
NIS2 for Manufacturers: The IT/OT Boundary Is Where Your Audit Will Be Won or Lost

By NIS2Certify
Tags: nis2, manufacturing, ot-security, network-segmentation, article-21

A food producer in Flanders rebuilt its entire firewall ruleset two weeks before its NIS2 audit. The reason: a single flat network where the office VLAN, the ERP server, and a 12-year-old PLC controlling a packaging line all sat in the same broadcast domain. One phished invoice on a sales laptop could have reached the production floor in two hops. The auditor would have called that exactly what it is — an unmanaged risk under Article 21.

This is the problem most manufacturers walk into NIS2 with. They treat it as an IT compliance exercise and forget that the directive explicitly covers the operational technology running their machines. If you advise industrial clients, the IT/OT boundary is the single area where you can deliver the most value — and where a sloppy setup will sink an otherwise decent compliance posture.

Manufacturing Is in Scope, and Most Operators Don't Know It Yet

NIS2 lists manufacturing among the important-entity sectors in Annex II: medical devices and in vitro diagnostics, computer, electronic and optical products, electrical equipment, machinery, motor vehicles and other transport equipment. Production, processing and distribution of food is a separate Annex II sector, so food producers are caught as well. The size threshold is the standard one: 50 or more employees, or an annual turnover or balance sheet total above €10 million (the medium-sized enterprise definition from Recommendation 2003/361/EC).

Important entities face the same Article 21 risk-management obligations as essential entities. The difference is supervision. Essential entities get proactive, ex-ante supervision under Article 32, including regular audits and on-site inspections; important entities get ex-post supervision under Article 33, where authorities step in once there is evidence something went wrong. That sounds lighter until you realise it usually means the authority is already looking at you because you've had an incident. The standard isn't lower. The scrutiny just arrives at the worst possible moment.

A lot of plant managers assume "we make pumps, not software, NIS2 isn't about us." It is. The directive's definition of a network and information system (Article 6(1)) covers any device, or group of interconnected devices, that automatically processes digital data, and the obligations attach to the systems the entity uses to provide its services, not just its office IT. The PLCs, HMIs, and SCADA systems on the factory floor are squarely in scope.

Does NIS2 Apply to Your Organisation?

Three questions settle most cases:

1. Does the organisation operate in a sector listed in Annex I or Annex II of the directive (energy, transport, health, digital infrastructure, manufacturing, food production, and so on)?

2. Does it have 50 or more employees, or an annual turnover or balance sheet total above €10 million?

3. Is it a critical entity under the CER Directive (Directive (EU) 2022/2557) or a qualified trust service provider? These are in scope regardless of size.

Yes to 1 and 2, or yes to 3: NIS2 applies, as an essential or important entity. Yes to 1 but no to 2: the size cap has exceptions (Article 2(2)), so seek legal advice to confirm status. No to all three: NIS2 does not directly apply.

The Ten Article 21 Measures Apply to the Factory Floor, Not Just the Office

When a client reads the Article 21 list — risk analysis, incident handling, business continuity, supply chain security, cryptography, access control, MFA, secure development, training, and effectiveness assessment — they instinctively map it to their IT estate. That's the trap.

Every one of those measures has an OT dimension. Access control isn't just about the domain controller; it's about who can log into the HMI on line 3. Business continuity isn't just about restoring email; it's about whether you can keep producing when a controller is compromised. Cryptography and secure communication apply to the data link between your PLCs and your ERP.

The ENISA Technical Implementation Guidance, published in June 2025, runs to 170 pages and translates the Implementing Regulation (EU) 2024/2690 into concrete, evidenceable measures across 13 thematic areas. While that regulation is binding only for specific digital sectors, the guidance is the clearest benchmark available for what "appropriate and proportionate" actually looks like. Use it as your reference standard for OT-heavy clients even where it isn't strictly mandatory — auditors will recognise it.

Article 21: the Ten NIS2 Cybersecurity Measures

Article 21(2) lists the measures as points (a) to (j). Grouped by theme, with the numbering used on this site:

Governance and strategy
1. Risk analysis and information system security policies
6. Policies and procedures to assess the effectiveness of the risk-management measures

Incident and continuity
2. Incident handling (with the Article 23 notification duties)
3. Business continuity: backup management, disaster recovery and crisis management

Supply chain and systems
4. Supply chain security, including the security of relations with direct suppliers and service providers
5. Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure

Technical controls
8. Policies and procedures on cryptography and, where appropriate, encryption
10. Multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems

People and assets
7. Basic cyber hygiene practices and cybersecurity training
9. Human resources security, access control policies and asset management

Network Segmentation Is the Measure Auditors Probe First

If you do one thing for a manufacturing client before their first audit, segment the IT and OT networks. A flat network is the fastest way to fail a risk analysis, because it means a single compromised endpoint anywhere reaches everything.

Article 21 doesn't name network segmentation as a numbered measure, but it falls directly out of the risk-analysis (21(2)(a)) and access-control (21(2)(i)) obligations, and the network-security section of Implementing Regulation (EU) 2024/2690 and the ENISA guidance spell it out. In practice, auditors treat it as a baseline expectation for any environment with production systems. That segmentation and access-control language maps almost one-to-one onto the zone-and-conduit model from IEC 62443, which is the framework your client's auditor is most likely benchmarking against.

A workable target architecture for a typical plant looks like this. The OT segment holds the PLCs, HMIs, and production machines, physically or logically separated from the office network. The connection to the ERP server is limited and, ideally, one-directional: production data flows out to a historian or message broker in a DMZ between the two zones, and nothing initiates connections inward. Enforce that direction with stateful rules that permit only OT-initiated sessions to the DMZ (or a data diode where the risk justifies it), because "one-directional by convention" is exactly what a flat network already claims about itself. The OT segment has no direct internet access. Remote vendor access to machines goes through a controlled jump host with MFA and session logging, not a flat VPN that drops a technician onto the same subnet as the controllers.

This is also where you'll find the legacy problem. Plants run controllers that are ten or fifteen years old, can't be patched, and were never designed to be network-exposed. You can't rip them out. Segmentation is the compensating control that lets an unpatchable asset stay in service without becoming the breach path. Document it that way and the auditor sees a managed risk rather than an ignored one.

Incident Reporting Doesn't Pause for the Production Line

Manufacturers hesitate on incident reporting because stopping a line costs money by the minute. The deadlines don't care. A significant incident triggers an early warning within 24 hours of becoming aware of it, an incident notification within 72 hours, and a final report within one month of that notification (Article 23), the same clock that applies to a bank or a hospital.

The hard part for OT environments is detection. If your client has no monitoring on the production network, they won't know an incident is significant until it's already disrupted output — and by then the 24-hour window has been ticking. Continuous monitoring of the OT segment isn't a nice-to-have; it's what makes the reporting obligation achievable at all. Build the detection capability and the reporting deadlines become manageable. Skip it and your client is reporting blind, late, or not at all.
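The monitoring this section calls for starts with a baseline: which hosts belong on the OT segment, which of them are allowed to write to controllers, and where OT traffic is allowed to leave. The following Python is an added example, not code from this article or from NIS2Certify. It runs three baseline rules over a constructed flow log and raises the alerts a plant would want inside the 24-hour window: an unknown host appearing on the segment, a Modbus write from a host not authorised to write, and an OT host reaching outside the zone. The subnet 10.20.0.0/24, the historian address, the inventory and the log lines are all assumptions made for the example.

```python
"""Baseline-driven detection for an OT segment.

Added example, not code from the original article or from NIS2Certify.
It assumes a constructed flow-log format with one record per line:
    <ts> <src_ip> <dst_ip> <dst_port> <proto> <modbus_fc>
where modbus_fc is the Modbus function code of the request, or "-" when
the flow is not Modbus.  The subnet, inventory and log lines are all
constructed sample data, not a real plant.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

OT_SEGMENT = ip_network("10.20.0.0/24")      # assumed OT subnet
DMZ_HISTORIAN = ip_address("10.10.1.5")       # assumed: the only permitted OT egress target
MODBUS_WRITE_FCS = {5, 6, 15, 16, 22, 23}     # Modbus function codes that change coils/registers

# Constructed asset inventory for the OT zone: ip -> (role, may_write_to_controllers)
INVENTORY = {
    "10.20.0.10": ("plc-line3", False),
    "10.20.0.11": ("plc-packaging", False),
    "10.20.0.50": ("hmi-line3", True),
    "10.20.0.60": ("eng-workstation", True),
}


@dataclass(frozen=True)
class Alert:
    rule: str
    ts: str
    src: str
    dst: str
    detail: str


def parse_line(line):
    ts, src, dst, dport, proto, fc = line.split()
    return ts, src, dst, int(dport), proto, None if fc == "-" else int(fc)


def detect(lines):
    """Run the three baseline rules over flow-log lines and return the alerts raised."""
    alerts = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, fc = parse_line(line)
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        # Rule 1: a host inside the OT subnet that is not in the inventory.
        for text, addr in ((src, src_ip), (dst, dst_ip)):
            if addr in OT_SEGMENT and text not in INVENTORY:
                alerts.append(Alert("unknown-ot-host", ts, src, dst, f"{text} not in inventory"))
        # Rule 2: an OT host talking to anything outside the segment except the DMZ historian.
        if src_ip in OT_SEGMENT and dst_ip not in OT_SEGMENT and dst_ip != DMZ_HISTORIAN:
            alerts.append(Alert("ot-egress", ts, src, dst, f"egress to {dst}:{dport}/{proto}"))
        # Rule 3: a Modbus write from a host the inventory does not authorise to write.
        if dport == 502 and fc in MODBUS_WRITE_FCS:
            role, may_write = INVENTORY.get(src, ("unknown", False))
            if not may_write:
                alerts.append(Alert("unauthorised-modbus-write", ts, src, dst, f"fc={fc} from {role}"))
    return alerts


# Constructed sample flow log (timestamps and addresses are invented).
SAMPLE_LOG = """\
# ts src dst dport proto modbus_fc
2025-03-01T08:00:01 10.20.0.50 10.20.0.10 502 tcp 3
2025-03-01T08:00:02 10.20.0.60 10.20.0.11 502 tcp 16
2025-03-01T08:00:03 10.20.0.10 10.10.1.5 4840 tcp -
2025-03-01T08:00:04 10.20.0.77 10.20.0.10 502 tcp 6
2025-03-01T08:00:05 10.20.0.11 198.51.100.23 443 tcp -
"""


def run_sample():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.ts} {a.rule:26} {a.src} -> {a.dst}  {a.detail}")
```

Run as a script, the sample produces three alerts: an unknown host 10.20.0.77 on the segment, a Modbus write (function code 6) from that same unknown host to a line PLC, and the packaging PLC opening a connection to a public address. The HMI read, the engineering-workstation write and the PLC's OPC UA push to the historian stay silent because the inventory says they are expected. The same logic applies to real flow records (Zeek conn.log and modbus.log, or NetFlow plus a protocol-aware sensor) once the parser is pointed at that format; the point is that the inventory built in the asset-inventory step is the baseline that gives each alert its meaning, and that a single write function code from an unexpected source is worth paging on even when the packet count is tiny.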

NIS2 Incident Reporting Timeline (Article 23)

24 hours: early warning to the CSIRT or competent authority, counted from becoming aware of a significant incident. It states, where applicable, whether unlawful or malicious action is suspected and whether cross-border impact is likely.

72 hours: incident notification, updating the early warning with an initial assessment of severity and impact and, where available, indicators of compromise.

One month: final report, counted from the incident notification, with a detailed description of the incident, the type of threat or root cause, the mitigation applied and measures taken, and any cross-border impact. If the incident is still ongoing at that point, a progress report is due instead and the final report follows within a month of handling it.

What to Do Before June 30, 2026

The first NIS2 compliance audit deadline for in-scope entities is June 30, 2026. Deadlines of this kind are set in each Member State's transposition law, so confirm the date that applies in your client's jurisdiction. For a manufacturing client starting from a flat network, that's tight but not impossible if you sequence it right.

Start with an asset inventory of the OT environment — you cannot segment or protect what you haven't mapped, and most plants have no current inventory of their controllers. Then draw the zone boundaries: office, ERP/DMZ, and OT, with documented conduits between them. Implement the IT/OT separation and lock down remote access through a jump host with MFA. Layer monitoring onto the OT segment so incident detection is actually possible. Finally, document every compensating control for the legacy assets you can't patch, because that documentation is what converts an auditor's red flag into an accepted risk.
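The sequence above, and the target architecture described under network segmentation, come down to three artefacts an auditor can actually check: the zone map, the documented conduits between zones, and the compensating-control record for assets that cannot be patched. The following Python is an added example, not code from this article or from NIS2Certify. It checks a firewall ruleset and an asset inventory against a zone-and-conduit model in the IEC 62443 sense and reports every rule or asset that breaks it. The zone subnets, the simplified rule format and the inventory entries are constructed assumptions, not a real plant.

```python
"""Zone-and-conduit check for a plant firewall ruleset and OT asset inventory.

Added example, not code from the original article or from NIS2Certify. The zone
subnets, the ruleset format ("<allow|deny> <src_cidr> <dst_cidr> <dst_port|any>")
and the inventory are constructed assumptions, not a real plant.
"""
from ipaddress import ip_network

ZONES = {                                     # assumed addressing
    "office": ip_network("10.1.0.0/16"),
    "dmz": ip_network("10.10.1.0/24"),        # historian/broker between ERP and OT
    "jumphost": ip_network("10.10.2.0/28"),   # vendor and engineer landing point
    "ot": ip_network("10.20.0.0/24"),
    "vpn": ip_network("10.99.0.0/24"),        # vendor VPN address pool
}

# Documented conduits: (src_zone, dst_zone) -> permitted destination ports.
# Anything absent here (office->ot, vpn->ot, ot->internet) is a violation.
CONDUITS = {
    ("ot", "dmz"): {4840},                   # controllers push data out to the historian (OPC UA)
    ("dmz", "office"): {443},                # ERP pulls from the DMZ, never from OT directly
    ("vpn", "jumphost"): {443},              # vendors land on the jump host only
    ("jumphost", "ot"): {22, 502, 44818},    # SSH, Modbus/TCP, EtherNet/IP
}

def zone_of(net):
    """'any' for a wildcard block, 'internet' for anything outside the defined zones."""
    if net.prefixlen == 0:
        return "any"
    for name, zone_net in ZONES.items():
        if net.subnet_of(zone_net):
            return name
    return "internet"

def zone_of_host(ip):
    return zone_of(ip_network(ip + "/32"))

def classify_rule(src, dst, dport):
    """Why an allow rule breaks the model, or None if it sits on a documented conduit."""
    src_zone, dst_zone = zone_of(ip_network(src)), zone_of(ip_network(dst))
    if "any" in (src_zone, dst_zone):
        return f"{src_zone}->{dst_zone}: wildcard address block"
    allowed = CONDUITS.get((src_zone, dst_zone))
    if allowed is None:
        return f"{src_zone}->{dst_zone}: not a documented conduit"
    if dport is None:
        return f"{src_zone}->{dst_zone}: 'any' port on a documented conduit"
    if dport not in allowed:
        return f"{src_zone}->{dst_zone}: port {dport} outside allow-list {sorted(allowed)}"
    return None

def check_rules(text):
    """Evaluate the allow rules; deny is the default posture and is skipped."""
    violations = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        action, src, dst, port = line.split()
        if action == "allow":
            problem = classify_rule(src, dst, None if port == "any" else int(port))
            if problem:
                violations.append(f"{line}  =>  {problem}")
    return violations

def check_inventory(inventory):
    """Unpatchable assets must sit in the OT zone and carry a documented compensating control."""
    findings = []
    for a in inventory:
        if a["patchable"]:
            continue
        zone = zone_of_host(a["host"])
        if zone != "ot":
            findings.append(f"{a['name']}: unpatchable asset sits in zone '{zone}', not 'ot'")
        if not a["compensating_control"].strip():
            findings.append(f"{a['name']}: no compensating control documented")
    return findings

SAMPLE_RULES = """\
# action src dst dport  (constructed: first four follow the model, next three are flat-network leftovers)
allow 10.20.0.0/24 10.10.1.5/32 4840
allow 10.10.1.0/24 10.1.0.0/16 443
allow 10.99.0.0/24 10.10.2.0/28 443
allow 10.10.2.0/28 10.20.0.0/24 502
allow 10.1.0.0/16 10.20.0.0/24 any
allow 10.99.0.0/24 10.20.0.0/24 any
allow 10.20.0.0/24 0.0.0.0/0 any
deny 0.0.0.0/0 0.0.0.0/0 any
"""

SAMPLE_INVENTORY = [  # constructed
    {"host": "10.20.0.11", "name": "plc-packaging", "patchable": False,
     "compensating_control": "OT zone only; writes limited to jump host; flows monitored"},
    {"host": "10.20.0.12", "name": "plc-legacy-mixer", "patchable": False, "compensating_control": ""},
    {"host": "10.20.0.50", "name": "hmi-line3", "patchable": True, "compensating_control": ""},
    {"host": "10.1.5.20", "name": "old-scada-server", "patchable": False, "compensating_control": "host firewall on"},
]

def run_sample():
    return {"rule_violations": check_rules(SAMPLE_RULES), "inventory_findings": check_inventory(SAMPLE_INVENTORY)}
```

Calling run_sample() on the constructed data returns three rule violations (office straight to OT, the vendor VPN straight to OT, and OT allowed out to any address) and two inventory findings (an unpatchable controller with no compensating control recorded, and an unpatchable SCADA server still living in the office zone). Pointed at a client's real ruleset export and inventory spreadsheet, that report is the list of items to fix or document before the audit: the rule violations are the segmentation work, and the inventory findings are the paragraph of compensating-control text that turns a legacy asset from a red flag into an accepted risk.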

The clients who treat NIS2 as a pure IT project will pass the office-side checks and fail on the factory floor. The ones who get the IT/OT boundary right walk into the audit with the hardest question already answered.

If you want a fast read on where a manufacturing client actually stands against Article 21 — including the OT measures most assessments skip — run them through the NIS2 readiness quick scan. It surfaces the segmentation and OT gaps before an auditor does.

For the underlying measures in detail, see our breakdown of the ten Article 21 measures, and for clients still unsure whether they're caught at all, does NIS2 apply to me.
