- Manufacturing is listed in Annex II of the NIS2 Directive as one of the "other critical sectors". Mechanical engineering companies with 50+ employees or EUR 10M+ revenue are affected.
- The biggest challenge is IT/OT convergence: production control systems (SCADA, PLC, HMI) and traditional IT must be protected together.
- OT systems have different lifecycles, patching requirements, and availability needs than IT systems. The ISMS must account for this.
- A mechanical engineering company with 120 employees can achieve NIS2 implementation in 12 months if OT security is considered from the start.
- Budget range: EUR 50,000-80,000 in the first year for consulting, tools, and internal resources, then EUR 25,000-40,000 annually for ongoing operations.
Manufacturing and NIS2: Why You Are Affected
Mechanical engineering is a key industry of the German economy. The VDMA counts around 6,600 companies with more than 50 employees in Germany, many of them world market leaders in their niches. And a significant share of these companies falls under the new cybersecurity obligations since the NIS2 transposition act (NIS2UmsuCG) came into force.
Manufacturing is listed in Annex II of the NIS2 Directive as one of the "other critical sectors". The German transposition has adopted and specified this classification. Affected sectors include:
- Mechanical engineering (NACE Division 28)
- Manufacture of motor vehicles and motor vehicle parts (NACE 29)
- Other vehicle manufacturing (NACE 30)
- Manufacture of computer, electronic and optical products (NACE 26)
- Manufacture of electrical equipment (NACE 27)
- Manufacture of medical devices (partly also covered under the healthcare sector in Annex I)
The thresholds are the same as in all NIS2 sectors: at least 50 employees or at least EUR 10 million annual revenue or annual balance sheet total. For a mechanical engineering company with 120 employees and EUR 30 million revenue, it's clear: NIS2 applies, and specifically as an important entity.
What Distinguishes Mechanical Engineers from Other Sectors
NIS2 compliance in a mechanical engineering company is not the same as NIS2 compliance in a pure office business. The decisive difference lies in Operational Technology, or OT — the technology that controls and monitors production processes.
While a service company primarily needs to secure classic IT systems (servers, workstations, cloud services, email), mechanical engineers face an additional world: production controls, programmable logic controllers (PLCs), SCADA systems, Human-Machine Interfaces (HMIs), industrial networks, and sensors. These OT systems have fundamentally different characteristics than IT systems, and that's exactly what makes NIS2 implementation more complex.
The Differences Between IT and OT
| Property | IT Systems | OT Systems |
|---|---|---|
| Lifecycle | 3-5 years | 10-25 years |
| Patchability | Regular, often automated | Rare, manufacturer-dependent, production stop required |
| Availability | Planned maintenance windows possible | 24/7 operation, downtime costs immediately |
| Priority | Confidentiality > Integrity > Availability | Availability > Integrity > Confidentiality |
| Protocols | TCP/IP, HTTP, TLS | OPC UA, Modbus, Profinet, EtherNet/IP |
| Operating system | Windows Server, Linux (current) | Windows XP/7 embedded, proprietary RTOS |
| Responsibility | IT department | Production engineering, maintenance |
| Network | Segmented, firewalls | Often flat networks, little segmentation |
These differences mean: You can't simply transfer your IT security concept to OT. A patch that runs without issues on an office PC can crash a production controller. A vulnerability scan that's routine in IT can put a PLC into an error state. And a firewall rule that blocks access can prevent the milling machine from receiving new programs.
IT/OT Convergence: The Central Challenge
Over the last ten years, a profound transformation has occurred in the manufacturing industry. Production systems that previously ran in isolation (the so-called air gap) are increasingly connected to the IT network and the internet. The reasons are understandable: remote maintenance by the machine manufacturer, centralized production data collection, ERP integration, predictive maintenance through cloud-based analytics.
This IT/OT convergence brings significant productivity gains but massively expands the attack surface. A ransomware attack that begins via a phishing email in accounting can spread through the network to the production control system if no segmentation exists. The Norsk Hydro attack of 2019 and the Colonial Pipeline incident of 2021 showed that such scenarios are not theoretical.
For NIS2 implementation, this means: Your ISMS must cover both worlds. The risk analysis must capture IT and OT assets equally. Protective measures must account for the different requirements. And responsibilities must be clearly defined — because in many companies, IT and OT still reside in separate departments with little coordination.
The Typical Risk Landscape of a Mechanical Engineering Company
Before you plan measures, you need a clear picture of the risks. For a mid-market mechanical engineering company, the threat landscape typically looks like this:
Risks on the IT Side
- Ransomware: The classic, and for manufacturing companies particularly painful. If the ERP system is encrypted, order intake, production planning, and shipping grind to a halt.
- Phishing and social engineering: Production workers who receive shift schedules by email, procurement staff who open supplier invoices, sales staff who process customer inquiries — the attack surface is large.
- Compromised remote access: VPN connections for remote workers, remote maintenance access for machine manufacturers, connections for external IT service providers.
- Cloud risks: When design data (CAD files, manufacturing drawings) resides in the cloud, these are highly sensitive trade secrets.
Risks on the OT Side
- Unsecured remote maintenance access: Many machine manufacturers require permanent VPN tunnels or TeamViewer connections to their machines. These connections are often not segmented, not logged, and not time-limited.
- Outdated operating systems: Production controllers running on Windows XP or Windows 7 Embedded no longer receive security updates. Replacement is often impossible because the control software is only certified for these systems.
- Flat network architecture: In many production environments, there is no segmentation between different machine groups, between the production network and the office network, or between IT and OT.
- USB-based attacks: When employees load programs onto CNC machines via USB stick, that's an entry point no firewall in the world can catch.
- Lack of monitoring: While IT networks are typically monitored through firewalls, IDS/IPS, and endpoint protection, data traffic in OT networks often runs uncontrolled.
Risks at the IT/OT Interface
- Lateral movement: An attacker who breaks in through IT moves into the OT network because no segmentation exists.
- Shared credentials: When the same admin accounts are used for IT and OT systems, a stolen password compromises both worlds.
- ERP-to-production interface: Automatic order transfer from ERP to production control requires network connections that must be carefully secured.
NIS2 Measures for Mechanical Engineering: What You Specifically Need to Do
Article 21 of the NIS2 Directive defines ten minimum measures. For mechanical engineering, some of these have particular characteristics.
Risk Analysis: Considering IT and OT Together
The risk analysis must cover both worlds. This sounds obvious but often fails in practice because the IT department and production engineering work separately. For a complete risk analysis, you need:
- OT asset inventory: What controllers, PLCs, HMI panels, industrial switches, and sensors exist? What software versions are running? What network connections exist?
- IT/OT network map: Where are the transitions between IT and OT networks? What firewalls or segmentation exist? What data flows run between the two worlds?
- Risk assessment per production line: What happens if Line 1 fails? How long can the company produce without Line 2? Which machines are most critical?
- Threat scenarios for OT: Ransomware in the production control system, manipulation of machine programs, failure of remote maintenance access, physical sabotage.
Network Segmentation: The Purdue Model
For separating IT and OT, the Purdue Model (also known as the ISA-95 model) has established itself as a reference architecture. It defines different levels:
| Level | Designation | Examples |
|---|---|---|
| 5 | Enterprise Network | Internet, cloud services, external partners |
| 4 | Business Network | ERP, email, file server, intranet |
| 3 | Site Operations | MES (Manufacturing Execution System), Historian, remote maintenance server |
| 2 | Area Control | SCADA, HMI, engineering workstations |
| 1 | Basic Control | PLC, DCS, controllers |
| 0 | Process | Sensors, actuators, machines |
Between the levels sit firewalls and a so-called Demilitarized Zone (DMZ) between IT (Levels 4-5) and OT (Levels 0-3). Data traffic between IT and OT runs exclusively through defined, controlled connections in the DMZ.
For a mid-market company, the implementation doesn't need to perfectly follow the Purdue Model. But you should adhere to three basic principles:
- Physical or logical separation between the office network and the production network. At minimum a firewall with restrictive rules.
- No direct internet access from the production network. Remote maintenance runs through a jump server in the DMZ.
- No shared Active Directory for IT and OT. If OT systems need domain accounts, use a separate AD or local accounts.
Patch Management: The OT Challenge
In IT, patch management is relatively straightforward: test patches, roll out, done. In OT, it's significantly more complicated. Many reasons argue against simply patching production controllers:
- The machine manufacturer has certified the software only for a specific OS version
- A patch requires a production stop that's only possible during the next planned shutdown
- There are simply no more patches because the operating system is end-of-life
The NIS2-compliant solution is not to keep all OT systems up to date (that's often impossible) but to consciously manage the risks:
- Document compensating measures: If a system cannot be patched, what other protective measures are in place? Network segmentation, application whitelisting, access restrictions, monitoring?
- Formally approve risk acceptance: Executive management must know the residual risk and formally accept that certain systems are not patched. This decision is documented and regularly reviewed.
- Virtual patching: Intrusion prevention systems placed in front of unpatched OT systems can block known exploits without changing the system itself.
Incident Response: Production-Specific Scenarios
The incident response plan must cover OT-specific scenarios. A ransomware attack on the production control system requires different responses than a compromised mail server.
Key questions for the OT incident response plan:
- Can production continue manually if the digital control fails?
- Who has the authority to shut down production in an emergency?
- How are machine manufacturers integrated into the incident response process (remote diagnostics)?
- Are there offline backups of machine programs and configurations?
- How long does it take to restore a production line from backup?
The BSI reporting obligation also applies to incidents that exclusively affect OT systems. If a cyberattack shuts down production, that is a significant security incident that must be reported within 24 hours. In ISMS Lite, IT and OT assets can be managed in a single inventory, and the risk assessment can be differentiated by availability and integrity requirements.
Business Continuity: Production as the Core Process
For a mechanical engineering company, production is the central business process. The business continuity plan must therefore specifically address production availability:
- Recovery Time Objective (RTO): How quickly must production be running again after an incident? Every day of downtime at a EUR 30 million company quickly costs EUR 100,000 or more.
- Recovery Point Objective (RPO): How much data loss in machine programs, orders, and quality data is acceptable?
- Manual fallback procedures: Can critical machines be operated in emergency mode manually or with local programs?
- Spare parts inventory: Are replacements available for critical control components (PLCs, HMI panels, industrial switches)?
Practical Example: Mechanical Engineering Company with 120 Employees
Let's look at how a specific company can approach NIS2 implementation.
Starting Position:
PräzisionsTech GmbH (fictitious example) is a mechanical engineering company based in Baden-Württemberg. 120 employees, EUR 32 million annual revenue. The company manufactures precision parts for the automotive and medical technology industries. Production includes CNC milling machines, lathes, grinding machines, and an automated assembly line. Control runs through a mix of Siemens SINUMERIK (CNC), Siemens S7-1500 (PLC for the assembly line), and a local MES system.
The IT infrastructure consists of a local server rack with two physical servers (Hyper-V), a cloud-based ERP system (proAlpha as SaaS), Microsoft 365 for communication and collaboration, a CAD/CAM system on local engineering workstations, and a VPN solution for remote work and remote maintenance.
A formal ISMS does not exist. IT is managed by a two-person team (IT manager plus system administrator). Basic security measures are in place: firewall, endpoint protection, regular backups of IT systems. OT security has not been systematically addressed to date. Between the office network and the production network there is a separate VLAN, but the firewall rules are generously configured.
Phase 1: Assessment (Months 1-2)
Applicability analysis: PräzisionsTech clearly falls under NIS2 with 120 employees and EUR 32 million revenue. Manufacturing (mechanical engineering, NACE 28) is a sector in Annex II. Classification: important entity.
Appoint CISO: The IT manager takes on the CISO role at 50% time allocation. Long-term, a dedicated CISO will be hired, but the part-time solution suffices for the start.
Create asset inventory:
IT Assets (excerpt):
- 2 Hyper-V hosts with a total of 12 VMs
- Microsoft 365 tenant (Exchange Online, SharePoint, Teams)
- proAlpha ERP (SaaS)
- 6 CAD/CAM workstations (SolidWorks, hyperMILL)
- FortiGate firewall
- Veeam Backup
OT Assets (excerpt):
- 8 CNC machining centers (Siemens SINUMERIK 840D sl, various build years 2012-2023)
- 4 CNC lathes (various manufacturers)
- 2 grinding machines
- 1 automated assembly line (Siemens S7-1500, 3 HMI panels)
- 1 MES system (local server, Windows Server 2016)
- 3 industrial switches (Siemens SCALANCE)
- 2 remote maintenance routers (machine manufacturers)
Document network topology: The IT team creates a complete network map covering both IT and OT networks. This reveals that while VLAN separation exists, the firewall rules between VLANs are too permissive. The MES server communicates directly with the ERP and with production controllers without these connections being restricted or monitored.
Phase 2: Risk Analysis and Action Planning (Months 3-4)
The risk analysis uncovers critical vulnerabilities:
| Risk | Rating | Measure | Priority |
|---|---|---|---|
| Ransomware reaches production via office network | Critical | Tighten network segmentation, separate firewall zone for OT | Immediate |
| CNC controllers without security updates | High | Network segmentation, application whitelisting, virtual patching | Short-term |
| Uncontrolled remote maintenance access by machine manufacturers | High | Central remote maintenance platform, access only activated on demand, logging | Short-term |
| No OT backups | High | Backup machine programs, PLC configurations, and MES data | Immediate |
| USB sticks on CNC machines | Medium | USB policy, centralized program distribution via DNC server | Medium-term |
| No monitoring in OT network | Medium | OT-specific monitoring (e.g., Nozomi Networks, Claroty) | Medium-term |
Core policies created:
- Information security policy (overarching IT + OT)
- OT security policy (specific to production environment)
- Incident response plan (with OT-specific scenarios)
- Remote maintenance policy (rules for machine manufacturer access)
- Backup policy (IT + OT)
- Access policy (differentiated for IT and OT areas)
Phase 3: Technical Implementation (Months 5-8)
Implement network segmentation (Months 5-6): The existing FortiGate is replaced with a larger model capable of inspecting OT traffic as well. The network architecture is redesigned following the Purdue Model:
- Office VLAN (Level 4-5): Workstations, servers, cloud access
- DMZ (Level 3.5): Remote maintenance server, data gateway between IT and OT
- OT VLAN (Level 2-3): MES, SCADA/HMI, engineering workstations
- Machine VLANs (Level 0-1): Separate VLANs per production line
Firewall rules are restrictively configured: Only defined connections between zones are permitted; everything else is blocked and logged.
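One way to check a zone policy against the three principles from the Purdue Model section and the Phase 3 zone design above, as an added example (not code from the article or from ISMS Lite; zone names follow the Phase 3 design, while the rule sets and port numbers are constructed):

```python
"""Audit a zone-to-zone firewall policy against the three segmentation principles
from the Purdue Model section: IT and OT only via the DMZ, no internet access from
production, only defined connections, everything else blocked and logged.
Added example, not code from the article or ISMS Lite; rules and ports are constructed."""
from dataclasses import dataclass

# Purdue level per zone from the Phase 3 redesign; the internet is its own zone
# so that production egress can be checked explicitly.
ZONE_LEVEL = {
    "Internet": 5,
    "Office": 4,    # Levels 4-5: workstations, servers, cloud access
    "DMZ": 3.5,     # remote maintenance server, data gateway between IT and OT
    "OT": 3,        # Levels 2-3: MES, SCADA/HMI, engineering workstations
    "Machine": 1,   # Levels 0-1: one VLAN per production line
}
OT_ZONES = {"OT", "Machine"}

@dataclass(frozen=True)
class Rule:
    src: str      # source zone, or "any"
    dst: str      # destination zone, or "any"
    service: str  # e.g. "tcp/443", "tcp/102" (S7 engineering), or "any"
    action: str   # "allow" or "deny"
    log: bool = True

def audit(rules):
    """Return a list of findings; an empty list means the policy passes."""
    findings = []
    for r in rules:
        for zone in (r.src, r.dst):
            if zone != "any" and zone not in ZONE_LEVEL:
                findings.append(f"unknown zone '{zone}' in rule {r.src}->{r.dst}")
        if r.action != "allow":
            continue
        cross_zone = r.src != r.dst
        # Principle 1: IT and OT never talk directly, only through the DMZ.
        if (r.src == "Office" and r.dst in OT_ZONES) or (r.src in OT_ZONES and r.dst == "Office"):
            findings.append(f"direct IT/OT crossing: {r.src}->{r.dst} {r.service}")
        # Principle 2: no direct internet access from (or into) production.
        if "Internet" in (r.src, r.dst) and {r.src, r.dst} & OT_ZONES:
            findings.append(f"production zone connected to internet: {r.src}->{r.dst}")
        # Only defined connections: an 'any' service across zones is not defined.
        if cross_zone and r.service == "any":
            findings.append(f"unrestricted service between zones: {r.src}->{r.dst}")
        # Everything else is blocked and logged; permitted cross-zone traffic must be
        # logged too, or the OT monitoring has a blind spot.
        if cross_zone and not r.log:
            findings.append(f"unlogged cross-zone rule: {r.src}->{r.dst} {r.service}")
    last = rules[-1] if rules else None
    if last is None or (last.action, last.src, last.dst, last.service) != ("deny", "any", "any", "any"):
        findings.append("policy does not end with an explicit deny-any rule")
    return findings

# Phase 1 finding: VLANs exist, but rules are generous and unlogged, and the MES
# talks to the cloud ERP and to the controllers directly.
PERMISSIVE = [
    Rule("Office", "OT", "any", "allow", log=False),
    Rule("OT", "Internet", "tcp/443", "allow"),   # MES -> ERP SaaS directly
    Rule("OT", "Machine", "any", "allow"),
]

# Phase 3 design: defined connections only, IT/OT via the DMZ, explicit final deny.
TIGHTENED = [
    Rule("Office", "DMZ", "tcp/443", "allow"),    # users -> data gateway / jump server
    Rule("DMZ", "Internet", "tcp/443", "allow"),  # data gateway -> ERP SaaS
    Rule("DMZ", "OT", "tcp/443", "allow"),        # data gateway -> MES API (constructed port)
    Rule("DMZ", "Machine", "tcp/5900", "allow"),  # jump server -> machine HMI (constructed port)
    Rule("OT", "Machine", "tcp/102", "allow"),    # engineering workstation -> S7 PLC
    Rule("any", "any", "any", "deny"),
]
```

Calling audit(PERMISSIVE) yields six findings (the Phase 1 picture), audit(TIGHTENED) an empty list.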
Build OT backup (Month 5): All machine programs, PLC configurations, and MES data are systematically backed up. For CNC programs, a DNC server (Distributed Numerical Control) is set up, serving as both central program management and backup. PLC projects are versioned in a separate repository.
Centralize remote maintenance (Months 6-7): The direct VPN tunnels from machine manufacturers are replaced by a central remote maintenance platform. Access is only activated on demand, all sessions are logged, and a PräzisionsTech employee monitors the remote maintenance sessions.
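The on-demand, machine-scoped, time-limited and logged access described above, modelled as an added example (not code from the article or from ISMS Lite; vendor names, machine ids, ticket numbers and timestamps are constructed):

```python
"""Model the central remote maintenance control from Phase 3: access is activated
on demand by a named employee, scoped to one vendor and one machine, time-limited,
and every decision is logged. Added example, not code from the article or ISMS Lite;
vendors, machine ids, tickets and timestamps are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

T0 = datetime(2025, 3, 10, 8, 0)  # constructed reference time for the scenario

def at(minutes):
    """Scenario helper: a timestamp `minutes` after T0."""
    return T0 + timedelta(minutes=minutes)

@dataclass(frozen=True)
class Grant:
    vendor: str       # machine manufacturer's service organisation
    machine: str      # one machine, e.g. "CNC-03", never a whole VLAN
    approved_by: str  # employee who activated the access
    ticket: str       # maintenance ticket the session is tied to
    start: datetime
    end: datetime

class RemoteMaintenanceGateway:
    """Jump-server policy: no standing access, bounded sessions, audit trail."""

    def __init__(self, max_duration=timedelta(hours=4)):
        self.max_duration = max_duration
        self.grants = []
        self.log = []  # (timestamp, event, vendor, machine, detail)

    def _record(self, now, event, vendor, machine, detail):
        self.log.append((now.isoformat(), event, vendor, machine, detail))

    def activate(self, vendor, machine, approved_by, ticket, now, hours=2):
        """An employee activates access; the duration is capped at max_duration."""
        if not approved_by or not ticket:
            raise ValueError("remote maintenance needs a named approver and a ticket")
        end = now + min(timedelta(hours=hours), self.max_duration)
        grant = Grant(vendor, machine, approved_by, ticket, now, end)
        self.grants.append(grant)
        self._record(now, "activate", vendor, machine,
                     f"by {approved_by}, ticket {ticket}, until {end.isoformat()}")
        return grant

    def connect(self, vendor, machine, now):
        """Decide a connection attempt. Returns (allowed, reason); always logged."""
        matching = [g for g in self.grants if g.vendor == vendor and g.machine == machine]
        active = [g for g in matching if g.start <= now <= g.end]
        if active:
            self._record(now, "allow", vendor, machine, f"ticket {active[0].ticket}")
            return True, "active grant"
        if not matching:
            reason = "no grant for this machine"
        elif all(now > g.end for g in matching):
            reason = "grant expired"
        else:
            reason = "grant not yet active"
        self._record(now, "deny", vendor, machine, reason)
        return False, reason

    def active_sessions(self, now):
        """What the monitoring employee sees: which vendor is connected to what."""
        return [(g.vendor, g.machine, g.ticket) for g in self.grants if g.start <= now <= g.end]

if __name__ == "__main__":
    gw = RemoteMaintenanceGateway()
    print(gw.connect("SiemensService", "CNC-03", at(0)))    # denied: no grant yet
    gw.activate("SiemensService", "CNC-03", "M. Mueller", "RM-0042", at(0))
    print(gw.connect("SiemensService", "CNC-03", at(30)))   # allowed within the window
    print(gw.connect("SiemensService", "CNC-03", at(180)))  # denied: grant expired
    for entry in gw.log:
        print(entry)
```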
Introduce MFA (Month 7): Multi-factor authentication is introduced for all VPN connections, admin accounts, cloud services, and the remote maintenance server. For the production area, a differentiated approach is chosen: HMI panels authenticate via RFID badge plus PIN — not full MFA, since availability must not be impaired.
Vulnerability management (Months 7-8): For IT systems, a regular patch cycle is established: Critical patches within 72 hours, normal patches within 30 days. For OT systems, a separate process is defined: Patches are first approved by the machine manufacturer, then applied during a maintenance window. For systems that cannot be patched, compensating measures are documented and the residual risk is formally accepted.
Phase 4: Organizational Measures (Months 8-10)
Training program:
- All employees: Online training on cyber hygiene (phishing, passwords, USB sticks, reporting channels)
- Production workers: Additional training on OT-specific risks (no personal USB sticks on machines, report suspicious control system behavior)
- IT team: Advanced training on OT security, network segmentation, incident response
- Executive management: NIS2 obligations, personal liability, approval role in the ISMS
Supplier assessment: PräzisionsTech identifies 12 critical IT/OT suppliers and assesses their security level:
- IT service provider (managed services)
- proAlpha (ERP SaaS)
- Microsoft (M365)
- Siemens (machine controllers, remote maintenance)
- Other machine manufacturers
- CAD/CAM software vendor
- Backup solution
- Firewall vendor
For each supplier, a security questionnaire is sent and results documented. Existing contracts are supplemented with security clauses.
Business continuity plan: For each production line, the following is defined: maximum downtime, manual fallback procedures, recovery process, and required resources. The plan is tested in a tabletop exercise simulating a ransomware scenario.
Phase 5: Audit and Improvement (Months 10-12)
Internal audit: Systematic review of all NIS2 minimum measures, in both IT and OT areas. Findings are documented and corrective measures defined.
Management review: Executive management assesses the state of information security, approves the residual risk register, and decides the budget for the following year.
BSI registration: If not already completed, registration with the BSI is finalized.
Timeline and Budget at a Glance
| Phase | Period | Focus | Estimated Cost (external) |
|---|---|---|---|
| 1 | Months 1-2 | Assessment, asset inventory | EUR 5,000-8,000 |
| 2 | Months 3-4 | Risk analysis, policies | EUR 10,000-15,000 |
| 3 | Months 5-8 | Technical implementation | EUR 20,000-35,000 |
| 4 | Months 8-10 | Training, suppliers, BCM | EUR 8,000-12,000 |
| 5 | Months 10-12 | Audit, management review | EUR 5,000-8,000 |
| Total | 12 months | | EUR 48,000-78,000 |
In addition come internal personnel costs (CISO at 50% time allocation, IT team and production engineering involvement) as well as hardware and software investments (new firewall, remote maintenance platform, possibly OT monitoring solution). Realistically, you should plan a total budget of EUR 80,000 to 130,000 for the first year, including internal costs. To keep tool costs manageable: ISMS Lite offers full functionality from EUR 500 per year or as a one-time purchase for EUR 2,500, with no seat licenses or hidden costs.
From the second year onward, costs drop significantly to an estimated EUR 25,000 to 40,000 for external support plus ongoing internal costs for the CISO and regular reviews and audits.
Common Mistakes in Mechanical Engineering
From practice, several typical pitfalls can be identified:
Ignoring OT. The most common mistake is limiting the ISMS to IT and excluding production. NIS2 doesn't recognize this distinction. If a cyberattack shuts down your production, that's a reportable security incident regardless of whether it entered through IT or OT.
Not involving machine manufacturers. Many OT security measures require collaboration with the machine manufacturer: patch approvals, remote maintenance arrangements, compatibility checks. Involve manufacturers early and clarify which security measures are possible without voiding the warranty.
Wanting everything at once. The OT security of an established production facility cannot be brought up to date in three months. Prioritize by risk, start with network segmentation and remote maintenance access, and then work your way to further measures.
Underestimating availability. In IT, you can plan maintenance windows for security measures. In production, every hour of downtime costs real money. Plan all OT-related measures to minimally impact production — ideally during planned shutdowns (plant holidays, weekends, maintenance windows).
Not bringing IT and OT together. When the IT department and production engineering work on security separately, gaps emerge at the interfaces. Form a joint team or at least a regular coordination meeting for IT/OT security.
What You Should Do Now
If you are the managing director or IT manager of a mechanical engineering company and need to implement NIS2, start with these three steps:
- Formally clarify and document applicability. Sector, employee count, revenue, and the resulting classification.
- Create an OT asset inventory. Before you do anything else, you need to know what networked technology is running in your production. In many companies, nobody has complete knowledge of this.
- Bring IT and OT to the table. Organize a workshop with IT manager, production manager, and executive management. Discuss the current situation, the risks, and the path forward.
NIS2 implementation in manufacturing is more complex than in pure office businesses, but it is achievable. The key is to include OT security from the start rather than treating it as an afterthought. Your ISMS must cover both worlds — because an attacker doesn't distinguish between IT and OT.
Further Reading
- NIS2 for SMEs: What You Need to Know and What to Do Now
- Risk Assessment in the ISMS: Methods, Criteria, and Practical Examples
- Network Segmentation for SMEs: Practical Guide for Mid-Market Companies
- Building an ISMS: The Complete Guide for Companies with 50 to 500 Employees
- NIS2 Fines: Who Is Liable and How High Are the Penalties?
