When is a machinery manufacturer subject to NIS2?

Machinery manufacturers fall under NIS2 Annex II No. 10 (manufacturing) once they meet medium enterprise size (50 employees or 10M EUR annual turnover per SME Recommendation 2003/361/EC Art. 2) and industrial production structure. Production structure is considered industrial with automated CNC production lines, networked machine tools, or digital order management (MES). Individual workshop operations without network connectivity are generally not covered.

What is the difference between NIS2 and KRITIS for mechanical engineering?

Machinery manufacturers are by default Annex II entities (Important Entities) under NIS2. KRITIS under BSI-KritisV only applies if a machinery manufacturer simultaneously operates critical infrastructure for other sectors (e.g. as a maintenance provider for energy supply systems). In general, machinery manufacturers are subject to NIS2 only, not KRITIS.

What protection obligations apply to networked machines and MES systems under NIS2?

Networked CNC machines, robots, and MES systems qualify as OT infrastructure under § 30 BSIG-neu. Mandatory measures include network segmentation between OT manufacturing layer and office IT, access control for machine tool controllers, patch management for CNC firmware, and backup concepts for manufacturing programs. Protection against attacks on Industry 4.0 interfaces (OPC-UA, MQTT) is of particular relevance.

What fines do machinery manufacturers face for NIS2 violations?

§ 65 BSIG-neu provides Important Entities (medium machinery manufacturers) fines up to 10 million Euro or 2 percent of global annual revenue. Essential Entities (large companies, groups) are subject to the same ceilings. Managing directors are personally liable under § 38 BSIG-neu in cases of proven organizational negligence.

What do NIS2 supply-chain obligations mean for mechanical engineering?

§ 30 Para. 2 No. 4 BSIG-neu requires securing the supply chain. Machinery manufacturers must impose cybersecurity requirements on suppliers of CNC controls, hydraulic components with network connectivity, MES software, and maintenance service providers. Outgoing supply-chain obligations apply equally: when a machinery manufacturer supplies customers from critical sectors, these can pass NIS2 requirements on contractually.

When must machinery manufacturers register with the BSI?

§ 33 BSIG-neu requires registration within three months of determining NIS2 applicability. For operations that directly meet the criteria upon BSIG-neu's entry into force, a three-month transitional period applies. Registration is via the BSI reporting portal with sector classification (manufacturing), entity category, and contact details.

Are machinery manufacturer managing directors personally liable for NIS2 compliance?

§ 38 BSIG-neu requires management to approve, supervise, and train on cybersecurity measures. Culpable omission can trigger personal liability. Machinery manufacturers can effectively combine NIS2 requirements with an ISO/IEC 27001 ISMS that includes OT systems (IEC 62443) and explicitly documents management obligations under § 38 BSIG-neu.

Industry-specific Self-Check

Is my machinery operation affected by NIS2?

Custom machinery, serial production, tooling: German mid-market is very likely to hit NIS2 thresholds. Export and remote service increase the attack surface.

Step 1 / 2

Production and service structure

NIS2 Annex II No. 10 covers manufacturing. Check what applies to your operation.

Serial or type production of machineryCatalogue products, machine tools, production systems, roboticsNetworked production with MES / ERP / IIoTIntegrated control, digital twin, manufacturing execution systemRemote service / predictive maintenance on customer machinesMaintenance access, VPN tunnels, field telemetry data, OPC UAExport to B2B customers worldwideSupply chain across multiple countries, service hubs, international customers

Step 2 / 2

Company size

Mechanical Engineering: The Complete NIS2 Guide

Mechanical engineering companies with 50 or more employees or EUR 10 million in annual revenue are in scope under NIS2 Annex II No. 5 (Manufacturing). The particular challenge for mechanical engineering lies in the growing digitalization of machines: remote service, predictive maintenance, and digital twins create new attack vectors that NIS2 directly addresses. This guide is written for managing directors, product managers, and IT directors in mechanical engineering.

Who is affected?

Mechanical engineering companies (NACE C.28) fall under NIS2 Annex II No. 5 when they exceed the SME thresholds: at least 50 employees or at least EUR 10 million in annual revenue (EU Recommendation 2003/361/EC Art. 2).

Companies with more than 250 employees and more than EUR 50 million in revenue are Important Entities of the second-highest category under Annex II. Essential Entity (Annex I) status is rare in mechanical engineering unless the company is also an operator of critical infrastructure.

A mechanical engineering company with 300 employees, its own remote service platform, and customers in the energy and pharmaceutical sectors is clearly subject to NIS2 and has elevated risk exposure from its connected products.

