What NIS2 Is and Why It Matters for OT

The Network and Information Security Directive 2 (NIS2, formally Directive (EU) 2022/2555) is the European Union's updated, mandatory cybersecurity framework for critical infrastructure and essential service providers. It entered into force on 16 January 2023; member states were required to transpose it into national law by 17 October 2024, and its rules apply from 18 October 2024, replacing the original NIS Directive (NIS1, Directive (EU) 2016/1148). Several member states missed the transposition deadline, so the date on which obligations actually became enforceable varies by country. NIS2 is not a voluntary standard: it is binding EU law implemented through national legislation in all 27 member states, and national competent authorities are empowered to impose significant financial penalties and, for persistent non-compliance by essential entities, to hold management bodies liable and temporarily bar individuals from managerial functions.

For OT security practitioners, NIS2 matters because it is the first EU-wide regulatory instrument whose obligations clearly reach operational technology, industrial control systems and other cyber-physical environments at scale. The directive does not use the terms "OT" or "SCADA", but its definition of a "network and information system" (Article 6) covers any device or group of interconnected devices that performs automatic processing of digital data, which takes in PLCs, HMIs, SCADA servers and the networks that connect them. NIS1 was, in practice, implemented largely as an IT network security regime; NIS2 extends risk management, incident reporting and supply chain obligations to the physical systems that run critical infrastructure.

Scope: 18 Sectors and 160,000+ Entities

NIS2 dramatically expanded the scope of the original directive. NIS1 covered 7 sectors; NIS2 covers 18, split across two annexes. The annex an entity's sector falls under, combined with the entity's size, determines whether it is classified as an "essential" or an "important" entity, and that classification in turn determines the supervision regime and the penalty ceiling:

Sectors of High Criticality (Annex I): Energy (electricity, district heating and cooling, oil, gas, hydrogen), Transport (air, rail, water, road), Banking, Financial market infrastructure, Health (hospitals, laboratories, pharma), Drinking water, Wastewater, Digital infrastructure (DNS, TLD registries, cloud, data centres, CDNs, trust services, electronic communications), ICT service management (B2B managed service providers and managed security service providers), Public administration, and Space. Large entities in these sectors are generally essential entities, subject to proactive supervision.

Other Critical Sectors (Annex II): Postal and courier services, Waste management, Chemicals, Food, Manufacturing (medical devices, computer/electronic/optical products, electrical equipment, machinery, motor vehicles and other transport equipment), Digital providers (online marketplaces, search engines, social networking platforms), and Research organizations. Entities in these sectors, and medium-sized entities in Annex I sectors, are generally important entities, subject to reactive supervision.

The size threshold is deliberately broad: entities that exceed the EU definition of a small enterprise (at least 50 employees, or annual turnover and balance-sheet total above €10 million) and operate in a covered sector are presumptively in scope. Smaller entities are still captured in defined cases (Article 2(2)), for example where they are the sole provider in a member state of a service essential to societal or economic activity, or where they provide DNS, TLD registry, trust or public electronic communications services, which are in scope regardless of size. Widely cited estimates put the number of entities in scope at 160,000 or more across the EU, against roughly 10,000 under NIS1. Non-EU companies are reached in two ways: certain digital entities that offer services in the EU without being established there must designate an EU representative (Article 26), and every other non-EU supplier to a covered entity is pulled in indirectly through its customer's supply chain obligations.

What Changed from NIS1

NIS2 is not an incremental update to NIS1 — it is a substantive expansion in scope, technical requirements, and enforcement rigor. The key changes relevant to OT environments are:

Supply chain security is now an explicit, mandatory requirement. Article 21(2)(d) requires covered entities to address the security-related aspects of their relationships with direct suppliers and service providers, taking into account each supplier's vulnerabilities and its overall product quality and security practices. For OT this means OT vendor remote access, the integrity of industrial software and firmware updates, and the provenance of hardware components. The provision reflects lessons from supply chain compromises such as SolarWinds, although the directive itself does not name specific incidents.

