up to EUR 7 000 000 or 1.4% of total worldwide annual turnover, whichever is higher (Article 34(5)). Essential entities face ex ante supervision and higher ceilings (EUR 10 000 000 or 2%, Article 34(4)).
The measures you must implement include at least the following (Article 21(2)(a) to (j)): policies on risk analysis and information system security; incident handling; business continuity, including backup management, disaster recovery and crisis management; supply chain security; security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure; policies and procedures to assess the effectiveness of your cybersecurity risk-management measures; basic cyber hygiene practices and cybersecurity training; policies and procedures on the use of cryptography and, where appropriate, encryption; human resources security, access control policies and asset management; and, where appropriate, multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems within the entity. Article 21(1) requires these measures to follow an all-hazards approach, to be proportionate to the risk, and to take into account the state of the art and, where applicable, relevant European and international standards.
For manufacturing organisations, several of these measures have particular implications. Supply chain security is critical because manufacturing relies on complex global supply chains. Your suppliers provide raw materials, components, sub-assemblies, and services. Each introduces potential cybersecurity risk. Article 21(3) requires that you “take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures.” This means you cannot treat supply chain security as a simple due diligence checkbox; you must systematically evaluate the cybersecurity practices of your suppliers and integrate that assessment into your risk-management framework.
Secure development practices are equally critical. If your manufacturing organisation produces hardware with embedded software, or machinery with control systems, the security of those systems depends on how they are designed, developed, and maintained. Article 21(2)(e) requires “security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure.” For manufacturing, this is not merely about IT systems; it extends to the systems embedded in your products.
Incident handling and business continuity take on particular weight in manufacturing. If your production systems are compromised, the consequences can include not only operational disruption to your organisation, but disruption to downstream customers, supply chains, and potentially critical infrastructure depending on what you manufacture. Your incident response plan must account for the cascading effects of manufacturing system compromise.
Supply Chain Security in Manufacturing
The manufacturing sector is particularly exposed to supply chain compromise. Your organisation depends on suppliers for materials, components, software, and services, and some of those suppliers are themselves NIS2 entities or otherwise part of Europe's critical infrastructure. NIS2 requires you to assess and manage the cybersecurity risk introduced by your suppliers (Article 21(2)(d) and 21(3)).
This assessment should address several dimensions. First, identify your critical suppliers: those whose failure, compromise, or disruption would most significantly impact your operations, including the vendors of the industrial control systems, remote maintenance services, and software components that sit inside your plants and your products. Second, assess their cybersecurity maturity. Evidence you might rely on includes ISO/IEC 27001 certification where available, IEC 62443 conformity for suppliers of industrial automation and control components (IEC 62443-4-1 covers the supplier's secure development lifecycle, which maps directly onto the "secure development procedures" Article 21(3) asks you to consider), CMMC (the US Department of Defense's Cybersecurity Maturity Model Certification) if you also operate in the US defence supply chain, or custom questionnaires and audits scaled to your risk appetite. Third, integrate supplier cybersecurity requirements into your contracts. Specify what security measures you expect, what incidents they must report to you and how quickly (your own 24-hour early-warning clock under Article 23 starts when you become aware of a significant incident, so a supplier that reports slowly makes your deadline harder to meet), and what audit rights you require.
Fourth, establish monitoring. Do not treat supplier assessment as a one-time activity. Monitor your suppliers for public disclosures of breaches, monitor for changes in their security posture, and maintain regular communication with supplier security teams. Fifth, have a supplier incident response protocol. If a critical supplier experiences a breach, what is your organisation’s response? What data or products might be affected? How quickly can you identify compromise in materials or components you have received?
Notably, Article 21(3) also requires you to take into account the results of the coordinated security risk assessments of critical supply chains carried out under Article 22. Under that Article the Cooperation Group, together with the Commission and ENISA, may carry out coordinated risk assessments of specific critical ICT services, ICT systems or ICT products supply chains. When such assessments are published, integrate their findings into your supplier criticality ratings and contract requirements.
Incident Reporting and Coordination
As an important entity, you fall within the scope of the Article 23 reporting obligations. You must notify significant incidents to your national CSIRT or, where applicable, your competent authority, and, where relevant, inform the recipients of your services of incidents likely to adversely affect them. Article 23(3) defines an incident as significant if it has caused or is capable of causing severe operational disruption of your services or financial loss for your organisation, or if it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.
For manufacturers, the second limb deserves careful attention. A cyberattack that halts a production line is obviously disruptive to you; it also meets the threshold if it cascades to others, for example when a tier-1 component outage stops an OEM's assembly plant, or when compromised firmware ships in products already delivered to customers. Define concrete significance criteria within your organisation (production hours lost, contractual penalties triggered, customers affected, safety impact) and train incident response teams to recognise when the threshold is met. Whether an incident could have cross-border impact is a separate question that the early warning itself must address.
The reporting timeline is staged. An early warning is due within 24 hours of becoming aware of a significant incident, stating whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have cross-border impact. A fuller incident notification is due within 72 hours, with an initial assessment of severity and impact and any indicators of compromise. An intermediate report is due on request, and a final report within one month of the incident notification (or a progress report if the incident is still ongoing). The 24-hour clock is tight: your detection, triage and escalation processes must be able to put an incident in front of the people authorised to notify within a single working day, and that includes monitoring of OT and production systems rather than relying on the IT security team to hear about a line stoppage second-hand.
Governance and Management Accountability
Article 20 adds a governance dimension to NIS2 compliance that manufacturing organisations sometimes underestimate. Management bodies (boards of directors or equivalent) must approve the cybersecurity risk-management measures their organisation implements, oversee implementation, and can be held liable for infringements. This is not a delegation to IT or security teams; it is a direct board responsibility.
Management bodies and their members must also follow cybersecurity training to develop sufficient knowledge and skills to identify risks and assess cybersecurity practices. For manufacturing organisations with legacy board compositions where directors have limited technology experience, this can be challenging. It requires either recruiting directors with cybersecurity expertise or providing extensive training to existing directors.
This governance requirement signals something important: cybersecurity in manufacturing is no longer exclusively a technical issue. It is a strategic, business, and legal matter that boards must understand and own.
Key Takeaways
- Manufacturing organisations whose activities fall under NACE Rev. 2 section C divisions 26 to 30, and manufacturers of medical devices and in vitro diagnostic devices, are listed in NIS2 Annex II and, if medium-sized or larger, are important entities that must implement the Article 21 cybersecurity risk-management measures.
- Supply chain security is a mandatory element of your NIS2 programme. Systematically assess supplier cybersecurity maturity, integrate security requirements into supplier contracts, and monitor supplier security posture on an ongoing basis.
- Incident reporting obligations apply to you. Significant incidents must be notified to your national CSIRT or competent authority in stages: an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month.
- Management bodies are directly responsible for approving cybersecurity measures, overseeing implementation, and maintaining sufficient knowledge to assess cybersecurity practices. Board-level cybersecurity governance is mandatory.
- Your embedded systems and product security are in scope. If you manufacture products with network-connected or software-controlled systems, secure development practices and vulnerability handling are not optional.