Industry · Manufacturing & Industrial
DecisionOS for manufacturing and industrial
Manufacturing operates under three regulatory pressures by 2026: NIS2 (manufacturing as important entity), Cyber Resilience Act (CRA, in force from 2027 for products with digital elements) and industry standards like TISAX for automotive suppliers and IEC 62443 for industrial control systems. DecisionOS structures the central IT and OT decisions so the memo serves BSI examiners, internal audit and supervisory boards at the same time.
TL;DR
Manufacturing is a NIS2 important entity. OT security and supply-chain diligence are mandatory. The decision memo is the audit standard.
Regulatory overview
Regulatory context
NIS2 Annex II classifies manufacturing as an important entity: manufacturers of medical devices, computers and electronics, electrical equipment, machinery, motor vehicles and other vehicles. Threshold: 50 or more employees or at least 10 M EUR annual turnover.
The Cyber Resilience Act (Regulation 2024/2847) fully applies from 11 December 2027. Obligations for manufacturers, importers and distributors of products with digital elements: risk analysis, security by design, SBOM, vulnerability management, update duty, conformity assessment, CE marking.
TISAX (Trusted Information Security Assessment Exchange) is mandatory for suppliers to the automotive industry. The ISA catalogue (currently 6.x) focuses on information security, prototype protection, data protection, connectivity.
IEC 62443 is the international OT security standard. Maturity levels 1-4. Increasingly required by insurers and OEM customers.
Typical decisions
Dealbreakers (non-negotiable)
OT visibility and IEC 62443 fitness
Pure IT tooling sees neither PLCs nor HMIs. OT discovery must be native or integrated through partners.
Supply-chain diligence under NIS2 Art. 21 (d)
Industrial supply chains run deep. SBOM and vendor audits are mandatory.
Air-gap and immutable backup
Ransomware in OT can stop plants for weeks. Recovery testing is mandatory.
EU data residency with BSI C5
Production and engineering data are crown jewels. Exclude US CLOUD Act exposure.
Typical decisions
OT security stack: passive network monitoring (Claroty, Nozomi, Dragos), asset inventory, vulnerability management at PLC level.
IT-OT convergence: SOC with combined IT and OT telemetry, joint escalations.
Supplier review: TISAX label requirements for suppliers with data access. SBOM duty for software components in own products.
ERP modernisation: SAP S/4HANA migration with OT integration (MES, shop-floor apps).
Where DecisionOS plugs in
The memo maps directly: criteria to NIS2 Art. 21, dealbreakers to TISAX-ISA and CRA requirements, stakeholder alignment across CIO, CISO, plant management, OT engineering, supplier management. Versioning when vendors change.
Hosting and data sovereignty
DecisionOS is hosted in Germany on Hetzner, EU-only data flow, Art. 28 GDPR data processing agreement in place. Suitable for regulated OT workloads.
FAQ
Are all manufacturers in scope of NIS2?
From 50 employees or 10 M EUR turnover in one of the Annex II sectors, yes. In addition, every supplier to an essential or important entity can be contractually forced into NIS2 hygiene.
How does the Cyber Resilience Act affect manufacturing?
Machinery with digital elements (i.e. nearly all modern machines) falls under the CRA. Obligations: security by design, SBOM, vulnerability management, update duty across the product lifecycle, EU database registration. Placing non-compliant products on the market from December 2027 onward risks market bans and fines of up to 15 M EUR or 2.5% of annual turnover.
How do TISAX and ISO 27001 fit together?
ISO 27001 is the generic baseline. TISAX is industry-specific (automotive) with additional requirements for prototype protection and connectivity. Companies certified to ISO 27001 have a significant head start for TISAX but must fulfil the additional ISA modules separately.
Related decision guides
Compliance
How to reach NIS2 readiness as a mid-market or enterprise operator
Security
How to choose an EDR or XDR platform in 2026
Security
SIEM platform and SOC build: a structured decision guide
Backup, Recovery and Disaster Recovery
Selecting a backup and DR solution: structured under NIS2, DORA and BAIT
ERP modernisation
Selecting an ERP: SAP S/4HANA, Microsoft Dynamics, Oracle, Infor, open source
Related comparisons
DecisionOS vs LeanIX
LeanIX tracks your portfolio. DecisionOS decides what changes.
DecisionOS vs OneTrust
OneTrust manages privacy and risk continuously. DecisionOS produces the decision inside.
DecisionOS vs Excel and slide decks
Spreadsheets work until the second stakeholder shows up.
DecisionOS vs RFP tools
RFP tools automate Q&A. DecisionOS runs the decision.
DecisionOS vs procurement suites
Procurement suites execute the purchase. DecisionOS makes the decision.
Relevant industries
Pharma & Life Sciences
Pharma IT is regulated IT. Validation (CSV/CSA) and audit trail are not optional. The decision memo is the mandatory front-end documentation.
Automotive & Suppliers
Automotive = TISAX + UNECE R155/R156 + ISO 21434 + NIS2. The decision memo is the only format that maps all four in parallel.
Chemicals & Process Industry
Chemicals is a NIS2 important entity with physical major-accident risk. IT-OT convergence is the core strategic question.
Retail & Commerce
Retail IT = payment + customer data + logistics. PCI DSS 4.0 and GDPR are the two hard axes.
