What OT Security Teams Need to Know About NIS2

NIS2 is here. Uncover what OT security teams need to know about compliance, expanded scope, and significant penalties to protect critical infrastructure.

An increasingly digitized world offers more opportunities—and more risks. The reality is that a single breach in an interconnected supply chain can ripple across an entire region or industry. And now, the European Union (EU) is raising the stakes.

The updated NIS2 Directive is in effect. Building on the 2016 NIS Directive, it's the EU’s way of strengthening cybersecurity—and it’s directly affecting many OT and ICS environments that serve or directly operate in the EU.

This guide breaks down what’s changing under NIS2, how it impacts OT/ICS systems, and the practical steps you can take to stay compliant while minimizing downtime.

What NIS2 Means for OT/ICS Security Teams

NIS2 requirements apply to services deemed essential or important to the EU’s health, safety, or stability. These services now include industrial, manufacturing, waste management, and chemical organizations with operations in the EU.

Key Operational Implications of NIS2 for OT/ICS

Operational implications include more accountability, expanded coverage, mandatory minimum requirements, rigorous supply chain review, additional government support, and financial penalties.

Elevated Accountability

Prepare for significant fines and penalties for repeated non-compliance, including the potential temporary suspension of C-level executives and board members. A proactive OT security program is instrumental in keeping the organization compliant.

Expanded Sector Coverage

Expect supervision and enforcement by local authorities for medium and large organizations across over a dozen key sectors, many of which heavily rely on OT/ICS.

Mandatory Minimum Requirements

Establish, review, and actively enforce cybersecurity measures for incident reporting, risk management, and response/remediation. EU member states have the flexibility to impose even stricter requirements.

Rigorous Supply Chain Review

NIS2 mandates rigorous risk reviews of security practices for major connected third-party service providers, including Managed Security Services Providers (MSSPs). This is particularly vital for OT/ICS supply chains.

Increased Government Support

Entities facing major incidents without adequate security staffing can seek support from government authorities.

More Financial Penalties

Maximum fines are set at no less than €7M or 1.4% of global turnover for "important entities," and €10M or 2% of global turnover for "essential entities"—whichever is higher.

Who’s In Scope?

The latest NIS2 update introduces flexibility in scoping. While it allows entities to shift between stricter and lighter requirements, it also adds complexity in determining whether you’re in scope.

Key Scoping Elements for OT/ICS:

  • Size and sector: Medium and large-sized entities providing or carrying out services within the EU and active in NIS2 Annex I or II sectors.
  • Criticality:
    • Critical due to national/regional importance for the sector or service, or for other interdependent sectors within the Member State.
    • Sole service provider in the Member State, where the service is essential for maintaining critical societal or economic activities.
    • Trust services, public communication network providers, DNS.
  • Significant impact (Any Size): Service disruption could have a significant impact on public safety/security/health, or pose significant systemic risks, especially for cross-border impact.
  • Research activities: Member States may include critical research activities.

[Diagram: entity responsibilities under the updated NIS2 regulation in Europe]

NIS2 differentiates between essential and important entities, with essential entities facing increased security requirements, stricter supervision, and higher penalties.

Quick Check-Up Chart for OT/ICS Scope (Simplified):

[Diagram: entities in scope of the updated NIS2 regulation in Europe]

To determine if you are an essential or important entity, assess:

  1. Is your industry/sub-industry listed in Annex I or II? (See tables below).
  2. What is your company size? (Refer to the image detailing company size classifications – typically based on staff headcount and turnover/balance sheet total).

