
Regulatory Playbook
NIS2 Directive
The OT CISO's NIS2 Readiness Assessment Toolkit
The Only NIS2 Compliance Framework Built Specifically for Operational Technology Environments
Most NIS2 compliance guidance was written by IT security professionals for IT environments. If you're running a manufacturing plant, an energy facility, a water utility, or an oil and gas installation, you already know that applying IT-centric frameworks to operational technology is like using the wrong wrench - it looks right until something breaks.
This toolkit was built differently. Developed by Shieldworkz OT/ICS cybersecurity practitioners with field experience across European critical infrastructure, the NIS2 Readiness Assessment Toolkit is the only structured, operationally grounded assessment framework designed from the ground up for OT and ICS environments. It bridges the gap between what NIS2 requires and what industrial operators can actually implement - safely, without disrupting live processes.
Why This Toolkit Matters
NIS2 entered into force on 16 January 2023 with a Member State transposition deadline of October 2024. Unlike its predecessor, NIS2 doesn't separate IT and OT obligations. The directive's Article 21 requirements apply explicitly to industrial control systems, SCADA platforms, distributed control systems, PLCs, RTUs, engineering workstations, historians, and the communication networks connecting them.
That means your CISO is accountable. Your board is accountable. Under Article 20, management bodies - boards of directors and equivalent governance structures - can face personal liability for serious compliance breaches. Essential entities in energy, water, transport, manufacturing, and chemicals face the strictest obligations, including proactive supervisory oversight, 24-hour early warning requirements for significant incidents, and fines of up to €10 million or 2% of global annual turnover.
The challenge for most OT security leaders isn't awareness of NIS2. It's that the available guidance doesn't translate to environments where:
- Patching a PLC isn't a 30-day exercise - it requires vendor qualification, a maintenance window, and engineering sign-off.
- Active vulnerability scanning can crash legacy controllers.
- Safety Instrumented Systems must remain segregated from general OT networks.
- Asset inventories are incomplete because half the equipment was commissioned before modern asset management existed.
- Flat OT networks that evolved over decades bear no resemblance to the zone-and-conduit architectures that NIS2-aligned frameworks assume.
This toolkit was written for that reality.
Why You Should Download This Toolkit Now
If your organisation operates critical infrastructure and falls under NIS2 as an Essential or Important Entity, the regulatory clock is already running. National competent authorities across EU Member States are moving from guidance publication into active supervisory posture. The question isn't whether you'll be assessed - it's whether you'll be ready when you are.
Beyond regulatory exposure, the threat environment justifies urgency on its own terms. OT-targeted incidents rose sharply through 2025, with ransomware groups active across more than 119 distinct criminal clusters and approximately 3,300 industrial organisations impacted. Threat actors including sophisticated nation-state-aligned groups are actively pre-positioning in European critical infrastructure through IT/OT boundary weaknesses, remote access paths, and supply chain vectors. The same infrastructure gaps that expose you to NIS2 sanctions expose you to operational shutdown, physical process disruption, and - in the most severe cases - safety events.
This toolkit gives you a structured baseline to understand where you actually stand, not where you hope you stand.
Key Takeaways From the Toolkit
A 20-Domain OT-Specific Assessment Framework
Covering everything from governance and leadership through to safety-security integration and regulatory compliance management - each domain tailored to the industrial environment with assessment questions, evidence requirements, scoring criteria, and remediation guidance that reflect the realities of legacy OT systems.
The OT NIS2 Readiness Maturity Model
A five-level maturity model calibrated to industrial cybersecurity - not IT security - recognising that progression in OT environments is constrained by operational availability, legacy system constraints, and engineering change management requirements. Know where you stand and what Level 3 (the minimum NIS2 compliance baseline) actually requires from your specific environment.
NIS2 Article 21 Control Mapping
A cross-reference matrix linking all 20 assessment domains to NIS2 Article 21 requirements, with expected evidence and primary risk indicators. This is what a national competent authority inspector will be looking for. Having it mapped before they arrive changes the conversation.
A Residual Risk Assessment Framework
Residual risk scoring across four dimensions - cyber risk, operational risk, safety risk, and regulatory exposure - with a sample residual risk register covering the highest-priority OT attack scenarios. This is the language boards need to make informed risk acceptance decisions.
OT Incident Preparedness Scenarios
Dedicated preparedness assessments for six specific OT incident types: ransomware attacks on OT environments, supply chain compromises, engineering workstation compromise, PLC and controller manipulation, safety-impacting incidents, and remote access abuse. Each scenario is mapped to NIS2 Article 23 reporting obligations.
A Prioritised Remediation Roadmap
A 90-day sprint targeting critical gap closure and quick wins, followed by a structured six-month core control deployment programme and a twelve-month maturity measurement cycle. Practical, sequenced, and operationally realistic - not a theoretical framework that ignores the constraints of running a live industrial facility.
Board-Level Reporting Templates
Ready-to-use executive dashboard and board reporting templates that translate OT cyber risk into the operational, financial, and regulatory language that Article 20 governance requires. Your board needs to understand risk well enough to provide meaningful oversight - these templates make that conversation possible.
How Shieldworkz Supports Your NIS2 Journey
Shieldworkz is a specialist OT/ICS cybersecurity company. We work exclusively in industrial environments - manufacturing, energy, oil and gas, utilities, transport, pharmaceuticals, chemicals, water, and defence. Our practitioners bring field experience from hundreds of OT security assessments across European critical infrastructure, combined with regulatory knowledge developed through active engagement with the NIS2 compliance landscape across multiple Member State jurisdictions.
When you work with Shieldworkz, you're not getting an IT security firm that has added "OT" to its service list. You're engaging practitioners who understand that passive network monitoring is required because active scanning crashes PLCs, that compensating controls for unpatched legacy systems need to be both technically credible and safety-compatible, and that meaningful NIS2 governance means more than getting a policy document board-approved.
Our support across the NIS2 lifecycle includes OT security assessments and gap analysis using this toolkit's methodology, NIS2 regulatory compliance advisory including Member State transposition tracking, OT threat intelligence and advisory briefings, network architecture and segmentation design, incident response retainer and deployment, and managed OT security monitoring.
We also provide a resource library of regulatory playbooks, remediation guides, and OT threat advisory reports - available to qualified organisations through shieldworkz.com. The H1 2026 OT Threat Advisory, referenced throughout this toolkit, is available separately and provides the intelligence context for the threat scenarios and detection priorities covered in this assessment framework.
Download the Toolkit & Book Your Free Expert Consultation
The OT CISO's NIS2 Readiness Assessment Toolkit is available to qualified organisations in critical infrastructure sectors at no cost. Fill out the form to download your copy and begin your NIS2 readiness assessment.
If you'd prefer to start with a conversation, book a free consultation with a Shieldworkz OT security practitioner. We'll walk you through the assessment methodology, discuss where your sector's specific challenges sit, and help you identify the quick wins - actions that can materially reduce your NIS2 exposure within 30 days.
NIS2 compliance in OT environments is complex. But it's not unachievable, and the cost of not taking it seriously is now quantified in euros and personal liability.
Download your copy today!
Get our free NIS2 Directive: The OT CISO's NIS2 Readiness Assessment Toolkit and make sure you're covering every critical control in your industrial network.
