This page provides general information only and does not constitute legal advice. Consult qualified legal counsel for classification and compliance obligations applicable to your organisation.

NIS2 compliance for industrial OT: IEC 62443 gap analysis and remediation

NIS2 imposes cybersecurity obligations on organisations with operational technology. PLCs, SCADA systems and industrial networks are explicitly in scope. We help you understand what is required, and implement it technically.

Or call directly: +31 299 705 078 · No sales pitch

  • IEC 62443-certified approach
  • Audit report within 12 weeks
  • Technical and documentary remediation
  • Experience in food, marine and process industry
Sectors

Your sector and NIS2

Each industrial sector has its own OT landscape, legacy systems and risk profile. We work across the following sectors:

Specialisations

Deep dives by domain

NIS2 compliance for OT spans multiple technical domains. Each has its own standards, risks, and implementation path.

The directive

What is NIS2?

NIS2 (EU Directive 2022/2555) is the successor to the original NIS Directive from 2016. It entered into force on 16 January 2023, and member states were required to transpose it into national law by 17 October 2024. In the Netherlands the transposing law is the Cyberbeveiligingswet (Cbw).

The directive significantly expands the scope of its predecessor: more sectors, lower thresholds, and stricter requirements for risk management, supply chain security and incident reporting.

Article 21(1) requires covered entities to manage the risks to "network and information systems which those entities use for their operations or for the provision of their services". On an industrial site those systems include the PLCs, SCADA servers and HMIs that run the process, so your OT floor is in scope, not just the office network.

Key dates
  • Dec 2022: NIS2 published in the EU Official Journal
  • 16 Jan 2023: entered into force
  • 17 Oct 2024: transposition deadline, national laws in effect
  • 2026+: first enforcement cycles expected
Scope

Who does NIS2 apply to?

Essential entities (Annex I)
  • Energy (electricity, oil, gas, district heating)
  • Transport (air, rail, water, road)
  • Banking and financial market infrastructure
  • Healthcare
  • Drinking water and wastewater
  • Digital infrastructure (DNS, IXPs, cloud)
  • ICT service management (B2B)
  • Public administration
  • Space
Important entities (Annex II)
  • Postal and courier services
  • Waste management
  • Chemical manufacturing and distribution
  • Food production, processing and distribution
  • Manufacturing (medical devices, electronics, machinery, vehicles)
  • Digital providers (online marketplaces, search, social media)
  • Research organisations
Size threshold: the directive generally applies to medium-sized and larger organisations (≥50 employees or >€10M annual turnover), and to some providers of critical services regardless of size. Whether an entity is classed as essential or important depends on both its sector and its size: large enterprises in Annex I sectors are generally essential. Your own legal counsel should confirm your classification.
OT context

Why OT is not the same as IT

Long lifecycles

OT equipment runs for 20–30 years. Patching is not always possible. Firmware updates can void warranties, and process downtime is not an IT-style maintenance window.

Real-time constraints

PLCs operate on deterministic scan cycles of 1–10 ms. Security controls that add latency or unpredictability can directly disrupt process control.

Legacy protocols

Modbus, Profibus, OPC-DA: designed for reliability, not security. Modbus and Profibus carry no authentication and no encryption at all; OPC-DA rides on DCOM, whose authentication is awkward to configure and is often switched off in practice. These systems were built assuming physical isolation.

The air gap is gone

Remote diagnostics, MES/ERP connectivity, cloud historians: every integration is a potential entry point. Most OT networks are no longer isolated in practice.

Physical consequences

A compromised PLC can cause equipment damage, production loss, environmental incidents, or personal injury. The blast radius is not just data: it is the plant.

Article 21 covers OT

NIS2 Article 21 requires risk-management measures for the network and information systems an entity uses for its operations. On an industrial site that includes the control systems, not only office IT. Regulators expect OT-specific risk management, not a copy-paste of IT security policies.

Our approach

IEC 62443 as the technical framework

IEC 62443 is the international standard for industrial cybersecurity. It aligns well with NIS2 article 21 requirements and is the framework GCG uses to structure OT security work.

01

Network segmentation

Zones and conduits are defined following IEC 62443-3-2 (partitioning the system into zones and conduits) and the Purdue Reference Model, with the system-level requirements taken from IEC 62443-3-3. Segmentation between Purdue levels 2 and 3.5 uses firewalls and a DMZ between IT and OT, so that lateral movement is contained.
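As an added example (not GCG's own tooling or a customer's real policy), the script below encodes a small zone/conduit model in the Purdue style described above and checks proposed network flows against it. The zone names, their Purdue levels and the conduit allowlist are assumptions made up for the example; the rule it enforces is the one the text describes: nothing passes between the enterprise side (level 4) and the OT side (level 3 and below) except via the level 3.5 DMZ, and every remaining flow must match a named conduit and service.

```python
"""Zone/conduit flow checker in the Purdue style (constructed example)."""
from typing import Dict, List, Set, Tuple

# Purdue level per zone. Zone names and levels are assumptions for this example.
ZONE_LEVEL: Dict[str, float] = {
    "enterprise": 4,
    "it-ot-dmz": 3.5,
    "site-ops": 3,       # MES, site historian, engineering workstations
    "supervisory": 2,    # SCADA servers, HMIs
    "control": 1,        # PLCs
}
DMZ_LEVEL = 3.5

Conduit = Tuple[str, str, str]  # (src_zone, dst_zone, service)

# Explicit allowlist of conduits (constructed). Anything not listed is denied.
CONDUITS: Set[Conduit] = {
    ("enterprise", "it-ot-dmz", "https"),         # ERP reads the replicated historian
    ("site-ops", "it-ot-dmz", "historian-push"),  # site historian pushes to the DMZ replica
    ("enterprise", "it-ot-dmz", "rdp-jump"),      # remote access lands on a jump host
    ("it-ot-dmz", "site-ops", "rdp-jump"),        # jump host onward to engineering workstation
    ("site-ops", "supervisory", "opcua"),
    ("supervisory", "control", "modbus"),
    ("site-ops", "control", "engineering"),       # PLC programming from the engineering ws
}


def crosses_it_ot_boundary(src: str, dst: str, levels: Dict[str, float] = ZONE_LEVEL) -> bool:
    """True when the zones sit on opposite sides of the L3.5 DMZ (one above, one below)."""
    lo, hi = sorted((levels[src], levels[dst]))
    return lo < DMZ_LEVEL < hi


def evaluate_flow(flow: Conduit, conduits: Set[Conduit] = CONDUITS,
                  levels: Dict[str, float] = ZONE_LEVEL) -> str:
    """Return an ALLOW/DENY verdict with a reason for one (src_zone, dst_zone, service)."""
    src, dst, _service = flow
    for zone in (src, dst):
        if zone not in levels:
            return f"DENY {flow}: unknown zone '{zone}'"
    # The boundary rule is checked before the allowlist, so a mistaken conduit
    # entry that straddles the DMZ still cannot authorise a flow.
    if crosses_it_ot_boundary(src, dst, levels):
        return f"DENY {flow}: bypasses the L3.5 DMZ"
    if flow in conduits:
        return f"ALLOW {flow}"
    return f"DENY {flow}: no conduit defined for this service"


def validate_conduits(conduits: Set[Conduit] = CONDUITS,
                      levels: Dict[str, float] = ZONE_LEVEL) -> List[Conduit]:
    """Return conduit entries that themselves straddle the DMZ; a sound table returns []."""
    return sorted(c for c in conduits if crosses_it_ot_boundary(c[0], c[1], levels))


def audit(flows: List[Conduit], conduits: Set[Conduit] = CONDUITS) -> List[str]:
    return [evaluate_flow(f, conduits) for f in flows]


# Constructed flows a change request might propose.
PROPOSED_FLOWS: List[Conduit] = [
    ("enterprise", "it-ot-dmz", "https"),      # allowed: terminates in the DMZ
    ("enterprise", "control", "modbus"),       # denied: direct L4 -> L1
    ("enterprise", "supervisory", "rdp-jump"), # denied: remote access must land on the jump host
    ("supervisory", "control", "ssh"),         # denied: inside OT, but no such conduit
]

if __name__ == "__main__":
    for verdict in audit(PROPOSED_FLOWS):
        print(verdict)
    print("conduits straddling the DMZ:", validate_conduits())
```

Running the script prints one verdict per proposed flow; `validate_conduits()` is the check to run against the allowlist itself whenever it changes, since a single conduit that straddles the DMZ quietly undoes the segmentation.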

02

PLC and SCADA hardening

Firmware updates where possible, role-based user management, removal of unused services, disabling legacy protocols where replaceable, and SCADA access control lists.

03

Secure remote access

Industrial VPN with MFA, NAC, and jump-server architectures. Tosibox, Ewon and Siemens SINEMA RC for machine-level access. Audit logging on every session.

04

OPC UA security

Certificate management, encrypted channels, and role-based access in OPC UA servers. Migration from OPC-DA where technically feasible without disrupting real-time performance.

05

Audit trails and monitoring

Logging of engineering changes, HMI access events and alarm history. Syslog forwarding to SIEM where applicable. NIS2 requires incident handling (Article 21(2)(b)) and reporting on fixed deadlines (Article 23: an early warning within 24 hours of becoming aware of a significant incident, a notification within 72 hours, and a final report within one month), none of which is possible without detection on the OT network. Passive OT monitoring, which observes traffic from a SPAN port or tap without touching the control loop, can provide that detection.
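An added example, not GCG's code or any product's detection logic, tying together the two points made above: the legacy-protocol section notes that Modbus carries no authentication, and this section asks for passive monitoring that can detect incidents. The script builds and decodes Modbus/TCP request frames with only the standard library (which makes visible that the MBAP header plus function code and data is the whole request, with no credential anywhere), then applies one passive-monitoring rule to a constructed capture: a write function code (5, 6, 15, 16) aimed at a PLC from any host other than its approved engineering station raises an alert. All IP addresses, the allowlist and the frames are constructed for the example.

```python
"""Passive detection of Modbus/TCP writes from unexpected hosts (constructed example)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Function codes that change PLC state. Everything else is treated as a read here.
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    src_ip: str
    dst_ip: str
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes  # PDU data after the function code


def encode_request(transaction_id: int, unit_id: int, function_code: int, data: bytes) -> bytes:
    """Build a Modbus/TCP request. Note what is absent: no user, no key, no MAC."""
    # MBAP header: transaction id, protocol id (always 0), length of everything after
    # the length field (unit id + function code + data), then the unit id.
    length = 1 + 1 + len(data)
    return struct.pack(">HHHB", transaction_id, 0, length, unit_id) + bytes([function_code]) + data


def decode_request(src_ip: str, dst_ip: str, frame: bytes) -> ModbusRequest:
    """Parse one request frame; reject anything that is not well-formed Modbus/TCP."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    return ModbusRequest(src_ip, dst_ip, tid, unit, frame[7], frame[8:])


def start_address(req: ModbusRequest) -> int:
    """All four write function codes begin their data with a 16-bit start address."""
    return struct.unpack(">H", req.data[:2])[0]


def find_unauthorised_writes(requests: List[ModbusRequest],
                             allowed_writers: Dict[str, Set[str]]) -> List[str]:
    """One alert line per write that did not come from an approved station for that PLC."""
    alerts = []
    for req in requests:
        name = WRITE_FUNCTION_CODES.get(req.function_code)
        if name is None:
            continue  # read or diagnostic; not alerted on in this example
        if req.src_ip in allowed_writers.get(req.dst_ip, set()):
            continue
        alerts.append(
            f"ALERT unauthorised write: {req.src_ip} -> {req.dst_ip} unit {req.unit_id} "
            f"{name} (FC {req.function_code}) at address {start_address(req)}"
        )
    return alerts


# Constructed topology: PLC 10.20.2.5 may only be written by engineering station 10.20.3.10.
ALLOWED_WRITERS: Dict[str, Set[str]] = {"10.20.2.5": {"10.20.3.10"}}

# Constructed traffic as (src, dst, frame), as a sensor on a SPAN port would see it.
SAMPLE_TRAFFIC: List[Tuple[str, str, bytes]] = [
    # historian polls 10 holding registers from address 0 (FC 3): a read, fine
    ("10.20.3.50", "10.20.2.5", encode_request(1, 1, 3, struct.pack(">HH", 0, 10))),
    # engineering station writes setpoint register 0x0010 := 250 (FC 6): approved
    ("10.20.3.10", "10.20.2.5", encode_request(2, 1, 6, struct.pack(">HH", 0x0010, 250))),
    # enterprise-network host writes the same register := 0 (FC 6): alert
    ("10.10.1.77", "10.20.2.5", encode_request(3, 1, 6, struct.pack(">HH", 0x0010, 0))),
    # enterprise host forces coil 0x0003 ON (FC 5, value 0xFF00): second alert
    ("10.10.1.77", "10.20.2.5", encode_request(4, 1, 5, struct.pack(">HH", 0x0003, 0xFF00))),
]


def run_monitor(traffic=SAMPLE_TRAFFIC, allowed=ALLOWED_WRITERS) -> List[str]:
    requests = [decode_request(src, dst, frame) for src, dst, frame in traffic]
    return find_unauthorised_writes(requests, allowed)


if __name__ == "__main__":
    for line in run_monitor():
        print(line)
```

The PLC itself accepts the third and fourth frames exactly as readily as the second, because nothing in the protocol distinguishes them; the only thing that makes them detectable is the out-of-band knowledge of which hosts are supposed to write, which is why an asset inventory and a conduit allowlist are prerequisites for useful OT monitoring rather than paperwork.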

06

Supply chain security

NIS2 article 21(2)(d) requires managing risks from suppliers and service providers. We review OEM remote-access arrangements and third-party maintenance access points.

Deliverables

From scope to remediation

1
Scope determination
Are you in scope? Which regime, essential or important? Which sites and systems are covered?
2
Gap analysis
Current state vs. NIS2 article 21 requirements, mapped against IEC 62443 Security Levels 1 and 2.
3
Technical implementation
Segmentation, hardening, remote access, OPC UA security, executed by OT engineers, not generalist IT consultants.
4
Documentation & reporting
Risk register, security policy, network diagrams, and the evidence package a regulator or auditor expects.
5
Ongoing review
NIS2 compliance is a continuous obligation, not a one-time project. Annual or biannual reviews keep you current.

Frequently asked questions

Ready to start your NIS2 assessment?

A gap analysis starts with a technical intake. No obligations. We tell you honestly what the gaps are.