NIS2 for manufacturing
Industrial manufacturers fall under NIS2 as important or essential entities. Legacy Win98 IPCs, NUM controllers and unpatchable PLCs are at the core of the compliance challenge. Compensating controls or a refit are required.
Does your factory fall under NIS2?
The size of your organisation and the type of products you make determine your NIS2 classification. Most industrial manufacturers are classified as "important entities" under Annex II of the NIS2 directive.
Manufacturing, Annex II (important entities)
Most industrial manufacturers fall under Annex II if they have ≥50 employees or >€10M turnover. Supervision is reactive, but the technical obligations (article 21) are identical to those for essential entities.
Critical manufacturing, Annex I (essential entities)
Manufacturers of critical products (medical equipment, defence-related) or suppliers of essential services may be classified as essential entities with proactive supervision.
OT systems that fall under NIS2
The specific NIS2 challenges in manufacturing
Legacy Win98 IPCs and NUM controllers
Many material processing factories run on industrial PCs with Windows 98 or early XP versions. These systems receive no patches and are directly connected to production networks: a NIS2 risk that cannot be solved with software alone.
OEM remote access without control
Machine suppliers connect directly via modem or RDP for maintenance. Every unmanaged connection is an attack vector and falls under NIS2 article 21(2)(d) (supply chain).
Refit necessity for NIS2 compliance
Compensating controls (network segmentation, monitoring) can manage the risks of legacy controllers, but for machines that are completely unpatchable, a refit to a modern controller is the only sustainable route.
Three steps to NIS2 compliance
OT asset inventory
Full inventory of all PLCs, IPCs, controllers and network connections in the production environment. Per system: OS version, firmware version, patch status and communication protocol.
Segmentation and compensating controls
Segment legacy machines on dedicated network VLANs. Use passive OT monitoring (no active scanning, which can disrupt legacy controllers) to detect abnormal behaviour without production impact.
Refit planning for unpatchable systems
For Win98 IPCs and other completely unpatchable controllers: plan a migration route to modern hardware that fits within your production schedule. GCG combines NIS2 compliance and PLC migration in one project.
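The three steps above as an added example (not GCG's tooling and not code from this page): a triage pass over an inventory export that flags missing inventory fields, unpatchable systems and unmanaged OEM remote access. The CSV column names, the patch_status and remote_access vocabularies, the "apply available patches" action and the sample rows are constructed assumptions.

```python
import csv
import io

# Fields the inventory step asks for per system (column names are assumptions).
REQUIRED = ("os_version", "firmware_version", "patch_status", "protocol")
# Remote-access values treated as unmanaged OEM connections (assumed vocabulary).
UNMANAGED_REMOTE = {"modem", "rdp"}

# Constructed sample inventory, not data from any real plant.
SAMPLE_CSV = """asset,os_version,firmware_version,patch_status,protocol,remote_access
press-ipc-01,Windows 98,n/a,unpatchable,serial,modem
lathe-num-02,n/a,,unpatchable,proprietary,none
line3-plc,n/a,4.2,behind,Modbus TCP,rdp
hmi-07,Windows 10,n/a,current,OPC UA,none
"""


def triage(csv_text):
    """Return {asset: [actions]} following the three steps: inventory gaps,
    segmentation plus passive monitoring, refit planning."""
    plan = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        actions = []
        # Step 1: an empty cell is an inventory gap; "n/a" is a recorded answer.
        missing = [f for f in REQUIRED if not (row.get(f) or "").strip()]
        if missing:
            actions.append("complete inventory: " + ", ".join(missing))
        status = (row.get("patch_status") or "").strip().lower()
        if status == "unpatchable":
            # Steps 2 and 3: compensating controls now, refit as the long-term route.
            actions.append("segment on dedicated VLAN, passive monitoring only")
            actions.append("add to refit plan")
        elif status == "behind":
            actions.append("apply available patches")
        elif status != "current":
            # Unknown or empty status is unverified, never assumed safe.
            actions.append("verify patch status")
        if (row.get("remote_access") or "").strip().lower() in UNMANAGED_REMOTE:
            actions.append("bring OEM remote access under control")
        plan[row["asset"]] = actions
    return plan


if __name__ == "__main__":
    for asset, actions in triage(SAMPLE_CSV).items():
        print(asset, "->", "; ".join(actions) or "no action")
```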
IEC 62443 is the international standard for industrial cybersecurity. GCG applies it as the technical framework for NIS2 compliance in manufacturing.
Siemens S5, Allen-Bradley PLC-5, NUM: migration to modern controllers, including NIS2 compliance as part of the migration project.
Start your NIS2 assessment for manufacturing
A gap analysis starts with a technical intake specific to your production environment, your legacy landscape and your refit plans.