TL;DR: Flemish manufacturing companies with more than 50 employees fall under the Belgian NIS2 law as an “important entity.” That means mandatory security measures, incident reporting to the CCB and attention to the cybersecurity of your supply chain. The manufacturing industry is the hardest hit by ransomware worldwide, but through VLAIO grants you can have up to 50% of your security program funded.
West Flanders is Belgium’s industrial engine. From machine builders in the Mandel Valley to food producers along the E403, the manufacturing industry is the economic backbone of the region. But these same companies face a new reality. Belgium’s NIS2 law, effective Oct. 18, 2024, puts manufacturing companies under a strict cybersecurity regime. Registration, risk analysis, incident reporting and a mandatory compliance assessment: it’s a lot at once. In this article you will read what NIS2 means concretely for your manufacturing company, which risks make the sector extra vulnerable and how Flemish subsidies lower the financial threshold.
Does your manufacturing company fall under NIS2?
The Belgian NIS2 law classifies the entire manufacturing sector as an “other critical sector.” Whether your company is included depends on its size. Medium-sized companies (50 or more employees, more than 10 million euros in turnover) are classified as an “important entity.” Large companies (250+ employees or more than 50 million euros in turnover) may be classified as an “essential entity.”
The subsectors explicitly mentioned in the law cover a wide range of industrial activities: medical devices, computer products, electrical equipment, machinery and tools, motor vehicles and other means of transport. For the West Flanders context, this means that metal companies, machine builders, food producers and textile companies are almost all in scope.
Note: Is your company part of a group or holding company? Then the figures are consolidated. A Flemish branch with 80 employees belonging to an international group with 500 employees and €60 million in turnover falls under the stricter obligations for essential entities. Not sure? Through the Safeonweb@Work portal, the CCB offers a NIS2 Scope Test Tool. You can read a complete overview of all NIS2 obligations in our complete NIS2 guide.
Why is the manufacturing industry an attractive target for cyber attacks?
The manufacturing industry is the hardest hit sector globally by ransomware. By 2025, the number of ransomware attacks on manufacturing companies rose 56% to more than 1,400 incidents, according to research by Comparitech. The average ransom demand for the sector doubled to $1.16 million. Why exactly the manufacturing industry?
The answer lies in the low tolerance for downtime. Every minute a production line is down costs money. Attackers know that manufacturing companies are more likely to pay ransom than organizations in other industries. On top of that, many factory environments operate with outdated operating systems and industrial controllers (PLCs) that were not designed with cybersecurity in mind. The attack on the Picanol Group in 2020 is still the most telling Belgian example: production in three countries came to a complete halt and thousands of employees were unable to work for days.
Moreover, the threat is accelerating. According to Sophos, exploited vulnerabilities are the leading cause of ransomware in the manufacturing industry (32% of incidents), followed by malicious emails (23%). In 42.5% of affected manufacturing companies, lack of expertise was the main factor enabling the attack.
The 5 biggest cyber risks for manufacturing companies
Manufacturing companies face a unique combination of risks that office environments do not. Here are the five most critical:
1. The blurring line between IT and OT
Where machines used to be completely disconnected from the office network, they are now connected for real-time data, predictive maintenance and supply chain optimization. That connection also means that ransomware entering an office laptop can flow through to production lines. Research shows that nearly 70% of industrial companies have experienced a cyber attack on their OT environment in the past year. You can read more about the fundamental difference between IT and OT security in our earlier article.
2. Legacy systems that cannot be patched
Many PLCs and SCADA systems run on outdated firmware that cannot be updated without interrupting production. They use protocols such as Modbus and Profibus that are inherently insecure: no encryption, no authentication.
3. Vulnerable remote access
Machine suppliers and maintenance technicians often gain remote access to the production environment for remote maintenance. Without Multi-Factor Authentication (MFA) and strict access management, this is an open backdoor for attackers.
4. Supply chain as attack vector
Manufacturing companies depend on a complex network of suppliers. Under NIS2, you are legally responsible for incidents, even if the cause lies with an external supplier. That requires cybersecurity clauses in procurement contracts and a systematic risk assessment of critical suppliers.
5. Theft of intellectual property
Design drawings, production processes, customer data and pricing agreements: attackers today combine encryption with data theft. They threaten to make stolen information public if the ransom is not paid. For a machine builder with patented designs, that can be an existential risk.
Network segmentation is one of the most important countermeasures to prevent an attack from spreading from the office network to the factory floor.
What NIS2 measures apply specifically to manufacturing?
The CCB has developed the CyberFundamentals (CyFun) framework as a practical route to NIS2 compliance. For most medium-sized manufacturing companies (“important entities”), the Important level with 117 controls is the standard. You can read more about the structure of the CyFun framework in our dedicated article.
But which controls are specifically relevant to the factory floor?
Asset management: You should have a complete inventory of all hardware and software in your production environment. That sounds obvious, but many companies do not have a current overview of all PLCs, sensors, HMIs and network components on the shop floor. Traditional IT tools often don’t see these “agentless” devices.
Network segmentation: Physically or logically separating the office network from the production environment is one of the most effective measures. The Purdue model for industrial networks provides a proven frame of reference for this, where a DMZ (Demilitarized Zone) filters and controls traffic between the office and factory.
Access management and MFA: Any external access to your OT environment must be secured with Multi-Factor Authentication. No exceptions for machine suppliers or maintenance technicians.
Monitoring and detection: Continuous monitoring of network traffic for unusual patterns, with detection rules that understand industrial protocols. An unexpected instruction to a PLC, such as a write command from a host that never issues writes, can be a sign of an attack.
Business continuity planning: Tested backup and recovery procedures that take into account the specific restart sequence of industrial systems. You don’t reboot a production line like you do an office PC.
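To make the monitoring control concrete, here is an added example (not from the original article or from Cyberplan) that parses Modbus/TCP requests and flags write commands to a PLC from hosts not on an allowlist. The IP addresses, the allowlist and the sample packets are all constructed for illustration.

```python
"""Detect unexpected write commands to a PLC in Modbus/TCP traffic (constructed sample)."""
import struct
from dataclasses import dataclass

# Modbus function codes that change PLC state (coils and holding registers).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Hypothetical allowlist: PLC address -> SCADA/HMI hosts permitted to write to it.
ALLOWED_WRITERS = {"10.10.20.5": {"10.10.10.11"}}

@dataclass
class ModbusFrame:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function: int
    pdu: bytes

def parse_modbus_tcp(src, dst, payload):
    """Parse the 7-byte MBAP header (tid, protocol id, length, unit id) plus the PDU."""
    if len(payload) < 8:
        raise ValueError("truncated MBAP header")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError("not Modbus (protocol id %d)" % proto)
    if length != len(payload) - 6:  # length counts unit id + PDU
        raise ValueError("length field does not match payload")
    return ModbusFrame(src, dst, tid, unit, payload[7], payload[8:])

def detect(frames):
    """Return one alert per write request that comes from a host not on the allowlist."""
    alerts = []
    for f in frames:
        name = WRITE_FUNCTIONS.get(f.function)
        if name is None or f.src in ALLOWED_WRITERS.get(f.dst, set()):
            continue  # reads, and writes from the authorized HMI, are routine
        alerts.append(f"{f.src} -> {f.dst} unit {f.unit_id}: {name} (FC {f.function}) from unauthorized host")
    return alerts

def sample_frames():
    """Constructed traffic: two routine HMI requests, then writes from an office laptop and a vendor VPN host."""
    plc, hmi = "10.10.20.5", "10.10.10.11"
    return [
        parse_modbus_tcp(hmi, plc, struct.pack(">HHHBBHH", 1, 0, 6, 1, 3, 0, 10)),        # FC3 read 10 registers
        parse_modbus_tcp(hmi, plc, struct.pack(">HHHBBHH", 2, 0, 6, 1, 6, 100, 1234)),    # FC6 write, allowed host
        parse_modbus_tcp("10.10.10.200", plc, struct.pack(">HHHBBHH", 3, 0, 6, 1, 5, 0, 0xFF00)),  # FC5 coil ON
        parse_modbus_tcp("192.168.1.50", plc, struct.pack(">HHHBBHHB", 4, 0, 9, 1, 16, 0, 1, 2) + b"\x00\x01"),
    ]

if __name__ == "__main__":
    for alert in detect(sample_frames()):
        print(alert)
```

In a real deployment the frames would come from a network tap or SPAN port on the IT/OT DMZ rather than a constructed list, and the allowlist would be derived from the asset inventory.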
Since 2025, CyFun also requires a “Govern” function: documented cybersecurity policies approved by the board. Directors are personally liable under NIS2 for compliance with security measures and must participate in cybersecurity training.
VLAIO grants for Flemish manufacturing companies
The transition to NIS2 compliance requires an investment, but the Flemish government is making it considerably more bearable. Through VLAIO, there are two main channels:
Cybersecurity improvement programs offer the most targeted support. VLAIO subsidizes 50% of costs for SMEs with an approved service provider:
| Package | Contents | Price (excl. VAT) | After 50% subsidy |
|---|---|---|---|
| START | Initial analysis and action plan | €7,100 to €11,900 | €3,550 to €5,950 |
| MEDIUM | Analysis + action plan + limited guidance | €16,600 to €28,600 | €8,300 to €14,300 |
| PLUS | Analysis + action plan + full coaching | €26,500 to €39,900 | €13,250 to €19,950 |
You can read more details about the packages and application process in our article on the VLAIO cybersecurity improvement program.
The SME portfolio has offered subsidies exclusively for cybersecurity advice since Feb. 1, 2026: 45% for small and 35% for medium-sized enterprises, with a ceiling of €7,500 per year. A specific OT audit, an incident response plan or cybersecurity training for operators are all covered.
Calculation example for a machine builder with 120 employees:
A West Flanders manufacturing company wants to secure its entire environment in accordance with NIS2. It chooses a PLUS improvement program (€35,000) and invests in staff training (€5,000 via SME portfolio).
| Investment | Gross | Grant | Net |
|---|---|---|---|
| Improvement program PLUS | €35,000 | €17,500 (50%) | €17,500 |
| Staff training | €5,000 | €1,750 (35%) | €3,250 |
| Total | €40,000 | €19,250 | €20,750 |
The total own contribution of €20,750 for a complete NIS2 trajectory including guidance and training makes quality advice financially feasible even for medium-sized manufacturing companies.
The roadmap: from zero to NIS2 compliant as a manufacturing company
Getting started in concrete terms? These six steps are the route to compliance:
Step 1: Register and classify your business. Through the Safeonweb@Work portal, verify that your company is correctly registered and that your classification (essential or important) is correct. Keep the consolidation rule for groups and holdings in mind.
Step 2: Have a gap analysis performed. A cybersecurity audit maps out where your company stands in relation to the CyFun framework. Specifically for manufacturing companies, a separate assessment of the OT environment is essential. Count on three to five days for a medium-sized company.
Step 3: Choose your compliance framework. Three quarters of registered entities choose CyFun. The choice between ISO 27001 or CyberFundamentals depends on your international context and existing certifications.
Step 4: Implement the critical measures. Prioritize network segmentation (IT/OT separation), MFA on all remote access, a complete plant floor asset inventory and a tested incident response plan.
Step 5: Secure your supply chain. Map your critical suppliers, include cybersecurity clauses in procurement contracts and evaluate their access to your network. NIS2 makes you legally accountable for the weakest link in your chain.
Step 6: Complete the conformity assessment. Essential entities must obtain verification by an accredited conformity assessment body (CAB) by April 18, 2026. Important entities are subject to retrospective oversight, but can voluntarily obtain an assessment for a presumption of conformity.
Don’t forget to apply for VLAIO funding in a timely manner. The complete process from gap analysis to conformity assessment takes three to six months.
How Cyberplan guides Flemish manufacturing companies
Cyberplan guides Flemish manufacturing companies from gap analysis to CyFun compliance, including OT security assessment. With 22 certified ethical hackers (CISSP, OSCP) and more than 300 clients since 2018, we combine the technical depth your manufacturing environment requires with understandable communication towards management and shop floor. Our ransomware protection guide offers additional practical measures.
Want to know where your manufacturing company stands? Book a no-obligation consultation and find out how to combine NIS2 compliance with maximum VLAIO funding.
Frequently asked questions about cybersecurity in the manufacturing industry
Is my manufacturing company covered by NIS2?
Yes, if your company has more than 50 employees or more than 10 million euros in sales and operates in one of the manufacturing subsectors (medical devices, electronics, machinery, vehicles). In the case of holding companies, the figures are consolidated. Check your status via the NIS2 Scope Test Tool on the Safeonweb@Work portal.
Do I need to secure my OT systems separately?
Yes. NIS2 requires all network and information systems to be in scope, including industrial control systems on the factory floor. A separate OT risk analysis and network segmentation between IT and OT environments are essential.
What CyFun level applies to a manufacturing company?
Medium-sized manufacturing companies (important entities) must meet CyFun Important (117 controls). Those classified as essential entities must pursue the Essential level (140+ controls). You can start at the Basic level and scale up within 12 months.
Can I get VLAIO funding for an OT security audit?
Yes. Both the VLAIO cybersecurity improvement program (50% grant for SMEs) and the SME portfolio (45% for small, 35% for medium-sized enterprises) cover cybersecurity consulting, including OT assessments and audits.
What does a cybersecurity audit cost for a manufacturing company?
The cost depends on the size and complexity of your IT and OT environment. For a medium-sized manufacturing company, count on three to five days of audit work. Through VLAIO grants, you reduce the investment by 35% to 50%. Learn more about the cost of a cybersecurity audit in our dedicated article.
Am I personally liable as a director?
Yes. The Belgian NIS2 law explicitly places responsibility on the governing body. Directors must oversee the implementation of cybersecurity measures, be regularly reported on the status and participate in specific training sessions. In case of negligence, personal liability is a real risk.