Obligations under § 30 BSIG-new

§ 30 BSIG-new defines seven obligation areas that are especially relevant for mechanical engineers because of the connection between corporate IT and product IT:

Risk analysis and management: ERP, CAD/PLM, remote service platforms, and network connections to customer systems must all be assessed.
Incident handling: A security incident on the remote service platform can simultaneously affect many customer machines. The incident response plan must include customer notification.
Business continuity: Failures of remote service infrastructure can violate contractual SLAs with customers. BCPs must define escalation and manual service processes.
Supply chain security: Component suppliers, software providers for control systems, and cloud service providers must be reviewed for security standards.
Access control and MFA: Access to remote service systems, development environments, and ERP must be secured by MFA.
Encryption: Machine data, diagnostic data, and development documentation must be encrypted in transit and at rest.
Training and awareness: Service engineers, developers, and administrative staff must receive regular cybersecurity training.

Deadlines and reporting obligations

BSI registration under § 33 BSIG-new within three months of becoming aware of obligations. For security incidents under § 32 BSIG-new: initial report within 24 hours, full report within 72 hours, final report within 30 days.

An attack on the remote service platform that compromises customer machine data or manipulates machine controls is a reportable incident. The reporting obligation applies even when the damage occurs at the customer's site.

Fines and personal liability

Important Entity (Annex II): up to EUR 7 million or 1.4% of turnover. § 38 BSIG-new establishes personal liability for management. Added to this is product liability if NIS2 compliance failures lead to compromise of customer systems.

Remote service and predictive maintenance as attack vectors: MITRE ATT&CK for ICS

Remote access to customer machines is one of the greatest security risks in modern mechanical engineering. Via remote service platforms, technicians can perform diagnostics, install software updates, and change parameters. These connections are direct access paths to industrial control systems at the customer's site.

The MITRE ATT&CK for ICS framework describes concrete attack techniques on industrial systems. Relevant for mechanical engineers: "Remote Services" (T0886), "Lateral Movement via Remote Services" (T0812), and "Modify Parameter" (T0836). An attacker who compromises the mechanical engineer's remote service platform can reach the control systems of dozens of customers through legitimate access paths.

§ 30 BSIG-new requires: dedicated security architecture for remote service access (jump servers, session recording), access only on demand with time limits, complete logging of all remote actions, and regular review of access permissions.

First steps

Clarify headcount and revenue. Over 50 employees or EUR 10 million: Important Entity.
Inventory all connected products and the associated remote service infrastructure.
Conduct a risk analysis for remote service access: who has access to which customer machines?
Check: are all remote actions fully logged? Is session recording in place?
Identify customers in NIS2-relevant sectors (energy, health, water): they will impose security requirements.
Create an incident response plan with a customer notification process.
Register with the BSI.

Common pitfalls

Remote service platform treated as "product" rather than IT security asset: The remote service infrastructure is corporate IT in the NIS2 sense. Its security is your responsibility.

No logging of remote actions: What a technician does remotely to a customer machine must be completely logged. Missing logs are both a compliance problem and a forensics problem.

Software updates without signed transmission: Firmware and software updates deployed remotely must be signed and transmitted with integrity verification.

Customer notification forgotten in security incidents: If the remote service platform is compromised, affected customers must be informed immediately - independently of the BSI reporting obligation.

Use the industry-specific NIS2 calculator for mechanical engineering to determine your obligations.

Authored by

Julian Köhn

Founder & CEO, Kopexa

Julian Köhn is Founder and CEO of Kopexa. He has been building security and compliance solutions for European mid-market companies for over 10 years. Focus areas: NIS2, ISO 27001, GDPR, TISAX. Kopexa was founded to make GRC transparent and self-service for SMEs.

LinkedIn View profile

Reviewed by

Kopexa GRC Team

Subject Matter Experts — NIS2, ISO 27001, KRITIS

The Kopexa GRC Team consists of security and compliance experts certified in ISO 27001, CISA, CRISC. The team develops framework mappings and validates content on NIS2, KRITIS, and industry-specific requirements.

Last updated: 2026-04-17

Frequently asked questions

Industry-specific answers on NIS2 obligations, thresholds, and sanctions.

Is my machinery operation affected by NIS2?

Mechanical Engineering: The Complete NIS2 Guide

Who is affected?

Obligations under § 30 BSIG-new

Deadlines and reporting obligations

Fines and personal liability

Remote service and predictive maintenance as attack vectors: MITRE ATT&CK for ICS

First steps

Common pitfalls

Frequently asked questions

01When is a machinery manufacturer subject to NIS2?

02What is the difference between NIS2 and KRITIS for mechanical engineering?

03What protection obligations apply to networked machines and MES systems under NIS2?

04What fines do machinery manufacturers face for NIS2 violations?

05What do NIS2 supply-chain obligations mean for mechanical engineering?

06When must machinery manufacturers register with the BSI?

07Are machinery manufacturer managing directors personally liable for NIS2 compliance?