NIS2 for manufacturing

Industrial manufacturers fall under NIS2 as important or essential entities. Legacy Win98 IPCs, NUM controllers and unpatchable PLCs are at the core of the compliance challenge. Compensating controls or refit are required.

Classification

Does your factory fall under NIS2?

The size of your organisation and the type of products determine your NIS2 classification. Most industrial manufacturers are classified as "important entities" under Annex II of the NIS2 directive.

Manufacturing, Annex II (important entities)

Most industrial manufacturers fall under Annex II if they have ≥50 employees or >€10M turnover. Supervision is reactive, but the technical obligations (article 21) are identical to those for essential entities.

Critical manufacturing, Annex I (essential entities)

Manufacturers of critical products (medical equipment, defence-related) or suppliers of essential services may be classified as essential entities with proactive supervision.

In scope

OT systems that fall under NIS2

CNC controllers (Fanuc, Siemens Sinumerik, Heidenhain)
Legacy PLCs (Win98 IPCs, NUM controllers)
Robot controllers (KUKA, ABB, Fanuc)
SCADA and MES systems
OPC UA / Profibus / EtherNet/IP connections
Quality and CMM controllers

Risks

The specific NIS2 challenges in manufacturing

Legacy Win98 IPCs and NUM controllers

Many material processing factories run on industrial PCs with Windows 98 or early XP versions. These systems receive no patches and are directly connected to production networks: a NIS2 risk that cannot be solved with software alone.

OEM remote access without control

Machine suppliers connect directly via modem or RDP for maintenance. Every unmanaged connection is an attack vector per NIS2 article 21(2)(d) (supply chain).

Refit necessity for NIS2 compliance

Compensating controls (network segmentation, monitoring) can manage the risks of legacy controllers. But for machines that are completely unpatchable, a refit to a modern controller is the only sustainable route.

Our approach

Three steps to NIS2 compliance

01

OT asset inventory

Full inventory of all PLCs, IPCs, controllers and network connections in the production environment. Per system: OS version, firmware version, patch status and communication protocol.

02

Segmentation and compensating controls

Segment legacy machines on dedicated VLANs. Use passive OT monitoring (no active scanning, which can disrupt legacy controllers) to detect abnormal behaviour without production impact.

03

Refit planning for unpatchable systems

For Win98 IPCs and other completely unpatchable controllers: a migration route to modern hardware within your production schedule. GCG combines NIS2 compliance and PLC migration in one project.

Also relevant
IEC 62443 for OT security

The international standard for industrial cybersecurity. GCG applies IEC 62443 as the technical framework for NIS2 compliance in manufacturing.

PLC migration for legacy controllers

Siemens S5, Allen-Bradley PLC-5, NUM: migration to modern controllers, with NIS2 compliance included as part of the migration project.

Start your NIS2 assessment for manufacturing

A gap analysis starts with a technical intake specific to your production environment, your legacy landscape and your refit plans.