
Electronics: The Complete NIS2 Guide

Electronics companies with 50 or more employees or EUR 10 million in annual revenue are in scope under NIS2 Annex II No. 5 (Manufacturing). The particular challenge in the electronics sector lies in complex contract manufacturing and ODM supply chains: NIS2 requires that these supplier relationships be secured under § 30 Para. 2 No. 4 BSIG-new. This guide is written for managing directors, supply chain managers, and IT security directors in the electronics sector.

Who is affected?

Electronics manufacturers (NACE C.26 Computer and Electronic Products, C.27 Electrical Equipment) fall under NIS2 Annex II No. 5 when they exceed the SME thresholds: at least 50 employees or at least EUR 10 million in annual revenue (EU Recommendation 2003/361/EC Art. 2).

Companies producing electronic components for critical infrastructure (e.g., control units for energy, medical technology, or automotive) face particularly strict demands as suppliers under § 30 Para. 2 No. 4 BSIG-new, because their customers must pass supply chain security requirements on to them.

An EMS/ODM service provider with 200 employees producing PCBs and assemblies for automotive and medical technology customers is an Important Entity under NIS2.

Obligations under § 30 BSIG-new

§ 30 BSIG-new defines seven obligation areas that are especially relevant for electronics companies because of supply chain complexity:

  1. Risk analysis and management: ERP, PLM, manufacturing management systems (MES), test systems, and supplier portals must all be included in the risk analysis.
  2. Incident handling: A security incident in development IT can compromise intellectual property (schematics, layouts) and endanger customer IP. Customers must be notified.
  3. Business continuity: Delivery failures in the electronics industry trigger production stops at customers in critical sectors. BCPs must explicitly address supply chain disruptions.
  4. Supply chain security: Customers from NIS2-relevant sectors will impose security requirements under § 30 Para. 2 No. 4 BSIG-new. Contract adjustments must be prepared.
  5. Access control and MFA: Access to development environments, customer IP repositories, and ERP must be secured by MFA.
  6. Encryption: Customer IP (schematics, firmware, layouts), production data, and test reports must be stored encrypted.
  7. Training and awareness: Developers, production staff, and administrative employees must receive regular cybersecurity training.

Deadlines and reporting obligations

Registration with the BSI under § 33 BSIG-new is required within three months. For security incidents under § 32 BSIG-new, the reporting timeline is: initial report within 24 hours, full report within 72 hours, final report within 30 days.

Theft of customer IP (schematics, firmware) is a reportable security incident. Reporting is required even when the primary damage occurs at the customer's site.

Fines and personal liability

Important Entity (Annex II): fines of up to EUR 7 million or 1.4% of turnover. § 38 BSIG-new establishes personal liability for management. On top of this comes contractual liability to customers for loss of their IP.

Securing contract manufacturing and ODM supply chains under § 30 Para. 2 No. 4 BSIG-new

The electronics sector is characterized by multi-tier supply chains: OEM engages EMS/ODM, who in turn uses assembly partners, component suppliers, and logistics service providers. Each stage of this chain is a potential attack point.

§ 30 Para. 2 No. 4 BSIG-new obligates NIS2 entities to include security requirements in supplier contracts. For electronics companies with NIS2-obligated customers, this means: customers will demand contractual security certifications (ISO 27001, SOC 2), audit rights, and incident notification.

Concrete contract clauses that will be expected: MFA requirement for access to customer systems, encryption of customer IP, incident notification obligations within 24 hours, rights to security audits, and proof of a risk analysis.

For ODM service providers with many small customers: standardized security certifications are more efficient than individual contract negotiations.

First steps

  1. Clarify headcount and revenue. Over 50 employees or EUR 10 million: Important Entity.
  2. Identify NIS2-obligated customers: automotive, healthcare, energy, water, IT service providers.
  3. Inventory all systems where customer IP is stored.
  4. Review existing contracts for missing security clauses.
  5. Conduct a gap analysis against the ISO 27001 standard to estimate certification effort.
  6. Create an incident response plan with a customer notification process.
  7. Register with the BSI.

Common pitfalls

Customer IP not separated from corporate IT: Customer schematics and firmware repositories must be stored in separate, specially secured environments.

EMS/ODM chain not recognized as NIS2-relevant: Even if you are "only" a manufacturer, you are a critical supplier to NIS2-obligated customers and must meet their requirements.

Certification deferred until customer pressure: Those who wait until customers demand certifications have no time for a careful ISO 27001 implementation.

Test reports and test data not secured: Quality inspection reports and test data are trade secrets and must be included in the security architecture.


Authored by

Julian Köhn

Founder & CEO, Kopexa

Julian Köhn is Founder and CEO of Kopexa. He has been building security and compliance solutions for European mid-market companies for over 10 years. Focus areas: NIS2, ISO 27001, GDPR, TISAX. Kopexa was founded to make GRC transparent and self-service for SMEs.

Reviewed by

Kopexa GRC Team

Subject Matter Experts — NIS2, ISO 27001, KRITIS

The Kopexa GRC Team consists of security and compliance experts certified in ISO 27001, CISA, CRISC. The team develops framework mappings and validates content on NIS2, KRITIS, and industry-specific requirements.

Last updated: 2026-04-17
