

GEA has further expanded its information security and cybersecurity capabilities across the Group in recent months. Independent certifications confirm this progress, and GEA has again expanded their scope. The Group's Information Security Management System (ISMS) is certified by TÜV Rheinland to the internationally recognized standard ISO/IEC 27001:2022 and now covers 98 sites worldwide – 45 of which were newly added in the past twelve months. At selected sites, additional certifications according to ISA/IEC 62443 apply – the international standards for cybersecurity in industrial production environments and secure product development. The certificates were handed over by Ralph Freude, Head of Businessline ICT and Lead Auditor at TÜV Rheinland, to Alexander Kocherscheidt, CFO, and Iskro Mollov, CISO of GEA, on 18 February 2026.
“Cyber threats often hit industrial companies where the consequences are most severe: availability, delivery capability and trust. GEA operates and develops equipment for some of the most sensitive production processes in the world – from food and pharmaceuticals to chemical processes. The more connected these plants become, the greater the value of the data they generate – and the greater the impact of a failure or security breach. Information Security begins with established governance. Our certifications reflect that we manage security systematically – according to verifiable, externally audited standards,” says Iskro Mollov, CISO and Senior Vice President Information Security, Business Continuity and Crisis Management at GEA.
Group-wide Information Security: ISO/IEC 27001:2022 scaled worldwide
Expanding certification to 98 sites demonstrates that GEA plans, implements, continuously improves and audits Information Security worldwide according to consistent, risk-based standards. ISO/IEC 27001:2022 is the internationally recognized benchmark for auditable Information Security Management Systems. For customers, partners and investors, this means GEA manages sensitive information – from design and process data to quality and service data – according to uniform, externally verified standards across the Group.
Secure products and secure production: ISA/IEC 62443
In industrial environments – characterized by long system life cycles, high availability requirements, and the close integration of Information Technology (IT) and Operational Technology (OT) – GEA goes a step further. At selected sites, GEA also holds certifications to ISA/IEC 62443, the internationally recognized standards developed specifically for these requirements:
Düsseldorf, Oelde and Alcobendas hold umbrella certification to ISA/IEC 62443-4-1. This standard confirms that cybersecurity is systematically embedded in the product development process – from design and development through to maintenance and further evolution. Security is built in from day one (“Secure-by-Design”).
Oelde and Niederahr are certified according to ISA/IEC 62443-2-1. The certification attests to structured security management for industrial production environments.
What this means for customers and partners
GEA equipment sits at the heart of customers’ critical production processes – running around the clock, in regulated environments, connected to wider systems. When that equipment is developed, integrated and operated securely, it helps protect customers directly from unplanned downtime, data loss and the associated liability and reputational risks. The ISA/IEC 62443 certifications demonstrate that cybersecurity has been designed into GEA products and processes from the outset.
Connected industrial projects also involve the circulation of sensitive data – design and process know-how, production, quality and service histories – with real economic value and legal implications. The ISO/IEC 27001 certification shows that GEA manages this across the Group according to consistent, risk-based standards. Cybersecurity thus becomes a prerequisite for partnerships, tenders and long-term cooperation.
Context: growing cyber pressure and European requirements
Many GEA customers operate critical infrastructure or work in highly regulated environments. As a result, they face rising NIS2 requirements for governance, risk management, technical and organizational measures, and supply chain security. The Cyber Resilience Act adds further obligations for manufacturers of products with digital elements, requiring verifiable security across the entire product lifecycle.
GEA supports customers in addressing these requirements and provides auditable evidence for its own security practices: as an operator through ISO/IEC 27001 and as a manufacturer through ISA/IEC 62443. Customers deploying GEA products and expertise in their production environments can build directly on GEA's certifications for their own compliance requirements. This helps shorten audits, strengthens partnerships and protects shared values.