When is a mill subject to NIS2?

Mills fall under NIS2 Annex II No. 5 (food production) where they meet an industrial milling structure and the size threshold of 50 employees or 10 million Euro annual turnover per SME Recommendation 2003/361/EC Art. 2. Industrial in this context means: automated milling, silo systems with IT connectivity, or B2B deliveries to bakeries and the food industry. Small mills with purely regional direct sales are generally outside the scope.

What is the difference between NIS2 and KRITIS for mills?

NIS2 Annex II No. 5 covers medium and large mills with industrial processing structure. KRITIS under BSI-KritisV § 4 Annex 3 requires annual processing of over 434,500 tonnes in the food sector; no single German mill reaches this figure. Mills are therefore subject to NIS2 only, if size thresholds are met.

What fines face mills for NIS2 violations?

§ 65 BSIG-neu provides Important Entities (medium mills) fines up to 10 million Euro or 2 percent of global annual revenue. For Essential Entities (large mills, groups) the same ceilings apply. In addition, personal management liability under § 38 BSIG-neu threatens where organizational negligence is proven.

How must mill control systems and silo controls be protected under NIS2?

Automated milling and silo systems are OT infrastructure under § 30 BSIG-neu. Mandatory measures include network segmentation between OT control layer and office IT, access control for process computers, patch management for PLCs, and regular security assessments. Security incidents trigger the 24-hour initial reporting obligation under § 32 BSIG-neu.

What do NIS2 supply-chain obligations mean for mills?

§ 30 Para. 2 No. 4 BSIG-neu requires supply-chain security. For mills this particularly affects providers of process control systems (e.g. Bühler, ABB), ERP systems, and logistics software for bulk transport. Supply contracts must include security requirements and audit rights.

When must mills register with the BSI?

The registration obligation under § 33 BSIG-neu arises within three months of determining NIS2 applicability. For operators who fall directly under the regulation from BSIG-neu's entry into force, a three-month transitional period applies. Registration is via the BSI reporting portal with sector, entity category, and designated contact.

Are mill managing directors personally liable under NIS2?

§ 38 BSIG-neu requires management to approve and supervise risk management measures and actively participate in training. Culpable breach of these duties creates personal liability. Mills should archive resolutions and training records in an audit-proof manner and update them annually.

Industry-specific Self-Check

Is my mill affected by NIS2?

Artisanal mill, grain mill, feed mill - classification determines KRITIS obligations, not tradition.

Step 1 / 2

Production and distribution structure

NIS2 targets 'industrial production' — an EU term, not the craft registry. Check what applies to your operation.

Central mill supplies multiple customersOne mill supplies bakeries, food manufacturers, feed mixersAutomated milling and storage technologyRoller mills, plansifters, silo systems, automated bagging and loadingSupply to external B2B customersLarge bakeries, food manufacturers, pasta/muesli factories, feed industryAnnual milling above 1,000 tonnes of grainIndicator of industrial milling scale

Step 2 / 2

Company size

Mill: The Complete NIS2 Guide

Mills are in scope under NIS2 Annex II No. 5 as food manufacturers as soon as they exceed 50 employees or EUR 10 million in annual revenue. As part of the grain supply chain, industrial mills are among the most networked segments of the food sector, with automated milling systems and just-in-time logistics that rely entirely on IT. This guide is written for mill owners, operations managers, and IT managers.

Who is affected?

Grain mills (NACE C.10.6 Grain Milling) fall under NIS2 Annex II No. 5 (Food) when they exceed the SME thresholds: at least 50 employees or at least EUR 10 million in annual revenue (EU Recommendation 2003/361/EC Art. 2).

Large mills that play a critical role in national grain supply and exceed the KRITIS threshold under BSI-KritisV (434,500 t/a grain equivalent) are Essential Entities under NIS2 Annex I.

A mill with 70 employees, its own wheat silos, and daily deliveries to bakery chains and food retailers exceeds the NIS2 threshold and is an Important Entity.

Obligations under § 30 BSIG-new

§ 30 BSIG-new defines seven obligation categories that are particularly relevant for mills with their automated milling equipment:

Risk analysis and management: Milling system controls, sieve automation, silo management IT, and logistics ERP must all be assessed.
Incident handling: A milling control system failure caused by a cyberattack is a significant incident. Escalation paths and reporting processes must be defined.
Business continuity: Mills often deliver daily on fixed schedules. A BCP must include alternative delivery concepts and manual fallback processes.
Supply chain security: Grain suppliers, logistics providers, and software vendors for milling management systems must be reviewed for security standards.
Access control and MFA: Access to production systems and corporate networks must be secured by MFA. Remote maintenance access from equipment manufacturers must be secured.
Encryption: Customer data, supplier contracts, and quality data (analysis certificates) must be stored encrypted.
Training and awareness: Millers, dispatchers, and administrative staff must receive regular cybersecurity training.