Annex I Sectors (Essential Entities - High Risk for OT/ICS):

Sector, subsector (where applicable), and type of entity:

  • Energy
    • Electricity: Energy supply, selected Distribution System Operators, selected Transmission System Operators, selected Electricity Producers, nominated Electricity Market Operators and selected participants
    • District heating/cooling: Operators of district heating or district cooling
    • Oil: Operators of transmission pipelines; operators of oil production, refining and treatment facilities, storage, and transmission; selected Central oil stockholding entities
    • Gas: Selected Suppliers, selected Distribution system operators, selected Transmission system operators, selected Storage system operators, selected LNG system operators, selected Natural gas undertakings
    • Hydrogen: Operators of hydrogen production, storage, and transmission
  • Transport
    • Air: Selected Air carriers, selected Airport managing bodies, Air Traffic Control Services Providers (ATC)
    • Rail: Selected infrastructure managers, selected Railway undertakings
    • Water: Selected inland, sea and coastal passenger and freight water transport companies, selected Managing bodies of ports, selected Operators of vessel traffic services
    • Road: Selected Road authorities, selected Delegated traffic management control regulations, selected Operators of Intelligent Transport Systems
  • Health (Pharma, Manufacturing, Laboratories, Services): Selected Entities manufacturing medical devices considered critical during a public health emergency, selected Healthcare Providers, EU reference laboratories, selected Entities carrying out research and development activities of medicinal products, selected Entities manufacturing basic pharmaceutical products and pharmaceutical preparations
  • Drinking water: Selected suppliers and distributors of water intended for human consumption, excluding those for whom water distribution is only a minor part of their general activity
  • Waste water: Selected undertakings collecting, disposing of, or treating urban, domestic, and industrial wastewater, when this is an essential part of the business
  • Space (Infrastructure, Services): Selected Operators of ground-based infrastructure, owned, managed, and operated by Member States or by private parties, that support the provision of space-based services
  • B2B ICT Services: Managed Services Providers (MSP), Managed Security Services Providers (MSSP)
  • Digital Infrastructure: e.g. selected providers of public electronic communications networks and services, Data Center Service Providers; selected medicinal products, selected cosmetics, tobacco, narcotics
  • Banking, Financial Markets, Public Administration: Not in the focus of this document

Annex II Sectors (Important Entities - Significant Risk for OT/ICS):

Sector, subsector (where applicable), and type of entity:

  • Postal and courier services: Selected postal service providers
  • Waste management: Selected entities carrying out waste management, excluding undertakings for whom waste management is not their principal economic activity
  • Food production, processing, distribution: Entities engaged in wholesale distribution, industrial production and processing of any food and drink; excludes what is not a food business (for example, feed, live animals unless intended for human consumption, plants prior to harvesting)
  • Manufacturing
    • Chemicals: Selected undertakings carrying out the manufacture, production and distribution of substances and articles
    • Medical devices: Entities manufacturing medical devices
    • Computer, electronic and optical products: Entities that manufacture computers, electronic and optical products, electronic components and boards, loaded electronic boards, computers and peripheral equipment, communication equipment, consumer electronics, instruments and appliances for measuring, testing and navigation; watches and clocks, irradiation, electromedical and electrotherapeutic equipment, optical instruments and photographic equipment, magnetic and optical media
    • Electrical equipment: Entities that manufacture electrical equipment, electric motors, generators, transformers and electricity distribution and control apparatus, batteries and accumulators, wiring and wiring devices, fiber-optic cables, other electronic and electric wires and cables, wiring devices, electric lighting equipment, domestic appliances, non-electric domestic appliances, other electrical equipment
    • Manufacture of machinery and equipment n.e.c.: Entities that manufacture general-purpose machinery, engines and turbines (except aircraft), vehicle and cycle engines, fluid power equipment, other pumps and compressors, taps and valves, bearings, gears, gearing and driving elements, other general-purpose machinery, ovens, furnaces and furnace burners, lifting and handling equipment, office machinery and equipment (except computers and peripheral equipment), power-driven hand tools, non-domestic cooling and ventilation equipment, other general-purpose machinery n.e.c., agricultural and forestry machinery, metal forming machinery and machine tools, other special-purpose machinery, machinery for metallurgy, machinery for mining, quarrying and construction, machinery for food, beverage and tobacco processing, machinery for textile, apparel and leather production, machinery for paper and paperboard production, plastic and rubber machinery, other special-purpose machinery n.e.c.
    • Motor vehicles, trailers, and semi-trailers: Entities that manufacture motor vehicles, trailers and semi-trailers, bodies (coachwork) for motor vehicles, parts and accessories for motor vehicles, electrical and electronic equipment for motor vehicles, other parts and accessories for motor vehicles
    • Transport equipment: Entities that manufacture transport equipment, ships and boats, ships and floating structures, pleasure and sporting boats, railway locomotives and rolling stock, air and spacecraft and related machinery, military fighting vehicles, transport equipment n.e.c., motorcycles, bicycles and invalid carriages, other transport equipment n.e.c.

