
A practical guide to NIS2 preparedness for your OT environment


Prayukth KV

September 23, 2025


As they say, the clock is ticking away. By October 18, 2024, EU member states were required to transpose the Network and Information Security 2 (NIS2) Directive into national law. Now, in late 2025, the enforcement period is still underway, and organizations are facing the reality of compliance. While many have focused on strengthening their IT cybersecurity, a critical and often more vulnerable domain is being overlooked: Operational Technology (OT).

Recent events in Europe have once again underscored the importance of cybersecurity. For entities in energy, transport, manufacturing, water management, and other critical sectors, NIS2 isn't just an IT compliance exercise. It's a fundamental mandate to secure the industrial control systems (ICS), SCADA, and PLCs that lie at the heart of industrial operations. An incident here isn't about a data breach; it's about production halts, environmental damage, lasting supply chain disruptions and potential threats to public safety.

If you haven't extended your NIS2 strategy to the plant floor, you're not just unprepared; you're exposed. Our NIS2 guide will break down what NIS2 means for OT and provide a practical roadmap for preparedness.

Before we start, would you like to explore the fastest path to NIS2 compliance? Then check out Fast Track from Shieldworkz.

Why does OT sing a different tune when it comes to NIS2 compliance?

Superimposing IT security principles directly onto an OT environment is a well-known recipe for failure. These systems operate under a completely different set of priorities and constraints:

  • Availability and safety first: Unlike IT, where confidentiality is often king, OT's primary directive is to maintain uptime and ensure physical safety. A security measure that requires rebooting a critical controller or introduces latency could be a non-starter.

  • Legacy and complex systems: OT environments are filled with legacy equipment that may be decades old, running on unsupported operating systems, and incapable of being patched without significant risk to operations.

  • Proprietary protocols: Industrial networks often use specialized protocols (e.g., Modbus, DNP3, PROFINET) that standard IT security tools don't understand, making them blind to threats.

  • The prevalent myth of the "Air Gap": The long-held belief that OT networks are isolated is now dangerously outdated. IT/OT convergence, remote vendor access, and even transient devices like USB drives have shattered this illusion.

  • Lack of resources: Most OT security teams are understaffed or lack the capability to deal with complex threats.

NIS2 recognizes these realities by demanding a contextual risk-based approach. It doesn't prescribe specific technologies but mandates that organizations take "appropriate and proportionate technical, operational and organisational measures" to manage cybersecurity risks. For OT, this means translating the directive's requirements into actions that align with and respect the unique nature of industrial environments.

Key NIS2 requirements translated for the plant floor

Let's now look at the four core pillars of NIS2 and what they equate to in an OT context.

Risk management and governance

  • NIS2 Says: Management bodies must approve and oversee cybersecurity risk-management measures. They are now directly accountable.

  • OT Translation: Your C-suite and board need to understand (and sign off on) the risks associated with an unsecured production line, not just an unsecured database. This requires conducting OT-specific risk assessments that map cyber threats to physical consequences (for instance, a ransomware attack on an HMI leading to a $1M/day production loss). Governance must include clear ownership for OT security, which may be a shared responsibility between the plant manager and the CISO.

Incident management and reporting

  • NIS2 articulates: Significant incidents must be reported to the relevant authorities within strict timelines (an initial warning within 24 hours).

  • What does it mean for OT: The 24-hour window is a massive challenge in OT. How do you even detect a sophisticated incident on the plant floor in time? This requires an OT-specific Incident Response (IR) plan. Who do you call when a PLC behaves erratically? How do you safely isolate a compromised segment without triggering a shutdown? You need OT-aware monitoring tools and must conduct regular tabletop exercises involving both IT security teams and plant engineers.

Supply chain security

  • NIS2 articulates: Organizations must address security risks throughout their supply chain, including relationships with suppliers and service providers.

  • What does it mean for OT: Your OT supply chain is complex. It includes the vendors who manufactured your controllers, the system integrators who installed them, and the third-party technicians who maintain them. You must ask:

    • What are the cybersecurity standards of my industrial equipment vendors?

    • How do we secure remote access for our maintenance partners?

    • Is the system integrator’s laptop secure before it’s plugged into our control network?

    Your procurement and legal teams must be involved in vetting vendors and embedding security clauses into contracts.

Basic cyber hygiene and resilience

  • NIS2 articulates: Implement baseline security practices, including asset management, behaviour and communication visibility, access control, and employee training.

  • What it means for OT: This is the foundation.

    • Asset inventory: You cannot protect what you cannot see. Start with a comprehensive inventory of all your OT assets—every PLC, HMI, sensor, and network switch.

    • Network segmentation: Use the Purdue Model as a guide to segment your OT network from the corporate IT network and create zones within the OT environment to contain potential breaches.

    • Access control: Implement strict controls on who can access and modify control systems. This includes physical security and logical access.

    • Training: Train plant operators and engineers on OT-specific threats, such as the dangers of plugging unauthorized USB drives into an engineering workstation.

A 6-Step roadmap to OT Security for NIS2 compliance

You don’t have to feel overwhelmed. Here are some actionable steps you can take to start your NIS2 compliance journey:

  • Assess your scope: First, determine if your organization falls under the "Essential" or "Important" entities defined by NIS2. If you're in a designated sector, you are in scope.

  • Discover and map your OT assets: Deploy passive monitoring tools designed for OT environments to build a complete asset inventory and visualize your network topology and data flows.

  • Conduct an OT-specific IEC 62443-based risk and gap analysis: With your asset inventory in hand, assess your current security posture against the key requirements of NIS2. Identify the gaps in your risk management, test and improve incident response, and add technical controls where required.

  • Develop a prioritized compliance roadmap: You can't fix everything at once. Prioritize your remediation efforts based on risk. Focus on foundational controls first: network segmentation, secure remote access, and developing an OT incident response plan.

  • Foster IT/OT collaboration: Create a cross-functional team with representatives from IT, cybersecurity, engineering, and plant operations. Building a culture of shared responsibility is the only way to achieve sustainable security and compliance.

  • Form a team: Assemble a team with adequate expertise and vendor collaboration to lead the project.
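As an added example (not part of the original post and not Shieldworkz code), here is the kind of logic a passive monitor from step 2 runs to build the asset inventory called for under basic cyber hygiene: it parses the Modbus/TCP request headers seen on the wire, records which devices act as clients and servers, and flags write operations and any device absent from a declared baseline. The IP addresses, frames and baseline are constructed for the illustration.

```python
# Passive OT asset inventory built from observed Modbus/TCP request frames (added
# illustration for this guide, not Shieldworkz code). Assumed input: tuples
# (src_ip, dst_ip, dst_port, tcp_payload) captured from a network tap or SPAN port.
import struct

MODBUS_PORT = 502
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}  # coil/register writes change process state

def parse_mbap(payload: bytes) -> dict:
    """Parse the 7-byte MBAP header and function code of a Modbus/TCP request."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"not Modbus: protocol id {proto}")
    if length != len(payload) - 6:  # length field counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    fc = payload[7]
    return {"tid": tid, "unit": unit, "function": fc, "is_write": fc in WRITE_FUNCTIONS}

def build_inventory(observations, known_assets):
    """Return (assets keyed by ip, write events, ips absent from the declared baseline)."""
    assets, writes = {}, []
    fresh = lambda ip: {"ip": ip, "roles": set(), "unit_ids": set(), "functions": set(), "peers": set()}
    for src, dst, dport, payload in observations:
        if dport != MODBUS_PORT:  # only Modbus/TCP requests (client -> server)
            continue
        hdr = parse_mbap(payload)
        client, server = assets.setdefault(src, fresh(src)), assets.setdefault(dst, fresh(dst))
        client["roles"].add("client"); client["peers"].add(dst); client["functions"].add(hdr["function"])
        server["roles"].add("server"); server["peers"].add(src); server["unit_ids"].add(hdr["unit"])
        if hdr["is_write"]:
            writes.append((src, dst, hdr["unit"], hdr["function"]))
    unknown = sorted(ip for ip in assets if ip not in known_assets)
    return assets, writes, unknown

def modbus_request(tid, unit, fc, *words):
    """Build a constructed request frame: MBAP header + function code + 16-bit fields."""
    pdu = bytes([fc]) + b"".join(struct.pack(">H", w) for w in words)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed sample: an HMI polling a PLC, then an undocumented laptop writing to it.
SAMPLE = [
    ("10.1.1.10", "10.1.2.20", 502, modbus_request(1, 1, 3, 0, 10)),    # read 10 holding regs
    ("10.1.1.99", "10.1.2.20", 502, modbus_request(2, 1, 6, 0x10, 1)),  # write single register
    ("10.1.1.10", "10.1.2.21", 80, b"GET / HTTP/1.0\r\n"),             # not Modbus, ignored
]
BASELINE = {"10.1.1.10", "10.1.2.20", "10.1.2.21"}
```

Calling `build_inventory(SAMPLE, BASELINE)` reports the laptop as outside the baseline and lists its write to unit 1 of the PLC, which is exactly the kind of event the 24-hour reporting window depends on seeing promptly.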

Don't wait for an incident to prove NIS2's point

Lastly, NIS2 is not just another regulation to check off a list. It is a powerful driver for building true operational resilience and it does bring value to multiple aspects of an organisation. By treating the security of your OT environment with the seriousness it deserves, you not only move towards compliance but also protect your revenue, your reputation, and the physical processes at the heart of your business.

The time for treating OT security as an afterthought is over. Start your journey to NIS2 preparedness today.
