01
OT and IT convergence under NIS2
Industrial control systems integrated with corporate IT. ICS networks must now meet cybersecurity standards under NIS2.
IMPACTCyber-physical incidents trigger 24h reporting.
SECTOR PRACTICE · MANUFACTURING & INDUSTRIAL
EU compliance for manufacturing & industrial
GDPR, NIS2, and OT/IT security for manufacturers and industrial IoT
REGULATIONS.STACK · INDUSTRY● 09
CRACyber-resilience for products
NIS2Manufacturing as important entity
AI ACTIndustrial AI and machine vision
CSDDDSupply-chain due diligence (EU)
LKSGSupply chain due diligence (DE)
GDPRWorkforce and customer data
MACHINERYMachinery Regulation 2023
REACHChemicals registration
BATTERYBattery Regulation passport
FREE 30-MIN CONSULTATION
Talk to a senior advisor.
One business day reply. Clear next steps and indicative pricing.
1 BUSINESS DAY REPLY·NDA ON REQUEST·NO OBLIGATION
§ 01 / WHO WE SERVE
Six manufacturing profiles, one compliance map.
From automotive supply to chemicals and food processing. Each sub-sector triggers a different combination of product regulations, sustainability rules and OT cybersecurity.
AUTOMOTIVE
Automotive supply and tiers
R155 cyber type approval, CRA for ECUs, CSDDD due diligence, conflict minerals.
CRAR155CSDDD
MACHINERY
Industrial machinery and robotics
Machinery Regulation 2023, CE marking, AI Act for safety-critical machine vision.
MACHINERYAI ACTCRA
ELECTRONICS
Electronics and components
CRA for connected products, RoHS and WEEE, semiconductor supply chain, REACH.
CRAREACHGDPR
CHEMICALS
Chemicals and materials
REACH registration, CLP labelling, BREF emissions, OT cyber for hazardous processes.
REACHNIS2GDPR
FOOD & BEV
Food and beverage processing
Food safety, traceability, NIS2 (food sub-sector), sustainability reporting.
NIS2GDPRCSDDD
PHARMA MFG
Pharmaceutical manufacturing
GMP, serialisation, falsified medicines, integration with healthcare regimes.
GMPGDPRNIS2
§ 02 / LANDSCAPE
The manufacturing-sector regulatory clock.
Multiple regimes interlock. We sequence them around your operating cadence.
LIVEGDPR
IN FORCE
Workforce and customer data
Employee monitoring, ERP and CRM systems, dealer and after-sales data flows, transfers to non-EU plants.
LIVEREACH
IN FORCE
Chemicals registration
Registration, evaluation, authorisation and restriction of chemicals. SVHC notifications and SCIP database.
LIVELKSG
IN FORCE
German Supply Chain Act
Risk analysis, supplier code, remediation tracker, annual report. From 1,000 employees in Germany.
LIVEMACHINERY
IN FORCE
Machinery Regulation 2023
Replaces 2006 directive. Cybersecurity essential requirements, digital documentation, conformity assessment.
NEXTMACHINERY
JAN 2026
Machinery Regulation application
Date of application from 14 January 2027. Notified body submissions need 18-month lead time.
CRITICALAI ACT
AUG 2026
Industrial AI as high-risk
AI in machinery safety functions, predictive maintenance with safety impact, machine-vision quality control.
CRITICALCRA
DEC 2027
Cyber Resilience Act application
Connected products (hardware + software) must meet essential cybersecurity requirements. CE marking required.
NEXTCSDDD
2027
Corporate Sustainability Due Diligence
EU-wide supply-chain due diligence for large companies. Phased application from 2027.
§ 03 / WHAT TO SOLVE
Where manufacturers get stuck.
02
CRA cyber-resilience for products
Connected products need CE marking with cybersecurity essential requirements. Vulnerability handling and 5-year support obligation.
IMPACTNo CE means no EU shelf space from Dec 2027.
03
LkSG / CSDDD supply-chain mapping
Tier 1, Tier 2 and beyond. Risk analysis, supplier code, remediation, annual report. Documentation is the deliverable.
IMPACTBAFA fines plus exclusion from public contracts.
04
Machinery Regulation transition
New regulation applies from January 2027. Digital documentation, cybersecurity essential requirements, AI for safety functions.
IMPACTType withdrawn from EU market without conformity.
05
REACH and chemical regulation
Substance registration, SVHC notifications, SCIP database for articles, authorisation lists growing.
IMPACTProduction halt for unauthorised substances.
06
Industrial AI under AI Act
Machine vision quality control, predictive maintenance with safety impact, robotics decision-making all caught by Annex III.
IMPACTMis-classification = product line withdrawal.
§ 04 / OFFERING
Our services for manufacturing
MF-01
CRA readiness and CE marking
Essential-requirements gap, secure-by-design review, vulnerability handling process, conformity route, technical documentation.
DCRA gapDConformityDCE pack
MF-02
NIS2 readiness for manufacturing
Entity classification, ISMS aligned with ISO 27001 and IEC 62443, OT segmentation, incident reporting playbook.
