Am I a machinery manufacturer under NIS 2?
Annex II sector 5 of the NIS 2 Directive pulls manufacturing into scope. Machine builders sit in sub-category (d), NACE division C28. If you have 50 or more staff, or more than 10 million euro in both annual turnover and balance sheet total, you are an important entity with the same ten Article 21(2) duties as the big ones.
The short version
NIS 2 covers manufacturing as an important sector. Annex II sector 5 names six manufacturing sub-categories. Machinery and equipment manufacture, NACE division C28, is one of them. If that is what you do and you are above the size threshold, NIS 2 applies to you.
The size test sits in Article 2(1) of the Directive: 50 or more staff, or annual turnover above 10 million euro together with a balance sheet total above 10 million euro. Reach either limb and you are in. Below both, you are out of the default scope. Germany copies the same threshold into §28 BSIG.
What makes machinery special is the OT footprint. Your production cell has PLCs, SCADA, HMIs, robot controllers, and an ERP and MES on top. Article 21(2) treats that whole stack as one system to defend. The practical implementation route in Germany is BSI IT-Grundschutz, in particular the IND building blocks for industrial control systems, and ISO/IEC 62443 for the OT layer.
Annex II point 5 NIS 2 Directive (2022/2555) — Manufacturing
(a) Manufacture of medical devices and in vitro diagnostic medical devices (NACE C32.5 in part, C26.60 in part); (b) Manufacture of computer, electronic and optical products (NACE C26); (c) Manufacture of electrical equipment (NACE C27); (d) Manufacture of machinery and equipment n.e.c. (NACE C28); (e) Manufacture of motor vehicles, trailers and semi-trailers (NACE C29); (f) Manufacture of other transport equipment (NACE C30).
Machine builders sit under (d). The NACE reference is Rev. 2. If your business is grinding, milling, welding, assembly, or integration of industrial machines, plant or modules, C28 is your division. Annex II is the 'important entity' list. Same ten Article 21(2) duties as Annex I, lower penalty ceiling, reactive rather than proactive supervision.
Article 2(1) NIS 2 Directive — size test
This Directive applies to public or private entities of a type referred to in Annex I or II which qualify as medium-sized enterprises under Article 2 of the Annex to Recommendation 2003/361/EC, or exceed the ceilings for medium-sized enterprises provided for in paragraph 1 of that Article.
The size cut-off uses the EU SME definition: 50 staff or more, or annual turnover above 10 million euro and balance sheet total above 10 million euro. Reach either limb and you are in. The Directive lists a handful of cases where size does not matter, but pure machinery manufacture is not on that override list.
§28 BSIG (Germany) — wichtige Einrichtung, sector 'Verarbeitendes Gewerbe / Herstellung'
Wichtige Einrichtungen sind Einrichtungen, die einer in Anlage 2 genannten Einrichtungsart angehören und mindestens als mittleres Unternehmen im Sinne der Empfehlung 2003/361/EG der Kommission gelten.
Germany lists manufacturing under Anlage 2 of BSIG, with the same six sub-categories as Annex II point 5 of the Directive. Penalty ceiling for important entities is set by §65 BSIG: up to 7 million euro or 1.4 percent of worldwide turnover, whichever is higher.
NACE C28 or one of the five neighbours
Pull your NACE Rev. 2 code from your trade register entry or your last statistical return. If it starts with C28, you are a machinery manufacturer. C26, C27, C29, C30 and the C32.5 part for medical devices are the neighbouring Annex II sub-categories. Mixed shops (machine build plus electrical assembly) are typically classified by the primary activity. If your primary activity is in any of these, you are in the sector.
50 staff or 10 million euro
Article 2(1) reads as 'qualifies as medium-sized'. The SME definition has two thresholds: headcount 50 or more, or annual turnover above 10 million euro and balance sheet total above 10 million euro. Linked and partner enterprises count in. A 35-person UG inside a 400-person group is normally counted with the group.
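As an added worked example (not part of this page, and not the BSI's, VDMA's or ENISA's tooling), the sector and size test described above written out as a small Python check that an applicability memo could be built on. It makes two labelled simplifications: the figures of every linked enterprise are summed in full, and the pro-rata share rule for partner enterprises in Recommendation 2003/361/EC is not modelled. The sample enterprises are constructed.

```python
"""Annex II point 5 (manufacturing) sector match plus the Article 2(1) size test.

Simplifications (assumptions, not taken from the Directive text): linked
enterprises are aggregated in full; partner enterprises (pro-rata under
Recommendation 2003/361/EC) are not modelled.
"""
from dataclasses import dataclass, field

# NACE Rev. 2 divisions named in Annex II point 5 (b) to (f).
SECTOR5_DIVISIONS = ("C26", "C27", "C28", "C29", "C30")
# Point (a) covers C32.5 only "in part" (medical devices): flag for manual review.
SECTOR5_PARTIAL_GROUPS = ("C32.5",)

HEADCOUNT_FLOOR = 50           # 50 or more staff -> at least medium-sized
MONEY_FLOOR_EUR = 10_000_000   # turnover AND balance sheet must both exceed this


@dataclass
class Enterprise:
    name: str
    nace: str                 # e.g. "C28.41" or "28.41"
    headcount: int
    turnover_eur: int
    balance_sheet_eur: int
    linked: list = field(default_factory=list)   # linked enterprises (same group)


def normalise_nace(code: str) -> str:
    """Accept 'C28.41', 'c 28.41' or '28.41' and return 'C28.41'."""
    c = code.strip().upper().replace(" ", "")
    if c and c[0].isdigit():
        c = "C" + c
    return c


def sector_match(code: str) -> str:
    """Return 'in', 'partial' or 'out' for Annex II point 5."""
    c = normalise_nace(code)
    division = c.split(".")[0]
    if division in SECTOR5_DIVISIONS:       # whole division is listed
        return "in"
    if any(c.startswith(g) for g in SECTOR5_PARTIAL_GROUPS):
        return "partial"                    # only the medical-device part
    return "out"


def group_figures(e: Enterprise):
    """Sum headcount, turnover and balance sheet over the entity and its
    linked enterprises (simplified full aggregation, see module docstring)."""
    hc, to, bs = e.headcount, e.turnover_eur, e.balance_sheet_eur
    for other in e.linked:
        hc += other.headcount
        to += other.turnover_eur
        bs += other.balance_sheet_eur
    return hc, to, bs


def meets_size_test(headcount: int, turnover_eur: int, balance_sheet_eur: int) -> bool:
    """Article 2(1) via the SME definition: 50+ staff, or turnover and
    balance sheet total both above 10 million euro."""
    money_limb = turnover_eur > MONEY_FLOOR_EUR and balance_sheet_eur > MONEY_FLOOR_EUR
    return headcount >= HEADCOUNT_FLOOR or money_limb


def nis2_applicability(e: Enterprise) -> dict:
    """Combine sector and size tests into a verdict for the applicability memo."""
    sector = sector_match(e.nace)
    hc, to, bs = group_figures(e)
    size_ok = meets_size_test(hc, to, bs)
    if sector == "out":
        verdict = "out of Annex II point 5"
    elif not size_ok:
        verdict = "sector matches but below the Article 2(1) size test"
    elif sector == "partial":
        verdict = "important entity if the activity is the in-scope part of C32.5"
    else:
        verdict = "important entity (Annex II point 5 + Article 2(1))"
    return {"sector": sector, "group_headcount": hc, "group_turnover_eur": to,
            "group_balance_sheet_eur": bs, "size_test": size_ok, "verdict": verdict}


# Constructed sample data: the page's 35-person UG inside a 400-person group.
PARENT = Enterprise("Gruppe Holding (constructed)", "C28.29", 365, 90_000_000, 60_000_000)
UG_IN_GROUP = Enterprise("Maschinen UG (constructed)", "C28.41", 35, 6_000_000, 4_000_000,
                         linked=[PARENT])
# Stand-alone shop: turnover above 10 M, balance sheet below -> money limb fails.
STANDALONE_SMALL = Enterprise("Kleinbetrieb (constructed)", "28.41", 30, 12_000_000, 8_000_000)
# Metal products (C25) is not an Annex II point 5 division.
METAL_SHOP = Enterprise("Blechwerk (constructed)", "C25.62", 200, 40_000_000, 30_000_000)

if __name__ == "__main__":
    for ent in (UG_IN_GROUP, STANDALONE_SMALL, METAL_SHOP):
        print(ent.name, "->", nis2_applicability(ent)["verdict"])
```

The ordering in `sector_match` matters: C26.60 is named "in part" under point (a), but the whole of division C26 is already listed under point (b), so a division match is checked first and only C32.5 is returned as partial.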
Your OT footprint
Map your production cell once. PLCs, SCADA, HMIs, robots, CNCs, MES, ERP, engineering workstations, vendor remote-access boxes. That list is your asset inventory under Article 21(2)(a). It is also the scope of your risk analysis. Grundschutz lets you group identical assets (twelve identical CNCs as one entry with quantity). IT and OT are both in scope. The classic 'OT is air-gapped, so it is out' answer does not survive an audit.
Annex II is still NIS 2
Annex II entities are 'important', not 'essential'. The ten Article 21(2) measures are the same as for Annex I. What differs is the penalty ceiling and the supervision style. §65 BSIG caps fines at up to 7 million euro or 1.4 percent of worldwide turnover for important entities (vs. 10 million or 2 percent for essential). Supervision is reactive: the BSI looks if there is a concrete trigger, not on a routine cycle. Same duties, different enforcement intensity.
OT is in scope, end of story
Article 21 covers 'network and information systems'. The Commission Implementing Regulation (EU) 2024/2690 (CIR) and the ENISA Technical Implementation Guidance (TIG) both treat OT, SCADA and PLCs as in scope. The BSI IT-Grundschutz catalogue has dedicated IND building blocks for industrial control systems. ISO/IEC 62443 is the international standard the engineering community uses, and ENISA maps Article 21 measures onto it. An audit that excludes OT is not an Article 21 audit.
BSI / IT-Grundschutz IND
The BSI is the competent authority for NIS 2 in Germany. For machine builders the practical route is IT-Grundschutz with the IND building blocks: IND.1 (process control and automation general), IND.2 (industrial control system), IND.3 (sensors and actuators). Implement those alongside the standard IT building blocks (SYS, NET, OPS, APP) and you have a defensible Article 21 baseline.
VDMA
The Verband Deutscher Maschinen- und Anlagenbau publishes sector-specific guidance on NIS 2, the Cyber Resilience Act and ISO/IEC 62443 for its members. It runs working groups on OT security and translates the regulatory text into practical implementation language for the German machinery sector. Membership is voluntary but most mid-size machine builders are members.
ENISA Technical Implementation Guidance
ENISA publishes a Technical Implementation Guidance for CIR (EU) 2024/2690 that maps Article 21 measures onto ISO/IEC 27001:2022, NIST CSF 2.0 and other standards. The mapping table is at v1.2 as of August 2025 under CC BY 4.0. For machinery, the relevant overlap is with the ISO/IEC 62443 series, which ENISA references for the OT layer.
NIS 2 is for big industrial groups, not for our 80-person machine shop.
The size test is 50 or more staff, or more than 10 million euro in both turnover and balance sheet total. An 80-person machine shop with NACE C28 is squarely in. The Annex II 'important entity' category exists exactly for the Mittelstand layer. The penalty ceiling is lower than for essential entities, but the ten Article 21(2) duties are the same.
We only do final assembly, the real manufacturing is at our suppliers.
NACE classifies by primary activity, not by where the value add is. If your company sells finished machines or modules under your own name, your primary activity is manufacture, even if a lot of the build happens upstream. The classification follows the trade register entry and the statistical return, not the value-chain narrative.
We mostly export, so EU rules do not apply.
The Directive uses establishment, not customer base. If your legal entity is established in an EU member state and you meet the sector and size tests, you are in scope regardless of where you sell. Exporters are NIS 2 entities like any other manufacturer. The buyers being outside the EU does not change your obligations on the production side.
What we see on the ground in the German Mittelstand machine sector: a one-page applicability memo first (NACE code, headcount, turnover, the legal reasoning), then a gap assessment that walks the ten Article 21(2) measures against the existing IT and OT setup. Most shops already have something for IT. The OT side is usually thinner.
After the gap, the twelve to fifteen most urgent measures get done in the first year. Asset inventory, risk analysis, supplier review, incident handling, basic OT segmentation, multi-factor authentication on engineering workstations and remote-access boxes. The rest spreads over the next year or two. That holds under the Article 21(1) proportionality clause as long as the phasing is written down and signed off by the management body.
We support the Annex II sector 5 applicability check as a one-step entry: pick your NACE code, confirm staff and turnover, and you land on a workspace pre-seeded with the ten Article 21(2) measures and the BSI IND building blocks for the OT layer. Asset inventory, risk register, supplier list and incident workflow sit on the same data model.
OT-specific evidence (network segmentation diagrams, PLC inventory exports, vendor remote-access reviews) plugs into the same evidence library as the IT controls. You do not run a separate ISMS for the production cell. The §38 BSIG management training requirement is built in as a course module for the Geschäftsführung.
- Directive (EU) 2022/2555 (NIS 2), Annex II point 5 (Manufacturing) and Article 2(1) (scope and size test) — eur-lex.europa.eu/eli/dir/2022/2555/oj
- Commission Recommendation 2003/361/EC, Annex Article 2 (SME definition)
- Eurostat NACE Rev. 2 classification, Section C divisions 26, 27, 28, 29, 30 and group 32.5
- BSI Act (BSIG), §28 (Anwendungsbereich, wichtige Einrichtungen) and §65 (penalties)
- BSI IT-Grundschutz Kompendium, building blocks IND.1, IND.2, IND.3 — bsi.bund.de/grundschutz
- VDMA, sector guidance on NIS 2 and OT security — vdma.org
- ENISA Technical Implementation Guidance for CIR (EU) 2024/2690, mapping table v1.2 (August 2025)