
What "Appropriate Security Measures" Actually Mean Under NIS2


Team Shieldworkz
When implementing the NIS2 Directive (Directive (EU) 2022/2555) within Operational Technology (OT) environments, the phrase "appropriate and proportionate security measures" under Article 21 is often misunderstood. It is not an invitation to import IT security frameworks wholesale onto the plant floor, nor a checklist that can be ticked off once and forgotten.
In an industrial context, "appropriate" means controls must preserve safety and availability above confidentiality, and "proportionate" ties your spending and operational disruption directly to your specific risk profile, asset exposure, and potential societal or economic impact.
Under NIS2, Article 21 mandates an all-hazards approach spanning 10 core areas. Here is a detailed breakdown of what these requirements actually mean when translated into real-world OT practices.
Before we move forward, don’t forget to check out our previous blog post on How USB Drives Still Bypass Modern Defenses in 2026 here.
The 10 mandatory risk-management measures in OT
Risk analysis and Information System security policies
The misconception: Relying on generic IT corporate policies or automated vulnerability scans that risk crashing legacy Programmable Logic Controllers (PLCs).
The OT reality: Use a consequence-driven method such as ISA/IEC 62443-3-2 (zone and conduit risk assessment) to identify and prioritize risks by their physical outcome: production shutdowns, environmental damage and safety hazards, not CVSS scores alone.
Actionable evidence: A documented OT Cyber Risk Assessment Report with sufficient data detailing your cyber-physical boundaries, worst-case scenarios, and a formal Risk Mitigation Plan that is signed off by corporate leadership.
Incident management
The misconception: Having an incident response (IR) plan that assumes you can simply isolate a network segment or wipe and reimage a machine mid-production.
The OT reality: IR playbooks must be tailored to industrial protocol anomalies (e.g., Modbus, S7, EtherNet/IP) and coordinate closely with plant safety managers. To meet the 24-hour early warning and 72-hour incident notification deadlines of NIS2 Article 23, detection has to run continuously without touching the process: passive monitoring on a SPAN port or tap rather than active scanning of controllers.
Actionable evidence: An OT-specific IR Plan containing explicit escalation matrices, plant-floor communication protocols, and logs from periodic tabletop exercises simulating a process disruption or ransomware attack on Human-Machine Interfaces (HMIs).
Business continuity, backup and crisis management
The misconception: Standard IT endpoint backups pushed overnight to a cloud repository.
The OT reality: Backing up industrial architecture involves capturing precise PLC/SCADA project files, firmware versions, network switch configurations, and golden images of legacy Windows systems (like XP or 7) running critical industrial software.
Actionable evidence: A documented Disaster Recovery (DR) runbook showing clear Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) specifically for the factory floor, backed by validated, periodic offline restoration test logs.
Supply chain security
The misconception: Sending a generic, multi-page security questionnaire to the vendors who provide your plant's raw components or enterprise software.
The OT reality: The primary third-party risk in OT comes from system integrators, automation vendors (e.g., Siemens, Rockwell, Schneider), and external maintenance providers who maintain persistent or ad-hoc remote access links into your industrial network.
Actionable evidence: A risk-ranked inventory of all direct OT suppliers, technical service-level agreements (SLAs) dictating secure remote access methods, and formalized security addendums embedded in procurement contracts.
Security in acquisition, development, and maintenance
The misconception: Enforcing an aggressive, automated patch-management cycle that pushes every vendor update on Patch Tuesday.
The OT reality: Critical OT components often cannot be patched on the IT cadence: an unapproved update can void the vendor's warranty, slow production or force a costly plant shutdown. Vulnerability handling in this environment means verifying each published vulnerability against your asset inventory (vendor, model, firmware version) and deploying compensating controls, such as virtual patching on an inline industrial firewall or strict conduit rules at the zone boundary, until a scheduled maintenance window allows a formal update.
Actionable evidence: A customized, documented Patch Management Policy with OT-specific SLAs, a tested Coordinated Vulnerability Disclosure (CVD) plan, and change-management logs detailing the compensating controls applied to unpatched legacy equipment.
Policies and procedures to assess security effectiveness
The misconception: Relying purely on annual external compliance audits to confirm that controls are working.
The OT reality: You cannot protect what you cannot see. Continuous verification requires passive network monitoring and anomaly detection tailored to industrial protocols, establishing a behavioral baseline so that unauthorized configuration changes or rogue assets are spotted immediately.
Actionable evidence: Regular internal audit reports, summaries of passive security posture scans, and documented outcomes of third-party or internal penetration tests conducted safely against staged or offline industrial environments.
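The passive monitoring described under incident management and under continuous verification comes down to the same mechanism: learn what the plant's Modbus/TCP conversations normally look like, then alert on hosts or function codes that were never seen during the learning window. The following is an added example, not code from this page or from Shieldworkz, that parses the Modbus/TCP MBAP header, builds a baseline of (source, destination, unit, function code) tuples, and flags a rogue host, an unbaselined write from the HMI, an unbaselined read, and a malformed frame. The IP addresses, the severity labels and the choice of "write" function codes are assumptions for the example; the sample traffic is constructed inline.

```python
"""Passive Modbus/TCP baselining and deviation alerting (added example)."""
import struct

# Function codes that change controller state (coil/register writes).
# Assumption: this site treats any unbaselined write as a possible
# unauthorised configuration change.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}
MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)


def parse_modbus_tcp(payload: bytes):
    """Return (unit_id, function_code) for a Modbus/TCP request ADU, or None
    if the frame is truncated, has a non-zero protocol id, or its length
    field disagrees with the bytes actually captured."""
    if len(payload) < MBAP_LEN + 1:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:MBAP_LEN])
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[MBAP_LEN]


def frame(tid: int, unit: int, func: int, data: bytes) -> bytes:
    """Build a Modbus/TCP request ADU; used here only to construct sample
    traffic that a SPAN-port sensor would otherwise capture."""
    pdu = bytes([func]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def learn_baseline(records):
    """records: (src_ip, dst_ip, payload) tuples from a learning window in
    which the process ran normally. Returns (conversations, hosts)."""
    conversations, hosts = set(), set()
    for src, dst, payload in records:
        parsed = parse_modbus_tcp(payload)
        if parsed is None:
            continue  # unparseable frames never become "normal"
        unit, func = parsed
        hosts.update((src, dst))
        conversations.add((src, dst, unit, func))
    return conversations, hosts


def detect(records, conversations, hosts):
    """Compare live records with the baseline; nothing here sends a packet."""
    alerts = []
    for src, dst, payload in records:
        parsed = parse_modbus_tcp(payload)
        if parsed is None:
            alerts.append({"type": "malformed_frame", "severity": "medium",
                           "src": src, "dst": dst, "function": None})
            continue
        unit, func = parsed
        if (src, dst, unit, func) in conversations:
            continue  # matches learned behaviour
        if src not in hosts:
            kind, sev = "rogue_asset", "critical"
        elif func in WRITE_FUNCTIONS:
            kind, sev = "unbaselined_write", "critical"
        else:
            kind, sev = "unbaselined_read", "low"
        alerts.append({"type": kind, "severity": sev,
                       "src": src, "dst": dst, "function": func})
    return alerts


# Constructed sample traffic. HMI, EWS and PLC addresses are placeholders.
HMI, EWS, PLC, UNKNOWN = "10.1.2.10", "10.1.2.50", "10.1.3.20", "10.1.2.99"
LEARNING = [
    (HMI, PLC, frame(1, 1, 3, b"\x00\x00\x00\x0a")),              # read 10 holding regs
    (HMI, PLC, frame(2, 1, 1, b"\x00\x00\x00\x08")),              # read 8 coils
    (EWS, PLC, frame(3, 1, 16, b"\x00\x10\x00\x01\x02\x00\x05")),  # EWS writes a register
]
LIVE = [
    (HMI, PLC, frame(4, 1, 3, b"\x00\x00\x00\x0a")),              # normal
    (HMI, PLC, frame(5, 1, 6, b"\x00\x10\x00\x09")),              # HMI never wrote before
    (UNKNOWN, PLC, frame(6, 1, 3, b"\x00\x00\x00\x01")),          # host absent from baseline
    (EWS, PLC, frame(7, 1, 16, b"\x00\x10\x00\x01\x02\x00\x05")),  # normal
    (HMI, PLC, frame(8, 1, 4, b"\x00\x00\x00\x02")),              # new read type
    (HMI, PLC, b"\x00\x01\x00\x01"),                              # truncated frame
]


def run_example():
    conversations, hosts = learn_baseline(LEARNING)
    return detect(LIVE, conversations, hosts)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The ordering of the checks is deliberate: a host that never appeared during learning is reported before its function code is examined, because a new station on the control network is the finding an auditor will ask about first. A real deployment would learn over a full production cycle, version the baseline alongside the asset inventory, and route critical alerts to both the SOC and the plant safety manager.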
Cyber Hygiene Practices & Cybersecurity Training
The misconception: Forcing control room operators to sit through generic corporate training modules focused on office phishing or social media safety.
The OT reality: Operators and field engineers require training directly relevant to their physical workspace. This includes recognizing social engineering tactics targeted at engineering personnel, identifying rogue USB drives, and understanding the physical indicators of a cyber-induced process anomaly.
Actionable evidence: Updated employee training registries, customized training curricula and response training based on escalating OT security scenarios for industrial personnel, and documented cyber hygiene policies explicitly addressing plant-floor behaviors.
Cryptography and the use of encryption
The misconception: Mandating end-to-end Transport Layer Security (TLS) encryption across all internal plant assets.
The OT reality: Legacy fieldbus networks and older serial-to-Ethernet devices lack the processing capability to handle cryptographic overhead without introducing severe latency, which can disrupt real-time industrial processes. Appropriate execution requires protecting data in transit at the edge and boundaries, utilizing secure industrial protocols (like OPC UA Secure Conversation or CIP Security) where modern hardware permits.
Actionable evidence: A formal cryptographic policy mapping where encryption is technically viable, along with documented technical justifications and network segmentation strategies where encryption cannot be implemented due to legacy device limitations.
Human Resources security, access control and asset management
The misconception: Pointing control-system authentication at the corporate Active Directory, so that a compromised enterprise account or a domain outage reaches the plant floor; or maintaining a static, manually updated asset spreadsheet.
The OT reality: A reliable asset inventory must be dynamic, capturing detailed attributes such as firmware versions, patch status, hardware revisions, and physical slot configurations. Access control must implement least privilege by default, mapping explicit roles to operational actions (for example, Read versus Write/Program permissions on a controller).
Actionable evidence: A live, continuously updated OT asset inventory (typically populated via passive network monitoring), formalized Role-Based Access Control (RBAC) matrices for engineering systems, and offboarding checklists that immediately revoke access keys and remote-access credentials upon personnel changes.
Multi-Factor Authentication (MFA) and secure communications
The misconception: Deploying smartphone-based push notifications for operators working in environments where mobile devices are prohibited by safety regulations.
The OT reality: MFA must be enforced without exception at the boundary where the IT network meets the OT network, and for every external remote access path. Inside the plant floor, continuous authentication or hardened hardware tokens (e.g., physical keys suited to industrial settings) must be evaluated against process safety constraints.
Actionable evidence: Technical architecture diagrams showing that every remote access pathway terminates in a Demilitarized Zone (DMZ) and is gated by MFA, along with verified configurations for secure internal emergency communication channels.
Architectural Enforcement: The Purdue Model Alignment
To demonstrate compliance to an auditor, your technical controls should align with a structured industrial framework, such as the Purdue Reference Model. This ensures clear boundaries between enterprise functions and physical process controls.
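The MFA-at-the-boundary requirement and the Purdue alignment above are easiest to evidence when every proposed firewall conduit is checked against a written zone policy before it is deployed. The block below is an added example, not code from this page or from Shieldworkz: a small validator that assigns Purdue levels to zones, treats the IDMZ as the only landing point between enterprise and OT, requires MFA on interactive sessions entering from L4 or from outside, and keeps control protocols (identified here by port, an assumption) at Level 3 and below. The zone names, the rule format and the sample rule set are constructed for the example.

```python
"""Zone-and-conduit rule validation against a Purdue-aligned policy (added example)."""

# Zone ranks. The IDMZ sits between L3 operations and L4 enterprise;
# REMOTE stands for any vendor or corporate user coming from outside.
ZONE_LEVEL = {
    "L0_process": 0, "L1_control": 1, "L2_supervisory": 2,
    "L3_operations": 3, "IDMZ": 3.5, "L4_enterprise": 4, "REMOTE": 5,
}
# Assumption: these control protocols are confined to L3 and below.
INDUSTRIAL_PORTS = {502: "Modbus/TCP", 102: "S7comm",
                    44818: "EtherNet/IP", 20000: "DNP3"}


def check_rule(rule: dict) -> list:
    """Return the policy findings for one proposed firewall conduit.
    rule keys: id, src, dst, port, interactive (bool), mfa (bool)."""
    findings = []
    s, d = ZONE_LEVEL[rule["src"]], ZONE_LEVEL[rule["dst"]]
    touches_idmz = "IDMZ" in (rule["src"], rule["dst"])

    # 1. External access terminates on an IDMZ jump host, never deeper.
    if rule["src"] == "REMOTE":
        if rule["dst"] != "IDMZ":
            findings.append("remote access must terminate on an IDMZ jump host")
    # 2. Enterprise and OT never talk directly; the conduit lands in the IDMZ.
    elif (s >= 4) != (d >= 4) and not touches_idmz:
        findings.append("conduit bypasses the IDMZ between L4 and OT")

    # 3. Interactive sessions entering from L4 or outside are gated by MFA.
    if rule.get("interactive") and s >= 4 and not rule.get("mfa"):
        findings.append("interactive access from enterprise/remote requires MFA")

    # 4. Control protocols do not leave the operations zones.
    proto = INDUSTRIAL_PORTS.get(rule["port"])
    if proto and max(s, d) > 3:
        findings.append(f"{proto} must not cross above L3")
    return findings


def validate(rules) -> dict:
    """Map rule id -> findings for every rule that fails policy."""
    result = {}
    for rule in rules:
        findings = check_rule(rule)
        if findings:
            result[rule["id"]] = findings
    return result


# Constructed sample rule set: a mix of compliant and non-compliant conduits.
SAMPLE_RULES = [
    {"id": "r1", "src": "REMOTE", "dst": "IDMZ", "port": 443,
     "interactive": True, "mfa": True},            # vendor -> jump host, MFA
    {"id": "r2", "src": "REMOTE", "dst": "L2_supervisory", "port": 3389,
     "interactive": True, "mfa": True},            # RDP straight to an HMI
    {"id": "r3", "src": "L4_enterprise", "dst": "L3_operations", "port": 1433,
     "interactive": False, "mfa": False},          # ERP reading the L3 historian
    {"id": "r4", "src": "L4_enterprise", "dst": "IDMZ", "port": 1433,
     "interactive": False, "mfa": False},          # ERP reading the IDMZ replica
    {"id": "r5", "src": "IDMZ", "dst": "L3_operations", "port": 502,
     "interactive": False, "mfa": False},          # Modbus from the IDMZ
    {"id": "r6", "src": "L3_operations", "dst": "L1_control", "port": 502,
     "interactive": False, "mfa": False},          # SCADA polling a PLC
    {"id": "r7", "src": "L4_enterprise", "dst": "L1_control", "port": 502,
     "interactive": True, "mfa": False},           # engineer on the LAN to a PLC
]


if __name__ == "__main__":
    for rule_id, findings in validate(SAMPLE_RULES).items():
        print(rule_id, "->", "; ".join(findings))
```

Run as a pre-change gate in the firewall change-management process, the output doubles as the evidence trail the auditor asks for: every rejected rule carries the policy clause it violated, and every accepted rule demonstrably crossed the IDMZ with MFA where the policy demands it.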
Direct corporate accountability: The bottom line
NIS2 marks a major shift in regulatory enforcement by placing accountability directly on corporate leadership (Article 20), a departure from the original NIS Directive.
Management liability: Board members and executives can no longer delegate cybersecurity and look the other way. They are required to approve the risk-management measures, oversee their implementation, and be able to show the evidence behind them.
Personal sanctions: Where gross negligence is found after a significant incident, the designated competent authorities can impose substantial non-monetary sanctions: ordering the entity to make aspects of its non-compliance public, or, for essential entities, temporarily banning the responsible executives from exercising managerial functions (Article 32).
Implementing "appropriate" measures is no longer just a technical best practice. Instead it is a mandatory exercise in corporate governance and operational resilience.
We are offering a free NIS2 consultation. Talk to a NIS2 expert and get your doubts cleared now.
Additional reading
The Operational Technology NIS2 compliance playbook
An implementation guide tailored specifically for industrial automation and control systems (IACS) to translate all 10 core pillars of Article 21 into engineering workflows without risking plant downtime. Access Playbook
The OT-specific risk assessment toolkit
A downloadable toolkit containing risk templates, consequence-driven assessment matrices, and worksheets aligned with ISA/IEC 62443-3-2 to establish physical impact and safety-based risk profiling. Access Toolkit
The 24-Hour/72-Hour Industrial Incident Response playbook
A specialized IR runbook template featuring explicit escalation workflows and notification checklists tailored to meet strict European Competent Authority reporting timelines. Access Playbook
Third-party access and System Integrator security addendum
A procurement-ready legal and technical template containing standard security clauses, SLA requirements, and access constraints to bind external automation vendors to NIS2 standards. Access Addendum
Compensating controls framework for legacy industrial assets
A technical brief outlining alternative defense-in-depth strategies, such as virtual patching and conduit isolation, for critical plant components that cannot be actively patched. Access Framework
The Industrial DMZ (IDMZ) reference architecture guide
A detailed network architecture blueprint mapping out the logical separation and secure multi-factor authentication requirements between Level 3 operations and Level 4 enterprise IT. Access Guide
The OT cyber hygiene and control room operator training kit
A visual training curriculum and slide deck designed specifically for floor engineers, focusing on physical security, rogue USB drives, and industrial social engineering tactics. Access Training Kit
You may also like
13 Removable Media Policy Requirements for OT and Industrial Networks (Team Shieldworkz)
IEC 62443 Removable Media Security: The Complete Guide to Protecting OT Environments from USB Threats (Team Shieldworkz)
Cyber Physical Systems Security: How USB Drives Still Bypass Modern Defenses in 2026 (Team Shieldworkz)
How Media Scan Technology Detects Malware Targeting OT Systems (Team Shieldworkz)
USB Security in Industrial Control Systems: 15 Controls That Actually Reduce Risk (Team Shieldworkz)
What a mysterious New York sewer intrusion reveals about hybrid warfare (Prayukth K V)