19. April 2026 Blog

The Legislative Triangle of Modern Manufacturing: How to Master GDPR, NIS2, and the AI Act

The transition to Industry 4.0 isn’t just about buying smart machines or implementing sensors. It is a complex transformation where every digital connection creates a footprint, whether in the form of employee personal data, operational logs, or artificial intelligence algorithms.

For owners and managers of manufacturing plants, topics like cybersecurity and privacy protection are no longer just an “IT agenda” on the sidelines. They are strategic pillars that directly affect production stability, business insurance, and the ability to participate in international supply chains.

Ignoring this legislative triangle can lead to fatal consequences—from crippling fines and production shutdowns due to cyberattacks to the forced decommissioning of innovative AI technologies.

The key to success is not to see regulations as an obstacle, but as a compass that defines a safe and sustainable innovation environment.

Transparency above all

Employee monitoring in manufacturing is one of the most sensitive areas of labor law and privacy protection. In production halls, where the need for safety and efficiency oversight is high, there is often a conflict between the employer’s interests and employee rights.

According to Nikoleta Ducárová, the biggest problem is an incorrectly defined purpose for monitoring. Many managers believe that if they have cameras on the premises, they can freely use the footage for any purpose—for example, to penalize an employee for a slow work pace.

“In the vast majority of cases, the purpose of a camera system is property protection, health and safety at work (OSH), or the prevention of illegal activity, not the direct monitoring of employee performance,” explains Nikoleta Ducárová, who serves as a Data Protection Officer and consultant for the private sector, specializing in GDPR implementation in technically demanding environments.

If an employer crosses this line without a clear legislative framework and prior discussion with employee representatives, they run the risk that any disciplinary measures derived from the recordings will be declared invalid by a court.


A solution that saves costs

The fundamental recommendation for manufacturing companies is to address data protection right at the system design stage. Retroactively “patching” processes in an ongoing operation is not only organizationally demanding but often ineffective.

“In cases where a client contacts me only after the system is already in place, it usually turns out that the setup is not GDPR-compliant. Subsequently, processes need to be fundamentally reworked, which is financially and organizationally taxing for the operator,” adds the expert.

Specific measures to minimize penalties:

Strict data minimization: Process only what you truly need. If you monitor forklift movement for safety, there is no need to collect the drivers’ biometric data.

Access rights audit: Ensure that only a narrow circle of authorized persons has access to the records.

Clear retention periods: Camera recordings should not be kept longer than necessary (typically a few days) unless an incident has occurred.

Quality information: A simple “Area is monitored” sign is not enough. Employees must know exactly what is being tracked, why, and what their rights are.
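The retention and access-rights measures above are easy to state and easy to let slip in daily operation. The following script is an added example, not code from the article or from Nikoleta Ducárová's practice: it sketches what a scheduled check for those two measures can look like. Everything in it is assumed rather than taken from the article: the 7-day retention value, the two allowed roles, the inventory format (a path, a timestamp and an optional incident hold flag) and the sample data, which is constructed.

```python
"""Retention and access-rights checks for camera recordings.

Added example, not the article's own code. Assumptions (not from the article):
recordings are described by dicts with 'path', 'recorded_at' and an optional
'incident_hold' flag; the retention period and the allowed roles are
placeholder policy values that the organization's documented policy supplies.
"""
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 7                            # assumed; the article says "typically a few days"
ALLOWED_ROLES = {"security_officer", "dpo"}   # assumed narrow circle of authorized persons

# Constructed reference time and sample inventory (not real recordings).
NOW = datetime(2026, 4, 19, 12, 0, tzinfo=timezone.utc)
SAMPLE_RECORDINGS = [
    {"path": "/rec/cam1_2026-04-09.mp4", "recorded_at": NOW - timedelta(days=10)},
    {"path": "/rec/cam2_2026-04-09.mp4", "recorded_at": NOW - timedelta(days=10),
     "incident_hold": True},                  # an incident was reported: keep as evidence
    {"path": "/rec/cam3_2026-04-17.mp4", "recorded_at": NOW - timedelta(days=2)},
]
SAMPLE_ACL = [
    {"user": "m.kral", "role": "security_officer"},
    {"user": "dpo@example.invalid", "role": "dpo"},
    {"user": "p.veres", "role": "production_manager"},   # outside the allowed circle
]


def classify_recordings(recordings, now=NOW, retention_days=RETENTION_DAYS):
    """Split recordings into (to_delete, to_keep).

    A recording is deleted when it is older than the retention period AND is
    not under an incident hold. Held recordings are kept regardless of age so
    that evidence for a reported incident is preserved.
    """
    cutoff = now - timedelta(days=retention_days)
    to_delete, to_keep = [], []
    for rec in recordings:
        expired = rec["recorded_at"] < cutoff
        held = rec.get("incident_hold", False)
        if expired and not held:
            to_delete.append(rec["path"])
        else:
            to_keep.append(rec["path"])
    return to_delete, to_keep


def audit_access(acl, allowed_roles=ALLOWED_ROLES):
    """Return the users (sorted) whose role is outside the allowed circle.

    Anything returned here is a finding for the access-rights audit: either the
    role mapping is wrong or the person should not have access to the footage.
    """
    return sorted(entry["user"] for entry in acl if entry["role"] not in allowed_roles)


if __name__ == "__main__":
    delete, keep = classify_recordings(SAMPLE_RECORDINGS)
    print("expired, not held (delete):", delete)
    print("kept (fresh or under hold):", keep)
    print("access findings:", audit_access(SAMPLE_ACL))
```

In a real deployment the deletion step is logged (which file, which rule, when) so that the retention policy itself can be demonstrated to an auditor, and the incident hold is set by the incident process rather than by hand.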

A new standard of resilience

The NIS2 Directive, transposed into Slovak legislation by Act No. 366/2024 Coll., represents the most significant change in cybersecurity in the last decade. For many manufacturing companies, this means a transition from voluntary security to a legal obligation.

Criteria are based on the sector of operation and company size. If you operate in sectors such as energy, transport, food production, the chemical industry, or the manufacture of selected machinery and have more than 50 employees (or a turnover over EUR 10 million), NIS2 directly applies to you.

“Classification and registration of the entity is the responsibility of the organization itself. Failure to comply with this obligation can lead to sanctions of up to 10 million euros or 2% of total global annual turnover,” warns Martin Hasin, specialist in cybersecurity and IT infrastructure.

Underestimated areas: Where are the weak points in manufacturing?

Hasin identifies three key areas that management often overlooks:

Centralized log collection: Many companies collect data, but no one monitors it. Without a central system (SIEM), it is impossible to catch an attack in its early stages.

Incident management as a process: Having a paper directive is not enough. NIS2 requires incident reporting within 24 hours, which necessitates trained teams and communication channels.

Supply Chain Security: A manufacturer is also responsible for the security of its suppliers. In a manufacturing environment, this primarily concerns service technicians who have remote access to machine control systems (PLC/SCADA).
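The first of the three areas, central log collection, is worth seeing in concrete form, because the reason it matters is easy to miss: an attack spread thinly across many machines stays below every local threshold. The script below is an added example, not code from the article or from Martin Hasin. The log format, host names, addresses and the eleven sample lines are constructed; the thresholds (5 failures per host, 3 distinct hosts within 10 minutes) are assumed values.

```python
"""Per-host versus central detection of spread-out login failures.

Added example, not the article's own code. The log format and all events are
constructed for illustration; thresholds are assumed tuning values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the same source address fails three times on each of
# three production hosts, plus one ordinary typo by a legitimate user.
SAMPLE_LOGS = [
    "2026-04-19T08:00:01Z host=hmi-01 event=auth_failure src=10.0.5.23 user=operator",
    "2026-04-19T08:00:09Z host=hmi-01 event=auth_failure src=10.0.5.23 user=admin",
    "2026-04-19T08:00:20Z host=hmi-01 event=auth_failure src=10.0.5.23 user=maint",
    "2026-04-19T08:01:15Z host=eng-ws-03 event=auth_failure src=10.0.1.10 user=jnovak",
    "2026-04-19T08:01:30Z host=eng-ws-03 event=auth_success src=10.0.1.10 user=jnovak",
    "2026-04-19T08:02:02Z host=plc-gw-02 event=auth_failure src=10.0.5.23 user=operator",
    "2026-04-19T08:02:11Z host=plc-gw-02 event=auth_failure src=10.0.5.23 user=admin",
    "2026-04-19T08:02:25Z host=plc-gw-02 event=auth_failure src=10.0.5.23 user=service",
    "2026-04-19T08:04:40Z host=eng-ws-03 event=auth_failure src=10.0.5.23 user=operator",
    "2026-04-19T08:04:52Z host=eng-ws-03 event=auth_failure src=10.0.5.23 user=admin",
    "2026-04-19T08:05:03Z host=eng-ws-03 event=auth_failure src=10.0.5.23 user=root",
]


def parse_line(line):
    """Parse one 'timestamp key=value ...' line (constructed format) into a dict."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


EVENTS = [parse_line(line) for line in SAMPLE_LOGS]


def per_host_alerts(events, threshold=5):
    """What each machine can see on its own: hosts whose failure count
    reaches the local threshold. Returns {host: count} for hosts that trip."""
    counts = defaultdict(int)
    for e in events:
        if e["event"] == "auth_failure":
            counts[e["host"]] += 1
    return {host: n for host, n in counts.items() if n >= threshold}


def central_alerts(events, min_hosts=3, window=timedelta(minutes=10)):
    """What only a central store can see: a source address failing on at
    least `min_hosts` distinct hosts within `window`. Returns {src: hosts}."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "auth_failure":
            by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for start in evs:  # slide a window starting at each failure
            end = start["ts"] + window
            hosts = {e["host"] for e in evs if start["ts"] <= e["ts"] <= end}
            if len(hosts) >= min_hosts:
                alerts[src] = hosts
                break
    return alerts


if __name__ == "__main__":
    print("per-host alerts:", per_host_alerts(EVENTS))      # nothing trips locally
    print("central alerts:", central_alerts(EVENTS))        # 10.0.5.23 across 3 hosts
```

Run on the sample, the per-host view reports nothing, because no machine sees more than four failures, while the pooled view flags 10.0.5.23 after its third host. The same principle applies whether the central system is a full SIEM or a plain syslog collector with a few correlation rules; the collection is the prerequisite, and the monitoring the article calls for is what turns it into detection.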

Realistic implementation schedule

Phase 1 (0–3 months): GAP analysis and registration. Identifying the difference between the current state and legal requirements.

Phase 2 (3–9 months): Implementation of technical foundations. Network segmentation (separating office IT from production OT), deployment of multi-factor authentication (MFA), and encryption.

Phase 3 (9–15 months): Stabilization and testing. Penetration tests and incident response exercises.

Phase 4 (15–24 months): Continuous improvement and preparation for an external audit.

Innovation under control

Artificial intelligence in manufacturing is revolutionizing quality and maintenance. However, with the arrival of the European Artificial Intelligence Act (AI Act), the era of unregulated experimentation is ending.

The AI Act categorizes systems based on risk level. If your AI affects worker safety or manages critical infrastructure, it likely falls into the “high-risk” category. This brings obligations such as risk management, high data set quality, and ensuring human oversight.

Risk of incorrect role qualification

Peter Čičala points out a fundamental issue: what position does your company hold?

Deployer (user): You use a purchased system.

Provider: If you develop the system internally or modify it substantially, you assume full manufacturer responsibility.

“A company often considers itself only a deployer, even though a substantial modification of the system can turn it into a provider, along with the entire package of obligations. This is often the critical moment because the company suddenly bears the primary compliance responsibility,” explains Peter Čičala, lawyer at the law firm Hronček & Partners and expert on European technology regulation.


3 steps for legal AI implementation:

Use-case qualification: Legal analysis of what the AI does in the company and what risk it represents.

Pilot operation and metrics: Verification that the AI does not produce errors that could lead to sanctions.

AI Literacy: Training employees to understand how to work safely with AI, which is a direct requirement of the regulation.

Security is not a cost, but an investment in the future

Implementing the requirements of GDPR, NIS2, and the AI Act may seem like an insurmountable administrative hurdle at first glance. However, practical experience shows the opposite. Companies that approach these challenges proactively gain not only protection against sanctions but, above all, internal stability.

A secure company is more resilient to production outages, more trustworthy for international customers, and ready for future technological leaps. Legal and technical compliance is not a brake on innovation, but its essential foundation.

TEXT: Natália Stašíková
PHOTO: INOVATO, Hronček & Partners
