NIS2 explicitly extends the cyber security requirements for critical infrastructures to operational technology (OT), i.e. industrial control systems (ICS) and OT environments. The reason: with the growing automation of attacks and the networking of IT and OT, for example via remote maintenance or cloud connections, industrial systems have long since become a primary target for cyber criminals.
Companies with OT responsibility must now clarify the following three key questions:
What specific obligations does NIS2 create?
Which technical measures now have priority (segmentation, monitoring, patch management)?
Which standards and tools will support implementation?
NIS2 is not a recommendation, but is mandatory and verifiable for OT companies that:
Are active in the EU or operate branches there,
provide services for critical infrastructure within the EU,
are involved in supply chains that fall under the NIS2 regulation.
This makes cyber security a binding management responsibility with clear requirements for risk management, reporting processes and securing the value chain.
At its core, NIS2 obliges OT companies to take action in two key areas: systematic risk management and clearly defined reporting processes for security incidents. Both together form the basis for resilient and verifiable cyber resilience.
Companies must systematically check OT systems and assess cyber risks in a comprehensible manner.
The focus is particularly on:
Availability and integrity of control systems such as PLCs and SCADA
Remote maintenance access such as VPN and RDP
Supply chain risks such as third-party risks and firmware updates
Significant incidents must be reported to the competent authority within 24 hours. For Switzerland, this is the Federal Office for Cyber Security (BACS), in Germany the Federal Office for Information Security (BSI) and in Austria the Federal Ministry of the Interior (BMI) as central contact points for cyber incidents.
"The NIS2 Directive applies to operators of essential services, including organizations operating industrial control systems (ICS) and OT environments. It imposes obligations to implement risk management, report security incidents and secure supply chains." - EU Digital Strategy, NIS2 Implementation Guidance.
A well-founded assessment of the current situation creates the basis for effective implementation of the NIS2 requirements and shows where specific deviations exist and which measures should be prioritized.
OT networks used to be considered "isolated" and therefore less at risk. However, current developments and business requirements have changed this:
IT/OT convergence: this means that OT systems are now networked with corporate IT and cloud services and are therefore vulnerable to attack.
Increasing attacks: according to BACS, OT-specific cyberattacks are on the rise in Switzerland, especially in the form of ransomware and sabotage.
Increasing regulatory pressure: NIS2 extends the scope to operators of EU-related critical infrastructures.
NIS2 targets specific security vulnerabilities that are also widespread in OT environments in the DACH region:
Many control systems (PLCs) run with outdated software for which security updates are no longer available. Attackers use unpatched CVEs to move laterally in the network.
NIS2 requirement: Regular risk assessments and compensatory measures.
External service providers often access OT systems via insecure VPN or RDP connections, without multi-factor authentication (MFA) or time limits. This carries the risk of credential theft and ransomware attacks (e.g. via leaked service accounts).
NIS2 requirement: MFA and least privilege for all remote access (EU NIS2 Art. 21 Para. 3).
Many companies are not fully aware of their OT assets - let alone their security status. The risks: undetected attacks, compliance gaps and inefficient incident response.
NIS2 requirement: Documentation obligation for all critical assets (EU NIS2 Art. 20).
Practical tip: use passive asset discovery tools to create a real-time inventory of your OT environment without production risk, and analyse the status quo of the digitalization of your OT processes.
Implementing the NIS2 directive requires a structured, step-by-step approach in order to anchor regulatory requirements in organizations efficiently, comprehensibly and sustainably. The aim is to reduce risks at an early stage, build technical resilience and at the same time ensure verifiability for audits.
A clearly structured 5-point plan sets priorities and bundles the key areas of action into an actionable roadmap.
Immediate measures - quick wins with a high impact
▪️ Clarify responsibilities by appointing a person responsible for NIS2 (e.g. CISO or OT manager) and ensure that management recognizes the urgency.
▪️ Harden remote access, check all remote maintenance access such as VPN, RDP and third-party accounts and implement MFA and least privilege.
▪️ Create a preliminary asset inventory (as a precursor to a full inventory) using passive network scans to build a baseline of OT assets.
Short term - lay the foundation
▪️ Create a complete OT asset inventory. Complete the preliminary inventory using scans in maintenance windows and classify the assets according to criticality.
▪️ Carry out initial risk assessment with focus on availability risks and use ISA/IEC 62443 as a framework.
Medium-term - build technical resilience
▪️ Network segmentation in accordance with ISA/IEC 62443. Divide the OT network into zones and conduits and implement firewall rules between the zones.
▪️ OT monitoring and SIEM integration by feeding OT-specific telemetry (Modbus, DNP3, OPC UA) into the SIEM/OT SOC.
Long-term - ensure sustainable compliance
▪️ Supplier security assessments by checking third-party providers for security standards (e.g. ISO/IEC 27001) and anchoring the most important security clauses in contracts.
▪️ Develop OT-specific incident response playbooks for ransomware and sabotage and test them at least once a year.
▪️ Risk evaluation in accordance with ISA/IEC 62443. Define target security levels (SL-T) for assets, create zone models and document residual risks.
Governance and reporting - verifiability for audits
▪️ Document measures, and log risk assessments, changes and incident response tests.
▪️ Prepare incident reports and create procedures/templates for reports to the BACS.
▪️ Perform annual OT incident simulations and test ransomware scenarios and the failure of critical control systems.
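To make the asset inventory, segmentation and monitoring steps of the plan concrete, the following Python example, added here and not code from the original article or from any vendor tool, builds a passive Modbus/TCP asset inventory from captured port-502 payloads and runs a zone-aware check that could feed an OT SOC or SIEM. The IP ranges, zone names, allowed conduit, approved write source and the five capture records are all constructed for the illustration; it parses only the MBAP header and function code, and covers Modbus only, not DNP3 or OPC UA.

```python
"""Passive OT asset inventory and zone-aware Modbus/TCP monitoring.

Added illustration: the capture records, IP ranges, zone names and
allow-lists below are constructed for the example and do not describe
any real plant.
"""
import ipaddress
import struct
from collections import defaultdict

# Constructed zone model (ISA/IEC 62443 style zones keyed by IP range).
ZONES = {
    "10.10.1.0/24": "supervisory",   # HMIs and engineering workstations
    "10.10.2.0/24": "control",       # PLCs and RTUs
    "10.0.0.0/16": "corporate_it",   # office network
}
# Conduits permitted by the zone model: (source zone, destination zone).
ALLOWED_CONDUITS = {("supervisory", "control")}
# Assumption: only the engineering workstation may write to controllers.
WRITE_ALLOWED_SOURCES = {"10.10.1.30"}
# Modbus function codes that change controller state (coil/register writes).
WRITE_FCS = {5, 6, 15, 16, 22, 23}


def zone_of(ip):
    """Map an IP address to its zone name; first matching range wins."""
    addr = ipaddress.ip_address(ip)
    for cidr, name in ZONES.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return "unknown"


def parse_modbus_tcp(payload):
    """Parse the MBAP header and function code; None if not valid Modbus/TCP."""
    if len(payload) < 8:
        return None
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id must be 0 and the length field must cover unit id + PDU.
    if pid != 0 or length != len(payload) - 6:
        return None
    fc = payload[7]
    return {"transaction": tid, "unit": unit, "fc": fc,
            "is_write": fc in WRITE_FCS, "data": payload[8:]}


def build_inventory(records):
    """Passive inventory: one entry per IP seen, with role, zone, units, FCs."""
    inv = defaultdict(lambda: {"role": set(), "zone": None, "units": set(),
                               "fcs": set(), "peers": set(), "writes_seen": False})
    for src, dst, payload in records:
        frame = parse_modbus_tcp(payload)
        if frame is None:
            continue                      # non-Modbus traffic is not an asset fact
        inv[dst]["role"].add("modbus_server")
        inv[dst]["units"].add(frame["unit"])
        inv[dst]["fcs"].add(frame["fc"])
        inv[dst]["peers"].add(src)
        inv[dst]["writes_seen"] |= frame["is_write"]
        inv[src]["role"].add("modbus_client")
        inv[src]["peers"].add(dst)
    for ip, entry in inv.items():
        entry["zone"] = zone_of(ip)
        # Simple criticality rule: a controller that is written to ranks higher.
        if "modbus_server" in entry["role"]:
            entry["criticality"] = "high" if entry["writes_seen"] else "medium"
        else:
            entry["criticality"] = "n/a"
    return dict(inv)


def detect(records):
    """Return SIEM-style alerts for malformed frames, conduit and write violations."""
    alerts = []
    for src, dst, payload in records:
        frame = parse_modbus_tcp(payload)
        if frame is None:
            alerts.append({"severity": "medium", "src": src, "dst": dst,
                           "rule": "malformed_or_non_modbus"})
            continue
        conduit = (zone_of(src), zone_of(dst))
        if conduit not in ALLOWED_CONDUITS:
            alerts.append({"severity": "high", "src": src, "dst": dst,
                           "rule": "conduit_violation", "conduit": conduit})
        if frame["is_write"] and src not in WRITE_ALLOWED_SOURCES:
            alerts.append({"severity": "high", "src": src, "dst": dst,
                           "rule": "write_from_unapproved_source", "fc": frame["fc"]})
    return alerts


# Constructed capture records: (source IP, destination IP, TCP/502 payload).
SAMPLE_RECORDS = [
    ("10.10.1.20", "10.10.2.5", bytes.fromhex("00010000000601030000000a")),   # HMI reads 10 holding regs
    ("10.10.1.30", "10.10.2.5", bytes.fromhex("000200000006010600100001")),   # engineering writes one reg
    ("10.0.5.77", "10.10.2.5", bytes.fromhex("000300000008010f0000000801ff")),  # office host writes coils
    ("10.10.1.20", "10.10.2.5", bytes.fromhex("00040001000601030000000a")),   # bad protocol id
    ("10.10.1.20", "10.10.2.6", bytes.fromhex("000500000006010400000004")),   # HMI reads input regs
]

if __name__ == "__main__":
    for ip, entry in build_inventory(SAMPLE_RECORDS).items():
        print(ip, entry["zone"], sorted(entry["role"]), entry["criticality"])
    for alert in detect(SAMPLE_RECORDS):
        print(alert)
```

Run as a script it prints five inventory entries and three alerts: the office host violates the zone model and issues an unapproved write, and the frame with a non-zero protocol id is flagged as malformed. In practice the records would come from a SPAN port or network tap rather than an inline sensor, so the inventory is built without touching production traffic.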
NIS2 is more than just a mandatory program. When implemented correctly, the directive becomes a catalyst for a resilient OT security architecture.
Companies that take a risk-based and structured approach to NIS2 not only create regulatory security, but also operational advantages:
1. reduced regulatory risk,
2. increased resilience to cyber-attacks and
3. improved transparency of critical OT assets and dependencies.
The decisive factor here is not the speed of implementation, but its quality. Individual measures fall short if they are not embedded in a clear overall strategy. Only the interplay of transparency, prioritization and tested processes creates real resilience.
Our key recommendations:
Close security gaps in a targeted manner, especially for remote access and privileged accounts, and establish a company-wide MFA.
Establish or update an OT asset inventory and classify critical assets, including risk assessment in accordance with ISA/IEC 62443.
Implement network segmentation consistently (e.g. zone models, firewall rules).
Check supply chain risks (e.g. ISO/IEC 27001 assessments) and make them binding in security clauses.
Develop specific OT incident response playbooks and test them regularly (e.g. ransomware, sabotage).
Organizations with IoT/OT environments that address NIS2 at an early stage and in a structured manner not only strengthen compliance, but also create the basis for a long-term resilient and controllable security strategy. Our experts will be happy to discuss structured NIS2 implementation with you without obligation.