Even if not explicitly listed in Annex I or II by sector or size, you may still be in scope if:

  • You are a major service provider to a NIS2-in-scope client. While you do not face direct mandatory duties, you will still be expected to maintain cybersecurity practices such as vulnerability disclosure and client communication. Managed Security Services Providers (MSSPs) are explicitly in scope.
  • Member States may exclude areas of defense, national security, public security, or law enforcement from the directive's requirements.

Anticipated Impact on OT/ICS Security Operations

As NIS2 continues to take effect, OT and ICS security managers face increasing pressure to deliver. Here’s what these evolving mandates mean for operations moving forward.

Increased Security Maturity Expectations:

Government authorities will gain a deep understanding of effective measures within your industry, leading to a higher common baseline for expected security maturity. This translates to increased demands on your OT security program.

Efficient Risk Management Mandate

Active risk management is no longer optional. This requires not just detecting risks but continuously assessing and responding to them, while optimizing cost and time efficiency within your OT operations.

NIS2 Is Not the End

NIS2 is a stepping stone in the EU’s strategic cybersecurity objectives. Expect further initiatives, increased requirements, and potentially higher fines in the future.

Recently published measures from an EU member state indicate that NIS2 compliance will necessitate a significant uplift in security maturity (approaching CMM Level 3-4). This demands a proactive approach to understanding and managing risks, encompassing not only incident detection but also robust remediation actions and measurable security management efficiency.

Immediate Actions for OT/ICS Security Teams

Now is the time to move beyond planning and into execution. Here are the critical next steps to help drive compliance and build resilience.

1. Review Your Compliance Efforts

Assess security risks based on all relevant assets, review your security risk management and incident detection and response management capabilities, and define local/regional (EU)/global responsibilities. There are solutions like Verve® by Rockwell Automation that can help to evaluate and resolve security issues.

2. Close the Gaps

Identify OT-accepted security solutions based on their security coverage, work efficiency, and operational costs. Get a demo and run a pilot before selecting a vendor. OT security solutions are available for different maturity levels; go with the one that covers regulatory compliance as well as internal requirements. Keep in mind that you will probably need to grow into a higher maturity level over time, so make sure the investment is sustainable and that the solution will not have to be replaced after two years because requirements have increased. The more integrated the solutions are, the more efficient (in time, effort, and cost) security management is.

3. Prepare for Security Controls

As of 2025, detailed NIS2 security requirements have been published by several EU Member States, and implementation is actively underway across critical sectors. While the directive sets minimum baseline controls, many local authorities have introduced sector-specific interpretations and enhanced guidance to raise security maturity expectations.

ENISA has released updated resources mapping NIS2 obligations to global cybersecurity frameworks such as ISO/IEC 27001, NIST CSF, and IEC 62443, providing a clearer picture of what practical implementation should look like in OT/ICS environments.

4. Involve CISOs and Board Members

NIS2 makes it clear—personal accountability is on the table. The EU is continuing to roll out strict cybersecurity rules. And if your organization isn’t prepared, regulators will step in. Staying ahead of the requirements now can help you avoid bigger problems down the road.

Receive the latest insights on NIS2 within the manufacturing space with our NIS2 Compliance landing page.

NIS2 and Related Regulations: A Holistic View for OT/ICS Teams

Critical Entities Resilience (CER) Directive:

Relevance to OT/ICS Teams

The CER Directive works alongside NIS2 by targeting risks to physical infrastructure—like power disruptions, sabotage, or extreme weather events. While NIS2 focuses on digital threats, CER ensures that your physical systems and operational processes are also resilient.

What You Need to Know

As of October 2024, national authorities started identifying critical entities and reviewing their risk management processes. This means your physical and cyber resilience plans will go under review—including how you protect OT environments, maintain uptime, and coordinate emergency response. Expect increased collaboration with regulators and a push to integrate physical and cyber risk strategies.