DClassificationDIEC 62443DIncident SOP
MF-03
LkSG and CSDDD programme
Risk analysis methodology, supplier code, preventive and remedial measures, annual report.
DRisk methodologyDSupplier codeDAnnual report
MF-04
Machinery Regulation conformity
Essential-requirements assessment, cybersecurity for safety functions, digital documentation, notified-body submissions.
DConformityDTech fileDNB liaison
MF-05
AI Act for industrial AI
Annex III classification for safety-critical AI, machine vision and predictive maintenance. Technical file, human oversight.
DClassificationDAnnex IVDPMM
MF-06
REACH and chemicals compliance
Substance registration support, SVHC notifications, SCIP database submissions, restriction list monitoring.
DRegistrationDSCIPDMonitoring
MF-07
OT cybersecurity programme
IEC 62443 framework, ICS network segmentation, asset inventory for OT, secure remote access.
DIEC 62443DSegmentationDInventory
MF-08
GDPR for workforce and customers
Employee monitoring lawful basis, ERP/CRM governance, dealer network data, transfers to non-EU plants.
DLB mappingDERP/CRMDTransfers
MF-09
Outsourced manufacturing compliance
Senior advisor with industrial experience, regulator and notified-body liaison, board reporting.
DRetainerDBoard memosDRegulator
§ 05 / SELECTED WORK
All case studies →Manufacturing engagements.
CASE 01Automotive Tier-1
CRA + R155 readiness across 11 product lines. CE pack prepared ahead of December 2027.
11
PRODUCT LINES
Filed
DOSSIERS
+8 months
LEAD TIME
SCOPECRA · R155 · CSMS · CE
CASE 02Industrial machinery
Machinery Regulation transition, AI-vision QC classification under AI Act high-risk.
4
PRODUCT FAMILIES
12 mo
NB CYCLE
Issued
CE
SCOPEMachinery · AI Act · ISO 13849 · Notified body
CASE 03Chemicals manufacturer
LkSG programme rolled across 240 suppliers. Reporting filed on time.
240
SUPPLIERS
62
RISK ACTIONS
Filed
REPORT
SCOPELkSG · CSDDD · Supplier code · BAFA
§ 06 / FREE TOOL
Map your manufacturing stack to the EU rulebook.
Eight questions about your products, processes and supply base. Get an indicative obligations map across CRA, NIS2, AI Act, CSDDD, Machinery and REACH.
Run obligations mapper~ 4 MINMAPPER.PREVIEWSTEP 4 / 8
Do your products contain software or connect to a network?
Yes, primary purpose is software (digital element)A
Yes, with software for monitoring or maintenanceB
Limited firmware, no network connectivityC
No software or connectivityD
INDICATIVE → CRA + RED ART. 3(3) + AI ACT
§ 07 / FAQ
Frequently Asked Questions
01Are we in scope of NIS2?+
Manufacturing sub-sectors listed in NIS2 Annex II as important entities include automotive, machinery and electronics manufacturing above thresholds (50 staff or €10M turnover). Critical manufacturing (medical devices, computers, electronic optical products) can be essential under Annex I.
02When does CRA apply?+
Cyber Resilience Act applies from 11 December 2027. Vulnerability reporting from 11 September 2026. Connected products placed on the EU market after the date need CE marking with cybersecurity essential requirements.
03How does CRA interact with Machinery Regulation?+
Machinery Regulation 2023 already requires cybersecurity essential requirements for safety functions. CRA layers on top for the full product lifecycle. Our team builds combined technical documentation that satisfies both regimes.
04What is the LkSG threshold for German entities?+
Companies with 1,000 employees in Germany are in scope from January 2024. Smaller companies are not directly in scope but are typically required by larger customers to participate in supplier code and risk analysis.
05Are we caught by CSDDD if we are not in Germany?+
CSDDD applies EU-wide from 2027 with phased thresholds. Companies above 1,000 employees and €450M EU turnover are in scope first, with smaller thresholds following. Non-EU companies meeting the EU turnover threshold are also in scope.
06Does AI Act apply to predictive maintenance?+
Yes if the AI affects safety functions or has high-risk outcomes (employment, safety-critical applications). Annex III lists AI in safety components of products subject to harmonised legislation. Most industrial safety AI is caught.
07What is the SCIP database obligation?+
Substances of Concern in articles, as such or in complex objects (Products). Notification required for articles placed on the EU market containing SVHCs above 0.1%. Database is operated by ECHA, accessible to consumers and authorities.
08Can you handle our notified body submissions?+
Yes. We prepare technical documentation, coordinate with the notified body, manage queries and run dry-run interviews before submission. We have completed conformity files for machinery, medical devices and connected products.
§ 08 / RELATED
Related practices.
Cybersecurity
ISMS, ISO 27001, IEC 62443 and OT cybersecurity programmes.
Open practice →NIS2 Compliance
Scoping, ISMS and supervisory readiness for manufacturers.
Open practice →AI Compliance
AI Act for industrial AI, machine vision and predictive maintenance.
Open practice →09 / GET STARTED
NIS2 and OT security for manufacturing
Typical outcomes: NIS2 status determined, OT/IT segmentation plan, resilience measures.