
The Ultimate Guide: Which Manufacturers Fall Under NIS2 Annex II

  • Writer: Bogdan Georgiev
  • Sep 4, 2025

Updated: Sep 10, 2025



The EU’s NIS2 Directive (Directive (EU) 2022/2555) significantly expands the number of sectors and entities that fall under cybersecurity and resilience obligations. Among the most affected are manufacturers — especially those producing essential goods and components that impact critical supply chains.

In this article, we’ll take a detailed look at Annex II of NIS2 (Important entities), which explicitly lists the categories of manufacturing activities in scope, along with their references to EU regulations and NACE codes. If you’re a manufacturer, this guide will help you determine whether your operations fall within NIS2’s scope.


1. Manufacture, Production, and Distribution of Chemicals


Annex II includes:

“Undertakings carrying out the manufacture of substances and the distribution of substances or mixtures, as referred to in Article 3, points (9) and (14), of Regulation (EC) No 1907/2006, and undertakings carrying out the production of articles, as defined in Article 3, point (3), of that Regulation, from substances or mixtures.”


Key Definitions (Regulation (EC) No 1907/2006 – REACH)

  • Substance (Art. 3(9)) → A chemical element and its compounds in the natural state or obtained by any manufacturing process.

    • Examples: pure metals (copper, aluminum), industrial gases (oxygen, nitrogen), sulfuric acid, methanol, pharmaceutical APIs.

  • Mixture (Art. 3(14)) → A solution composed of two or more substances.

    • Examples: paints, adhesives, detergents, fertilizers.

  • Article (Art. 3(3)) → An object whose shape, surface, or design matters more than chemical composition.

    • Examples: tires, plastic packaging, electronics casings, treated textiles, furniture.


NIS2 Implication

Any company manufacturing chemicals, distributing them, or producing goods (articles) using regulated substances/mixtures falls under NIS2. This includes plastics, textiles, paints, industrial chemicals, and coatings.


2. Production, Processing, and Distribution of Food


Annex II includes:

“Food businesses as defined in Article 3, point (2), of Regulation (EC) No 178/2002 of the European Parliament and of the Council which are engaged in wholesale distribution and industrial production and processing.”

 

Definition (Regulation (EC) No 178/2002 – General Food Law)

  • Food business (Art. 3(2)) → Any undertaking, whether for profit or not, public or private, carrying out activities at any stage of food production, processing, or distribution.


NIS2 Scope

Only the following are included:

  • Industrial production/processing → factories, large processors.

  • Wholesale distribution → large-scale storage, import/export, supply to retailers.

Small restaurants and retailers are not in scope.


Practical Examples

  • Industrial production/processing: meat & poultry plants, dairies, bakeries, breweries, flour mills, frozen/canned food producers.

  • Wholesale distribution: national wholesalers, cold storage hubs, food traders, beverage distributors.


3. Manufacturing of Medical Devices


Medical Devices (Regulation (EU) 2017/745 – MDR, Art. 2(1))


Definition: Any instrument, apparatus, software, implant, or material used for diagnosis, prevention, monitoring, treatment, or alleviation of disease.

  • Examples: pacemakers, ventilators, MRI scanners, prosthetics, wheelchairs, syringes, diagnostic software.


In Vitro Diagnostic Medical Devices (Regulation (EU) 2017/746 – IVDR, Art. 2(2))


Definition: Devices used in vitro (outside the body) to examine human specimens for medical purposes.

  • Examples: blood analyzers, PCR machines, COVID-19 test kits, pregnancy tests, genetic tests, donor screening kits.


NIS2 Implication

  • In scope: All manufacturers of MDR devices and IVDR devices.

  • Exception: Certain low-risk custom-made devices (Annex I, point 5, fifth indent of NIS2).


4. Other Manufacturing Categories (NACE Rev. 2 References)


NIS2 directly cites NACE codes (EU industry classification). Here are the divisions in scope:

  • (a) Computer, Electronic & Optical Products (NACE C26): Semiconductors, computers, telecom equipment, consumer electronics, measuring instruments, optical devices.

  • (b) Electrical Equipment (NACE C27): Motors, transformers, batteries, lighting equipment, wiring devices.

  • (c) Machinery & Equipment n.e.c. (NACE C28): Engines, turbines, pumps, compressors, agricultural machinery, machine tools.

  • (d) Motor Vehicles, Trailers & Semi-Trailers (NACE C29): Cars, trucks, buses, trailers, and parts.

  • (e) Other Transport Equipment (NACE C30): Shipbuilding, aerospace, railway equipment, motorcycles, bicycles, military vehicles.


To make this even clearer, we are publishing separate, detailed articles for each NACE category. This way, you can quickly find your industry and see exactly how NIS2 applies.


5. Why These Manufacturers?

The EU has targeted these manufacturing categories because they are:

  • Critical to supply chains (chemicals, food, machinery).

  • Essential to services (medical devices, electronics, vehicles).

  • High risk for disruption (a cyberattack could create cascading effects across Europe).


6. Next Steps for Manufacturers

If your business is in scope, you must prepare for:

  • Implementing risk management and cybersecurity measures.

  • Incident reporting within 24–72 hours.

  • Supply chain security requirements.

  • Management accountability (board and executives are personally liable).


Conclusion

NIS2’s Annex II brings a wide range of manufacturers into scope — from chemicals to cars, from food to medical devices. Compliance is not optional, but with the right approach, it can become a competitive advantage in securing supply chains and building trust.
