If you run IT or security at a manufacturing company in Romania, Poland or the Czech Republic, NIS2 is no longer a future problem. It is a present one. Romania transposed the directive into national law via GEO 155/2024, which is fully in force. Poland enacted its transposition in March 2026. The Czech Republic's implementation is live under the NÚKIB framework.
Enforcement is active. Regulators are beginning to assess compliance. And yet most mid-sized manufacturers we speak to have not completed a formal gap assessment — many are not even sure whether they fall in scope.
This guide answers the most common questions we receive and gives you a practical starting point.
"The three most common NIS2 gaps we find at manufacturers are: no formal asset inventory, no documented incident response procedure, and no supplier security questionnaire process. All three are fixable in under 90 days with the right support."
Does Your Manufacturing Company Fall Under NIS2?
NIS2 applies to companies in certain sectors that meet a size threshold. For manufacturing, the directive covers companies including:
- Manufacture of medical devices and in vitro diagnostic medical devices
- Manufacture of computers and electronic products
- Manufacture of machinery and equipment
- Manufacture of motor vehicles and parts
- Chemical and pharmaceutical manufacturing
- Food processing at scale
The size threshold is: 50+ employees OR €10M+ annual turnover. If you meet that threshold, you are classified as an Important Entity. If you are above 250 employees or €50M turnover, you may be classified as an Essential Entity with stricter obligations.
What NIS2 Requires: The 5 Core Obligations
1. Risk Management and Security Policies
You must have a documented cybersecurity risk management framework. This includes an asset inventory, a risk register, and written security policies covering at minimum: access control, encryption, network security, and physical security of IT systems.
2. Incident Reporting
Under Romania's GEO 155/2024 and equivalent laws, significant incidents must be reported to CERT-RO (Romania), CERT Polska (Poland), or NÚKIB (Czech Republic) within 24 hours of discovery. A full report follows within 72 hours. Most manufacturers do not have a documented procedure for deciding what constitutes a "significant incident" — this is one of the first things to fix.
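The decision "is this a significant incident, and when are the two reports due?" is exactly the step most manufacturers have not written down. The script below is an added illustration, not code from this guide or from any national authority. It encodes the 24-hour and 72-hour windows stated above and makes the significance decision against clearly labelled assumed thresholds (production downtime, estimated loss, impact on third parties, personal data); the real thresholds must come from your own risk register and your authority's guidance. The sample incidents are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Reporting windows as stated in the guide: early warning within 24 hours
# of discovery, full report within 72 hours.
EARLY_WARNING_WINDOW = timedelta(hours=24)
FULL_REPORT_WINDOW = timedelta(hours=72)

# Assumed significance thresholds. These are illustrative placeholders;
# take the real values from your risk register and the guidance of your
# national authority (DNSC/CERT-RO, CERT Polska or NÚKIB).
ASSUMED_MAX_DOWNTIME_MINUTES = 240
ASSUMED_MAX_LOSS_EUR = 100_000


@dataclass
class Incident:
    ident: str
    discovered_at: datetime               # must be timezone-aware
    production_downtime_minutes: int = 0
    estimated_loss_eur: int = 0
    affects_other_parties: bool = False   # customers, suppliers, the public
    personal_data_compromised: bool = False


def is_significant(inc: Incident) -> tuple[bool, list[str]]:
    """Return (significant?, reasons) judged against the assumed criteria."""
    reasons = []
    if inc.production_downtime_minutes >= ASSUMED_MAX_DOWNTIME_MINUTES:
        reasons.append(f"production disruption >= {ASSUMED_MAX_DOWNTIME_MINUTES} min")
    if inc.estimated_loss_eur >= ASSUMED_MAX_LOSS_EUR:
        reasons.append(f"estimated loss >= EUR {ASSUMED_MAX_LOSS_EUR}")
    if inc.affects_other_parties:
        reasons.append("impact on other natural or legal persons")
    if inc.personal_data_compromised:
        reasons.append("personal data compromised")
    return bool(reasons), reasons


def reporting_deadlines(inc: Incident) -> dict[str, datetime]:
    """Compute the two statutory deadlines from the discovery timestamp."""
    if inc.discovered_at.tzinfo is None:
        raise ValueError("discovered_at must be timezone-aware")
    return {
        "early_warning_due": inc.discovered_at + EARLY_WARNING_WINDOW,
        "full_report_due": inc.discovered_at + FULL_REPORT_WINDOW,
    }


def triage(inc: Incident, now: datetime) -> dict:
    """Decide reportability and how much time is left for the early warning."""
    significant, reasons = is_significant(inc)
    result = {"id": inc.ident, "significant": significant, "reasons": reasons}
    if significant:
        deadlines = reporting_deadlines(inc)
        remaining = deadlines["early_warning_due"] - now
        result.update(deadlines)
        result["hours_left_for_early_warning"] = round(remaining.total_seconds() / 3600, 1)
        result["early_warning_overdue"] = remaining < timedelta(0)
    return result


# Constructed sample incidents (not real events).
SAMPLE_INCIDENTS = [
    Incident("INC-001", datetime(2026, 3, 2, 6, 0, tzinfo=timezone.utc),
             production_downtime_minutes=300),
    Incident("INC-002", datetime(2026, 3, 2, 9, 30, tzinfo=timezone.utc),
             production_downtime_minutes=30),
]

if __name__ == "__main__":
    now = datetime(2026, 3, 2, 14, 0, tzinfo=timezone.utc)
    for inc in SAMPLE_INCIDENTS:
        print(triage(inc, now))
```

The point of writing the criteria as code is that the decision becomes repeatable and auditable: the reasons list is the evidence you attach to the incident record, and the computed deadlines can feed the ticketing system that pages the person responsible for the report.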
3. Business Continuity and Disaster Recovery
NIS2 requires documented business continuity plans covering your critical IT and OT systems. This includes backup procedures, recovery time objectives (RTOs), and regular testing of recovery procedures.
4. Supply Chain Security
This is the obligation that catches most manufacturers off guard. NIS2 requires you to assess and manage the cybersecurity risks of your suppliers and service providers — including cloud services, industrial software vendors, and logistics platforms. You need a process for evaluating new suppliers and reviewing existing ones.
5. Access Control and Privileged Access Management
Multi-factor authentication (MFA) must be implemented for all remote access and administrative accounts. User access must be reviewed regularly and limited to what is required for each role.
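A periodic access review is easier to evidence when it is a script run over an export from the directory rather than a spreadsheet exercise. The example below is added here and is not part of this guide; it takes a constructed CSV export (column names and role names are assumptions) and reports the three findings an auditor will ask about: administrative or remote-access accounts without MFA, accounts idle beyond an assumed 90-day limit, and accounts with no recorded owner approval.

```python
import csv
import io
from datetime import date, datetime, timedelta

# Constructed sample export from a directory service (not real accounts).
SAMPLE_ACCOUNT_EXPORT = """username,role,mfa_enabled,remote_access,last_login,manager_approved
jdoe,operator,yes,no,2026-02-20,yes
asmith,domain_admin,no,yes,2026-02-25,yes
svc_backup,service,no,no,2025-06-01,no
mnovak,engineer,yes,yes,2025-11-10,yes
"""

# Assumed role names that count as administrative in this directory.
PRIVILEGED_ROLES = {"domain_admin", "local_admin", "ot_admin"}
# Assumed review policy: accounts idle longer than this are flagged.
STALE_AFTER = timedelta(days=90)
# Date of the review run used for the sample data.
REVIEW_DATE = date(2026, 3, 1)


def _yes(value: str) -> bool:
    return value.strip().lower() == "yes"


def review_accounts(export_text: str, today: date) -> list[dict]:
    """Run the three review checks over every row of the export."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["username"]
        privileged = row["role"] in PRIVILEGED_ROLES
        remote = _yes(row["remote_access"])
        last_login = datetime.strptime(row["last_login"], "%Y-%m-%d").date()

        # MFA is mandatory for remote access and administrative accounts.
        if (privileged or remote) and not _yes(row["mfa_enabled"]):
            findings.append({"user": user, "finding": "MFA_MISSING",
                             "detail": f"role={row['role']} remote={remote}"})
        # Unused accounts are disabled or removed during the review.
        if today - last_login > STALE_AFTER:
            findings.append({"user": user, "finding": "STALE_ACCOUNT",
                             "detail": f"last login {last_login.isoformat()}"})
        # Every account needs a current, documented approval from its owner.
        if not _yes(row["manager_approved"]):
            findings.append({"user": user, "finding": "NO_ACCESS_APPROVAL",
                             "detail": "no recorded manager approval"})
    return findings


def summarise(findings: list[dict]) -> dict[str, int]:
    """Count findings per type for the review report."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f["finding"]] = counts.get(f["finding"], 0) + 1
    return counts


if __name__ == "__main__":
    results = review_accounts(SAMPLE_ACCOUNT_EXPORT, REVIEW_DATE)
    for f in results:
        print(f"{f['user']:12} {f['finding']:20} {f['detail']}")
    print(summarise(results))
```

Keep the dated output of each run in the compliance file: a sequence of reviews with findings closed between them is the evidence that access is "reviewed regularly", which a single policy document on its own does not prove.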
NIS2 by Country: Where Things Stand
🇷🇴 Romania
Romania transposed NIS2 via GEO 155/2024, which entered into force in November 2024. In-scope companies must register with DNSC and meet the full range of obligations. Enforcement is active. Fines reach up to €10 million or 2% of global turnover.
🇵🇱 Poland
Poland enacted its NIS2 transposition in March 2026. While the law is newly enacted, companies are expected to be compliant from day one — there is no grace period. Polish manufacturers with OT environments should prioritise IT/OT segmentation first.
🇨🇿 Czech Republic
The Czech Republic implemented NIS2 through an update to the Cybersecurity Act, overseen by NÚKIB. Automotive Tier 1 and 2 suppliers face additional pressure: OEM customers are beginning to require NIS2 compliance as a procurement condition.
OT Security: The Manufacturing-Specific Challenge
Unlike financial services or retail, manufacturers often run Operational Technology (OT) environments — production control systems, SCADA, PLCs — that were never designed with cybersecurity in mind. NIS2 requires these systems to be assessed and protected alongside traditional IT infrastructure.
A pragmatic NIS2 approach for manufacturers focuses on network segmentation (isolating OT from IT), anomaly monitoring, and compensating controls rather than forcing patches onto legacy industrial systems.
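Segmentation and anomaly monitoring only work if you can say which IT-to-OT paths are allowed and which OT devices are supposed to exist, which is where the asset inventory from obligation 1 comes in. The following script is an added example, not code from this guide or from any vendor: it checks constructed flow records against an assumed conduit policy (one jump host allowed to reach the engineering workstation over RDP) and an assumed OT inventory, and reports unauthorised IT-to-OT connections, OT-initiated connections into IT, and OT addresses that are not in the inventory. Address ranges, ports and device names are all assumptions.

```python
import ipaddress
from collections import Counter

# Assumed network plan: one IT range and one OT range.
IT_NET = ipaddress.ip_network("10.10.0.0/16")
OT_NET = ipaddress.ip_network("10.20.0.0/16")

# Assumed OT asset inventory (the register NIS2 asks you to maintain).
OT_INVENTORY = {
    "10.20.1.10": "PLC, line 1",
    "10.20.1.11": "PLC, line 2",
    "10.20.1.50": "HMI, line 1",
    "10.20.1.100": "engineering workstation",
}

# Assumed conduit policy: the only IT->OT path is the jump host to the
# engineering workstation over RDP. Any other flow crossing the boundary
# is a segmentation violation. OT devices never initiate flows into IT.
ALLOWED_IT_TO_OT = {("10.10.5.5", "10.20.1.100", 3389)}

# Constructed flow records (src, dst, dst_port, proto), not captured traffic.
SAMPLE_FLOWS = [
    ("10.10.5.5", "10.20.1.100", 3389, "tcp"),   # jump host -> EWS: allowed
    ("10.20.1.50", "10.20.1.10", 502, "tcp"),    # HMI -> PLC Modbus: intra-OT
    ("10.10.42.17", "10.20.1.10", 502, "tcp"),   # office PC -> PLC: violation
    ("10.20.1.77", "10.20.1.11", 502, "tcp"),    # device not in inventory
    ("10.20.1.10", "10.10.42.17", 445, "tcp"),   # PLC -> IT share: egress
]


def segment(ip: str) -> str:
    """Classify an address as IT, OT or OTHER by the assumed ranges."""
    addr = ipaddress.ip_address(ip)
    if addr in OT_NET:
        return "OT"
    if addr in IT_NET:
        return "IT"
    return "OTHER"


def analyse_flows(flows) -> list[dict]:
    """Return one finding per policy violation or unknown OT asset."""
    findings = []
    unknown_seen = set()
    for src, dst, dport, proto in flows:
        s, d = segment(src), segment(dst)
        if s == "IT" and d == "OT" and (src, dst, dport) not in ALLOWED_IT_TO_OT:
            findings.append({"type": "IT_TO_OT_UNAUTHORISED",
                             "src": src, "dst": dst, "port": dport})
        if s == "OT" and d == "IT":
            findings.append({"type": "OT_TO_IT_EGRESS",
                             "src": src, "dst": dst, "port": dport})
        # Any OT address outside the inventory is reported once.
        for ip in (src, dst):
            if segment(ip) == "OT" and ip not in OT_INVENTORY and ip not in unknown_seen:
                unknown_seen.add(ip)
                findings.append({"type": "UNKNOWN_OT_ASSET",
                                 "src": ip, "dst": None, "port": None})
    return findings


def finding_counts(findings: list[dict]) -> dict[str, int]:
    return dict(Counter(f["type"] for f in findings))


if __name__ == "__main__":
    found = analyse_flows(SAMPLE_FLOWS)
    for f in found:
        print(f)
    print(finding_counts(found))
```

Run against real flow logs from the IT/OT boundary firewall, the same logic gives you a compensating control that does not touch the PLCs at all: the legacy device stays unpatched, but every conversation it has is checked against a written policy and every new address on the production network is surfaced for the inventory.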
Where to Start: A Practical 4-Step Approach
- Confirm you are in scope — review your sector, headcount, and turnover against NIS2 thresholds in your country.
- Complete a gap assessment — compare your current security posture against NIS2 requirements to get a prioritised remediation roadmap.
- Fix the highest-risk gaps first — incident reporting procedures, asset inventory, and MFA on remote access can typically be implemented within 30 days.
- Document everything — NIS2 enforcement is evidence-based. Regulators ask to see documentation. Start building your compliance file from day one.