This page provides general information only and does not constitute legal advice. Consult qualified legal counsel for classification and compliance obligations applicable to your organisation.
NIS2 compliance for industrial OT: IEC 62443 gap analysis and remediation
NIS2 imposes cybersecurity obligations on organisations with operational technology. PLCs, SCADA systems and industrial networks are explicitly in scope. We help you understand what is required, and implement it technically.
Or call directly: +31 299 705 078 · No sales pitch
Your sector and NIS2
Each industrial sector has its own OT landscape, legacy systems and risk profile. We work across the following sectors:
Deep dives by domain
NIS2 compliance for OT spans multiple technical domains. Each has its own standards, risks, and implementation path.
The international framework for securing industrial automation and control systems. Security Levels, zones, conduits.
IACS Unified Requirements E26 and E27 apply NIS2-aligned cybersecurity to ship systems and offshore installations.
Critical infrastructure under Annex II. Batch control, dosing systems, HACCP-integrated SCADA in scope.
Discrete and process manufacturing under Annex II. PLC-level hardening, MES/ERP segmentation, remote maintenance access.
What is NIS2?
NIS2 (EU Directive 2022/2555) is the successor to the original NIS Directive from 2016. It entered into force on 16 January 2023. Member states were required to transpose it into national law by 17 October 2024. In the Netherlands this became the Cyberbeveiligingswet (Cbw).
The directive significantly expands the scope of its predecessor: more sectors, lower thresholds, and stricter requirements for risk management, supply chain security and incident reporting.
Article 21 explicitly requires covered entities to secure "network and information systems, including production technology". This means your OT floor is in scope, not just the office network.
Who does NIS2 apply to?
- Energy (electricity, oil, gas, district heating)
- Transport (air, rail, water, road)
- Banking and financial market infrastructure
- Healthcare
- Drinking water and wastewater
- Digital infrastructure (DNS, IXPs, cloud)
- ICT service management (B2B)
- Public administration
- Space
- Postal and courier services
- Waste management
- Chemical manufacturing and distribution
- Food production, processing and distribution
- Manufacturing (medical devices, electronics, machinery, vehicles)
- Digital providers (online marketplaces, search, social media)
- Research organisations
Why OT is not the same as IT
Long lifecycles
OT equipment runs for 20–30 years. Patching is not always possible. Firmware updates can void warranties, and process downtime is not an IT-style maintenance window.
Real-time constraints
PLCs operate on deterministic scan cycles of 1–10 ms. Security controls that add latency or unpredictability can directly disrupt process control.
Legacy protocols
Modbus, Profibus, OPC-DA: designed for reliability, not security. No authentication, no encryption. These systems were built assuming physical isolation.
The air gap is gone
Remote diagnostics, MES/ERP connectivity, cloud historians: every integration is a potential entry point. Most OT networks are no longer isolated in practice.
Physical consequences
A compromised PLC can cause equipment damage, production loss, environmental incidents, or personal injury. The blast radius is not just data: it is the plant.
Article 21 explicitly covers OT
NIS2 requires protection of "production technology", not just office IT. Regulators expect OT-specific risk management, not a copy-paste of IT security policies.
IEC 62443 as the technical framework
IEC 62443 is the international standard for industrial cybersecurity. It aligns well with NIS2 article 21 requirements and is the framework GCG uses to structure OT security work.
Network segmentation
Zones and conduits following IEC 62443-3-3 and the Purdue Reference Model: segmentation between levels 2 and 3.5 with firewalls and a DMZ between IT and OT, so that lateral movement stays contained within a zone.
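As an added illustration of how a zone-and-conduit design can be checked before it is rolled out (example code written for this page, not GCG's own tooling), the script below models each firewall rule as a conduit between two Purdue zones and flags two design faults: a conduit that spans both sides of the L3.5 DMZ, and an unauthenticated industrial protocol reachable from the DMZ or enterprise side. The zone names, the level numbers and the list of ports are assumptions chosen for the example; the sample rule set is constructed.

```python
"""Constructed conduit-policy check for an IT/OT segmentation design.

Every firewall rule is treated as a conduit between two Purdue zones.
check_conduit() returns the findings for one rule; audit() runs the
whole rule set. Zone names, level numbers and ports are assumptions
made for this example, not values from any particular standard text.
"""
from dataclasses import dataclass

# Purdue levels as numbers so that the position of a zone relative to the
# L3.5 DMZ can be compared arithmetically.
ZONE_LEVEL = {
    "process": 1.0,      # L0/L1: field devices and PLCs
    "supervisory": 2.0,  # L2: HMI / SCADA servers
    "site_ops": 3.0,     # L3: historians, engineering, MES edge
    "dmz": 3.5,          # L3.5: IT/OT DMZ
    "enterprise": 4.0,   # L4/L5: ERP, office network
}

# TCP ports of industrial protocols that carry no authentication.
# Assumption: four common ones; the page itself names Modbus and OPC-DA.
INSECURE_OT_PORTS = {
    502: "Modbus/TCP",
    102: "S7comm",
    44818: "EtherNet/IP",
    135: "OPC-DA (DCOM endpoint mapper)",
}


@dataclass(frozen=True)
class Conduit:
    src: str
    dst: str
    port: int          # 0 means "any port" in this constructed model


def check_conduit(c: Conduit) -> list[str]:
    """Return findings for one conduit (empty list = acceptable)."""
    findings = []
    lo = min(ZONE_LEVEL[c.src], ZONE_LEVEL[c.dst])
    hi = max(ZONE_LEVEL[c.src], ZONE_LEVEL[c.dst])
    label = f"{c.src}->{c.dst}:{c.port or 'any'}"

    # Finding 1: traffic between enterprise (>= 4) and OT (<= 3) must
    # terminate in the DMZ. A conduit whose endpoints sit on both sides
    # of 3.5 is a DMZ bypass.
    if lo < 3.5 < hi:
        findings.append(f"{label} bypasses the L3.5 DMZ")

    # Finding 2: unauthenticated industrial protocols stay below L3.
    # Any conduit for such a port that touches the DMZ or enterprise is flagged.
    if c.port in INSECURE_OT_PORTS and hi >= 3.5:
        findings.append(
            f"{label} exposes {INSECURE_OT_PORTS[c.port]} to {'dmz' if hi == 3.5 else 'enterprise'}"
        )

    # Finding 3: "any port" rules across a zone boundary defeat the point
    # of a conduit, which is an enumerated, justified set of flows.
    if c.port == 0 and lo != hi:
        findings.append(f"{label} is an any-port rule across a zone boundary")
    return findings


def audit(conduits: list[Conduit]) -> dict[str, list[str]]:
    """Map 'src->dst:port' to its findings, listing only conduits with findings."""
    result = {}
    for c in conduits:
        f = check_conduit(c)
        if f:
            result[f"{c.src}->{c.dst}:{c.port or 'any'}"] = f
    return result


# Constructed sample rule set for a small plant.
SAMPLE_RULES = [
    Conduit("enterprise", "dmz", 443),        # ERP reads from DMZ data broker: fine
    Conduit("dmz", "site_ops", 1433),         # historian replication into DMZ: fine
    Conduit("enterprise", "site_ops", 3389),  # RDP straight from office to L3: DMZ bypass
    Conduit("enterprise", "supervisory", 502),  # Modbus from office: bypass + exposure
    Conduit("dmz", "supervisory", 502),       # Modbus gateway in DMZ: exposure
    Conduit("site_ops", "process", 0),        # any-port L3 -> L1 rule: over-broad
]

if __name__ == "__main__":
    for conduit, findings in audit(SAMPLE_RULES).items():
        print(conduit)
        for f in findings:
            print("   -", f)
```

The check is deliberately a design-time review of intended rules rather than a parser for any vendor's firewall configuration; feeding it an exported rule base requires a translation step into the Conduit model first.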
PLC and SCADA hardening
Firmware updates where possible, role-based user management, removal of unused services, disabling legacy protocols where replaceable, and SCADA access control lists.
Secure remote access
Industrial VPN with MFA, NAC, and jump-server architectures. Tosibox, Ewon and Siemens SINEMA RC for machine-level access. Audit logging on every session.
OPC UA security
Certificate management, encrypted channels, and role-based access in OPC UA servers. Migration from OPC-DA where technically feasible without disrupting real-time performance.
Audit trails and monitoring
Logging of engineering changes, HMI access events and alarm history. Syslog forwarding to SIEM where applicable. NIS2 requires incident detection. Passive OT monitoring can help.
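To show what "incident detection" over OT audit trails can look like in practice, the script below is an added example (not part of this page's services or any vendor's product): it parses constructed syslog-style lines from an engineering workstation and two HMIs, then raises alerts for a PLC program download by a user outside an approved list or outside the agreed change window, and for a burst of failed HMI logins from one source. The log format, the host names, the approved-engineer list and the thresholds are all assumptions made for the example.

```python
"""Constructed example: turn OT audit-trail syslog into alerts.

The key=value line format, host names and policy constants below are
assumptions for this example; real HMI/SCADA products log differently.
"""
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log: one engineering workstation (ews01) and two HMIs.
SAMPLE_LOG = """\
2024-11-12T02:14:05 ews01 engtool: event=plc_download target=plc-line3 user=contractor7 result=ok
2024-11-12T09:30:11 ews01 engtool: event=plc_download target=plc-line1 user=eng.vos result=ok
2024-11-12T10:02:40 hmi02 hmi: event=login user=operator3 src=10.20.2.15 result=fail
2024-11-12T10:02:48 hmi02 hmi: event=login user=operator3 src=10.20.2.15 result=fail
2024-11-12T10:02:55 hmi02 hmi: event=login user=admin src=10.20.2.15 result=fail
2024-11-12T10:03:01 hmi02 hmi: event=login user=admin src=10.20.2.15 result=fail
2024-11-12T14:10:00 hmi01 hmi: event=alarm_ack user=operator1 tag=TT-301 result=ok
"""

# Policy (assumptions): who may download to PLCs, when, and what counts
# as a login-failure burst.
APPROVED_ENGINEERS = {"eng.vos", "eng.bakker"}
CHANGE_WINDOW = (time(8, 0), time(17, 0))  # daytime change window
FAILED_LOGIN_THRESHOLD = 3
WINDOW_SECONDS = 60

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<app>\S+): (?P<kv>.*)$")


def parse_line(line: str):
    """Parse one 'timestamp host app: k=v k=v' line into a dict, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "app": m["app"]}
    ev.update(pair.split("=", 1) for pair in m["kv"].split() if "=" in pair)
    return ev


def detect(events: list) -> list:
    """Run both detections over events in arrival order; return alert dicts."""
    alerts = []
    fails = defaultdict(list)  # (host, src) -> timestamps of recent failed logins
    for ev in events:
        kind = ev.get("event")
        if kind == "plc_download":
            reasons = []
            if ev.get("user") not in APPROVED_ENGINEERS:
                reasons.append(f"user {ev.get('user')} is not an approved engineer")
            if not (CHANGE_WINDOW[0] <= ev["ts"].time() <= CHANGE_WINDOW[1]):
                reasons.append("outside the agreed change window")
            if reasons:
                alerts.append({
                    "kind": "engineering_change",
                    "ts": ev["ts"],
                    "detail": f"{ev.get('user')} downloaded to {ev.get('target')}: "
                              + "; ".join(reasons),
                })
        elif kind == "login" and ev.get("result") == "fail":
            key = (ev["host"], ev.get("src"))
            recent = fails[key]
            recent.append(ev["ts"])
            # Keep only failures inside the sliding window.
            recent[:] = [t for t in recent
                         if (ev["ts"] - t).total_seconds() <= WINDOW_SECONDS]
            # Alert exactly once per burst, when the threshold is first reached.
            if len(recent) == FAILED_LOGIN_THRESHOLD:
                alerts.append({
                    "kind": "hmi_auth_failure_burst",
                    "ts": ev["ts"],
                    "count": len(recent),
                    "detail": f"{len(recent)} failed logins on {ev['host']} "
                              f"from {ev.get('src')} within {WINDOW_SECONDS}s",
                })
    return alerts


def run(log_text: str) -> list:
    """Parse a whole log and return the alerts it produces."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return detect(events)


if __name__ == "__main__":
    for a in run(SAMPLE_LOG):
        print(a["ts"].isoformat(), a["kind"], "-", a["detail"])
```

The approved-user and change-window rules encode the engineering change control the page mentions; the same structure extends to HMI access events and alarm history by adding event kinds. In a SIEM the two rules would normally be expressed as correlation searches over the forwarded syslog rather than as Python, but the logic is the same.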
Supply chain security
NIS2 article 21(2)(d) requires managing risks from suppliers and service providers. We review OEM remote-access arrangements and third-party maintenance access points.
From scope to remediation
Frequently asked questions
Ready to start your NIS2 assessment?
A gap analysis starts with a technical intake. No obligations. We tell you honestly what the gaps are.