NIS2 Mechanical Engineering: Manufacturer Obligations and OT Security

German mechanical and plant engineering — more than one million employees and EUR 270 billion in turnover (VDMA 2024) — is a key industry and classified under Annex II of the NIS2 Directive as "other critical sector". Add sector overlaps: medical-technology manufacturers fall under healthcare; manufacturers of power-supply components under energy; providers of cloud-based machine data under cloud computing. This guide sets out applicability, OT specifics and measures for mechanical engineering firms and industrial equipment makers.

1. Is mechanical engineering subject to NIS2?

Annex II of the NIS2 Directive (other critical sectors) lists "Manufacturing" with three sub-sectors:

• Manufacture of computer, electronic and optical products (NACE C26): computers, controllers, measuring instruments, optical instruments
• Manufacture of electrical equipment (NACE C27): switchgear, electric motors, generators, power supplies
• Manufacture of machinery and equipment n.e.c. (NACE C28): classic machinery and plant engineering, machine tools, special-purpose machines

Other relevant Annex II sub-sectors: manufacture of motor vehicles and motor-vehicle parts (NACE C29), manufacture of other transport equipment (NACE C30), and manufacture of medical devices and in-vitro diagnostics (overlapping with the health sector).

Thresholds: when does NIS2 apply?

Thresholds apply at group level (linked and partner enterprises are aggregated). Sector special rules can include smaller enterprises.

Detailed classification: NIS2 for enterprises with 50–100 employees and NIS2 implementation in Germany.

2. OT-security specifics: PLC, SCADA, industrial IoT

Unlike office IT, OT systems in mechanical engineering have specific properties that shape NIS2 implementation:

Typical OT weaknesses in mechanical engineering

• PLCs with default passwords or unencrypted engineering protocols (Profinet, EtherNet/IP)
• Remote-maintenance access without MFA, often plain-text VPN
• Flat networks without segmentation (IT/OT convergence without firewalls)
• End-of-life operating systems on HMIs (Windows 7/XP Embedded)
• USB sticks as vectors for patches and configuration
• OT devices without logging/monitoring

Recommended OT security measures

1. Network segmentation per IEC 62443-3-3: zones and conduits between office IT, MES and production OT
2. OT-specific firewalls: industrial next-gen firewalls with DPI for Profinet, OPC-UA
3. Central OT inventory: capture of all PLCs, HMIs, sensors with firmware levels
4. Vulnerability management: subscriptions to BSI Industrial-CSAF, vendor advisories (Siemens ProductCERT, Rockwell, Beckhoff)
5. OT-SOC or hybrid SOC: anomaly detection via passive sensors (Claroty, Nozomi, Dragos)
6. Maintenance/remote-access concept: jump servers, MFA, session recording
7. Secure commissioning: hardening checklists per machine type

3. Cyber Resilience Act + NIS2: interplay

Mechanical engineers with connected products (Industry 4.0, IoT-capable plants, software-as-a-service components) face dual regulation:

Recommendation: build secure-SDLC and SBOM processes in sync with the NIS2 ISMS. Vulnerability management covers both frameworks. CRA patch-support obligations feed into the NIS2 supply-chain concept.

4. Supplier audit obligations

German mechanical engineering is a global business. Components come from China (electronics, semiconductors), Taiwan (sensors, chips), USA (software, controllers), Italy/Switzerland (precision mechanics). That makes the NIS2 supply-chain obligation (Art. 21(2)(d), Section 30(2) no. 4 BSIG) particularly demanding.

Concrete approach for mechanical engineers

1. Supplier inventory: capture all hardware/software suppliers, cloud services, maintenance providers
2. Criticality classification: top-20 by criticality (failure impact, substitutability, access to own systems)
3. Contractual requirements: cybersecurity annex (based on VDMA model contract), 24-hour incident notification, audit right, sub-contractor consent
4. Initial audit for top suppliers: ISO 27001 certificate, IEC 62443 certification, SOC 2 Type II, own questionnaires (e.g. VDMA 66415)
5. Annual re-assessment: re-validation of security measures, new threat picture
6. Exit strategy: multi-sourcing, stockpiling of critical components, qualified alternative suppliers
7. EU supply-chain focus: prefer EU/EEA suppliers for critical components (resilience, audit travel feasibility)

Deep dive: NIS2 supply chain security.

5. Concrete action list for mechanical engineers

Phase 1: stock-take (months 1–2)

• NIS2 self-assessment: sector + thresholds
• BSI registration (if required under Section 33 BSIG)
• Asset inventory IT + OT (CMDB extension)
• Supplier inventory with criticality classification
• Review of existing audits (ISO 27001, IEC 62443, TISAX)

Phase 2: risk management (months 3–4)

• Risk analysis per BSI 200-3 or ISO 27005 (IT + OT)
• Threat catalog for the industry (BSI ICS situation report, VDMA recommendations)
• Risk register with action plan
• Management approval and training per Section 38 BSIG

Phase 3: technical implementation (months 5–9)

• MFA for all privileged access (IT + engineering)
• Network segmentation IT/OT per IEC 62443-3-3
• Backup concept including OT backup (PLC programs, recipes)
• Patch management with OT maintenance windows
• Logging and monitoring for OT (passive sensors)
• Endpoint hardening for engineering workstations

Phase 4: organisational implementation (months 6–10)

• ISMS policy and roles matrix
• Incident response plan with OT escalation and production-stoppage scenarios
• BCM with production recovery concepts
• Awareness training for staff (office + shop floor)
• Special training for engineering personnel (OT security)

Phase 5: auditing (from month 9)

• Internal audit per Section 30 BSIG area
• Effectiveness measurement with KPIs
• Optional external audit (ISO 27001 / IEC 62443)
• Tabletop exercise with production scenario

6. Recommendations from VDMA and ZVEI

VDMA: German Mechanical and Plant Engineering Federation

VDMA has published several works supporting NIS2 implementation in mechanical engineering:

• VDMA standard sheet 66415-1 (IT security): requirements for suppliers and operators of industrial control systems
• VDMA cybersecurity model contract clauses: security annex for supplier contracts
• VDMA Industrial Security guide: practical recommendations for SMEs
• VDMA position on the Cyber Resilience Act: industry interpretation of obligations

ZVEI: German Electro and Digital Industry Association

• ZVEI Industry 4.0 Security guide: security architecture for connected production
• ZVEI cybersecurity maturity model: self-assessment for manufacturers
• ZVEI position on NIS2 implementation: sector interpretation aids

7. Protection of design data and control software

In mechanical engineering the most valuable asset is often not the office IT but intellectual property:

• CAD design data: Solidworks, NX, CATIA, Inventor — repositories with MFA, backup, version control with audit trail
• NC programs and tool paths: often on USB sticks or unencrypted network drives — at-rest encryption, access logging
• Control software and PLC logic: source-code repositories (Git, TIA Portal projects) — code signing, branch protection, mandatory reviewers
• Configuration files and parameters: machine data, recipes, calibrations — backup and recovery procedures
• Customer-side product data: machines often with remote-maintenance connection — IRM/DRM concepts, contractually anchored customer-side protective measures

Cross-reference: the German Trade Secrets Protection Act (GeschGehG, Federal Law Gazette 2019 I no. 12) requires appropriate confidentiality measures. This obligation harmonises with NIS2 measures but should be documented separately.