The NIS2 Directive came into force in EU member states in October 2024, replacing the original NIS1 framework with significantly broader scope, stricter obligations, and — for the first time — management liability provisions that make company boards and executives personally accountable for cybersecurity compliance failures. In 2026, the first enforcement actions are materialising. Industrial operators across energy, water, manufacturing, and transport sectors are receiving formal assessments and, in some cases, orders requiring remediation or fines.

This analysis covers what changed under NIS2, what the practical obligations are for OT teams, and which gaps most commonly appear in the current enforcement cycle.

What Changed Under NIS2

Expanded scope. NIS1 applied to a narrow set of “operators of essential services” and “digital service providers.” NIS2 introduces a two-tier system — Essential Entities and Important Entities — and extends mandatory coverage to mid-sized organisations (50+ employees or €10M+ annual revenue) in critical sectors. Many manufacturing firms, logistics operators, and building automation service providers that were outside NIS1 scope are now in scope.

OT explicitly in scope. NIS2 Article 21 requirements explicitly apply to OT environments. This is a meaningful change from NIS1, where many regulators accepted interpretations that limited obligations to IT systems. Under NIS2, an energy utility’s SCADA network, a water authority’s PLC infrastructure, and a manufacturer’s industrial control network are subject to the same security obligation framework as their enterprise IT environments.

Supply chain security requirements. Article 21(2)(d) requires covered entities to address cybersecurity risks in their supply chains, including the security of relationships with direct suppliers and service providers. For OT environments, this translates to: vendor access controls (remote access management for ICS vendors and integrators), security requirements in procurement contracts for industrial equipment and software, and assessment of the security posture of major OT vendors and their update delivery processes.

Incident reporting timelines. The NIS2 incident reporting regime requires:

  • An initial notification within 24 hours of becoming aware of a significant incident
  • A more detailed incident report within 72 hours
  • A final report within one month

These timelines apply to “significant incidents” — broadly defined to include incidents that cause or are capable of causing operational disruption or significant economic damage. For OT environments, an attack on an industrial control system that affects production or process operation would typically meet the threshold.

Management liability. NIS2 Article 20 requires management bodies to approve cybersecurity risk management measures and take responsibility for compliance. In the event of a serious breach, regulators can hold management bodies — including the CEO and board — personally liable and prohibit individuals from management roles. This provision has no equivalent in NIS1 and changes the governance dynamic around OT security investment decisions.

Common Gaps in the Current Enforcement Cycle

Based on assessments being conducted under the first wave of NIS2 enforcement, several gap categories are repeatedly identified in OT-heavy organisations:

Asset inventory. Regulators assess whether organisations can demonstrate they know what OT assets they have, where they are, what software versions they run, and what their network connectivity is. Many industrial operators lack comprehensive, current OT asset inventories. Passive network monitoring tools (Claroty, Dragos, Nozomi) generate inventories automatically and are becoming de facto compliance evidence.

Network segmentation between IT and OT. NIS2 Article 21(2)(h) covers network security. Regulators are checking whether a clear, enforced separation exists between enterprise IT and OT networks — including whether remote access paths cross between them, whether shared IT/OT jump hosts exist, and whether OT devices are routable from corporate subnets.

Patch management documentation. Organisations need to demonstrate they have a documented process for tracking OT vulnerabilities, assessing their applicability, and managing patching with defined timescales. The absence of a formal process is a compliance finding even when no high-severity unpatched vulnerability is present.

Remote access controls. Third-party and internal remote access to OT environments is a common audit focus. Requirements include multi-factor authentication, session logging, time-limited access grants, and monitoring of remote sessions.

Incident response documentation. Many OT teams have informal incident response procedures. NIS2 requires documented, tested incident response plans that cover OT environments specifically — including escalation paths, communication procedures, and post-incident reporting obligations.

Practical Steps for OT Teams

  1. Confirm scope applicability with your legal/compliance function — which of your OT sites, subsidiaries, or operations fall under NIS2 as Essential or Important Entities in your member state.

  2. Conduct a gap assessment against Article 21 — the ten-point list of required security measures is a useful checklist for OT environments.

  3. Establish or formalise an OT asset inventory — automated discovery is the most practical path for large OT environments.

  4. Document your network architecture with explicit IT/OT boundary definitions and perimeter control descriptions.

  5. Stand up or update incident reporting procedures that account for the 24/72-hour timescales and identify the responsible contacts for notifications to the national CSIRT and competent authority.

References

Tags
NIS2NIS-DirectiveOT-complianceEU-regulationincident-reportingsupply-chaincritical-infrastructureenergywatermanufacturing