Critical implications of The EU Cybersecurity Act 2026 for OT infrastructure operators and enterprises



Prayukth K V

22 January 2026

The European Commission has unveiled a new set of proposals to revise the EU Cybersecurity Act that fundamentally reshapes how operational technology infrastructure operators and enterprises must approach cybersecurity across the European Union. This is not a mere incremental regulatory tweak. It is a strategic pivot aligned to the changing realities of the threat environment surrounding EU cyberspace.

For those of us who have spent decades in the trenches of industrial cybersecurity, watching SCADA systems evolve from air-gapped islands into hyperconnected attack surfaces, this legislation represents a new regulatory dimension that warrants a deep dive. The revision introduces mandatory supply chain derisking, accelerated certification frameworks for compliance, and significantly expanded enforcement mechanisms that will force organizations to fundamentally rethink their security architectures.

Before we move forward, don't forget to check out our previous blog post on "Decoding NCSC-UK, FBI and CISA's OT connectivity guidance: Strategic implications" here.

Core pillars of the revised Cybersecurity Act

ICT supply chain security framework: The geopolitical dimension

Perhaps the most consequential aspect of the revision is the establishment of a horizontal framework for trusted ICT supply chain security across all 18 critical sectors. This framework follows a risk-based approach that takes into account technical vulnerabilities and what the legislation terms "non-technical risks", a euphemism for geopolitical dependencies and foreign interference.

The practical implications are clear. Building on existing work under the EU's 5G security toolbox, the revised legislation will enable mandatory derisking measures to be deployed where suppliers pose significant cybersecurity concerns. For OT operators, this means vendor relationships can no longer be treated as mere procurement decisions. They now require strategic vetting and assessments that account for:

  • Supplier jurisdiction and foreign influence: Is the SCADA vendor subject to legal frameworks that could compel it to compromise system integrity or disclose information?

  • Critical dependencies: Do you have a line of alternative suppliers if a high-risk vendor is suddenly excluded from the market?

  • Retroactive compliance: The proposal includes provisions to potentially recall and phase out products already deployed in EU infrastructure if suppliers are later deemed high-risk.

This retroactive enforcement capability is unprecedented. Organizations running multi-million-Euro industrial control systems could face infrastructure overhauls if their vendors are subsequently designated as high-risk.  

Streamlined European Cybersecurity Certification Framework (ECCF)

The original certification framework was a bit of a compliance quagmire. Only one EU certification scheme has been adopted since the original CSA was enacted seven years ago. The revised Act introduces several streamlining measures:

  • 12-month development timeline: Certification schemes must be developed within one year by default

  • Organizational cyber posture certification: Beyond products and services, organizations can now certify their overall cybersecurity posture

  • Presumption of conformity: ECCF certification will provide presumption of compliance with NIS2 and other EU legislation

The business model implications are significant. Organizations that move rapidly to achieve certification will gain a significant competitive advantage in the EU market.  

Enhanced ENISA mandate: From coordination to operational response

Since the first Cybersecurity Act in 2019, ENISA has become a cornerstone of the EU cybersecurity ecosystem. The revised Act expands its operational capabilities and scope:

  • Early warning systems for emerging threats

  • Direct support for ransomware incident response in coordination with Europol and national CSIRTs

  • Union-wide vulnerability management coordination

  • Single entry point for incident reporting across the EU

  • Cybersecurity Skills Academy to address the talent gap

For multinational OT operators, ENISA's expanded role offers a potential solution to the fragmented compliance landscape created by varying degrees of national implementations of NIS2. Rather than navigating 27 different regulatory regimes, organizations gain a centralized coordination point.   

NIS2 amendments

The Cybersecurity Act package includes targeted amendments to NIS2 that directly impact OT operators:

Compliance simplification

The amendments aim to ensure proportionality in the implementation of the NIS2 Directive in sectors such as electricity or chemicals, where more precise legal drafting is necessary to appropriately define the scope of the Directive. This addresses one of the most persistent complaints from industry: the original NIS2 language was often too broad or ambiguous for specific industrial contexts.

The amendments will ease compliance burdens for approximately 28,700 companies, including over 6,000 SMEs. A new category of "small mid-cap enterprises" offers some relief for an additional 22,500 organizations.

Expanded critical infrastructure coverage

The amendments ensure that submarine data cable infrastructure, as an increasingly critical type of infrastructure, is more comprehensively covered by the scope of the Directive. This expansion recognizes that critical infrastructure extends beyond traditional sectors to include the communications backbone that underlies digital society.

Ransomware data collection

Streamlined mechanisms for collecting and analyzing ransomware attack data will enable better threat intelligence sharing across member states. For OT operators, this could translate to earlier warnings about ransomware variants specifically targeting industrial control systems. This includes variants like EKANS that have demonstrated the ability to kill ICS processes.


The unique OT security challenge

Here's where theory collides with operational reality. Legacy OT systems were built for availability, not for logging or alerting. The fundamental design philosophy of industrial control systems prioritized uptime, deterministic behavior, and physical process control but not cybersecurity telemetry, patch management, or threat detection.

Unlike Information Technology (IT), which focuses on data processing and communication, OT is concerned with the physical operations of machinery and processes. This distinction creates unique challenges:

Different Risk Profiles: An IT system compromise might expose data or disrupt business operations. An OT compromise can cause physical damage, environmental disasters, or loss of life. The risk calculus is fundamentally different.

Incompatible Security Controls: Many standard IT security controls don't translate well to OT environments. While encryption is effective in IT networks, its implementation in OT environments may present challenges and provide a lower return on investment due to differing risk surfaces. The latency introduced by encryption can be unacceptable for real-time control systems. MFA can create operational friction that conflicts with safety requirements.

Extended Asset Lifecycles: IT assets typically refresh every 3-5 years. OT assets can remain in production for 20-30 years. A SCADA system commissioned in 2005 might still be controlling critical infrastructure in 2025—running Windows XP, lacking basic security features, and impossible to patch without extended outages.

The SANS Five Critical Controls for ICS

Dean Parsons from SANS Institute has identified five ICS-specific controls that should form the foundation of NIS2 compliance for OT operators:

  • ICS-specific incident response: Generic IT incident response playbooks don't account for physical safety considerations, process control requirements, or the need to maintain system availability during containment.

  • Defensible network architecture: An architecture that supports visibility and monitoring with specialized tools and analysis capabilities to identify potential risks to control systems and operations. This means implementing proper network segmentation, DMZs between IT and OT networks, and defense-in-depth strategies tailored to industrial protocols.

  • Network visibility and monitoring: You cannot protect what you cannot see. ICS network visibility is the proactive control that makes it possible to detect a threat and to collect the data needed to log and respond to it. This requires passive monitoring solutions that can decode industrial protocols (Modbus, DNP3, PROFINET, etc.) without introducing latency or reliability risks.

  • Secure remote access: The COVID pandemic accelerated remote access requirements for OT environments. However, traditional VPNs often don't provide adequate segmentation or monitoring for industrial networks. Solutions must provide granular access control, session recording, and the ability to restrict access to specific HMIs or PLCs.

  • Risk-based vulnerability management: Given the impossibility of patching many legacy OT systems, organizations must implement compensating controls: network segmentation, application whitelisting, and behavioral anomaly detection that can identify exploitation attempts even when systems remain technically vulnerable.

Incident Reporting: The 24-Hour Reality Check

NIS2 introduces more rigorous incident reporting requirements, compelling entities to report significant cybersecurity incidents within 24 hours. For OT environments, this timeline presents significant operational challenges.

Consider a typical OT incident scenario:

Hour 0-4: Initial detection—often from process anomalies rather than cybersecurity telemetry. OT operators notice unexpected behavior in control systems.

Hour 4-12: Investigation—Determining whether the anomaly is a cybersecurity incident, equipment failure, or operator error. This requires coordination between OT engineers, IT security teams, and potentially external ICS security specialists.

Hour 12-20: Containment decisions—In OT environments, containment might mean shutting down production, switching to manual control, or isolating critical systems. Each option has significant operational and safety implications that must be evaluated.

Hour 20-24: Formal notification—Preparing the regulatory notification while still actively responding to the incident.

This compressed timeline demands pre-established incident response frameworks that account for OT-specific considerations. Organizations need:

  • Clear escalation paths that don't require navigating corporate bureaucracy during active incidents

  • Pre-authorized decision-making authority for OT personnel to isolate systems or halt operations

  • Template notifications that can be rapidly customized rather than drafted from scratch

  • Regular tabletop exercises that specifically test the 24-hour reporting timeline with realistic OT scenarios

Supply Chain Security: The Hidden Attack Surface

Many organizations rely on a complex network of suppliers to operate. That supply chain is an attractive target for attackers because it can provide an entry point into the industrial network.

The SolarWinds and Kaseya incidents demonstrated how software supply chain compromises can cascade across thousands of organizations. For OT operators, supply chain risk extends beyond software to include:

Hardware components: PLCs, RTUs, and other field devices from manufacturers who may face geopolitical pressure or possess backdoors for "remote diagnostics"

System integrators: Third-party firms with deep access to control system configurations, network architectures, and security controls

Managed service providers: Organizations providing remote monitoring, maintenance, or optimization services with persistent access to OT networks

Engineering and design firms: Partners who create HMI interfaces, configure SCADA systems, or design control logic—often retaining access credentials long after project completion

NIS2's supply chain requirements mandate that organizations:

  • Conduct security assessments of critical suppliers

  • Include cybersecurity requirements in procurement contracts

  • Monitor supplier compliance through audits or certifications

  • Have contingency plans for supplier compromise or unavailability

The Cybersecurity Act's supply chain framework adds another layer: organizations must consider the geopolitical risk profile of their suppliers, not just technical security posture. A technically secure supplier located in a jurisdiction subject to foreign influence requirements may now be considered high-risk.

Governance and accountability: Cybersecurity in the Boardroom

Management bodies are explicitly responsible for compliance, including approval and oversight of cybersecurity strategy. This represents a fundamental shift in accountability.

Previously, cybersecurity was often delegated to IT or security teams with limited board visibility. NIS2 and the revised Cybersecurity Act make executives personally accountable. Governance failures may result in temporary bans or disqualification of individuals from leadership roles.

For OT organizations, this creates both risk and opportunity:

The risk: Boards and C-suite executives often lack deep understanding of OT security challenges. They may apply IT security mental models to OT environments where they don't fit, or approve compliance budgets that dramatically underestimate the required investment.

The opportunity: Mandatory board-level accountability creates leverage for CISOs and OT security leaders to secure necessary resources, prioritize security architecture decisions, and embed cybersecurity into strategic planning rather than treating it as a cost center.

Organizations should establish:

  • Regular board briefings on OT cybersecurity posture using metrics executives can understand (not just technical indicators)

  • Clearly defined roles and responsibilities between IT security, OT engineering, and business leadership

  • Board-level cyber risk committees with representation from both IT and OT perspectives

  • Tabletop exercises that include board members to ensure they understand incident response decision-making in practice, not just in policy documents

Enforcement: Real penalties

Let us now talk about what keeps compliance officers awake at night. Unlike the original NIS Directive, NIS2 gives national authorities stronger enforcement powers, including regular audits, security inspections, binding instructions and, crucially, administrative fines of up to €10 million or 2% of global annual turnover, whichever is higher.

For context, 2 percent of global revenue for a major European utility or manufacturer could reach hundreds of millions of euros. These are not symbolic penalties; they are business-threatening financial consequences.

Essential entities face proactive supervision, meaning authorities can audit you at any time. No warning, no preparation time. Regulatory authorities can show up, demand access to your OT networks, review your security controls, and assess your incident response capabilities.

The enforcement powers extend beyond fines:

  • Binding instructions: Authorities can order specific security measures implemented within defined timeframes

  • Market access restrictions: Non-compliant products can be blocked from EU markets

  • Public disclosure: Serious violations may be publicly announced, creating reputational damage

  • Director disqualification: Authorities can disqualify company directors in serious cases of negligence.

The implementation timeline: What to expect

The revised Cybersecurity Act will apply once it is approved by the European Parliament and Council. However, practical implementation follows a more staggered timeline:

Immediate (2026):

  • Organizations should begin supply chain risk assessments, particularly reviewing vendor geopolitical risk profiles

  • Certification framework becomes available—early adopters can gain competitive advantage

  • ENISA begins enhanced coordination and support functions

Short-term (2026-2027):

  • Member States have one year to transpose NIS2 amendments into national law

  • National cybersecurity authorities establish proactive supervision mechanisms

  • First enforcement actions likely to target the most egregious non-compliance

Medium-term (2027-2028):

  • Harmonized certification standards mature and become market expectations

  • Supply chain derisking measures are fully enforced, potentially requiring infrastructure changes

  • Industry-specific guidance documents from ENISA provide clarity on sector-specific requirements

Practical Recommendations for OT Operators

Based on the regulatory landscape and operational realities, here are concrete steps OT infrastructure operators should take:

Conduct Comprehensive Asset Inventory

You cannot protect what you don't know exists. Ensure you have a full overview of your OT devices so you can manage the OT lifecycle better and minimize downtime. This includes:

  • Complete inventory of all field devices (PLCs, RTUs, sensors, actuators)

  • Network topology documentation showing all interconnections

  • Software and firmware version tracking

  • Supplier and vendor relationships mapped to specific assets

Implement ICS-Specific Network Visibility

Deploy passive monitoring solutions that can decode industrial protocols without impacting system performance. This provides the logging and alerting capabilities that legacy OT systems lack by design, without requiring modifications to production systems.
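As an added illustration of the passive-monitoring idea described here and under the SANS visibility control earlier (example code written for this page, not Shieldworkz's product or any tool the post names), the Python below decodes Modbus/TCP request frames and raises an alert when a host outside a constructed baseline, or a host whose baseline role is read-only, issues a write function code, or when a frame carried on the Modbus port is not Modbus at all. Nothing is sent to the PLC; the monitor only reads captured frames. The host addresses, roles and captured frames are all constructed sample data.

```python
"""Passive Modbus/TCP inspection over captured request frames (constructed sample data)."""
import struct
from dataclasses import dataclass

# Function codes that change process state. A passive monitor should be able to
# attribute every one of these to a known, authorised source.
WRITE_FUNCTIONS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                   0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}
READ_FUNCTIONS = {0x01: "Read Coils", 0x02: "Read Discrete Inputs",
                  0x03: "Read Holding Registers", 0x04: "Read Input Registers"}


@dataclass
class ModbusRequest:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(src: str, dst: str, payload: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header and the function code of one request."""
    if len(payload) < 8:
        raise ValueError("truncated MBAP header")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # The MBAP length field counts unit id + PDU, i.e. everything after byte 6.
    if length != len(payload) - 6:
        raise ValueError(f"length field {length} != {len(payload) - 6}")
    return ModbusRequest(src, dst, tid, unit, payload[7], payload[8:])


def inspect_frames(frames, allowlist):
    """Return a list of (rule, src, detail) alerts.

    allowlist maps a source IP to {"role": str, "may_write": bool}; it is the
    baseline of who may talk to the controllers and whether they may write.
    """
    alerts = []
    for src, dst, payload in frames:
        try:
            req = parse_modbus_tcp(src, dst, payload)
        except ValueError as exc:
            alerts.append(("malformed", src, str(exc)))
            continue
        policy = allowlist.get(src)
        name = WRITE_FUNCTIONS.get(req.function) or READ_FUNCTIONS.get(req.function)
        if policy is None:
            alerts.append(("unknown-host", src,
                           f"{name or hex(req.function)} to {dst} unit {req.unit_id}"))
        elif req.function in WRITE_FUNCTIONS and not policy["may_write"]:
            alerts.append(("unauthorised-write", src,
                           f"{policy['role']} sent {name} to {dst} unit {req.unit_id}"))
        elif name is None:
            alerts.append(("unexpected-function", src,
                           f"function {hex(req.function)} to {dst}"))
    return alerts


# Constructed baseline: which hosts on the OT segment may talk to PLCs, and how.
ALLOWLIST = {
    "10.0.20.5": {"role": "HMI", "may_write": True},
    "10.0.20.9": {"role": "historian", "may_write": False},
}

# Constructed captured frames: (src, dst, Modbus/TCP payload).
SAMPLE_FRAMES = [
    # HMI reads 10 holding registers from unit 1: normal.
    ("10.0.20.5", "10.0.30.10", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    # Historian reads 4 input registers: normal for a read-only role.
    ("10.0.20.9", "10.0.30.10", bytes.fromhex("0002 0000 0006 01 04 0000 0004")),
    # Historian writes a holding register: outside its baseline role.
    ("10.0.20.9", "10.0.30.10", bytes.fromhex("0003 0000 0006 01 06 0010 00ff")),
    # Host from the IT address range writes 8 coils: not in the allowlist at all.
    ("10.0.10.77", "10.0.30.10", bytes.fromhex("0004 0000 0008 01 0f 0000 0008 01 ff")),
    # Protocol id 1: something other than Modbus on the Modbus port.
    ("10.0.20.5", "10.0.30.10", bytes.fromhex("0005 0001 0006 01 03 0000 0001")),
]

if __name__ == "__main__":
    for rule, src, detail in inspect_frames(SAMPLE_FRAMES, ALLOWLIST):
        print(f"[{rule}] {src}: {detail}")
```

The baseline is the important design choice: the monitor does not try to decide whether a write is "dangerous" (it has no process context), it only reports writes that the documented architecture says should not happen, which is the kind of alert an OT engineer can triage against the asset inventory.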

Assess and Document Supply Chain Risk

Create a tiered supplier risk assessment that considers:

  • Technical security posture (certifications, audit results, vulnerability management)

  • Geopolitical risk profile (jurisdiction, foreign influence requirements, dual-use technology regulations)

  • Criticality to operations (availability of alternatives, switching costs, dependency depth)

  • Contractual security requirements and enforcement mechanisms
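The following Python is an added example (not from the post or from Shieldworkz) that joins the asset inventory items listed earlier (each asset mapped to its supplier) with the four assessment dimensions above into a tiered supplier rating, flags single-source critical dependencies, and lists which assets would be exposed to phase-out if a supplier were later designated high-risk. The suppliers, assets, scoring weights and tier thresholds are all constructed assumptions for illustration, not values defined by the Act.

```python
"""Tiered supplier risk assessment joined to an OT asset inventory (illustrative weights)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Supplier:
    name: str
    jurisdiction_risk: int           # 0 (none) .. 3 (subject to foreign-influence or legal-compulsion regimes)
    certified: bool                  # holds a recognised product/organisational certification (e.g. IEC 62443)
    open_audit_findings: int         # unresolved findings from the last assessment
    contract_has_security_terms: bool


@dataclass(frozen=True)
class Asset:
    asset_id: str
    kind: str                        # PLC, RTU, HMI, ...
    supplier: str
    criticality: int                 # 1 (low) .. 3 (safety or essential-service impact)
    alternatives: int                # number of qualified alternative suppliers for this asset


def technical_score(s: Supplier) -> int:
    """Technical posture, 0 (best) to 4: certification, audit findings, contract terms."""
    score = 0 if s.certified else 1
    score += min(s.open_audit_findings, 2)
    score += 0 if s.contract_has_security_terms else 1
    return score


def phase_out_exposure(supplier_name: str, assets) -> list:
    """Assets that would need replacement if this supplier were designated high-risk."""
    return sorted(a.asset_id for a in assets if a.supplier == supplier_name)


def assess_supplier(s: Supplier, assets) -> dict:
    owned = [a for a in assets if a.supplier == s.name]
    dependency = max((a.criticality for a in owned), default=0)
    # Single-source critical dependency: a criticality-3 asset with no alternative supplier.
    single_source = sorted(a.asset_id for a in owned if a.criticality == 3 and a.alternatives == 0)
    # Illustrative weights: technical posture + geopolitical exposure + deepest dependency,
    # plus a penalty when a critical asset has no fallback supplier.
    score = technical_score(s) + s.jurisdiction_risk + dependency + (2 if single_source else 0)
    # Illustrative thresholds; a high-jurisdiction supplier behind a critical asset is always "high".
    if score >= 7 or (s.jurisdiction_risk == 3 and dependency == 3):
        tier = "high"
    elif score >= 4:
        tier = "medium"
    else:
        tier = "low"
    return {"tier": tier, "score": score, "single_source_critical": single_source,
            "phase_out_exposure": phase_out_exposure(s.name, assets)}


def assess_all(suppliers, assets) -> dict:
    """Map supplier name -> assessment for every supplier in the inventory."""
    return {s.name: assess_supplier(s, assets) for s in suppliers}


# Constructed sample suppliers and inventory (names and values are invented).
SUPPLIERS = [
    Supplier("Alpha Automation", jurisdiction_risk=0, certified=True,
             open_audit_findings=0, contract_has_security_terms=True),
    Supplier("Beta Controls", jurisdiction_risk=3, certified=True,
             open_audit_findings=1, contract_has_security_terms=True),
    Supplier("Gamma Integration", jurisdiction_risk=1, certified=False,
             open_audit_findings=1, contract_has_security_terms=False),
]
ASSETS = [
    Asset("PLC-01", "PLC", "Alpha Automation", criticality=3, alternatives=2),
    Asset("PLC-02", "PLC", "Alpha Automation", criticality=2, alternatives=2),
    Asset("RTU-07", "RTU", "Beta Controls", criticality=3, alternatives=0),
    Asset("HMI-03", "HMI", "Gamma Integration", criticality=2, alternatives=1),
]

if __name__ == "__main__":
    for name, r in assess_all(SUPPLIERS, ASSETS).items():
        print(f"{name:18} tier={r['tier']:6} score={r['score']} "
              f"single-source={r['single_source_critical']} exposure={r['phase_out_exposure']}")
```

The point of keeping assets and suppliers as separate records is that the two questions the Act raises (who is high-risk, and what would have to be replaced if they are) can be answered from the same data; the tier thresholds are the part each operator would calibrate to its own risk appetite.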

Develop OT-Specific Incident Response Playbooks

Standard IT incident response plans don't account for physical safety considerations, process control requirements, or the need to coordinate with operational technology engineers. Your playbooks should include:

  • Safety-first decision trees that prioritize human safety and environmental protection

  • Clear authority to shut down systems without lengthy approval chains

  • Pre-defined communication templates for the 24-hour reporting requirement

  • Coordination protocols between IT security, OT engineering, and operations teams

Establish Board-Level Governance

Cybersecurity is no longer just the CISO's job. Boards and executive leadership are expected to understand and manage cyber risk as a matter of governance. Create:

  • Quarterly board briefings with executive-friendly metrics

  • Cyber risk committees with cross-functional representation

  • Regular tabletop exercises that include C-suite participants

  • Clear escalation and decision-making authority for cybersecurity incidents

Plan for Legacy System Migration

Many manufacturers rely on outdated legacy systems that are difficult to secure and may not meet NIS2 standards. Take a phased approach:

  • Prioritize systems based on criticality and exposure

  • Implement compensating controls (network segmentation, application whitelisting) for systems that cannot be upgraded

  • Budget for multi-year migration programs recognizing that wholesale replacement isn't feasible

  • Use APIs and modern integration patterns to isolate legacy systems while maintaining functionality

Invest in Workforce Development

The cybersecurity skills gap is acute in OT environments where expertise requires both IT security knowledge and operational technology understanding. ENISA's Cybersecurity Skills Academy will help, but organizations need internal capability development:

  • Cross-training between IT security and OT engineering teams

  • ICS-specific security certifications (GICSP, GRID, ICS515)

  • Regular participation in industry information sharing groups

  • Retention strategies for the scarce talent pool of OT security specialists

The Convergence of Compliance Frameworks

One silver lining in this regulatory evolution: By identifying shared requirements across NIS2, CRA, and other frameworks like GDPR, companies can implement controls that satisfy multiple regulatory obligations simultaneously, creating more efficient compliance programs.

Organizations already implementing frameworks like IEC 62443 for industrial cybersecurity or NIST CSF will find significant overlap with NIS2 requirements. The key is developing an integrated compliance approach rather than treating each regulation as a separate initiative:

  • Map existing security controls to NIS2, CRA, and GDPR requirements

  • Identify gaps that need new controls versus documentation improvements

  • Leverage ECCF certification to demonstrate compliance across multiple frameworks

  • Create unified governance structures that oversee all cyber risk and compliance obligations

The revised EU Cybersecurity Act represents the most ambitious attempt yet to secure Europe's digital infrastructure against evolving threats. For OT operators and enterprises across critical sectors, it demands fundamental rethinking of security architectures, supplier relationships, and governance structures.

But here's the strategic insight that separates leaders from laggards: Organizations should view NIS2 compliance as the natural outcome of a strong cybersecurity posture. The companies that will thrive aren't those scrambling to achieve minimal compliance, but those that recognize robust OT security as a competitive differentiator and operational imperative.

The organizations that treat this as a compliance checkbox exercise will struggle. Those that embed security into their operational DNA, that invest in visibility and resilience, that build cultures where cybersecurity is everyone's responsibility—these organizations will not only meet regulatory requirements but will be better positioned to:

  • Prevent and respond to incidents that cripple competitors

  • Win contracts that require demonstrated security maturity

  • Attract and retain talent in competitive labor markets

  • Command premium market valuations that reflect lower cyber risk profiles

The threat landscape won't get easier. Nation-state actors are developing increasingly sophisticated capabilities targeting industrial control systems. Ransomware groups have proven the economic viability of targeting critical infrastructure. The convergence of IT and OT networks continues to expand attack surfaces.

The revised Cybersecurity Act provides a framework, resources through ENISA, and enforcement mechanisms to drive necessary improvements. But fundamentally, securing operational technology infrastructure requires organizations to make security architecture decisions, resource allocations, and cultural commitments that transcend regulatory compliance.

The question isn't whether your organization can afford to implement these measures. The question is whether you can afford not to, measured not just in regulatory penalties, but in operational resilience, competitive positioning, and ultimately, in the continued ability to deliver the essential services that underpin modern society.

The regulatory implications are coming. But organizations that move proactively will discover that the path to compliance is also the path to operational excellence.

Need help with your regulatory compliance requirements? Talk to our expert.

More about our NIS2 compliance services.

Learn a bit more about Shieldworkz’ Incident response services

Test drive our OT security platform here.

 
