Regulatory · 11 min read

NIS2 obligations for pharma and life sciences companies 2026

Pharma and life sciences companies sit 'only' in NIS2 Annex II, but the double classification (manufacturing of medicinal products under Annex I No. 5 for critical APIs, medical device manufacturers under the manufacturing subsector of Annex II) makes the picture complex. On top of that sits the friction between NIS2 cybersecurity duties and GMP/GxP validation requirements, which slows down every IT effort in a regulated pharma environment. Here is the clean classification, followed by the obligations in the order in which they can realistically be implemented.

Where pharma sits in NIS2

Annex I No. 5 (health): EU reference laboratories, manufacturers of basic pharmaceutical products and medicinal products listed in the WHO essential medicines list or considered critical under Regulation (EU) 2022/123. These are essential entities at large enterprise size.

Annex II No. 5 (manufacturing): manufacture of medical devices and in vitro diagnostics, and manufacture of pharmaceutical products including APIs.

Size filter: from 50 employees or EUR 10m revenue, important entity; from 250 employees or EUR 50m revenue, essential entity under Annex I, but still important entity under Annex II.

Group counting applies. Mid-cap generics manufacturers and family-owned MedTech firms practically all fall into at least important entity status.

Conflict zone: NIS2 meets GMP, GxP and CSV

GMP (EU GMP Guide Annex 11, FDA 21 CFR Part 11) requires full validation (CSV) and a complete audit trail for computerised systems in pharma manufacturing. Every software change, every patch, every configuration change must be validated before going live.

NIS2 Art. 21(2)(e) requires timely vulnerability handling. A critical CVE on an MES server controlling tablet production would by IT logic need to be patched in days, but by GMP logic only after revalidation of the entire process chain.

The fix is not technical but procedural: pre-validated patch tracks with the vendor (often SAP, Werum, Rockwell, Siemens) plus documented risk acceptance for the transition period, plus compensating controls (segmentation, monitoring, application allowlisting).

Ten concrete obligations

1. Site-level risk analysis, GxP and non-GxP separately. Patient safety impact explicitly modelled.

2. Incident handling with notification cascade to BSI (24h/72h/one month). In addition AMG/MPDG filings for production disruptions affecting supply security or product quality.

3. Business continuity: recovery plans for MES, LIMS, ERP, serialisation platform (FMD), distribution platforms with documented RTO/RPO.

4. Backup and recovery: especially for GxP systems with retention duty (LIMS data up to 30 years). Immutable backups plus documented restore tests.

5. Vulnerability management with a GMP-compliant patch track. Pre-validated vendor updates and emergency patch procedures with retrospective validation.

6. Cryptography for every data flow leaving production (MES to ERP, LIMS to QMS), TLS and key management.

7. Access control plus MFA. Sensitive: in GMP-validated workstations, any authentication change triggers validation rework. Pattern: central IAM with documented CSV extension.

8. Supply chain: contracts with MES vendors (Werum, Rockwell, SAP DM), cloud LIMS and serialisation platforms need NIS2 clauses plus GMP supplier qualification.

9. Training duty for management body (board, managing directors), QA leadership, IT staff, production staff with system access.

10. Personnel security, asset inventory (with GxP-relevant systems separately tracked), authentication.

Audit trail integrity: NIS2-plus for pharma

Annex 11 GMP requires audit trails that cannot be tampered with. NIS2 Art. 21(2)(h) requires cryptography and secure authentication.

Concretely: audit trail databases must be technically immutable (append-only, WORM, or cryptographically chained). Read access is logged, write access is system-side only.
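The following is an added example, not code from the article or from nexalign, of the "cryptographically chained" option named above: every audit record carries the SHA-256 digest of its predecessor, so an after-the-fact edit, deletion or reordering of any record breaks verification from that point on. The record fields, user names, timestamps and the two tampering scenarios in `demo()` are constructed for illustration and do not correspond to any real system.

```python
import dataclasses
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

GENESIS_HASH = "0" * 64  # chain anchor for the very first record


@dataclass(frozen=True)
class AuditRecord:
    seq: int          # position in the trail, starts at 0
    timestamp: str    # ISO 8601, set by the system clock, never by the user
    user: str         # who triggered the GxP-relevant action
    action: str       # e.g. BATCH_RELEASE, PARAM_CHANGE (constructed vocabulary)
    detail: str       # free-text description of the change
    prev_hash: str    # digest of the preceding record (or GENESIS_HASH)
    hash: str         # SHA-256 over all fields above


def _record_digest(seq: int, timestamp: str, user: str, action: str,
                   detail: str, prev_hash: str) -> str:
    # Canonical JSON so the digest does not depend on whitespace or key order.
    payload = json.dumps([seq, timestamp, user, action, detail, prev_hash],
                         separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only trail: the application exposes append(), never update or delete."""

    def __init__(self) -> None:
        self._records: List[AuditRecord] = []

    def append(self, timestamp: str, user: str, action: str, detail: str) -> AuditRecord:
        seq = len(self._records)
        prev_hash = self._records[-1].hash if self._records else GENESIS_HASH
        digest = _record_digest(seq, timestamp, user, action, detail, prev_hash)
        record = AuditRecord(seq, timestamp, user, action, detail, prev_hash, digest)
        self._records.append(record)
        return record

    def records(self) -> List[AuditRecord]:
        return list(self._records)  # a copy; callers cannot mutate the trail

    def head_hash(self) -> str:
        # Value to anchor externally (WORM store, signed timestamp, separate system).
        return self._records[-1].hash if self._records else GENESIS_HASH


def verify_chain(records: List[AuditRecord]) -> Tuple[bool, Optional[int]]:
    """Recompute every digest and link; return (ok, index of the first bad record)."""
    prev_hash = GENESIS_HASH
    for i, r in enumerate(records):
        if r.seq != i or r.prev_hash != prev_hash:
            return False, i  # record removed, reordered or inserted
        expected = _record_digest(r.seq, r.timestamp, r.user, r.action, r.detail, r.prev_hash)
        if expected != r.hash:
            return False, i  # record contents edited after the fact
        prev_hash = r.hash
    return True, None


def demo() -> dict:
    """Constructed sample trail plus two tampering scenarios (illustration only)."""
    trail = AuditTrail()
    trail.append("2026-01-05T08:00:00Z", "mes.system", "BATCH_START", "batch 1001 started on line 3")
    trail.append("2026-01-05T09:15:00Z", "op.mueller", "PARAM_CHANGE", "granulation time 12 -> 14 min")
    trail.append("2026-01-05T16:40:00Z", "qp.schmidt", "BATCH_RELEASE", "batch 1001 released")
    intact = verify_chain(trail.records())

    # Scenario 1: the parameter change is rewritten directly in the store.
    edited = trail.records()
    edited[1] = dataclasses.replace(edited[1], detail="granulation time 12 -> 12 min")
    after_edit = verify_chain(edited)

    # Scenario 2: the parameter change record is deleted outright.
    deleted = [r for r in trail.records() if r.seq != 1]
    after_delete = verify_chain(deleted)

    return {"intact": intact, "after_edit": after_edit,
            "after_delete": after_delete, "head_hash": trail.head_hash()}


if __name__ == "__main__":
    print(demo())
```

The chain proves that nothing was changed between two points in time, but on its own it does not stop a party holding write access from rewriting the whole trail consistently. That is why the head hash must be anchored outside the database (WORM storage, a signed timestamp, or a second system the audit trail owner cannot write to) and reconciled on a schedule; together with system-side-only write access this gives the integrity evidence an inspector asks for after an incident.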

In a ransomware incident in a GxP environment, beyond the recovery effort, the integrity proof becomes critical: the competent authority (in Germany: state-level authority, BfArM, EMA for centrally authorised products) expects evidence that data integrity was not compromised.

Multi-notification: BSI, BfArM, state authority

BSI under NIS2: material incident (24h/72h/one month).

BfArM in case of shortages or supply problems with authorised medicines (§ 52b AMG, supply shortage notification).

State authority (district government) for GMP deviations.

EMA for centrally authorised products and EU-wide supply issues.

A prepared notification playbook is helpful, defining per incident type which addressees are notified in which order and which internal sign-off precedes which step.

Management body liability

Liability sits with the board or the managing directors, depending on legal form. In practice affected: CEO, COO/site head, CIO, CISO, and the qualified person (QP) at the overlap.

Essential entities (Annex I): fines up to EUR 10m or 2 percent of worldwide group turnover.

Important entities (Annex II): up to EUR 7m or 1.4 percent. For most pharma mid-caps Annex II governs, but critical APIs or listed medicines pull them into Annex I.

Training duty at least annually, documented. A short training slot inside the annual GMP mandatory training is a pragmatic solution.

What DecisionOS does

In a pharma environment, IT security decisions are never pure IT decisions: every choice of EDR, MES modernisation, cloud LIMS or IAM platform touches GMP validation, QA sign-off and potentially supply security. DecisionOS records each as a decision memo mapped to NIS2 Art. 21 with a GMP validation note, stakeholder alignment (CIO, CISO, QA, QP, site head, board where applicable) and a readiness score. The same dossier serves BSI audits, state-authority inspections and internal QA reviews.