SaaS in manufacturing: the security questions corporate IT must ask

The data classification for SOP software is often done as for any documentation tool — that underestimates the data class. A process video contains three layers of information worth protecting: the visible plant layout (relevant for sabotage and espionage scenarios), process parameters such as torques, temperatures, and inspection dimensions (the actual manufacturing know-how), and people (GDPR and co-determination).

Concrete requirements follow: encryption at rest and in transit is table stakes. What decides are tenant isolation (does plant A see plant B's processes?), key management, EU data residency with a solid data processing agreement, and the question of whether video data is used to train AI models — and if so, with what contractual guarantee the customer can rule that out.

Two EU legal acts are shifting the burden of proof. NIS2 obliges essential and important entities — including large parts of manufacturing — to actively manage the cybersecurity of their supply chain. In practice: IT must assess and document the security of every SaaS vendor. A vendor who answers assessment questions evasively is no longer just a poor contract partner, but a compliance risk inside the customer's own NIS2 documentation.

The Cyber Resilience Act adds the product side: products with digital elements will require a Software Bill of Materials — a machine-readable parts list of all components and dependencies. The background is the lesson of Log4Shell and the supply-chain attacks of recent years: without an SBOM, nobody knows in an emergency which systems even contain a vulnerable library. For procurement this means: a vendor who cannot deliver an SBOM on request today does not have its dependency management under control — regardless of when the transition periods formally apply.

The following eight points separate vendors with lived security practice from vendors with compliance slides. The second column names the evidence IT should request — not the self-declaration.

“We do regular pentests” is the most common and emptiest answer in vendor assessments. Three attributes make it solid: first, the tester — an established, independent testing firm with a reputation, not the hoster's bundled scan service. Second, the scope — web application, APIs, and infrastructure including tenant isolation, not just an automated vulnerability scan. Third, the handling of results — findings, remediation, and re-test must be traceable for customers; providing the report under NDA is the standard and credible route in B2B.

Soperion recently went through this itself: a multi-week penetration test by SySS GmbH, one of Germany's most established independent security testing firms, covering application, APIs, and infrastructure. We make the report available to customer IT departments under NDA during the assessment — in our view, the only form in which the statement “we were tested” carries any audit value at all.

Production-adjacent SaaS rarely fails on technology and more often on co-determination. Where videos are recorded at the workplace, §87 of the German Works Constitution Act and the GDPR are triggered — making works council approval mandatory. Addressing this after tool selection costs months. The vendor-side answer is both technical and organizational: automatic face anonymization by default, no performance or behavior analysis of individuals, and prepared documentation for the works agreement that IT does not have to write itself.