Deadlines and reporting obligations

BSI registration under § 33 BSIG-new within three months of determining obligations. For security incidents, § 32 BSIG-new requires: initial report within 24 hours, full report within 72 hours, final report within 30 days.

A ransomware attack on the milling control system that stops production for more than one business day and violates ongoing delivery obligations is reportable. The initial report must be filed even if a full root cause analysis is not yet available.

Fines and personal liability

Important Entity (Annex II): up to EUR 7 million or 1.4% of turnover. Essential Entity (Annex I): up to EUR 10 million or 2% of turnover.

§ 38 BSIG-new establishes personal liability for management for negligently missed NIS2 obligations. In family-owned mills where owner and managing director are the same person, the personal risk is significant.

Just-in-time grain logistics and milling controls as NIS2 risk factors

Modern mills operate on tight schedules: grain is delivered just-in-time from silos or directly from farmers, processed, and shipped the same day. These processes depend on ERP, dispatch software, automated weighing systems, and digital delivery notes.

The risk scenario: an attacker infiltrates the ERP through a compromised supplier account. He manipulates delivery planning data so that raw material orders are incorrectly scheduled and production runs idle. At the same time, ransomware encrypts the dispatch software. Result: delivery stops to major buyers, contract penalties, and production losses.

What § 30 BSIG-new requires here: data backups for dispatch software with short recovery times (define RTO/RPO targets), access controls for supplier portals, and network segmentation between administrative IT and production IT.

First steps

Check headcount and revenue against the SME thresholds.
Inventory all networked production systems: milling controls, silo management, weighing IT, laboratory software.
Review all remote maintenance access points from equipment manufacturers.
Conduct a risk analysis for dispatch software failure.
Create a contingency plan: what happens if the ERP fails when delivery deadlines are approaching?
Review supplier contracts for security requirements under § 30 Para. 2 No. 4 BSIG-new.
Ensure that backups of production configuration data are created and tested regularly.

Common pitfalls

Milling software not recognized as an IT security topic: The control software for the milling plant is IT. Its failure means production stoppage and immediate financial damage.

Supplier portals without access control: Many mills operate web portals for suppliers and customers. These are potential attack vectors that must be included in the risk analysis.

Quality certificates and analysis data not backed up: Flour quality analyses and certificates are legally relevant for customers. Their loss or manipulation is a security incident.

Contingency plan does not account for delivery deadlines: A BCP that does not include customer escalation and alternative delivery options is incomplete for mills.

Use the industry-specific NIS2 calculator for mills to determine your obligations.

Authored by

Julian Köhn

Founder & CEO, Kopexa

Julian Köhn is Founder and CEO of Kopexa. He has been building security and compliance solutions for European mid-market companies for over 10 years. Focus areas: NIS2, ISO 27001, GDPR, TISAX. Kopexa was founded to make GRC transparent and self-service for SMEs.

LinkedIn View profile

Reviewed by

Kopexa GRC Team

Subject Matter Experts — NIS2, ISO 27001, KRITIS

The Kopexa GRC Team consists of security and compliance experts certified in ISO 27001, CISA, CRISC. The team develops framework mappings and validates content on NIS2, KRITIS, and industry-specific requirements.

Last updated: 2026-04-17

Frequently asked questions

Industry-specific answers on NIS2 obligations, thresholds, and sanctions.

Is my mill affected by NIS2?

Mill: The Complete NIS2 Guide

Who is affected?

Obligations under § 30 BSIG-new

Deadlines and reporting obligations

Fines and personal liability

Just-in-time grain logistics and milling controls as NIS2 risk factors

First steps

Common pitfalls

Frequently asked questions

01When is a mill subject to NIS2?

02What is the difference between NIS2 and KRITIS for mills?

03What fines face mills for NIS2 violations?

04How must mill control systems and silo controls be protected under NIS2?

05What do NIS2 supply-chain obligations mean for mills?

06When must mills register with the BSI?

07Are mill managing directors personally liable under NIS2?