Technical article

The NIS 2 Directive and how it affects mechanical engineering

NIS - Network and Information Security Directive | Security of Network and Information Systems

Share Article
Share Button Linkedin Share Button Xing Share Button X Share Button Email

The NIS-2 Directive (EU) 2022/2555 already came into force on 16 January 2023 and defines measures for a high common level of cybersecurity in the Union - it will therefore replace the NIS Directive, which came into force in 2016. The NIS 2 Directive must be transposed into national law by the member states by 17 October 2024.

The focus of the NIS 2 Directive for affected companies is on the implementation of risk management measures and the reporting obligations for recognised security incidents. In contrast to the NIS Directive, the sectors of critical facilities have been expanded and the main focus has been placed on dependency on partner companies (supply chains), among other things.

Who is affected?

Whether you are affected by the NIS-2 Directive depends on both the size of the company and the associated sector of the company. The NIS-2 Directive applies to public and private entities of the type listed in Annex I (High Criticality Sectors) and Annex II (Other Critical Sectors) that meet or exceed the thresholds for medium-sized enterprises set out in Article 2(1) of the Annex to Recommendation 2003/361/EC and provide their services or carry out their activities in the Union.

Annex I (High Criticality Sectors)
⇒ Essential Entities

Annex II (Other Critical Sectors)
⇒  essential facilities
EnergyPost and courier services (new in NIS-2)
TransportWaste management (new in NIS-2)
BankingChemicals (production, manufacturing and trade) (new in NIS-2)
Financial market infrastructuresFood (production, processing and distribution) (new in NIS-2)
HealthcareManufacturing/production of goods (new in NIS- 2)
Drinking waterDigital service provider
Waste water (new in NIS-2)Research (new in NIS-2)
Digital infrastructure 
Management of ICT* services (business-to-business) (new in NIS-2) 
Public administration (new in NIS-2) 
Space (new in NIS-2) 

Information and communication technology

For mechanical engineering companies, the sub-sectors defined under the "Manufacturing/production of goods" sector are of particular importance:

  1. Manufacture of medical devices and in vitro diagnostic medical devices
  2. Manufacture of computer, electronic and optical products (described in division 26 NACE Rev. 2)
  3. Manufacture of electrical equipment (described in division 27 NACE Rev. 2)
  4. Machinery (described in division 28 NACE Rev. 2)
  5. Manufacture of motor vehicles, trailers and semi-trailers (described in division 29 NACE Rev. 2)
  6. Other transport equipment (described in division 30 NACE Rev. 2)

As already mentioned, the company concerned must meet or exceed the thresholds for medium-sized enterprises. The respective thresholds can be found here:

Size classEmployeesAnnual turnoverAnnual balance sheet total
Small business (KU)< 50 AND≤ 10 million. Euro OR≤ 10 million euros. Euro
Medium enterprise (MU)< 250 AND≤ 50 million. Euro OR≤ 43 million. Euro
Large company (JV)≥ 250 OR> 50 million euros AND> 43 million euros

However, in accordance with Art. 2 and Art. 3 of the NIS 2 Directive, it is possible for companies to also fall under the scope of the NIS 2 Directive under certain conditions and regardless of their size - this is particularly conceivable in the case of dependencies through supply chains.

Tip: Link to the self-assessment (In German) according to NIS-2 from the Austrian Federal Economic Chamber (WKO):

How is controlled / penalised?

In contrast to the NIS Directive, the NIS 2 Directive does not require every company to undergo a regular audit. In the case of important facilities, an inspection is only carried out if there is reasonable suspicion, for example following a security incident. However, regular NIS 2 audits by external bodies are planned for essential facilities. In addition, on-site/off-site inspections or security scans are possible at any time. The sanctions in the event of non-compliance also vary, see the following table: 

 Essential facilityImportant facility
SupervisionEx-ante (in advance) and
ex-post (after the fact)
 Regular safety checksOnly in case of reasonable suspicion
 Sample checks 
SanctionsUp to 10 Mio. euros or 2% of global turnoverUp to 7 million euros or 1.4% of global turnover

What needs to be implemented

The risk management measures (Art. 21 para. 2) must be based on a cross-hazard approach aimed at protecting the systems from security incidents and cover at least the following topics. The sub-items serve as examples:

a) Concepts related to risk analysis and security for information systems;

