
German Mid-Market Machinery: NIS-2 Extension, IEC 62443, and Industrial Espionage Risk

SecTepe Editorial

German machinery mid-market firms are a doubly attractive target in 2026: Industry 4.0 connectivity creates attack surfaces, and decades of accumulated know-how (engineering data, CAD models, tool geometries) are a first-rate espionage trophy. On top of that, the NIS-2 extension hits many houses that previously assumed they were "not critical infrastructure".

Who Falls Under NIS-2 in 2026 – Even When They Didn't Expect It

Annex I + II of the NIS-2 Directive (implemented in Germany via the NIS-2 Implementation Act) covers, among others:

  • Manufacturers of essential digital devices – including industrial devices with IT components
  • Manufacturers of machines used in critical infrastructure sectors – e.g. pumps for water utilities, turbines for power plants
  • Suppliers to critical infrastructure operators with significant relevance (thresholds: 50 employees / €10 M revenue)

Many mid-market firms with 80–500 employees are confronted in 2026 for the first time, by their supervisory board or a critical-infrastructure customer, with the question: "Are we now in scope?" The answer is often: yes.

The Second Stressor: Industrial Espionage in 2026

The German BfV report 2025 documented a 240 % increase in detected espionage incidents against the German mid-market vs. 2022. Focus sectors: machinery, optics, semiconductors, medical technology. Typical approaches:

  • Supplier acquisition: buying a small supplier with direct access to engineering data of the larger customer.
  • Spear phishing from a fake customer contact requesting a CAD file "for clarification".
  • Insider recruitment: engineering staff with foreign links, often via job change.
  • OT lateral movement: access via a connected machine on the production floor, escalation into the engineering network.

IEC 62443 as Technical Framework for OT

IEC 62443 is the international standard for industrial automation and control systems. It's extensive (parts 1–4), but for mid-market firms three areas are practically relevant:

  1. Zone model and conduits (62443-3-2): production network strictly separated from office network. Communication only over defined conduits with filtering.
  2. Security Level (SL) 2 as realistic target: protection against intentional attacks with simple means. SL 3+4 are for high-security environments.
  3. Component security lifecycle: machinery vendors must provide patch mechanisms, documented update obligations, and EOL clauses in the contract.

The Five Levers That Work in Machinery

1. Maintain a Separate OT Asset Inventory

PLCs, HMIs, robots, sensors – each with vendor, software state, EOL date, network zone. Model them in the asset module with an OT class and a separate protection-need rating.

2. Enforce Zone Model With Coraza/OPNsense

Office network ↔ engineering network ↔ production network strictly segmented. Conduits explicitly defined with allow lists. Anomaly detection in Wazuh on inter-zone traffic.

3. Mail Security With CAD Attachment Forensics

CAD attachments (.step, .dwg, .iges) are a standard spear-phishing vehicle. CAPE sandbox can detonate CAD loaders, analyze macro code, extract embedded scripts.

4. Supplier Risk With an Espionage Lens

Who has access to engineering data? Which sub-processors? Ownership relationships reviewed annually. TPRM with geography rating as a risk-score factor.

5. Insider Threat Indicators in the SIEM

Atypical data exports (large CAD packages to cloud storage), USB mass storage connections, access outside working hours. Wazuh correlation rules for these exist as Sigma templates.
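The three indicators from this lever, screened over constructed events and correlated per user, as an added Python example (not SecTepe's Wazuh rules or the Sigma templates mentioned; the cloud-storage destination list, size threshold and working-hours window are assumptions to be tuned per firm):

```python
import json
from collections import defaultdict
from datetime import datetime

CAD_EXTENSIONS = {".step", ".stp", ".dwg", ".iges", ".igs"}
# Assumed list of external cloud-storage destinations; adapt to the firm's own proxy categories.
CLOUD_STORAGE = {"dropbox.com", "drive.google.com", "wetransfer.com"}
CAD_EXPORT_THRESHOLD_MB = 200     # assumed tuning value
WORK_HOURS = range(6, 20)         # 06:00-19:59 on weekdays counts as working time (assumption)

# Constructed sample events (not real telemetry): one JSON object per line, as a SIEM
# might receive them from a web proxy, an endpoint agent and the domain controller.
SAMPLE_EVENTS = """\
{"ts":"2026-03-10T10:12:00","user":"k.mueller","type":"upload","dst":"sharepoint.internal","file":"gearbox_v7.step","size_mb":320}
{"ts":"2026-03-10T22:41:00","user":"k.mueller","type":"upload","dst":"dropbox.com","file":"tooling_set.zip","size_mb":850,"contains":[".dwg",".step"]}
{"ts":"2026-03-11T08:03:00","user":"a.schmidt","type":"usb_connect","device_class":"mass_storage","device":"SanDisk Ultra"}
{"ts":"2026-03-11T03:17:00","user":"a.schmidt","type":"logon","host":"eng-ws-14"}
{"ts":"2026-03-11T09:30:00","user":"t.weber","type":"upload","dst":"dropbox.com","file":"offer.pdf","size_mb":2}
"""

def _has_cad(ev):
    # Look at the file name itself and, for archives, at the listed member extensions.
    names = [ev.get("file", "")] + ev.get("contains", [])
    return any(n.lower().endswith(ext) for n in names for ext in CAD_EXTENSIONS)

def indicators(ev):
    """Return the insider-threat indicator names that a single event triggers."""
    hits = []
    ts = datetime.fromisoformat(ev["ts"])
    if ev["type"] == "upload" and ev["dst"] in CLOUD_STORAGE \
            and _has_cad(ev) and ev["size_mb"] >= CAD_EXPORT_THRESHOLD_MB:
        hits.append("cad_export_to_cloud")      # large CAD package leaving to cloud storage
    if ev["type"] == "usb_connect" and ev.get("device_class") == "mass_storage":
        hits.append("usb_mass_storage")         # removable storage attached
    if ts.hour not in WORK_HOURS or ts.weekday() >= 5:
        hits.append("off_hours_access")         # activity at night or on the weekend
    return hits

def screen(lines):
    """Correlate indicators per user; two distinct indicators escalate the user for review."""
    per_user = defaultdict(set)
    for line in lines.strip().splitlines():
        ev = json.loads(line)
        per_user[ev["user"]].update(indicators(ev))
    return {u: {"indicators": sorted(h), "escalate": len(h) >= 2}
            for u, h in per_user.items() if h}

if __name__ == "__main__":
    for user, result in screen(SAMPLE_EVENTS).items():
        print(user, result)
```

A single off-hours logon on its own stays a low-priority signal; the per-user correlation is what turns the three indicators into an escalation worth an analyst's time.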

Where Machinery CIOs Typically Underestimate

  • "Our machines aren't on the internet." – Yes they are, often: via vendor service VPN, via ERP integration, via service technicians' mobile devices.
  • "CAD data isn't personal data." – True, but the German trade secrets act (GeschGehG) creates its own confidentiality obligations.
  • "IEC 62443 is for the big players." – True today, but insurers, critical-infrastructure customers, and auditors increasingly expect it in the mid-market too.
  • "Espionage doesn't hit us." – Yes it does; the risk is statistically growing.

Realistic Setup Expectation

  • 250-employee machinery firm with 1 plant: 9 months ISMS foundation + OT segmentation, 12 months NIS-2 readiness, ~€180 k initial investment.
  • Multiple plants + international sites: 12 months, ~€280 k, benefits more strongly from a central platform solution.

Compliance Mapping

  • NIS-2 Art. 20–23: management duty, minimum measures, 24-hour early warning.
  • IEC 62443: OT security, zone model, component security lifecycle.
  • ISO 27001 + ISO 27019: energy-related extension for energy-industry suppliers.
  • GeschGehG (German trade secrets act): trade secret protection with documented confidentiality measures as a precondition.
  • Machinery Regulation 2023/1230: cyber security requirements for machinery manufacturers, applicable from 2027.

Conclusion

German machinery mid-market 2026: NIS-2 extension hits more firms than most expect, industrial espionage is real and growing, IEC 62443 moves from "big-industry topic" to insurance minimum standard. Anyone starting now with OT asset inventory, segmented zone model, CAD-capable mail security, and supplier rating reaches audit readiness in 12 months – and tangibly reduces espionage risk.