Brewery: The Complete NIS2 Guide

Breweries with at least 50 employees, or more than EUR 10 million in annual turnover, are potentially in scope under NIS2 Annex II No. 5 (production, processing and distribution of food). NIS2 is especially relevant for breweries with highly automated brewhouses and networked filling lines, because an IT or OT failure there halts production directly. This guide is written for brewmasters, managing directors, and IT managers who need clarity on their NIS2 obligations.

Who is affected?

Breweries fall under NIS2 Annex II No. 5 (food; NACE C.11, manufacture of beverages) when they no longer qualify as small enterprises under EU Recommendation 2003/361/EC Art. 2: at least 50 employees, or both annual turnover and annual balance sheet total above EUR 10 million. Craft breweries below these thresholds are generally out of scope.

If you reach the KRITIS threshold under BSI-KritisV for food supply (434,500 t/a beverage equivalent), you are treated as an Essential Entity (a "besonders wichtige Einrichtung" under BSIG-new) even though food production otherwise sits in Annex II. In practice, this affects large breweries with national distribution.

A mid-sized brewery with 120 employees, a fully automated brewhouse, and its own logistics ERP is clearly above the thresholds and qualifies as an Important Entity.

Obligations under § 30 BSIG-new

§ 30 BSIG-new (mirroring Art. 21(2) NIS2) prescribes a minimum set of technical and organisational measures. The seven areas that matter most for a brewery:

  1. Risk analysis and management: Brewery control systems (brewhouse automation, fermentation cellar climate control, filling lines) and their connection to your IT network must be included in the risk analysis.
  2. Incident handling: Incidents in the OT area (production failure from control system failure) and in the IT area (ERP failure, email compromise) must be handled equally.
  3. Business continuity: What happens if the brewhouse control system fails? A documented contingency plan with manual fallback processes is mandatory.
  4. Supply chain security: Ingredient suppliers (malt, hops), packaging suppliers, and software vendors (ERP, MES) must be assessed for security standards. Contracts must account for § 30 Para. 2 No. 4 BSIG-new.
  5. Access control and MFA: Access to production IT, ERP, and external services must be secured by MFA. Remote access by service technicians to production equipment requires special attention.
  6. Cryptography and encryption: The law requires documented concepts for the use of cryptography and, where appropriate, encryption. For a brewery that means business data, recipes, and customer data are encrypted at rest and in transit, and the key management behind it is written down.
  7. Training and awareness: Brewery technicians and administrative staff must receive regular cybersecurity training.

Deadlines and reporting obligations

BSI registration must occur within three months of first meeting the criteria, under § 33 BSIG-new. For significant security incidents, § 32 BSIG-new requires a three-stage report: an early warning within 24 hours, a full incident report within 72 hours, and a final report within one month.

A cyberattack that shuts down the filling line and impairs delivery capability for more than 24 hours is a significant incident and therefore reportable. The 24-hour early warning is due even while the attack is still ongoing; it does not wait for the forensic picture to be complete.

Fines and personal liability

For Important Entities (Annex II): up to EUR 7 million or 1.4% of global annual turnover, whichever is higher. For Essential Entities (Annex I and KRITIS operators): up to EUR 10 million or 2% of global annual turnover, whichever is higher.

§ 38 BSIG-new makes management personally responsible for approving and monitoring the risk-management measures, and managing directors are liable to the company for damage caused by negligently neglecting these duties. In family breweries where the owner is also the managing director, this is particularly relevant.

Automated brewhouse and filling line controls: IT/OT security in breweries

Modern breweries closely integrate OT and IT. Brewhouse automation (PLC/SCADA systems, process control) is connected to ERP over internal networks. This connection is an attack vector that is underestimated in many NIS2 analyses.

Concrete risks: an attacker who breaches the office network (e.g., through phishing) can reach production control systems through poorly segmented networks. A ransomware-induced shutdown of the filling line means: no output, perishable semi-finished products, and delivery failures.

What § 30 BSIG-new requires here: network segmentation between OT and IT, documented access concepts for remote maintenance, and regular security reviews of control software. Remote maintenance access from equipment manufacturers (e.g., Krones, GEA) must be explicitly addressed in the security concept: a dedicated VPN path terminated outside the OT cell, MFA on that path, a jump host as the only entry point into the production network, and sessions that are enabled for a scheduled window and logged rather than left permanently open.
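As an added example (not part of the original guide, and not a configuration from Krones, GEA, or any other vendor), the following nftables ruleset shows what the segmentation and remote-maintenance requirements above look like on a Linux edge firewall. Interface names, address ranges, the ERP/MES server, the OT data concentrator and the jump host are all assumptions made for illustration; the protocol ports are the standard ones for S7comm (102), Modbus/TCP (502), EtherNet/IP (44818) and OPC UA (4840).

```nftables
#!/usr/sbin/nft -f
# Added example: minimal IT/OT segmentation policy for a brewery edge firewall.
# Assumed layout (illustrative, not from the guide):
#   vlan10 = office IT            10.10.0.0/16   (ERP/MES server 10.10.0.50)
#   vlan20 = brewhouse/filling OT 10.20.0.0/16   (OT data concentrator 10.20.0.20)
#   vlan30 = maintenance DMZ      10.30.0.0/24   (jump host 10.30.0.10)
#   wg0    = WireGuard VPN for vendor technicians, peers in 10.99.0.0/24
# MFA cannot be expressed in a packet filter: it is enforced on the VPN gateway
# and at the jump-host login. This ruleset guarantees there is no other path.

add table inet ot_segmentation
flush table inet ot_segmentation

table inet ot_segmentation {
    # Controller protocols a technician may reach from the jump host only
    set ot_engineering_ports {
        type inet_service
        elements = { 102, 502, 44818 }   # S7comm, Modbus/TCP, EtherNet/IP
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # 1. Office IT -> OT: denied, with one explicit exception: the MES/ERP
        #    server pulls OPC UA from the OT data concentrator. Nothing else.
        iifname "vlan10" oifname "vlan20" ip saddr 10.10.0.50 ip daddr 10.20.0.20 tcp dport 4840 accept
        iifname "vlan10" oifname "vlan20" log prefix "OT-DENY office->ot: " drop

        # 2. OT -> office IT: controllers and HMIs never initiate connections into IT.
        iifname "vlan20" oifname "vlan10" log prefix "OT-DENY ot->office: " drop

        # 3. Vendor VPN -> jump host only (SSH or RDP), never directly into OT.
        iifname "wg0" oifname "vlan30" ip saddr 10.99.0.0/24 ip daddr 10.30.0.10 tcp dport { 22, 3389 } accept
        iifname "wg0" log prefix "OT-DENY vpn: " drop

        # 4. Jump host -> OT: only the engineering protocols, only from the jump host.
        iifname "vlan30" oifname "vlan20" ip saddr 10.30.0.10 tcp dport @ot_engineering_ports accept
        iifname "vlan30" log prefix "OT-DENY dmz: " drop

        # Everything else (including OT -> internet) is logged and dropped
        # by the chain policy.
        log prefix "OT-DENY default: " drop
    }
}
```

Load it with `nft -f ot_segmentation.nft` and inspect the result with `nft list table inet ot_segmentation`. The design choice worth noting: the jump host sits in its own DMZ VLAN rather than inside the OT network, so every vendor session crosses the firewall twice and is logged twice, and the `OT-DENY` log lines are exactly the evidence the remote-maintenance review in the checklist below asks for. Adding a vendor's WireGuard peer only for the duration of a scheduled session, and removing it afterwards, is what turns "VPN with MFA" into a controlled access path rather than a permanent backdoor.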

First steps

  1. Clarify your headcount, turnover and balance sheet total. At least 50 employees, or turnover and balance sheet total both above EUR 10 million, means you are likely an Important Entity.
  2. Create a complete inventory of all networked systems: brewhouse controls, fermentation cellar, filling line, cooling systems, ERP, WMS.
  3. Review all remote maintenance access points. Which suppliers access your systems remotely? Are these connections secured with VPN and MFA?
  4. Conduct a network segmentation analysis: are OT networks separated from the office network?
  5. Create a contingency plan for production failure due to IT disruption. Who decides? What are the manual fallback processes?
  6. Assess your most critical IT suppliers against security standards.
  7. Register with the BSI within three months of meeting the criteria.

Common pitfalls

Excluding OT systems from scope: Brewhouse controls and filling line software are NIS2-relevant if they are connected to the company network. They belong in your risk analysis.

Forgetting remote maintenance access: Service technicians from equipment manufacturers often access production systems through poorly documented entry points. These access paths frequently lack MFA protection.

Treating recipe data as non-sensitive: Brewing recipes are trade secrets. Their theft is a security incident, and if it is significant in the sense of § 32 BSIG-new it is reportable under NIS2.

Mid-sized breweries not taking themselves seriously: "We are too small for cyberattacks" is a common misconception. Breweries are attractive targets precisely because time-critical production and perishable intermediates make ransom payments more likely.

Use the industry-specific NIS2 calculator for breweries to quickly assess your obligations.

Authored by

Julian Köhn

Founder & CEO, Kopexa

Julian Köhn is Founder and CEO of Kopexa. He has been building security and compliance solutions for European mid-market companies for over 10 years. Focus areas: NIS2, ISO 27001, GDPR, TISAX. Kopexa was founded to make GRC transparent and self-service for SMEs.

Reviewed by

Kopexa GRC Team

Subject Matter Experts — NIS2, ISO 27001, KRITIS

The Kopexa GRC Team consists of security and compliance experts certified in ISO 27001, CISA, CRISC. The team develops framework mappings and validates content on NIS2, KRITIS, and industry-specific requirements.

Last updated: 2026-04-17