EU Cyber Resilience Act (ECRA):

Relevance to OT/ICS Teams

The ECRA transitioned into law in December 2024 and introduces mandatory cybersecurity requirements for any products with digital components. This includes OT systems, industrial devices, and embedded software.

What You Need to Know

Enforcement starts in December 2027—but you should start reviewing your digital supply chain now. The ECRA demands secure-by-design product development, vulnerability management, and ongoing support from vendors. This means tighter vetting of device manufacturers and stronger supply chain oversight for components running in critical ICS environments.

ENISA NIS360 2024 Report: What OT/ICS Data Reveals

The ENISA NIS360 2024 assesses the maturity and criticality of sectors deemed highly critical under the NIS2 directive. Drawing on data from in-scope sectors and insights from Eurostat, the analysis aims to help member states and national authorities uncover gaps and prioritize efforts.

Insight 1: Cybersecurity Maturity Levels Are Mixed

The report reveals that electricity ranks among the most mature sectors due to targeted regulations like the Network Code on Cybersecurity. Other critical infrastructure sectors lag significantly behind.

Gas, oil, district heating and cooling, and hydrogen subsectors show considerably lower maturity levels, with entities struggling particularly with legacy OT systems integration and post-incident response capabilities. Maritime transport also faces similar challenges with outdated OT systems making it vulnerable to cyberattacks, despite its vital role in global trade. This disparity highlights that regulatory frameworks and sector-specific guidance are crucial drivers of cybersecurity maturity in OT environments.

Insight 2: Two OT/ICS Sectors Are in the Risk Zone

Two highly critical sectors are in the risk zone: maritime and gas. Based on the report, here is what each sector should focus on.

Maritime

  • Prioritize OT vulnerability assessments
  • Implement secure-by-design principles for new deployments or upgrades
  • Develop and test your incident response plans for cross-border incidents

Gas

  • Strengthen post-incident response plans and test them regularly
  • Collaborate with electricity and manufacturing sectors
  • Focus on securing the supply chain

NIS2 Compliance Requirements: An OT/ICS Implementation Guide

Duty to Provide Entity Contact Details:

  • Action: Ensure accurate and up-to-date contact information is registered with ENISA.
  • Tactics: Designate a primary point of contact for NIS2 communications within your OT/ICS security team. Establish a process for updating changes within three months. Foreign corporations providing services in the EU must designate a representative.

Reporting Obligations for a Potential Severe Incident:

NIS2 places significant emphasis on rapid and effective incident reporting, with tight deadlines and potential sanctions for non-compliance. This is a critical area for OT/ICS, where incidents can have cascading physical and economic impacts.

What Constitutes a "Severe Incident" for OT/ICS:

  • Severely impacting operational services.
  • Imposing significant financial loss (for example, production downtime, equipment damage).
  • Significant immaterial or material impact on personnel or the entity itself.

Supervision, Enforcement, Fines, and Penalties: The Stakes for OT/ICS

NIS2 establishes a tiered supervisory and enforcement regime, with "essential entities" facing a stronger supervisory regime than "important entities." However, both types can face significant consequences for non-compliance.

Supervision: What to Expect for Your OT/ICS Operations:

  • Baseline for All Entities:
    • Coordinated supervision with the entity’s legal representative.
    • Includes both on-site and off-site inspections of your OT/ICS infrastructure and security practices.
    • Authorities can request information and evidence of security policy implementation to assess compliance.
  • Additional for Essential Entities:
    • Regular and ad-hoc audits, including evidence collection for your OT security posture.
    • Random, unplanned checks by authorities of your industrial systems.

Enforcement of Violations: Remediation and Directives for OT/ICS:

Should supervision reveal compliance violations, enforcement actions will be initiated.

