Achieving NIS2 compliance via the IEC 62443 framework

Prayukth K V

February 3, 2026

In the industrial world, regulatory compliance has often been viewed as a checkbox exercise. Or, to put it more bluntly, as a hurdle for IT to clear while the "real work" of production continues on the shop floor. But with the full implementation of the NIS2 Directive across Europe, it's time to look well beyond checkboxes and build verifiable compliance that can be sustained over time.

If you are an operator of essential, critical or public-facing services, a satisfactory score for OT security is no longer enough; you need auditable, risk-based resilience. As many of us know, for the Operational Technology (OT) environment there is no better "how-to" guide for meeting these legal requirements than the IEC 62443 series.

Before we move forward don’t forget to check out our previous blog post on “Observed reduction in Chinese APT Operations amid 2026 PLA purge,” here.

The NIS2 mandate vs. the IEC 62443 blueprint

NIS2 is the cybersecurity law of the land. It tells you what you must achieve: robust risk management, incident reporting, risk ownership and supply chain security. While it is detailed on the overall obligations, it is notoriously light on technical specifics.

IEC 62443 is the technical blueprint for industrial cybersecurity. It provides the granular controls and process requirements for Industrial Automation and Control Systems (IACS). By aligning your OT security program with IEC 62443, you aren't simply following a standard. You are building a strong, risk-aware foundation for legal defense that proves you have met the "state-of-the-art" requirement in NIS2.

Mapping the controls: How to comply

To move from words to steps, we must look at Article 21 of NIS2, which mandates ten specific security measures. Here is how IEC 62443 provides the "how-to" for the most critical pillars:

1. Risk analysis and information system security

NIS2 requires a proactive risk-based approach.

  • The IEC 62443 solution: IEC 62443-3-2 becomes relevant here. It mandates a "zones and conduits" approach. By partitioning your plant into zones based on risk and criticality, you can apply a higher Security Level (SL) to your most vital assets or "crown jewels" (such as safety controllers) while maintaining lower levels for less critical systems. Such a granular approach delineates the security requirements per zone, giving teams the breathing space to address the specific needs of assets as part of a group.

2. Supply chain security

This is easily among the toughest parts of NIS2. You are now responsible for the security of your vendors as well.

  • The IEC 62443 solution: Require your suppliers to be certified against IEC 62443-4-1 (Secure Product Development) and 4-2 (Technical Component Requirements). This shifts the burden of proof to the manufacturer, ensuring that the PLCs and HMIs you buy are "secure by design." Vendors should also maintain HBOMs and SBOMs that are clear about the origin of the product and each of its components.

3. Incident handling and business continuity planning

When things go wrong, NIS2 demands a rapid, structured and documented response.

  • The IEC 62443 solution: IEC 62443-2-1 provides the framework for an OT-specific Cybersecurity Management System (CSMS). Unlike standard IT response plans, it focuses on maintaining high availability and physical safety, without compromising either during the response.

4. Basic cyber hygiene and MFA

NIS2 explicitly mentions Multi-Factor Authentication (MFA) and hygiene.

  • The IEC 62443 solution: Foundational Requirement 1 (FR1, Identification and Authentication Control) in IEC 62443-3-3 specifies the technical controls for identification, authentication and access management. It provides the roadmap for implementing robust access control in environments where traditional MFA might break legacy real-time processes. IEC 62443-3-3 treats this requirement as a foundational one.

Actionable implementation

If you are starting your NIS2 compliance journey in 2026, do not try to do everything in one go. Instead, we recommend you follow the sequence below:

  • Define your "System under Consideration" (SuC): Use 2-1 to scope what falls under NIS2. Don't forget your remote access gateways and IIoT sensors.

  • Conduct training on IEC 62443 and NIS2: Increase actionable awareness among employees before the technical work begins.

  • Conduct a high-level risk and gap assessment: Use 3-2 to identify your "Crown Jewels." Group them into zones.

  • Determine Target Security Levels (SL-T): For each zone, decide whether you need SL-2 (protection against simple attacks), SL-3 (protection against intentional, skilled attackers), or SL-4 (protection against nation-state-level adversaries).

  • Perform a gap analysis: Compare your current capabilities (the achieved level, SL-A) against your targets (SL-T) using the technical requirements in 3-3. This gap list becomes your NIS2 investment roadmap.
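The last three steps above, worked through as an added Python example (this is not code from the original post or from Shieldworkz). It assumes the IEC 62443-3-3 model of a security level as a vector over the seven foundational requirements (FR1 IAC through FR7 RA) rather than a single number, which is why a zone's "SL-3" shorthand is expanded into a vector before comparison. The zone names and all SL values are constructed sample data.

```python
"""Per-zone, per-FR gap analysis of achieved (SL-A) versus target (SL-T) security levels.

Added example; zones and levels are constructed, not taken from any real plant.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

# The seven foundational requirements of IEC 62443-3-3. A security level is a
# vector over these, so a zone can be SL-3 for authentication but SL-2 for
# confidentiality; "SL-3" on its own is shorthand for the uniform vector.
FRS = ("IAC", "UC", "SI", "DC", "RDF", "TRE", "RA")
SLVector = Dict[str, int]


def sl_vector(sl: Union[int, SLVector]) -> SLVector:
    """Expand an integer shorthand into a full vector, or validate a (partial) vector.

    FRs missing from a partial vector are treated as level 0 (no requirement).
    Levels outside 0..4 and unknown FR names are rejected rather than silently ignored.
    """
    if isinstance(sl, int):
        vec = {fr: sl for fr in FRS}
    else:
        unknown = set(sl) - set(FRS)
        if unknown:
            raise ValueError(f"unknown foundational requirement(s): {sorted(unknown)}")
        vec = {fr: sl.get(fr, 0) for fr in FRS}
    for fr, level in vec.items():
        if not 0 <= level <= 4:
            raise ValueError(f"{fr}: security level {level} is outside 0..4")
    return vec


@dataclass(frozen=True)
class Zone:
    name: str
    sl_t: SLVector  # target level per FR, set from the risk assessment
    sl_a: SLVector  # achieved level per FR, found by assessing the current controls


def zone_gaps(zone: Zone) -> Dict[str, int]:
    """Shortfall (SL-T minus SL-A) for every FR where the zone is below target."""
    return {fr: zone.sl_t[fr] - zone.sl_a[fr] for fr in FRS if zone.sl_a[fr] < zone.sl_t[fr]}


def zone_meets_target(zone: Zone) -> bool:
    """True when every FR is at or above its target; exceeding the target is fine."""
    return not zone_gaps(zone)


def roadmap(zones: List[Zone]) -> List[Tuple[str, str, int, int]]:
    """Flatten all gaps into (zone, FR, SL-A, SL-T) rows for investment planning.

    Ordering: largest shortfall first, then the highest target (the crown jewels),
    then zone and FR name so the output is stable between runs.
    """
    rows = []
    for zone in zones:
        for fr in zone_gaps(zone):
            rows.append((zone.name, fr, zone.sl_a[fr], zone.sl_t[fr]))
    rows.sort(key=lambda r: (-(r[3] - r[2]), -r[3], r[0], r[1]))
    return rows


# Constructed sample: three zones from a hypothetical plant.
SAMPLE_ZONES = [
    # Crown jewels: uniform SL-T 3, but several FRs are still only at 1 or 2.
    Zone("safety-controllers", sl_vector(3),
         sl_vector({"IAC": 1, "UC": 2, "SI": 2, "DC": 1, "RDF": 3, "TRE": 2, "RA": 3})),
    # Less critical line: uniform SL-T 2, two FRs short.
    Zone("packaging-line", sl_vector(2),
         sl_vector({"IAC": 2, "UC": 2, "SI": 2, "DC": 1, "RDF": 2, "TRE": 1, "RA": 2})),
    # Remote access gateway: non-uniform target (strong on IAC/UC/RDF, relaxed on RA).
    Zone("remote-access-gateway",
         sl_vector({"IAC": 3, "UC": 3, "SI": 2, "DC": 2, "RDF": 3, "TRE": 2, "RA": 1}),
         sl_vector(2)),
]

if __name__ == "__main__":
    for name, fr, sl_a, sl_t in roadmap(SAMPLE_ZONES):
        print(f"{name:24} {fr:4} SL-A {sl_a} -> SL-T {sl_t} (gap {sl_t - sl_a})")
```

Running the script prints the roadmap with the safety-controller IAC and DC shortfalls at the top, which is the point of keeping the vector form: a zone that is "SL-3" on paper can be two levels short on authentication while already meeting its availability target, and the investment list should reflect that.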

NIS2 carries significant penalties for non-compliance, including personal liability for C-suite executives. In the eyes of a regulator, a "best effort" approach isn't enough anymore. By adopting IEC 62443, you move from a "vague hope" of security to a quantifiable, auditable posture that protects both your production line and your legal standing.

Need help with your regulatory compliance requirements? Talk to our expert.

More about our NIS2 compliance services.

Learn a bit more about Shieldworkz’ Incident response services

Test drive our OT security platform here.

Download our OT security for on-site maintenance checklist, here.  
