

Prayukth K V
3 June 2025
Translating NIS2's Risk Management Requirements to the OT Shop Floor
As the European Union’s NIS2 Directive takes hold across member states, CISOs are working hard to ensure compliance across their infrastructure. But for organizations reliant on Operational Technology (OT), such as factories, energy grids, maritime ports, and other critical infrastructure, the real challenge lies well beyond the server room.
NIS2 mandates a risk-based, measured approach to cybersecurity, requiring essential and important entities to implement “appropriate and proportionate technical, operational and organizational measures.” The catch? The directive doesn’t distinguish between IT and OT environments. For European CISOs, this raises a pressing question: how do you translate abstract risk management principles into practical security controls on the OT shop floor?
Why OT is often a compliance blind spot
Most OT environments were never designed with cybersecurity in mind. They prioritize availability and safety over confidentiality and integrity. Machines run on legacy PLCs long past their end-of-life, patching is infrequent due to uptime constraints, and asset visibility is notoriously poor or absent. Add a complex supply chain of vendors, integrators, and third-party maintenance providers to the mix, and it becomes clear: applying NIS2 to OT isn’t a matter of copy-pasting IT security controls and watching from a distance.
NIS2 Risk Management: Understanding the core requirements
To quickly recap, here are the key risk management obligations under NIS2 (Article 21):
· Risk analysis and documented policies for information system security.
· Incident handling procedures, including detection and response.
· Business continuity, including backup and disaster recovery.
· Supply chain security, covering outsourced services and suppliers.
· Security in network and information systems acquisition, development and maintenance.
· Vulnerability handling and disclosure.
· Policies and procedures to assess effectiveness of cybersecurity measures.
· Use of cryptography and encryption where appropriate.
Each of these requirements must be adapted for OT, and that’s often where most compliance strategies fall short.
A roadmap to OT-Centric NIS2 compliance
To help CISOs bridge the gap between policy, operations, responsibilities and process on the shop floor, here’s a 4-phase roadmap for OT-aligned NIS2 risk management.
Phase 1: Establish governance and OT-specific risk ownership
· Appoint an OT cybersecurity risk owner accountable to the CISO.
· Integrate OT into enterprise-wide cybersecurity governance frameworks.
· Establish a cross-functional NIS2 steering committee including OT engineers, safety officers, procurement, and IT security.
Recommendation: Map the responsibility model using a RACI matrix with clearly assigned responsibilities, to avoid ambiguity in incident response or vendor oversight. IEC 62443 can be used as a guide.
Phase 2: Conduct an OT risk and asset baseline
· Perform an OT asset inventory using a solution such as Shieldworkz, and make sure it covers asset classification. Document devices, protocols, and network segments.
· Map threats and vulnerabilities across critical production zones (aligned to IEC 62443 zones and conduits).
· Use a tailored risk assessment framework (such as ISO/IEC 27005 applied to OT, or MITRE ATT&CK for ICS) to model and prepare for scenarios such as ransomware-induced downtime or remote supply chain compromise.
· Understand the current OT Security Level.
Deliverable: Comprehensive OT Risk Register mapped to specific NIS2 controls along with likelihood-impact ratings.
Phase 3: Implement technical and organizational controls
· Maintain and update an accurate inventory of all assets, including legacy systems.
· Deploy network segmentation, firewalls, and access controls where feasible.
· Establish OT-specific detection capabilities (ICS-aware IDS, protocol anomaly detection; consider a Network Detection and Response solution).
· Define and drill incident response playbooks for OT scenarios, and document lessons learned.
· Build or regularly update business continuity plans to account for production downtime, failover, and manual fallback. Tie these to the incident response playbooks.
· Apply and track patching governance, including risk-based exception handling and compensating controls.
Note: The “appropriate” controls should factor in safety and uptime constraints unique to OT.
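As an added example (not code from the original article or from Shieldworkz), here is a minimal OT risk register of the kind Phase 2 calls for, with the Phase 3 patching-exception rule built in: each entry carries a constructed asset, its IEC 62443 zone, a threat scenario, 1–5 likelihood and impact ratings, and the NIS2 Article 21 obligation it maps to. Assets that cannot be patched record their compensating controls, and the register reports an inherent and a residual score so the gap between "accepted" and "mitigated" risk stays visible. All asset names, zones, scores, control keys and the likelihood-reduction values are assumptions for illustration.

```python
"""Added example (not from the original article): a minimal OT risk register
with likelihood-impact ratings mapped to NIS2 Article 21 obligations and
documented patch exceptions with compensating controls.
All asset names, zones, scores and reduction values are constructed."""
from dataclasses import dataclass, field

# NIS2 Article 21 obligations as listed in the article; the short keys are assumptions.
NIS2_CONTROLS = {
    "risk_analysis": "Risk analysis and information system security policies",
    "incident_handling": "Incident handling",
    "business_continuity": "Business continuity, backup and disaster recovery",
    "supply_chain": "Supply chain security",
    "acquisition_maintenance": "Security in acquisition, development and maintenance",
    "vulnerability_handling": "Vulnerability handling and disclosure",
    "effectiveness": "Policies to assess effectiveness of measures",
    "cryptography": "Use of cryptography and encryption",
}


@dataclass
class CompensatingControl:
    name: str
    likelihood_reduction: int  # likelihood points this control removes (assumed value)


@dataclass
class RiskEntry:
    asset: str
    zone: str
    scenario: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (safety or production critical)
    nis2_control: str
    patchable: bool = True
    compensating: list = field(default_factory=list)

    def __post_init__(self):
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= 5:
                raise ValueError("likelihood and impact must be rated 1..5")
        if self.nis2_control not in NIS2_CONTROLS:
            raise ValueError(f"unknown NIS2 control key: {self.nis2_control}")

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        # Compensating controls lower likelihood (never below 1) but never impact:
        # a segmented, monitored PLC still stops the line if it is compromised.
        reduction = sum(c.likelihood_reduction for c in self.compensating)
        return max(1, self.likelihood - reduction) * self.impact


def rating(score: int) -> str:
    """Map a 1..25 score onto the three bands used in the register (thresholds assumed)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def patch_exceptions(register):
    """Entries that cannot be patched and therefore need a documented exception."""
    return [e for e in register if not e.patchable]


def unmitigated_exceptions(register):
    """Unpatchable assets still rated high after compensating controls: escalate these."""
    return [e for e in patch_exceptions(register) if rating(e.residual_score()) == "high"]


def prioritised(register):
    """Register ordered by residual score, highest first."""
    return sorted(register, key=lambda e: e.residual_score(), reverse=True)


# Constructed sample register.
SAMPLE_REGISTER = [
    RiskEntry("PLC-Line3-01", "Packaging cell", "Ransomware-induced downtime via engineering workstation",
              likelihood=4, impact=5, nis2_control="business_continuity", patchable=False,
              compensating=[CompensatingControl("Zone firewall with allow-list conduit", 1),
                            CompensatingControl("ICS-aware IDS on conduit", 1)]),
    RiskEntry("HMI-Boiler-02", "Utilities", "Remote maintenance account compromise (vendor VPN)",
              likelihood=3, impact=4, nis2_control="supply_chain"),
    RiskEntry("Historian-01", "DMZ", "Unpatched web service reached from IT network",
              likelihood=3, impact=2, nis2_control="vulnerability_handling"),
    RiskEntry("PLC-Press-07", "Stamping", "Legacy firmware, no vendor support, no compensating control",
              likelihood=5, impact=5, nis2_control="acquisition_maintenance", patchable=False),
]

if __name__ == "__main__":
    for e in prioritised(SAMPLE_REGISTER):
        print(f"{e.asset:14} {e.zone:16} inherent={e.inherent_score():2} residual={e.residual_score():2} "
              f"{rating(e.residual_score()):6} -> {NIS2_CONTROLS[e.nis2_control]}")
    for e in unmitigated_exceptions(SAMPLE_REGISTER):
        print(f"ESCALATE: {e.asset} cannot be patched and has no effective compensating control")
```

The point of reporting both scores is governance, not arithmetic: a documented exception with a firewall and an ICS-aware IDS takes the packaging PLC from "high" to "medium", while the stamping PLC with no compensating control stays "high" and surfaces in the escalation list for the OT risk owner.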
Phase 4: Sustain and improve
· Define KPI and KRI metrics to measure control effectiveness (for instance, mean time to detect OT incidents, number of false positives, mean time to discover, and percentage of patched critical assets).
· Conduct regular risk assessment audits through a proven OT security risk and gap assessment vendor, together with leadership readiness checks, policy effectiveness audits and incident simulations that cover the OT function.
· Ensure ongoing cybersecurity training for OT personnel on cyber hygiene and escalation paths.
· Implement continuous vulnerability disclosure and remediation process management, in coordination with your national CSIRT.
· Verify the IEC 62443 Security Levels (Capability and Target).
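The Phase 4 metrics are only useful if they are computed the same way every reporting cycle. As an added example (not code from the original article or from Shieldworkz), the block below derives three of the KPIs named above from constructed records: mean time to detect from an incident log, the false positive rate and noisiest rules from IDS alert triage, and critical-asset patch coverage reported with and without documented exceptions. The record layouts, field names, timestamps and rule names are all assumptions; an incident whose detection time is still unknown is counted separately rather than silently dropped.

```python
"""Added example (not from the original article): computing Phase 4 KPIs
from constructed OT incident, alert and asset records.
Field names, timestamps and rule names are assumptions."""
from datetime import datetime
from statistics import mean

# Constructed incident log: when the compromise began (from forensics) and when detection fired.
# detected_at is None for an incident still being reconstructed; it is excluded from MTTD.
INCIDENTS = [
    {"id": "INC-1", "zone": "Packaging cell", "started_at": "2025-04-02T06:10:00", "detected_at": "2025-04-02T07:40:00"},
    {"id": "INC-2", "zone": "Utilities", "started_at": "2025-04-15T22:00:00", "detected_at": "2025-04-16T04:00:00"},
    {"id": "INC-3", "zone": "Stamping", "started_at": "2025-05-01T10:00:00", "detected_at": None},
]

# Constructed ICS-aware IDS alerts with their triage verdicts.
ALERTS = [
    {"id": "A-1", "rule": "modbus-write-from-unexpected-host", "verdict": "true_positive"},
    {"id": "A-2", "rule": "modbus-write-from-unexpected-host", "verdict": "false_positive"},
    {"id": "A-3", "rule": "new-device-on-conduit", "verdict": "false_positive"},
    {"id": "A-4", "rule": "new-device-on-conduit", "verdict": "false_positive"},
    {"id": "A-5", "rule": "s7-stop-cpu", "verdict": "true_positive"},
]

# Constructed critical-asset patch status. "exception" means a documented, risk-accepted
# exception with compensating controls under the patching governance process.
CRITICAL_ASSETS = [
    {"asset": "PLC-Line3-01", "patch_status": "exception"},
    {"asset": "HMI-Boiler-02", "patch_status": "patched"},
    {"asset": "Historian-01", "patch_status": "patched"},
    {"asset": "PLC-Press-07", "patch_status": "unpatched"},
]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def mean_time_to_detect_hours(incidents):
    """MTTD over incidents that have a detection time; None if no incident qualifies."""
    durations = [(_ts(i["detected_at"]) - _ts(i["started_at"])).total_seconds() / 3600
                 for i in incidents if i["detected_at"]]
    return mean(durations) if durations else None


def false_positive_rate(alerts):
    """Fraction of triaged alerts that were false positives; None if nothing has been triaged."""
    triaged = [a for a in alerts if a["verdict"] in ("true_positive", "false_positive")]
    if not triaged:
        return None
    return sum(a["verdict"] == "false_positive" for a in triaged) / len(triaged)


def noisiest_rules(alerts, top=3):
    """Rules ranked by false positive count, as input to tuning the detection stack."""
    counts = {}
    for a in alerts:
        if a["verdict"] == "false_positive":
            counts[a["rule"]] = counts.get(a["rule"], 0) + 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)[:top]


def critical_patch_coverage(assets, count_exceptions=True):
    """Percentage of critical assets patched, optionally counting documented exceptions as covered.
    Reporting both figures keeps the KRI honest: an exception is accepted risk, not fixed risk."""
    covered = {"patched", "exception"} if count_exceptions else {"patched"}
    if not assets:
        return 0.0
    return 100.0 * sum(a["patch_status"] in covered for a in assets) / len(assets)


def kpi_report(incidents=INCIDENTS, alerts=ALERTS, assets=CRITICAL_ASSETS):
    """One reporting-cycle snapshot for the NIS2 steering committee."""
    return {
        "mttd_hours": mean_time_to_detect_hours(incidents),
        "incidents_without_detection_time": sum(1 for i in incidents if not i["detected_at"]),
        "false_positive_rate": false_positive_rate(alerts),
        "noisiest_rules": noisiest_rules(alerts),
        "critical_patched_pct": critical_patch_coverage(assets, count_exceptions=False),
        "critical_covered_pct": critical_patch_coverage(assets, count_exceptions=True),
    }


if __name__ == "__main__":
    for key, value in kpi_report().items():
        print(f"{key:36} {value}")
```

On the constructed data this yields an MTTD of 3.75 hours over two closed incidents with one still lacking a detection time, a 60% false positive rate dominated by the new-device rule, and critical-asset coverage of 50% patched versus 75% once the documented exception is counted; the two coverage numbers side by side are what lets the steering committee see how much of the posture rests on compensating controls.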
NIS2 for the shop floor: CISO checklist
Use this checklist to track your enterprise NIS2 alignment in OT environments:
| Domain | OT-specific action |
| --- | --- |
| Governance | Appoint OT risk owner and align with enterprise risk strategy |
| Asset management | Complete OT asset inventory and criticality tagging |
| Risk assessment | Conduct OT-specific threat modelling and risk assessments |
| Network security | Enforce segmentation between IT/OT; secure remote access |
| Detection | Deploy ICS-specific intrusion detection/logging |
| Incident response | Create OT-specific IR plans and simulate scenarios |
| Business continuity | Update plans to include OT production impacts |
| Patching | Define patching policy for OT, incl. compensating controls |
| Supply chain | Evaluate and assess OT vendors against NIS2 Article 23 |
| Training | Train OT staff on basic cyber awareness and escalation |
| Metrics | Monitor effectiveness of OT risk controls regularly through KPIs |
| Continuous improvement | Implement OT-centric vulnerability disclosure process |
CISO’s role in OT risk management
NIS2 has raised the bar for cybersecurity governance, and it’s no longer enough for CISOs to focus solely on IT. The most forward-thinking leaders are those who view NIS2 as a catalyst to unify IT and OT cybersecurity under a shared risk language.
Translating governance policy into practice in the OT domain will take time, resources, training and cultural alignment. But the security and operational payoff (reduced downtime risk, better regulatory posture, and improved resilience) makes it a critical investment.
NIS2 on your mind? Talk to us to learn about proven and comprehensive NIS2 compliance measures.
Interested in conducting an NIS2 readiness assessment? Talk to us
