
Achieving NIS2 compliance through IEC 62443: A practical guide

NIS2 compliance using IEC 62443

Team Shieldworkz

The European Union's NIS2 Directive, which member states were required to transpose into national law by 17 October 2024, represents the most consequential regulatory intervention in critical infrastructure cybersecurity in a generation. Unlike its predecessor, NIS2 reaches directly into Operational Technology (OT) environments: the supervisory control systems, programmable logic controllers, distributed control systems, and industrial networks that underpin manufacturing plants, energy grids, water treatment facilities, transport networks, and oil and gas pipelines across the EU and beyond.

For OT security leaders, the compliance challenge is acute. NIS2's risk management requirements — codified in Article 21 — demand practices that IT-centric frameworks address only superficially: passive network monitoring without disrupting production processes, vulnerability management for decade-old PLCs that cannot be patched, supply chain security for proprietary engineering environments, and incident reporting timelines that may conflict with safety system lockdown procedures.

The IEC 62443 family of standards — the internationally recognised framework for Industrial Automation and Control Systems (IACS) security — provides a structured, OT-native path to NIS2 compliance. Where Article 21 mandates cybersecurity risk management measures, IEC 62443 defines how those measures are implemented in industrial environments, from security level assignment and zone-and-conduit network architecture to secure remote access policies and supplier security requirements.


Key Insight:  Shieldworkz's H1 2026 OT Cyber Threat Advisory documents a 77% rise in OT incidents year-on-year, with 33% of attacks causing direct physical disruption. NIS2 compliance is not a box-ticking exercise. This is the regulatory expression of a genuine and escalating threat landscape.

This guide provides OT security leaders with a definitive, practitioner-grade roadmap: a detailed NIS2-to-IEC 62443 control mapping, a phased implementation programme, sector-specific examples, an audit-readiness checklist, and strategic recommendations for building long-term OT cybersecurity governance. It is written for those accountable — legally and operationally — for securing industrial environments under the new regulatory regime.

2. Understanding NIS2 Through an OT Lens

2.1 Key NIS2 Objectives

NIS2 (Directive (EU) 2022/2555) elevates the baseline cybersecurity obligations of entities operating critical infrastructure by pursuing four principal objectives:

• Harmonisation: Establishing a consistent minimum security standard across all EU member states, eliminating the fragmented national interpretations that weakened NIS1.

• Scope expansion: Extending coverage to additional sectors (manufacturing, space, postal services, food) and imposing obligations on Important Entities as well as Essential Entities.

• Accountability: Making senior management — including board members — personally liable for cybersecurity failures.

• Proportionality: Requiring risk-based security measures appropriate to the size, criticality, and threat exposure of each entity.

Article 21 is the operational core: it mandates that covered entities implement cybersecurity risk management measures across ten domains including risk analysis, incident handling, supply chain security, access control, cryptography, and business continuity. These are precisely the domains where OT environments are most challenged.

2.2 Essential and Important Entities in OT Contexts

Essential Entities

OT sectors covered: energy (electricity, oil, gas, heat); water and wastewater; transport (air, rail, road, maritime); digital infrastructure; health; space.

Key obligations: proactive (ex ante) supervision by the competent authority; 24-hour early warning and 72-hour incident notification under Article 23; senior management liability; regular security audits.

Important Entities

OT sectors covered: manufacturing (medical, pharma, chemicals); food production and distribution; postal and courier services; digital providers; waste management.

Key obligations: reactive (ex post) supervision, typically following an incident or evidence of non-compliance; the same 24-hour and 72-hour notification requirements; the same Article 21 risk management obligations; audits triggered by incidents.

2.3 OT-Specific Compliance Challenges

Applying NIS2's requirements to OT environments introduces challenges that IT security practitioners rarely encounter:

• Availability primacy: OT systems prioritise uptime above all else. Patch cycles measured in months or years, not days, are common. Safety Instrumented Systems (SIS) may be deliberately isolated from all maintenance interfaces.

• Legacy technology: Much critical infrastructure runs on embedded systems, industrial protocols designed before security was a requirement, and hardware with fixed firmware. Modbus, DNP3 and IEC 60870-5-104 carry no authentication or encryption in their base form (DNP3 Secure Authentication adds authentication only); OPC UA is the exception, with built-in signing and encryption that are frequently left disabled in the field.

• Safety-security conflicts: Security controls such as agent-based endpoint monitoring or network access control can introduce latency or failure modes unacceptable in safety-critical environments.

• Supply chain opacity: Engineering workstations, SCADA platforms, and industrial networking equipment pass through complex multi-tier supply chains that entities rarely have full visibility into.

• Skills gap: Most OT environments lack dedicated cybersecurity staff. Responsibility is often shared between IT security teams unfamiliar with industrial protocols and OT engineers unfamiliar with threat modelling.

2.4 Common Compliance Pitfalls

Organisations pursuing NIS2 compliance in OT environments frequently make the following errors:

1. Applying IT security frameworks directly: Deploying endpoint detection agents on PLCs, running active vulnerability scanners on process networks, or imposing IT patch timelines on OT systems can cause plant outages and safety incidents.

2. Treating compliance as a point-in-time exercise: NIS2 requires continuous risk management, not annual assessments. Competent authorities increasingly expect demonstrable, ongoing security operations.

3. Underestimating supply chain scope: NIS2 Article 21(2)(d) explicitly requires entities to address supply chain security. This includes OEM remote access, firmware provenance, and third-party integrators.

4. Neglecting incident reporting rehearsal: The 24-hour early warning and 72-hour notification windows for significant incidents are aggressive. Many organisations lack the detection capability and internal escalation procedures to meet them.


 

3. Why IEC 62443 Is the Preferred Framework for OT Security

3.1 Overview of IEC 62443

IEC 62443 is a multi-part international standard developed by the ISA99 committee together with IEC Technical Committee 65 and published by the IEC (ISA publishes the same texts as ISA/IEC 62443). It addresses the cybersecurity of Industrial Automation and Control Systems across the full lifecycle, from design and procurement through operation and decommissioning, and allocates responsibilities across three roles: asset owner, system integrator, and product supplier.

 

IEC 62443-1-1 (terminology, concepts and models): establishes the IACS security vocabulary and the Zones & Conduits model underlying all controls.

IEC 62443-2-1 (IACS security management system, CSMS): maps directly to NIS2 governance, risk management and policy requirements.

IEC 62443-2-2 (CSMS implementation guidance): operational procedures for running an IACS security programme.

IEC 62443-2-3 (patch management in the IACS environment): addresses NIS2 patch and vulnerability management obligations for legacy OT.

IEC 62443-2-4 (security requirements for IACS service providers): supply chain and third-party risk (NIS2 Article 21(2)(d)).

IEC 62443-3-2 (security risk assessment for system design): risk-based security level assignment, the foundation of NIS2 risk analysis.

IEC 62443-3-3 (system security requirements and security levels): technical security controls for the IACS system (SL-T 1 to 4).

IEC 62443-4-1 (secure product development lifecycle): secure development and supply chain provenance.

IEC 62443-4-2 (technical security requirements for components): component-level controls for PLCs, HMIs, historians and engineering workstations.

3.2 Benefits of Adopting IEC 62443 for NIS2

• OT-native design: IEC 62443 was built for industrial environments. Its Security Level (SL) model — SL 1 through SL 4 — accommodates the availability constraints and legacy technology realities of OT without the implicit assumption of patchable, internet-connected IT endpoints.

• Structured risk methodology: The Zone and Conduit model (IEC 62443-3-2) provides a documented, auditable basis for NIS2's risk analysis requirements that regulators and auditors can verify.

• Supply chain coverage: IEC 62443-2-4 and 4-1 directly address supplier security requirements — a NIS2 obligation that most IT frameworks treat as a footnote.

• Regulatory recognition: The European Union Agency for Cybersecurity (ENISA) explicitly references IEC 62443 as a suitable framework for OT compliance. Several EU member state competent authorities have embedded IEC 62443 requirements into their NIS2 sector-specific guidance.

• Certification pathway: IEC 62443 certification (particularly 2-1 and 4-2) provides tangible audit evidence that can be presented to regulators, customers, and insurers.

3.3 IEC 62443 vs. IT-Centric Frameworks in OT Contexts

Legacy system support

IEC 62443: explicit provisions for systems that cannot be patched or upgraded (compensating controls, SL assignment).

NIST CSF / ISO 27001 in OT: assumes patchable systems; compensating controls are mentioned but under-specified.

Safety integration

IEC 62443: coordinates security controls with functional safety (IEC 61511).

NIST CSF / ISO 27001 in OT: safety considerations absent or superficial.

Industrial protocol awareness

IEC 62443: requirements are written for IACS components and networks, so Modbus, DNP3, OPC UA and PROFINET traffic is treated as control traffic with its own integrity and availability constraints.

NIST CSF / ISO 27001 in OT: protocols treated as generic TCP/IP traffic.

Supply chain model

IEC 62443: three-role model (owner / integrator / supplier) with specific requirements for each.

NIST CSF / ISO 27001 in OT: generic supplier risk management.

OT uptime constraints

IEC 62443: Security Level model accounts for availability; patch management guidance (62443-2-3) is OT-specific.

NIST CSF / ISO 27001 in OT: standard patch management assumes scheduled downtime windows.

Regulatory acceptance

IEC 62443: referenced by ENISA and by EU member state authorities as a suitable OT framework for NIS2.

NIST CSF / ISO 27001 in OT: acceptable as a supplementary, not primary, OT framework.


4. Detailed NIS2-to-IEC 62443 Mapping

The following table maps NIS2 Article 21 cybersecurity risk management requirements to the most relevant IEC 62443 standards, provides OT implementation guidance, and specifies the evidence artefacts required for audit and regulatory demonstration.

 

Risk Management (Art. 21(2)(a))

NIS2 requirement: policies on risk analysis and information system security.

IEC 62443: 62443-2-1 §4.2.2; 62443-3-2 §5.

OT implementation: conduct an IACS-specific risk assessment using the Zone & Conduit model. Assign a Security Level target (SL-T) to each zone based on threat scenarios (sabotage, espionage, operational disruption). Maintain a residual risk register.

Audit evidence: risk assessment report; Zone & Conduit diagrams; Security Level justification log.

Governance (Art. 20; Art. 21(1))

NIS2 requirement: senior management approval of measures; accountability structures.

IEC 62443: 62443-2-1 §4.2.1; 62443-2-1 §4.3.1.

OT implementation: establish an IACS Cybersecurity Management System (CSMS) with documented scope, policy and executive sign-off. Map NIS2 senior management obligations to an OT site responsibility matrix.

Audit evidence: CSMS policy document; executive sign-off evidence; OT security roles and responsibilities matrix.

Asset Inventory (Art. 21(2)(i))

NIS2 requirement: identify and classify assets.

IEC 62443: 62443-2-1 §4.2.3.4; 62443-3-2 §5.3.1.

OT implementation: use passive OT asset discovery (Shieldworkz), never active scanning on process networks. Classify assets by criticality to process safety and availability. Record firmware versions and end-of-life status.

Audit evidence: OT asset register (with firmware versions); passive discovery tool output; end-of-life asset report.

Network Segmentation (Art. 21(2)(e))

NIS2 requirement: security in network and information systems acquisition, development and maintenance.

IEC 62443: 62443-3-3 SR 5.1, SR 5.2; 62443-3-2 §5.4.

OT implementation: implement a Zones & Conduits architecture. Establish an IT/OT DMZ. Enforce industrial firewall rules that limit inter-zone traffic to documented, required communications only. Apply the Purdue Model or ISA-95 reference architecture.

Audit evidence: network architecture diagrams; firewall ruleset documentation; Zone & Conduit boundary definitions.

Access Control (Art. 21(2)(i), (j))

NIS2 requirement: identity and access management; multi-factor authentication.

IEC 62443: 62443-3-3 SR 1.1 to SR 1.13; 62443-4-2 §3.1.

OT implementation: role-based access control on HMIs, engineering workstations and SCADA servers. MFA for all remote access. Privileged Access Management (PAM) for administrative accounts. Remove shared and default credentials from all OT assets.

Audit evidence: IAM policy documentation; user access reviews; MFA deployment evidence; PAM tool audit logs.

Vulnerability Management (Art. 21(2)(e))

NIS2 requirement: handling and disclosure of vulnerabilities.

IEC 62443: 62443-2-3 (entire); 62443-4-2 §3.2.

OT implementation: establish an OT-specific vulnerability management process. Subscribe to CISA ICS advisories (formerly ICS-CERT), vendor advisories and Shieldworkz threat intelligence. Triage vulnerabilities by exploitability and exposure in the OT context, not by CVSS score alone. Maintain a compensating control register for unpatchable assets.

Audit evidence: vulnerability register; advisory subscription evidence; compensating control documentation; patch risk assessment records.

Patch Management (Art. 21(2)(e))

NIS2 requirement: system updates and patching.

IEC 62443: 62443-2-3 §6.2 to §6.4.

OT implementation: implement OT-compatible patching: test in a replicated or staging environment first; coordinate with operations for approved maintenance windows; maintain rollback procedures. For SIS and safety-critical systems, apply vendor-validated patches only.

Audit evidence: patch management policy; staging/lab environment evidence; patch deployment records; SIS vendor validation records.

Secure Remote Access (Art. 21(2)(j))

NIS2 requirement: access policies; use of secured communications.

IEC 62443: 62443-3-3 SR 1.13; 62443-2-4 SP.07 (remote access).

OT implementation: all vendor and third-party remote access via a jump server in the DMZ with session recording. Time-limited, request-based access. MFA enforced. No persistent remote access connections into the OT zone. Audit all sessions.

Audit evidence: remote access architecture diagram; session recording logs; access request/approval workflow records.

Supply Chain Security (Art. 21(2)(d), (e))

NIS2 requirement: supply chain security; security in network and information systems acquisition.

IEC 62443: 62443-2-4 (entire); 62443-4-1 §5.

OT implementation: require IEC 62443-2-4 compliance from all IACS service providers. Include security requirements in procurement contracts. Assess vendor SDLC practices (IEC 62443-4-1). Evaluate firmware provenance and the software bill of materials (SBOM).

Audit evidence: supplier security questionnaire results; contract security clauses; SBOM documentation; vendor audit reports.

Third-Party Risk (Art. 21(2)(d))

NIS2 requirement: supply chain risk management measures.

IEC 62443: 62443-2-4 SP.02; 62443-2-1 §4.2.6.

OT implementation: maintain an OT supplier register. Conduct annual third-party security assessments. Define and enforce minimum security requirements for integrators accessing OT environments. Include right-to-audit clauses.

Audit evidence: third-party risk register; assessment reports; contract clauses; access logs for third parties.

Monitoring & Detection

NIS2 requirement: policies and procedures for security monitoring.

IEC 62443: 62443-3-3 SR 6.1, SR 6.2; 62443-2-1 §4.4.

OT implementation: deploy passive OT NDR (Network Detection & Response), e.g. Shieldworkz, for asset visibility and anomaly detection. Monitor Modbus function codes, inter-zone traffic, and engineering workstation activity. Integrate with an OT SOC or MSSP.

Audit evidence: NDR tool deployment evidence; detection rule documentation; alert review records; SOC service agreement.

Incident Response (Art. 21(2)(b); Art. 23)

NIS2 requirement: incident handling; notification obligations.

IEC 62443: 62443-2-1 §4.3.6; 62443-3-3 SR 6.1.

OT implementation: develop an OT-specific incident response plan. Define escalation paths from site OT to the CSIRT. Rehearse the 24-hour early warning and 72-hour notification workflow. Include OT-safe containment procedures (process isolation without safety compromise). Conduct annual tabletop exercises.

Audit evidence: OT incident response plan; tabletop exercise records; national CSIRT notification procedure; containment runbooks.

Business Continuity (Art. 21(2)(c))

NIS2 requirement: business continuity and crisis management.

IEC 62443: 62443-2-1 §4.3.5; 62443-3-3 SR 7.1.

OT implementation: document OT business continuity plans (BCP) including manual operations fallback for process control failure. Define Recovery Time Objectives (RTO) for OT systems. Test continuity procedures annually.

Audit evidence: OT BCP documentation; RTO/RPO definitions; manual operations procedures; BCP test records.

Disaster Recovery (Art. 21(2)(c))

NIS2 requirement: backup management, recovery and crisis management.

IEC 62443: 62443-3-3 SR 7.3, SR 7.4; 62443-2-3.

OT implementation: establish offline backups of OT configurations (PLC logic, HMI screens, historian data, engineering project files). Test restoration at least annually in a non-production environment. Document recovery playbooks.

Audit evidence: backup policy and schedule; offline backup inventory; recovery test records; recovery playbooks.

Security Testing (Art. 21(2)(f))

NIS2 requirement: assessing the effectiveness of risk management measures.

IEC 62443: 62443-3-2 §5.7; 62443-2-1 §4.4.

OT implementation: conduct OT-specific penetration testing (passive reconnaissance, IT/OT boundary testing; avoid active testing on live process networks). Annual vulnerability assessments. Use OT-experienced testers only.

Audit evidence: pentest scope and methodology; pentest reports; remediation tracking records.

Security Awareness (Art. 21(2)(g))

NIS2 requirement: basic cyber hygiene practices and cybersecurity training.

IEC 62443: 62443-2-1 §4.3.2; 62443-2-4 SP.01.

OT implementation: deliver OT-specific security awareness training to all staff with OT access. Include phishing resistance, removable media policy, safe remote access practices, and physical security of OT assets.

Audit evidence: training completion records; OT-specific training materials; awareness campaign records.

Logging & Monitoring

NIS2 requirement: audit logging and event monitoring in support of incident handling and reporting.

IEC 62443: 62443-3-3 SR 6.1 to SR 6.3; 62443-4-2 §3.6.

OT implementation: enable logging on all OT assets that support it. Centralise OT syslog and event data in a SIEM or OT-specific log aggregator (separate from the IT SIEM where possible). NIS2 itself sets no fixed retention period; retain logs long enough to support the Article 23 reporting timeline and post-incident investigation (12 months is a common baseline).

Audit evidence: log retention policy; SIEM/log aggregator configuration; log integrity controls; access to log evidence.

Cryptography (Art. 21(2)(h))

NIS2 requirement: policies on the use of cryptography and, where appropriate, encryption.

IEC 62443: 62443-3-3 SR 4.3; 62443-4-2 §3.4.

OT implementation: encrypt remote access channels (TLS 1.2/1.3, SSH). Encrypt OT data in transit where the industrial protocol supports it. Note: many legacy field protocols offer no native confidentiality (Modbus has none; DNP3 Secure Authentication adds authentication but not encryption), so compensate with encrypted tunnels terminating at the DMZ.

Audit evidence: cryptography policy; TLS/SSH configuration evidence; VPN/encrypted tunnel configuration; legacy protocol risk acceptance records.
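The Network Segmentation row above asks for firewall rules limited to documented conduits and for Zone & Conduit boundary definitions as audit evidence. The Python script below, added here as an example and not Shieldworkz's or the page's own code, shows the check an OT security lead can run over those two artefacts before an audit: each allow rule is resolved to its source and destination zone, compared against the conduit register, and flagged if it is undocumented, bypasses the IT/OT DMZ, or enters a zone at SL-T 3 or above from a lower-SL zone. Zone names, CIDRs, SL-T values, Purdue levels, conduits and rules are constructed sample data.

```python
"""Zone & Conduit audit: check firewall allow rules against the documented conduit
register and Security Level targets (SL-T) of an IEC 62443-3-2 zone model.
Added example, not Shieldworkz code; zones, CIDRs, conduits and rules are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    sl_t: int          # Security Level target, 1..4
    level: float       # Purdue level; 3.5 is the IT/OT DMZ
    networks: tuple    # CIDRs owned by the zone


@dataclass(frozen=True)
class Conduit:
    src: str           # zone names, as they appear in the conduit register
    dst: str
    proto: str
    port: int
    justification: str


@dataclass(frozen=True)
class Rule:
    src: str           # IP or CIDR as written in the firewall policy
    dst: str
    proto: str
    port: int
    action: str = "allow"


# Hypothetical site: four zones with SL-T from the 62443-3-2 risk assessment.
ZONES = (
    Zone("Enterprise IT", 1, 4.0, ("10.0.0.0/16",)),
    Zone("IT/OT DMZ", 2, 3.5, ("10.1.0.0/24",)),
    Zone("Process Control", 2, 2.0, ("192.168.10.0/24",)),
    Zone("Safety (SIS)", 3, 1.0, ("192.168.20.0/24",)),
)

# Conduit register: the only inter-zone flows that are supposed to exist.
CONDUITS = (
    Conduit("Enterprise IT", "IT/OT DMZ", "tcp", 443, "historian replica web UI"),
    Conduit("IT/OT DMZ", "Process Control", "tcp", 502, "historian collector polls PLCs"),
    Conduit("IT/OT DMZ", "Process Control", "tcp", 3389, "vendor jump server, session recorded"),
    Conduit("Process Control", "IT/OT DMZ", "udp", 514, "syslog to OT log aggregator"),
)

# Constructed ruleset export, as it might be pulled from the industrial firewall.
RULES = [
    Rule("10.0.5.0/24", "10.1.0.10", "tcp", 443),
    Rule("10.1.0.10", "192.168.10.0/24", "tcp", 502),
    Rule("10.0.5.17", "192.168.10.20", "tcp", 3389),   # engineer's RDP straight from IT
    Rule("10.1.0.10", "192.168.20.5", "tcp", 502),      # historian polling the SIS
    Rule("192.168.10.0/24", "10.1.0.50", "udp", 514),
    Rule("10.1.0.10", "0.0.0.0/0", "tcp", 443),         # "any" destination left by a vendor
    Rule("10.0.0.0/16", "192.168.0.0/16", "ip", 0, action="deny"),
]


def zone_of(addr, zones=ZONES):
    """Return the Zone owning an IP or CIDR, or None if no zone covers it (e.g. 0.0.0.0/0)."""
    net = ipaddress.ip_network(addr, strict=False)
    for zone in zones:
        if any(net.subnet_of(ipaddress.ip_network(n)) for n in zone.networks):
            return zone
    return None


def audit_rules(rules, zones=ZONES, conduits=CONDUITS):
    """Return one finding string per problem found in the allow rules."""
    documented = {(c.src, c.dst, c.proto, c.port) for c in conduits}
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src, dst = zone_of(r.src, zones), zone_of(r.dst, zones)
        flow = f"{r.src} -> {r.dst} {r.proto}/{r.port}"
        if src is None or dst is None:
            findings.append(f"UNMAPPED: {flow} touches an address outside every zone")
            continue
        if src.name == dst.name:
            continue  # intra-zone traffic is not a conduit
        if (src.name, dst.name, r.proto, r.port) not in documented:
            findings.append(f"UNDOCUMENTED CONDUIT: {flow} ({src.name} -> {dst.name})")
        if src.level > 3.5 and dst.level < 3.5:
            findings.append(f"DMZ BYPASS: {flow} enters OT directly from {src.name}")
        if src.sl_t < dst.sl_t and dst.sl_t >= 3:
            findings.append(f"SL STEP-UP: {flow} enters SL-T {dst.sl_t} zone {dst.name} "
                            f"from SL-T {src.sl_t}; verify SR 5.2 boundary controls")
    return findings


if __name__ == "__main__":
    for finding in audit_rules(RULES):
        print(finding)
```

Run against the sample ruleset, the script reports the RDP rule as both an undocumented conduit and a DMZ bypass, the historian-to-SIS rule as undocumented and as a step into an SL-T 3 zone, and the open-destination rule as unmapped; the four documented flows produce nothing. The same findings list is what the "firewall ruleset documentation" evidence should show as resolved or formally accepted.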

 

5. OT-Specific NIS2/IEC 62443 Implementation Roadmap

The following phased roadmap provides a practical programme for OT organisations pursuing NIS2 compliance via IEC 62443. Each phase is sequenced to minimise operational disruption while progressively maturing the security posture.


Phase 1: Current-State Assessment and Gap Analysis (Months 1–3)


Objectives

Establish baseline IACS security posture. Quantify NIS2/IEC 62443 gaps. Prioritise remediation effort.

Key Activities

• Commission passive OT asset discovery across all process networks

• Conduct IEC 62443-2-1 CSMS gap assessment against current governance practices

• Map OT network architecture to Zone & Conduit model; document actual vs. expected boundaries

• Interview OT site leads, engineering, and IT security teams

• Review existing incident response procedures for OT applicability

• Assess supplier and third-party remote access arrangements

Deliverables

• OT asset register (draft)

• NIS2/IEC 62443 gap analysis report with heat map

• Zone & Conduit diagram (current state)

• Risk register (initial)

Stakeholders

OT Security Lead, Plant Manager, CISO, IT Security, Engineering, Procurement

Success Metrics

100% of process network segments mapped; gap analysis report approved by CISO; initial risk register produced

 

Phase 2: Risk Prioritisation and Security Level Assignment (Months 2–4)


Objectives

Assign Security Level Targets (SL-T) to all OT zones. Prioritise controls by risk impact and exploitability.

Key Activities

• Conduct IEC 62443-3-2 risk assessment for each Zone: identify threat scenarios, consequence severity, likelihood

• Assign SL-T 1 to 4 to each zone (typically SL-T 3 for safety systems and SL-T 2 for process control; SL-T 4 is reserved for zones that must resist well-resourced, highly skilled adversaries)

• Map Shieldworkz threat intelligence (VOLTZITE, BAUXITE, FrostyGoop, DynoWiper) to site-specific risk scenarios

• Identify compensating controls for legacy assets that cannot meet SL-T

• Develop risk treatment plan with owners and timelines

Deliverables

• IEC 62443-3-2 risk assessment report

• Zone Security Level assignment matrix

• Risk treatment plan with prioritised remediation backlog

Stakeholders

OT Security Lead, Safety Manager, CISO, Operations, Engineering

Success Metrics

SL-T assigned to all zones; risk treatment plan approved by CISO and senior management

 

Phase 3: Foundational Controls Implementation (Months 3–12)


Objectives

Implement high-priority IEC 62443 controls addressing the most material NIS2 obligations.

Key Activities

• Deploy IT/OT DMZ and enforce firewall rules (IEC 62443-3-3 SR 5.1/5.2)

• Implement secure remote access via jump server with session recording

• Deploy passive OT NDR solution for asset visibility and anomaly detection

• Establish OT asset inventory tooling and processes

• Remove internet-exposed OT assets and default credentials

• Implement OT-specific patch management process with staging environment

• Establish OT incident response plan and conduct first tabletop exercise

• Deploy offline backup for all OT configurations

Deliverables

• IT/OT DMZ architecture (implemented)

• NDR deployment and baseline alert tuning

• Secure remote access platform operational

• OT Incident Response Plan

• First tabletop exercise report

• OT configuration backup inventory

Stakeholders

OT Security Lead, Network Engineering, Plant Operations, IT Security, Procurement

Success Metrics

Zero internet-exposed OT devices; NDR operational; secure remote access enforced; IRP tested

 

Phase 4: Advanced Detection, Response and Supply Chain (Months 9–18)


Objectives

Mature detection and response capabilities. Extend security controls to supply chain.

Key Activities

• Integrate OT NDR with SIEM and OT SOC or Managed Security Service Provider (MSSP)

• Develop OT threat hunting playbooks using Shieldworkz TI (LOTL, Modbus FC6/16 monitoring)

• Implement IEC 62443-2-4 requirements for all IACS service providers; update contracts

• Conduct OT-specific penetration test (IT/OT boundary focus)

• Establish SBOM tracking for critical OT components

• Implement vendor risk tiering and annual assessment programme

• Deliver OT security awareness training programme

Deliverables

• OT SOC integration documentation

• OT threat hunting playbook library

• Updated supplier contracts with IEC 62443-2-4 clauses

• Pentest report and remediation register

• SBOM register (critical assets)

• Vendor risk register (tiered)

Stakeholders

CISO, OT Security Lead, Procurement, Legal, SOC/MSSP, Vendor Management

Success Metrics

100% of tier-1 suppliers assessed; OT pentest complete with remediation tracked; SOC integrated

 

Phase 5: Governance, Metrics, and Continuous Improvement (Ongoing from Month 12)


Objectives

Embed NIS2/IEC 62443 compliance into ongoing governance. Demonstrate continuous improvement to regulators.

Key Activities

• Establish OT security KPIs and quarterly board reporting pack

• Implement continuous vulnerability monitoring via Shieldworkz threat intelligence feeds

• Conduct annual IEC 62443-2-1 CSMS review and re-certification preparation

• Integrate NIS2 compliance status into enterprise risk reporting

• Conduct annual OT BCP and DR test; update recovery playbooks

• Brief board on personal liability obligations under NIS2

• Establish process for monitoring NIS2 implementing acts and sector-specific guidance

Deliverables

• OT security KPI dashboard

• Annual board cybersecurity report

• CSMS annual review report

• Updated BCP/DR test records

• Board briefing materials

Stakeholders

CISO, Board/Audit Committee, OT Security Lead, Compliance, Legal, Operations

Success Metrics

Board receives quarterly OT security reporting; CSMS re-assessed annually; zero overdue critical remediations


 

6. NIS2 Audit Readiness for OT Environments

6.1 Documentation Requirements

Competent authorities and their designated auditors will expect a complete documentary trail demonstrating that the entity has implemented, and is maintaining, appropriate cybersecurity risk management measures. For OT environments, this documentation must go beyond IT-standard policies to encompass industrial-specific content.

 

•  IACS Cybersecurity Management System (CSMS) policy, scope, and procedure set aligned to IEC 62443-2-1

• OT network architecture documentation: Zone & Conduit diagrams, firewall rule justification, IT/OT DMZ design

• OT asset register: all IACS components, firmware versions, end-of-life dates, security level assignments

• Risk assessment reports: IEC 62443-3-2 methodology, threat scenarios, SL-T assignments, residual risk decisions

• Vendor and third-party security documentation: contracts, assessments, access logs, IEC 62443-2-4 compliance evidence

• Incident response plan and tabletop exercise records

• Business continuity and disaster recovery plans with test evidence

• Training completion records and awareness programme materials

6.2 Technical Evidence Requirements

• NDR/IDS deployment evidence: tool configuration, network coverage map, alert tuning records

• Access control evidence: IAM policy, MFA deployment, privileged access review records, shared credential elimination records

• Patch management records: patch register, OT-specific risk assessment for each patch, maintenance window records, compensating control register

• Log retention evidence: SIEM/log aggregator configuration showing OT data ingestion, retention period settings

• Backup and recovery: backup schedule, offline storage inventory, restoration test records

• Penetration test reports and remediation tracking

6.3 Incident Reporting Readiness

NIS2 Article 23 requires entities to submit an early warning to their national CSIRT within 24 hours of becoming aware of a significant incident, followed by a full incident notification within 72 hours, and a final report within one month. In OT environments, this timeline requires specific preparation:


• Define what constitutes a 'significant incident' in OT context: disruption to process availability, suspected LOTL activity, safety system anomaly, ransomware detection on OT-adjacent networks

• Establish a documented escalation path from OT site to CISO to competent authority within the 24-hour early warning window

• Pre-register the entity with the relevant national CSIRT and establish a secure reporting channel

• Create pre-populated incident notification templates to reduce response time under pressure

• Conduct at least one simulated 72-hour notification exercise annually

6.4 Board-Level Accountability

NIS2 Article 20 makes senior management personally accountable for cybersecurity governance failures. For OT-heavy organisations, this means boards and executive teams must be able to demonstrate:

 

• Evidence of cybersecurity risk oversight: board meeting minutes referencing OT security review, approved risk appetite for OT, documented CISO reporting line

• Executive-level approval of the CSMS scope and policy

• Formal acknowledgement of NIS2 personal liability obligations (legal counsel advice on record)

• Regular board reporting on OT security posture, incidents, and NIS2 compliance status


7. Practical OT Security Controls Mapped to IEC 62443

7.1 Industrial Asset Discovery

Use passive OT asset discovery tools (Shieldworkz) that listen to network traffic without injecting probe packets. Generic active scanners can trigger PLC fault states and safety shutdowns. Where an active query is unavoidable (for example, reading a firmware version that never appears on the wire), use a vendor-native protocol request validated against the specific device model during an approved maintenance window. Integrate asset discovery output with the CMDB to maintain a living asset register. Schedule quarterly reconciliation between discovered assets and the documented inventory.

7.2 OT Network Monitoring and NDR

Deploy passive Network Detection and Response (NDR) at SPAN or TAP points on process network switches. Configure baseline behavioural profiles for each Zone during normal operations. Priority detection rules should include:

• Modbus Function Codes 6 (Write Single Register) and 16 (Write Multiple Registers) from sources other than the approved engineering workstations: indicators of FrostyGoop-style manipulation

• Connections to OT protocol ports (502 Modbus, 102 S7comm/ISO-TSAP, 20000 DNP3, 44818 EtherNet/IP, 4840 OPC UA) from outside the OT zone and DMZ: potential PIPEDREAM/INCONTROLLER activity

• New devices appearing on process networks: potential unauthorised access or LOTL staging

• Engineering workstation connections to the internet or IT networks: exfiltration indicators (AZURITE/Flax Typhoon TTP)
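As an added example (not Shieldworkz's or any NDR product's code), the Python below parses Modbus/TCP frames from mirrored traffic and applies the four rules above to a handful of constructed flow records. The addresses, the asset register baseline, the approved-writer list and the frames are all hypothetical; in a real deployment the baseline comes from the passive asset register and the conduit documentation rather than from constants.

```python
"""Protocol-aware OT detection over mirrored traffic: Modbus/TCP parsing plus the
four rules listed above (unexpected Modbus writes, external access to OT protocol
ports, new devices on the process network, engineering-workstation egress).
Added example; all addresses, baselines and frames are constructed sample data."""
import ipaddress
import struct
from dataclasses import dataclass

MODBUS_WRITE_FCS = {5, 6, 15, 16, 22, 23}          # coil and register write function codes
OT_PROTOCOL_PORTS = {502: "Modbus/TCP", 102: "S7comm/ISO-TSAP", 20000: "DNP3",
                     44818: "EtherNet/IP", 4840: "OPC UA"}

# Hypothetical site baseline for one process zone.
PROCESS_NET = ipaddress.ip_network("192.168.10.0/24")
DMZ_NET = ipaddress.ip_network("10.1.0.0/24")
KNOWN_ASSETS = {"192.168.10.20", "192.168.10.21", "192.168.10.50"}
ENGINEERING_WORKSTATIONS = {"192.168.10.50"}
MODBUS_WRITERS = {"192.168.10.50"}                 # only the EWS may write to PLCs


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    payload: bytes = b""                          # first application-layer bytes, if any


def parse_modbus_tcp(payload):
    """Parse an MBAP header and PDU; return None if the bytes are not a well-formed frame."""
    if len(payload) < 8:
        return None
    tid, proto_id, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0 or length != len(payload) - 6:   # length covers unit id + PDU
        return None
    fc = payload[7]
    frame = {"tid": tid, "unit": unit, "fc": fc & 0x7F, "exception": bool(fc & 0x80)}
    data = payload[8:]
    if frame["fc"] in (3, 6, 16) and len(data) >= 4:  # start address + value/count
        frame["address"], frame["value_or_count"] = struct.unpack(">HH", data[:4])
    return frame


def in_ot(addr):
    ip = ipaddress.ip_address(addr)
    return ip in PROCESS_NET or ip in DMZ_NET


def detect(flows):
    """Apply the four rules; return (rule, src, dst, detail) tuples."""
    alerts = []
    for f in flows:
        # Rule 3: a process-network address that is not in the asset register
        for addr in (f.src, f.dst):
            if ipaddress.ip_address(addr) in PROCESS_NET and addr not in KNOWN_ASSETS:
                alerts.append(("new-device", f.src, f.dst, f"{addr} not in asset register"))
        # Rule 2: OT protocol port reached from outside the OT zone and DMZ
        if f.dst_port in OT_PROTOCOL_PORTS and not in_ot(f.src):
            alerts.append(("external-ot-protocol-access", f.src, f.dst, OT_PROTOCOL_PORTS[f.dst_port]))
        # Rule 4: engineering workstation talking to anything outside OT and DMZ
        if f.src in ENGINEERING_WORKSTATIONS and not in_ot(f.dst):
            alerts.append(("ews-egress", f.src, f.dst, f"port {f.dst_port}"))
        # Rule 1: Modbus write from a source that is not an approved writer
        frame = parse_modbus_tcp(f.payload) if f.dst_port == 502 else None
        if frame and frame["fc"] in MODBUS_WRITE_FCS and f.src not in MODBUS_WRITERS:
            alerts.append(("modbus-write-unexpected-source", f.src, f.dst,
                           f"FC{frame['fc']} unit {frame['unit']} addr {frame.get('address')}"))
    return alerts


def mbap(unit, pdu, tid=1):
    """Build a Modbus/TCP frame: MBAP header (tid, proto 0, length, unit id) + PDU."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed flows: one benign poll, then one example of each rule firing.
SAMPLE_FLOWS = [
    Flow("10.1.0.10", "192.168.10.20", 502, mbap(1, b"\x03" + struct.pack(">HH", 0, 10))),
    Flow("10.0.5.17", "192.168.10.20", 502, mbap(1, b"\x06" + struct.pack(">HH", 0x0010, 0x01F4))),
    Flow("192.168.10.50", "192.168.10.20", 502,
         mbap(1, b"\x10" + struct.pack(">HHB", 0x0100, 2, 4) + b"\x00\x01\x00\x02")),
    Flow("192.168.10.99", "192.168.10.20", 502, mbap(1, b"\x03" + struct.pack(">HH", 0, 1))),
    Flow("203.0.113.9", "192.168.10.21", 102),
    Flow("192.168.10.50", "198.51.100.40", 443),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(*alert)
```

The FC6 write from the IT address fires two rules at once (external access to port 502 and an unapproved writer), which is the combination a FrostyGoop-style intrusion would produce; the FC16 write from the engineering workstation is silent because the workstation is on the approved-writer list. Tuning the writer list and asset register per zone is the "baseline alert tuning" deliverable of Phase 3.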

7.3 Secure Remote Vendor Access

Remote access by OEM vendors and integrators is among the most common initial access vectors for OT attacks. Implement a Vendor Remote Access Platform (VRAP) with the following controls:

• Centralised jump server located in the IT/OT DMZ — vendors never connect directly into the process network

• Multi-factor authentication required for all vendor sessions

•  Session recording with video and keystroke capture

• Time-limited, request-and-approve access workflow — no persistent VPN connections

•  Explicit deny-by-default firewall rules from DMZ to OT zone, with allowlist per vendor per session

7.4 Industrial Vulnerability Management

OT vulnerability management differs fundamentally from IT practice. The following sector examples illustrate the required approach:

Manufacturing Example:  A Tier 1 automotive manufacturer runs 15-year-old Siemens S7-300 PLCs with no patch capability. Compensating controls — network segmentation, application allowlisting on engineering workstations, and passive monitoring for FC6/16 anomalies — replace patching as the primary risk mitigation.

 

Energy Sector Example:  A UK electricity distributor manages GE UR relay firmware across 40 substations. Firmware updates require scheduled outages coordinated with the National Grid. The vulnerability management process includes a 6-month patch window, vendor validation requirements, and a formal risk acceptance sign-off for delayed patches.

 

Water Utility Example:  A water authority discovers CVE-2023-XXXX affecting their SCADA historian. Active exploitation in the wild is documented. The compensating control decision is applied within 48 hours: a firewall rule blocking the historian's external access, a monitoring alert created, and a formal risk acceptance logged pending the next maintenance window.
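The three cases above are instances of one triage procedure: rank by exploitability and exposure in the OT context rather than by CVSS alone, decide whether a patch is even permissible (vendor-validated only for safety-related assets), and where it is not, or not yet, set a deadline for compensating controls and a risk acceptance that is revisited at the next maintenance window. The Python below, added here as an example and not Shieldworkz's own process, encodes that procedure and runs it over three constructed asset/advisory pairs modelled on the examples; asset names, dates, CVSS values, the placeholder CVE identifiers and the SLA thresholds are all hypothetical.

```python
"""OT vulnerability triage: priority from exploitability and exposure, not CVSS alone.
Added example; assets, advisories, dates, identifiers and SLA thresholds are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str
    safety_related: bool      # SIS or protection function: vendor-validated patches only
    patchable: bool           # a vendor fix exists and the platform can take it
    reachable_from_dmz: bool  # a documented conduit lets DMZ or IT hosts reach it
    next_window: date         # next approved maintenance window


@dataclass(frozen=True)
class Advisory:
    cve: str
    cvss: float
    network_vector: bool      # AV:N or AV:A in the CVSS vector
    exploited_in_wild: bool
    vendor_validated_patch: bool = False


@dataclass
class Decision:
    asset: str
    cve: str
    priority: str
    deadline: date            # by when the first mitigating action must be in place
    action: str
    compensating_controls: list = field(default_factory=list)
    risk_acceptance_required: bool = False


# Hypothetical SLAs for the first mitigating action (patch or compensating control).
SLA = {"P1": timedelta(days=2), "P2": timedelta(days=7), "P3": timedelta(days=30)}


def priority(asset, adv):
    """Exposure means network-exploitable AND reachable; exploitation in the wild outranks CVSS."""
    exposed = adv.network_vector and asset.reachable_from_dmz
    if adv.exploited_in_wild and exposed:
        return "P1"
    if adv.exploited_in_wild or (exposed and adv.cvss >= 7.0):
        return "P2"
    if adv.cvss >= 7.0:
        return "P3"
    return "P4"


def triage(asset, adv, today):
    p = priority(asset, adv)
    exposed = adv.network_vector and asset.reachable_from_dmz
    patch_allowed = asset.patchable and (adv.vendor_validated_patch or not asset.safety_related)
    controls = []
    if exposed:
        controls.append("Conduit restriction: remove DMZ/IT reachability except the documented collector")
    controls.append("Passive monitoring rule for the advisory's exploit indicators and write function codes")
    if not patch_allowed:
        controls.append("Application allowlisting on the connected EWS; lifecycle replacement tracked")
    if p == "P4":
        action = ("Patch at next maintenance window after staging test" if patch_allowed
                  else "Document as accepted risk; review at next assessment")
        return Decision(asset.name, adv.cve, p, asset.next_window, action, [], not patch_allowed)
    deadline = today + SLA[p]
    if patch_allowed and asset.next_window <= deadline:
        return Decision(asset.name, adv.cve, p, asset.next_window,
                        "Test in staging, patch in the scheduled window", [], False)
    if patch_allowed:
        action = f"Compensating controls now; patch at window {asset.next_window.isoformat()}"
    else:
        action = "Compensating controls now; no patch path, log formal risk acceptance"
    return Decision(asset.name, adv.cve, p, deadline, action, controls, True)


def prioritise(pairs, today):
    """Triage every (asset, advisory) pair and order the backlog by priority, then deadline."""
    return sorted((triage(a, v, today) for a, v in pairs), key=lambda d: (d.priority, d.deadline))


TODAY = date(2026, 3, 2)
SAMPLE = [
    (Asset("S7-300 line PLC", "Process Control", False, False, False, date(2026, 8, 15)),
     Advisory("CVE-EXAMPLE-1", 9.8, True, False)),
    (Asset("UR protection relay, substation 12", "Substation", True, True, True, date(2026, 9, 1)),
     Advisory("CVE-EXAMPLE-2", 7.5, True, False, vendor_validated_patch=True)),
    (Asset("SCADA historian", "IT/OT DMZ", False, True, True, date(2026, 4, 16)),
     Advisory("CVE-EXAMPLE-3", 8.8, True, True)),
]

if __name__ == "__main__":
    for d in prioritise(SAMPLE, TODAY):
        print(d.priority, d.asset, d.deadline, d.action, d.compensating_controls)
```

The ordering reproduces the text: the exploited, exposed historian is P1 with a 48-hour compensating-control deadline and a patch pencilled into the April window; the relay is P2 with controls due in a week and the vendor-validated firmware deferred to the coordinated outage; the unpatchable S7-300 has the highest CVSS score of the three yet lands at P3 because nothing outside its zone can reach it, and its mitigation is segmentation, allowlisting and monitoring with a formal risk acceptance rather than a patch.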

7.5 OT SOC Integration

Integrating OT security monitoring into a Security Operations Centre requires OT-specific playbooks and trained analysts. Key integration points:

•  OT NDR alerts forwarded to SIEM with OT asset context enrichment (asset criticality, process function, zone classification)

•  OT-specific escalation procedures: some alerts (e.g. SIS anomaly) require immediate site response, not standard L1/L2 triage

• Protocol-aware playbooks for Modbus, DNP3, and IEC 61850 anomalies

• Shieldworkz OT Threat Intelligence integration for TTP-level context (VOLTZITE, KAMACITE, BAUXITE campaigns)

7.6 Engineering Workstation Security

Engineering workstations (EWS) that program PLCs, configure RTUs, and administer SCADA systems are high-value targets that straddle the IT/OT boundary. Controls aligned to IEC 62443-4-2:

• Application allowlisting (e.g. Tripwire, Carbon Black App Control) — only authorised engineering software may execute

• Removable media control: disable USB ports by default; implement an approved media workflow with scanning

• No direct internet access from EWS; updates via approved channels through the DMZ

• Endpoint logging forwarded to SIEM for anomaly detection

• Dedicated, non-shared user accounts with role-based access to specific PLCs/projects


8. Common Challenges and How to Overcome Them

Challenge: Legacy systems
Manifestation in OT: PLCs/DCS from the 2000s era; no authentication, no encryption, no patch support; vendor no longer exists
Shieldworkz-recommended approach: Assign compensating controls: network isolation, application allowlisting on connected EWS, passive monitoring. Document formal risk acceptance. Budget for lifecycle replacement over 3–5 years.

Challenge: Safety vs. security conflicts
Manifestation in OT: IEC 61511 functional safety requirements may conflict with IEC 62443 security controls; SIS modification requires a formal MOC process
Shieldworkz-recommended approach: Involve the Safety Manager in IEC 62443 zone design from day one. Security controls must not introduce failure modes unacceptable to the safety case. Document co-ordination between the CSMS and the Safety Management System.

Challenge: Production downtime constraints
Manifestation in OT: Many OT assets cannot be rebooted, patched, or reconfigured without 12–48 hour planned outages coordinated months in advance
Shieldworkz-recommended approach: Build patch deployment into planned maintenance windows (annual shutdowns, statutory inspections). Use compensating controls in the interim. Document deferred patch decisions with risk acceptance.

Challenge: Third-party dependencies
Manifestation in OT: OEM vendors require persistent remote access; integrators have admin credentials stored locally; sub-suppliers are unknown to the asset owner
Shieldworkz-recommended approach: Implement VRAP immediately. Eliminate persistent remote access connections. Require IEC 62443-2-4 compliance attestation in all new and renewed contracts. Conduct annual third-party security assessments.

Challenge: Budget constraints
Manifestation in OT: OT security competes with capital expenditure for process upgrades; often de-prioritised until after a regulatory deadline
Shieldworkz-recommended approach: Frame NIS2 compliance as a regulatory risk: senior management personal liability under Article 20 is a compelling board conversation. Prioritise controls with the highest NIS2 audit exposure: asset inventory, network segmentation, incident response, and remote access.

Challenge: Skills shortages
Manifestation in OT: Few security professionals understand both OT protocols and cybersecurity; OT engineers view security as an IT problem
Shieldworkz-recommended approach: Engage a specialist OT cybersecurity MSSP for initial programme delivery and ongoing monitoring. Pair OT engineers with security training (IEC 62443 practitioner certification). Use Shieldworkz advisory services for programme oversight.


9. OT CISO's NIS2 Compliance Checklist

The following 60-item checklist provides an immediate self-assessment tool for OT security leaders. Items are grouped by NIS2 Article 21 domain and aligned to IEC 62443 requirements.

 

Governance and Risk Management

☐ CSMS policy documented, scoped to all OT environments, and signed off by senior management

☐ OT-specific cybersecurity risk assessment completed using IEC 62443-3-2 methodology

☐ Security Level Targets (SL-T) assigned to all OT zones and conduits

☐ Risk register maintained with owner, treatment status, and review date for each risk

☐ Board has formally acknowledged NIS2 personal liability obligations (Article 20)

☐ CISO reporting line to board or audit committee documented

☐ OT security KPIs defined and reported to executive leadership quarterly

☐ NIS2 entity registration submitted to competent authority

Asset Inventory and Network Architecture

☐ Passive OT asset discovery deployed across all process network segments

☐ OT asset register complete: all IACS components, firmware versions, EOL dates

☐ End-of-life assets identified and formal risk acceptance or replacement plans documented

☐ Zone & Conduit network model documented and validated against actual network configuration

☐ IT/OT DMZ implemented and enforced by industrial firewall

☐ Internet-facing OT assets identified and eliminated or isolated

☐ Purdue Model or equivalent reference architecture documented for all sites

Access Control

☐ Role-based access control implemented on all SCADA, HMI, and engineering workstation systems

☐ All shared/default credentials eliminated from OT assets

☐ MFA enforced for all remote access to OT environments

☐ Privileged Access Management (PAM) implemented for OT admin accounts

☐ User access reviews conducted at least annually

☐ Joiners/movers/leavers process includes OT access revocation

☐ Physical access to OT control rooms and plant floor networks controlled and logged

Vulnerability and Patch Management

☐ OT-specific vulnerability management process documented and operational

☐ ICS-CERT, vendor, and Shieldworkz threat intelligence advisories reviewed regularly

☐ Vulnerability triage process accounts for OT-specific exploitability (not CVSS score alone)

☐ Compensating control register maintained for all unpatchable OT assets

☐ Patch staging/test environment available for OT systems before production deployment

☐ Patch deployment integrated into planned maintenance windows

☐ SIS firmware updates subject to vendor-validated patch process

☐ Deferred patches subject to formal risk acceptance with review date

Monitoring, Detection and Logging

☐ Passive NDR solution deployed on all OT network segments

☐ OT NDR alerts integrated with SIEM or OT SOC

☐ Detection rules tuned for OT-specific TTPs (Modbus FC6/16, new device enumeration, EWS anomalies)

☐ Log retention policy requires minimum 12 months for OT event data

☐ Log integrity controls in place to prevent tampering

☐ Windows Event IDs 1102 and 104 (log clearing) monitored and alerted

☐ Engineering workstation activity logged and reviewed

Secure Remote Access and Third-Party Risk

☐ Vendor Remote Access Platform (VRAP) implemented with jump server in DMZ

☐ All vendor remote access sessions recorded (video and keystroke)

☐ No persistent remote access connections into OT zones

☐ Remote access requests follow an approval workflow with time limits

☐ All IACS service providers assessed against IEC 62443-2-4 requirements

☐ Security requirements included in all OT procurement contracts

☐ Third-party risk register maintained with annual review schedule

☐ SBOM obtained for all critical OT components

Incident Response and Reporting

☐ OT-specific Incident Response Plan documented and approved

☐ IRP includes OT-safe containment procedures (process isolation without safety compromise)

☐ 72-hour NIS2 incident notification procedure documented and tested

☐ Escalation path from OT site to CISO to CSIRT documented

☐ Pre-registration with national CSIRT completed

☐ Annual OT tabletop exercise completed

☐ Incident classification criteria for 'significant OT incident' defined

☐ Post-incident review process established and documented

Business Continuity and Backup

☐ OT Business Continuity Plan documented including manual fallback procedures

☐ RTO and RPO defined for all critical OT systems

☐ Offline backups of all OT configurations maintained (PLC logic, HMI, historian, engineering files)

☐ Backup restoration tested at least annually in non-production environment

☐ Recovery playbooks documented and accessible off-network

Security Awareness and Training

☐ OT-specific security awareness training programme delivered to all OT-adjacent staff

☐ Removable media policy documented and enforced with technical controls

☐ Training completion records maintained and available for audit

☐ OT security awareness included in onboarding for new staff with OT access


 

10. Conclusion

Key Takeaways

• NIS2 compliance in OT environments requires an OT-native security framework. IEC 62443 is the internationally recognised standard built for this purpose and is explicitly endorsed by ENISA and EU member state authorities as the appropriate mechanism for demonstrating NIS2 Article 21 compliance in industrial environments.

• The threat landscape validates the regulatory imperative. Shieldworkz's H1 2026 OT Threat Advisory documents 119 active ransomware groups targeting industrial organisations, purpose-built OT malware (FrostyGoop, DynoWiper, PIPEDREAM), and threat actors pre-positioning inside critical infrastructure networks. NIS2 is not bureaucratic overhead — it is the regulatory codification of controls the threat environment demands.

• Senior management accountability is real and personal. NIS2 Article 20 exposes board members and executives to personal sanction for cybersecurity governance failures. The CISO's role is to ensure leadership understands this obligation and to provide the evidence trail that demonstrates its discharge.

• A phased, risk-prioritised approach is essential. Attempting to implement all IEC 62443 controls simultaneously is neither practical nor necessary. The five-phase roadmap in this guide allows organisations to address highest-risk gaps first while building sustainable governance structures.

• Supply chain and remote access are the most underinvested control areas. Shieldworkz threat intelligence consistently shows that third-party access and supply chain compromise are primary OT intrusion vectors. IEC 62443-2-4 and VRAP implementation are non-negotiable priorities.

Strategic Recommendations for OT CISOs

• Commission a formal IEC 62443-2-1 gap assessment before the next regulatory audit window. The gap assessment output provides the prioritised roadmap and the evidence of proactive governance that regulators expect.

• Elevate OT security to board-level visibility immediately. Frame the conversation around NIS2 personal liability (Article 20), the 72-hour notification requirement, and the financial penalties (up to €10M or 2% of global turnover for Essential Entities) rather than technical control gaps.

• Establish passive OT visibility as the first technical control. Without an accurate asset inventory and network monitoring baseline, all other security controls are built on sand. Deploy OT NDR as a priority.

• Treat IEC 62443-2-4 as a procurement standard, not a supplier aspiration. Begin enforcing OT supply chain security requirements in all new and renewed IACS service provider contracts.

• Engage OT cybersecurity expertise. The combination of OT protocol knowledge, IEC 62443 expertise, and NIS2 regulatory fluency is rare. Shieldworkz provides advisory, assessment, and managed detection services specifically for this domain.

IEC 62443 as a Long-Term OT Governance Framework

Beyond NIS2 compliance, IEC 62443 provides the structural foundation for a sustainable OT cybersecurity programme. Its CSMS framework (IEC 62443-2-1) establishes the governance processes — policy management, risk assessment, training, incident response, metrics — that mature security programmes require. Its technical controls (IEC 62443-3-3, 4-2) define the security baseline against which OT assets are designed, procured, and operated. Its supplier framework (IEC 62443-2-4, 4-1) extends the programme throughout the supply chain.

Organisations that implement IEC 62443 as a genuine operating framework — rather than a compliance checklist — will find that NIS2 audits become a validation of existing practices rather than a remediation exercise. They will also be positioned to navigate the next wave of OT-specific regulation: the EU Cyber Resilience Act, sector-specific implementing acts under NIS2, and the emerging AI security requirements that will increasingly affect industrial automation environments.

Additional resources

• IEC 62443 and NIS2 Compliance Checklist: Comprehensive mapping of IEC 62443 controls to NIS2 requirements, including incident reporting, zoning, vendor access, and audit readiness.

• NIS2 Directive Preparedness Checklist & Implementation Guide: OT-focused NIS2 readiness assessment, maturity model, evidence requirements, and implementation roadmap.

• NIS2 Master Checklist for OT Operators: OT-specific NIS2 compliance guidance covering ICS, SCADA, remote access, segmentation, and governance.

• Strategic Guide to NIS2 Compliance for OT, ICS, and IoT Infrastructure: Strategic implementation guidance for applying NIS2 requirements across industrial environments.

• Strategic Implementation of ISA/IEC 62443-3-2: Practical implementation of IEC 62443 risk assessment, zoning, conduits, and security levels within industrial environments.

• Strategic IEC 62443 Checklist to Protect Your IACS Operations: Actionable IEC 62443 checklist for securing Industrial Automation and Control Systems (IACS).

• A Comprehensive and Actionable Guide to IEC 62443-Based OT Security Assessments: Deep-dive assessment methodology aligned to IEC 62443 Foundational Requirements, evidence collection, and remediation planning.