  • For All In-Scope Entities, Local Authorities Can:
    • Issue warnings.
    • Issue binding instructions to remediate incidents within a specified deadline (crucial for OT incident response).
    • Order the entity to cease infringing activities and make the findings public.
    • Order the implementation of security audit recommendations within a deadline.
    • Impose administrative fines.
  • Additional Enforcement for Essential Entities Includes:
    • Temporary prohibition on exercising managerial functions at the CEO or legal representative level (underscoring executive accountability for OT security).
    • Designation of a monitoring officer to oversee compliance within your organization.
    • Issuing binding instructions to prevent incidents, with strict deadlines for implementation and reporting.

Factors Influencing Enforcement Actions and Penalties:

When determining enforcement actions and penalties, authorities will consider:

  • The severity of the infringement (for example, repeated violations, failure to notify or remediate significant OT incidents, obstruction of audits, providing false information).
  • The duration of the infringement.
  • Previous infringements.
  • Material/non-material damage caused and users affected (for example, impact on critical services, public safety).
  • Intent or negligence.
  • Measures taken to prevent or mitigate damage.
  • The level of cooperation with authorities.

Quick Checklist for First Operational Steps in OT/ICS:

In addition to the preceding action items, here is a quick checklist OT security teams can use to get started with NIS2.

  • Asset detection and inventory: Are all relevant assets, including OS-based and embedded systems in OT, detected to a very high degree within an appropriate time frame?
  • Policy and procedures: Are security policies documented, communicated, and regularly assessed for effectiveness across your OT environment?
  • Incident reporting process: Is a clear, well-understood process in place to report potential significant incidents (as defined by NIS2) within your OT operations?
  • Vulnerability and threat management: Have all in-scope OT assets been identified, are they continuously monitored, and are vulnerabilities and threats actively managed?
  • Response capabilities: Can your entity identify, monitor, alert on, and respond effectively to OT threats?
  • Ticketing and documentation: Is a ticketing system implemented to manage and document incident detection, triage, and response within your OT/ICS security workflow?
  • Critical process security: Are critical OT processes and their associated assets known, documented, and protected by appropriate security measures?
  • Supply chain risk management: Are supply chain risks for your OT/ICS components and services identified, and are mitigating measures actively in place?
  • Reliable evidence: Can evidence from your OT security management system be relied upon for industrial assets during audits and assessments?

The Verve by Rockwell Automation Standard: Architecting OT/ICS Security for NIS2 Success

Verve by Rockwell Automation doesn't just help detect risks—it empowers teams to actively manage and remediate them across complex OT environments. This operational intelligence is key to achieving and sustaining NIS2 compliance.

What sets Verve apart is its ability to gather detailed, asset-related security information while also enabling remediation. That means you can move beyond simply identifying risks to taking informed action that closes gaps and strengthens defenses.

For many OT teams, resources are limited. Verve streamlines the process by collecting risk data from across the OT environment, analyzing it, and providing prioritized recommendations. A small expert team can then orchestrate a strategic response, while local operations teams remain in control of execution. This balance ensures organizations can improve security maturity without overwhelming staff or budgets.

Watch our video series to learn how to strengthen your operations against emerging threats while ensuring compliance.

Video: New Regulatory Landscape for Cybersecurity in Industry

The landscape of standards and laws affecting manufacturers is undergoing significant transformation, spurred on by the pressing concerns of security and the integration of Artificial Intelligence. Understanding and complying with these evolving regulations is crucial for ensuring robust security protocols within industrial settings, and avoiding costly sanctions.

Video: Navigating the Impact of the European Directive NIS2 on Manufacturers

The European Directive NIS2 marks a significant change in the regulatory framework, especially for manufacturers operating in the European Union. This directive aims to enhance cybersecurity measures across critical sectors, including manufacturing. As a result, it is set to transform the industry's approach to security and make it more robust.

Video: Effective Cybersecurity and NIS2 Compliance First Requires Organizational Trust

Trust is critical in fortifying cybersecurity measures and ensuring adherence to NIS2 regulations. However, many companies still underestimate their cybersecurity posture. To enhance cybersecurity measures, it is essential to bridge the gap between IT and OT systems and build trust. Without trust, even the best efforts to implement remote monitoring, early warning systems, and other security measures will ultimately fail.

Published August 19, 2025

Topics: Build Resilience Cybersecurity