  • Risk-based approach - see also, for example, ISO 270001 and IEC 62443

b) Management of security incidents;

  • Incident response plan

c) Maintenance of operations & crisis management;

  • BCM - Business Continuity Management
  • Backup & Recovery

d) Supply chain security;

  • Interfaces to suppliers, service providers and partner companies
  • Consider supply chain availability
  • State-of-the-art security standards

e) Security measures for the acquisition/development/maintenance of ICT;

  • Certification of components and manufacturers
  • Vulnerability and patch management
  • Security by design
  • Security by default

f) Concepts and procedures for evaluating the effectiveness of risk management measures;

  • Information Security Management System (ISMS - see ISO 27001)

g) Cyber hygiene and cyber security training;

  • Recurring training and workshops
  • Employee awareness of cyber security (e.g. phishing)
  • Define processes and guidelines (e.g. passwords, authorisations, etc.)

h) Cryptography and encryption if necessary;

  • Guarantee the integrity of the data, both in rest (during storage) and in transit (during transmission)

i) Security of personnel, concepts for access control;

  • Physical security
  • Defence-in-Depth approach (see IEC 62443)

j) Multi-factor authentication or continuous authentication.

  • Additional factor to the password (dongle, biometrics, app solutions, etc.)
  • Secured voice, video and text communication
  • Note emergency communication

The measures must ensure a level of security appropriate to the existing risk, taking into account the state of the art and, where applicable, the relevant European and international standards and the costs of implementation. Factors for the proportionality of the measures are The extent of the facility's exposure to risk, the size of the facility and the likelihood of security incidents occurring and their severity, including their social and economic impact. 

In addition, there are reporting obligations to be taken into account in the event of significant security incidents. The deadlines for this are as follows:

  • Within 24 hours: Early warning to the authority.
  • Within 72 hours: detailed notification/assessment.
  • Within one month: detailed progress/final report.


If they have not already done so, companies should familiarise themselves with the NIS 2 Directive and define responsibilities (per department) as quickly as possible - even without the current regulation! With the help of initial workshops and surveys, which require the involvement of knowledge holders in the company, critical services and the necessary assets can be quickly identified. However, it should be noted that all services within a company must be subjected to a risk analysis - the remedial measures and the timing of implementation are then defined using the risk-based approach. In the event of difficulties in achieving the objectives (roadmap), it is recommended to seek help in the form of external consulting companies - the actual implementation should be carried out by internal resources in any case, as this keeps the expertise within the company.  

It is important to note that there is no need to reinvent the wheel when implementing risk management measures. There are already existing frameworks and recognised standards, such as ISO 27001 (Information Security Management) and IEC 62443 (Industrial communication networks - IT security for networks and systems). The requirements from the NIS 2 directive coincide in many areas with the components of the two standards.

For companies, e.g. machine manufacturers, that are not affected by NIS-2, however, this does not mean that they have no obligations in terms of cyber security. Both the new Machinery Directive and the forthcoming Cyber Resilience Act define requirements for manufacturers. Last but not least, operators who are covered by NIS-2 will also place requirements on their suppliers in order to fulfil their NIS-2 obligations with regard to supply chain security. 

Posted on: 2024-04-02


Martin Strommer
Dipl.-Ing. "Information Security" and Bachelor "Software Design". OT Security Engineer in the areas of critical infrastructures and manufacturing companies. Supports customers in the implementation of intrusion detection systems (IDS), in the handling of security alerts and in the realisation of security advisories. Previously worked for 7 years in the field of machine security, particularly in the areas of safety/security risk assessments and programming of programmable logic controllers. Trained as an internationally certified machine safety expert (CMSE® - TÜV Nord). Lecturer in the "Smart Engineering" bachelor's degree programme at St. Pölten UAS.


Share Article
Share Button Linkedin Share Button Xing Share Button X Share Button Email

CE InfoService

Don't miss CE news and changes!

You are not yet registered? Register now for the free CE InfoService and receive information by e-mail when new technical papers, important standards publications or other news from the field of machinery and electrical equipment safety or product compliance are available.


Support by IBF

CE Software Safexpert

CE software for systematic and professional safety engineering


Practical seminars on aspects of risk assessment and ce-marking

Stay Up-to-Date!

With the CE InfoService you stay informed about important developments in the field of product safety.