Manufacturing

Compliance requirements for the manufacturing sector.

---

Sector Profile

Attribute	Value
AI Act impact	MEDIUM
NIS2 category	Important (Annex II) or Out of scope
GDPR impact	MEDIUM
Other regulations	Machinery Directive, Product Safety

---

AI Act for Manufacturing

Typical AI Systems

System	Classification	Obligations
Predictive maintenance	LOW	Minimal
Quality control (visual)	LOW	Minimal
Production optimization	LOW	Minimal
Safety systems (AI)	MEDIUM	Documentation
Worker monitoring	MEDIUM	Transparency
Robotics (collaborative)	MEDIUM	Safety assessment

Safety-critical AI

Safety-critical AI in manufacturing

AI AS A SAFETY COMPONENT (Annex I, item 2) If AI is part of a machine’s safety system:

• HIGH-RISK classification
• Machinery Directive compliance
• CE marking
• Third-party conformity assessment

AI FOR WORKER SAFETY MONITORING If AI monitors worker safety:

• MEDIUM-RISK (Art. 52)
• Transparency towards employees
• GDPR compliance (employee data)
• Works council consultation

Embedded AI in Products

If your product contains AI:

• You must classify the AI component
• Documentation for downstream users
• Product safety implications

---

NIS2 for Manufacturing

Scope Determination

Criterion	Essential	Important	Out of scope
Medical device manufacturing	Yes
Computer/electronics manufacturing		Yes
Machinery manufacturing		Yes
Chemical manufacturing		Yes
Food production		Yes
Other manufacturing			Yes (usually)

Condition: >50 employees OR >EUR 10M revenue

OT Security (Operational Technology)

OT Security — manufacturing specifics

IT/OT convergence

• Segmentation of IT and OT networks
• Firewall between corporate and production
• Monitoring of cross-network traffic

Legacy systems

• Older PLC/SCADA without patch support
• Compensating controls
• Network isolation

Vendor access

• Remote maintenance access
• VPN + MFA for vendors
• Session logging

Supply chain

• Component integrity
• Firmware verification
• Vendor security assessment

Specific Requirements

Area	Requirement	Priority
IT/OT segmentation	Network separation	Critical
OT monitoring	IDS for industrial protocols	High
Legacy protection	Compensating controls	High
Backup/recovery	OT system backups	Critical
Vendor management	Remote access controls	High

---

GDPR for Manufacturing

Typical Data

Category	Examples	Legal basis
Employee data	Attendance, performance, safety	Contract + Legal
Supplier data	Contacts, contracts	Contract
Customer data	Orders, contacts	Contract
CCTV	Security cameras	Legitimate interest
Access logs	Facility entry	Legal + Legitimate

Employee Monitoring

Employee monitoring in manufacturing

CCTV in the workplace

• Legitimate interest (safety)
• Informing employees
• Restricted access to recordings

Access systems

• Who entered when
• Retention: as needed (30-90 days)
• Audit trail for investigations

Productivity (if applicable)

• Employee consent
• Transparency
• Works council approval

Wearables (safety)

• Health data = special category
• Explicit consent
• Data minimization

---

Machinery Directive + AI

AI in Machinery

If AI affects machine safety:

Aspect	Requirement
Risk assessment	Machine + AI combined
CE marking	Entire system
Documentation	AI as component
Validation	AI behavior testing
Updates	Change management for AI updates

CE Marking with AI

CE Marking process with AI

1. Identify AI components
2. AI risk classification (AI Act)
3. Machinery risk assessment
4. Conformity assessment (Notified Body if required)
5. Technical file including AI documentation
6. Declaration of Conformity
7. CE marking

---

Checklist for Manufacturing

Immediate (Weeks 1-2)

• Inventory of AI in production and products
• NIS2 scope assessment
• IT/OT network mapping

Short-term (Months 1-3)

• OT security gap analysis
• Employee monitoring GDPR review
• Vendor access audit

Medium-term (Months 3-6)

• IT/OT segmentation project
• Legacy system protection
• Product AI documentation

Long-term (Months 6-12)

• OT monitoring implementation
• NIS2 full compliance (if in scope)
• AI Act product compliance

---

Typical Costs

Item	Estimate
IT/OT security assessment	EUR 15-30k
Network segmentation	EUR 30-60k
OT monitoring	EUR 20-50k
GDPR employee data audit	EUR 10-20k
Product AI compliance	EUR 15-30k/product
Total Y1	EUR 90-190k

---

Resources

• Machinery Directive 2006/42/EC
• IEC 62443 (Industrial Cybersecurity)
• NIST Manufacturing Cybersecurity