Incident reporting timelines are significantly shorter. Article 23 requires an early warning to the CSIRT or competent authority within 24 hours of becoming aware of a significant incident, an incident notification with an initial assessment of severity and impact within 72 hours, intermediate status updates on request, and a final report within one month of the incident notification (or a progress report if the incident is still ongoing). For OT environments, where investigation is complex and attribution is slow, the 24-hour clock means the early warning is issued on whatever is known at the time; meeting it requires pre-existing incident response procedures and a documented reporting decision path, not improvised response.

Management accountability is explicitly addressed. Article 20 requires the management bodies of covered entities to approve cybersecurity risk management measures, oversee their implementation and undergo cybersecurity training themselves, and it makes them liable for infringements of those obligations. For essential entities, Article 32 additionally allows authorities to temporarily prohibit a natural person at CEO or legal representative level from exercising managerial functions in cases of persistent non-compliance. Neither provision has an equivalent in NIS1.

OT-Specific Requirements Under NIS2

Article 21(2) defines the minimum cybersecurity risk management measures that covered entities must implement, following an all-hazards approach: policies on risk analysis and information system security; incident handling; business continuity (backup management, disaster recovery) and crisis management; supply chain security; security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure; policies and procedures to assess the effectiveness of the measures; basic cyber hygiene practices and cybersecurity training; policies on the use of cryptography and, where appropriate, encryption; human resources security, access control policies and asset management; and the use of multi-factor or continuous authentication and secured communications. The directive does not name network segmentation as such; in an OT environment, segmenting OT from IT (and zones within OT) is the practical way to meet the network security and access control objectives, and the supply chain and access control items together cover OT vendor remote access.

These requirements do not prescribe specific technical controls: NIS2 is a framework directive that sets objectives, with national authorities, sector-specific bodies and Commission implementing acts filling in the detail. Commission Implementing Regulation (EU) 2024/2690 lays down concrete technical measures, but only for digital infrastructure and digital provider entities (DNS, cloud, data centres, CDNs, managed service providers, online marketplaces and similar), not for OT operators in energy, transport or manufacturing. For those, ENISA's ICS/SCADA security publications and national guidance reference IEC 62443 alongside ISO/IEC 27001 and NIST CSF. Organizations that implement IEC 62443 zone-and-conduit segmentation and the IEC 62443-3-3 system requirements at appropriate Security Levels can map those controls directly onto the Article 21 objectives, which is the most common way to evidence compliance for OT.

Penalties and Enforcement

NIS2 penalties are substantial and graduated by entity classification, not directly by annex. For essential entities, maximum administrative fines are €10 million or 2% of total worldwide annual turnover in the preceding financial year, whichever is higher (Article 34). For important entities, the maximum is €7 million or 1.4% of worldwide annual turnover, whichever is higher. Member states may set higher maxima in their national transposition, and fines sit alongside non-monetary measures such as binding instructions, orders to implement audit recommendations and orders to make aspects of the infringement public.

The enforcement model is also differentiated. Essential entities are subject to ex ante (proactive) supervision: competent authorities can carry out on-site inspections, regular and targeted audits and security scans without waiting for an incident. Important entities are subject to ex post (reactive) supervision, meaning supervisory action follows evidence, indication or information that the entity is not compliant, typically a reported incident or a complaint. Large operators in energy, transport and health are essential entities by construction, so they should expect proactive supervision whether or not they have ever reported an incident.

Non-EU Companies and Extraterritorial Scope

A significant and frequently overlooked aspect of NIS2 is its reach beyond the EU, which works through two distinct mechanisms. First, Article 26 places DNS providers, TLD registries, cloud, data centre and CDN providers, managed (security) service providers, online marketplaces, search engines and social networking platforms that offer services in the EU under the directive even when they have no EU establishment, and requires them to designate a representative in a member state in which they offer services; this is analogous to the representative mechanism in GDPR. Second, a North American OT vendor providing remote support, or an industrial software provider whose platform runs EU energy or manufacturing operations, is not directly regulated by NIS2 but will be held to its requirements contractually, because its EU customers must manage supplier security under Article 21(2)(d). Any global organization with EU critical infrastructure exposure should establish which of these two positions it is in.