Is your organisation working through NIS2 in an OT environment without a clear picture of where you stand? This article breaks down what the key areas actually require – and helps you assess whether your efforts are audit-ready.
How far along are you with NIS2, really? For organisations operating OT environments, implementation is particularly demanding, and the workload pulls in every direction.
The issue is rarely a lack of effort – it is the difficulty of maintaining a coherent overview. You may have a nagging sense that something has slipped through: will the full picture hold up when a regulator comes knocking?
This article gives you a clear view of what NIS2 specifically requires in an OT context, and what it actually means to have got it right. Along the way, we pose five questions to help you assess where you are in the process.
We have structured the various NIS2 requirements and measures into five core areas. This is a deliberate simplification that groups related requirements under a single heading – not to cut corners, but to make it easier to implement systematically.
This is also how we organise the requirements in our OT Workbench at NorthGRC.
If you would prefer more tailored guidance, our consultants can help you with the next steps in your NIS2 implementation.
A water utility and a software company may both fall within the scope of NIS2. But the reality of an OT organisation is fundamentally different – and that means the requirements land very differently too.
In an OT environment – whether you operate water supply, power generation, district heating or process manufacturing – systems are built for stability and operational continuity. Patchability and monitoring come second, and sometimes third.
A SCADA system may have a service life of 20 to 30 years. It was not designed to receive weekly security updates, and it cannot simply be taken offline for an hour of maintenance.
The consequences of a security incident are not limited to data loss either. They can include production downtime, supply failures and, in the worst case, physical harm.
Find out more about OT and NIS2: 5 Reasons NIS2 is harder for OT organisations than everyone else
That is what makes NIS2 complex for OT organisations: the requirements are the same as for everyone else, but the reality is entirely different. Meeting them requires adapting your approach to the specific conditions of an OT environment – not simply applying an IT security model directly.
NIS2 organises its requirements into five interconnected areas: governance, risk assessment, policies and procedures, controls and awareness, and reporting. These areas are interdependent: governance without risk assessment is meaningless, and policies without controls are just paper.
NIS2 should not be treated as a checklist you tick once – it is a structure that needs to be embedded in day-to-day operations.
The good news is that you are already under way: you are not starting from zero. The task now is to establish where you actually stand across all five areas – and whether your efforts form a coherent picture.
NIS2 is a leadership matter. It is not an IT project that can be delegated to your security manager and forgotten in the boardroom. The directive is explicit: boards and senior management bear personal responsibility. In cases of repeated non-compliance, it can go so far as to allow management members to be stripped of their authority.
What does this require in practice?
A dedicated security forum with clearly defined roles and a genuine mandate. Documented management training that builds real understanding of the threat landscape and accountability structure. And a model for how security is reported upward through the organisation – not just downward.
Governance is the foundation for everything that follows. Without it, risk assessments, policies and controls have no anchor in leadership – and therefore no real weight.
Does your board and senior management have documented accountability for OT security – and does a dedicated security forum meet regularly with the mandate to act?
Risk assessment in OT is not the same as in IT – and this is one of the most common misconceptions in NIS2 work. In IT, risk is primarily about the confidentiality and integrity of data.
In OT, it is about availability, safety and the direct impact on physical processes. What happens if your water treatment plant loses control of its pumps, or if the control system goes down? What does a production halt cost per hour, per day, per week?
NIS2 requires you to map your assets – your systems, PLCs, SCADA systems, sites and critical suppliers – and assess the risks associated with each. The focus should be on societal consequences if something goes wrong, and on the likelihood that it will.
And assessing the risk is not enough. You need a risk treatment plan that shows what you are doing about the risks you have identified.
Read more: NIS2 Article 21: What does the risk assessment require – and what does it mean for OT?
It is difficult to prioritise what you have not mapped. Many OT organisations have conducted risk assessments based on physical threats – but cyber threats are rarely included.
That link between physical and cyber risk is precisely what regulators will be looking for.
Have you mapped your OT assets and suppliers, and do you have a risk treatment plan that shows what you are doing about the findings?
NIS2 sets two requirements on the policy front: one overarching OT information security policy that frames the entire effort, and 13 topic-specific policies covering everything from incident handling and backup to access control, cryptography and supplier management.
These are supplemented by procedures for the full lifecycle of systems – from procurement through to decommissioning.
This is not an unmanageable task – but it takes more than good intentions. A policy only functions when it has an owner, has been approved by management, and is actively followed and regularly reviewed.
If your backup policy was last updated three years ago, it is not a control. At worst, it is actually a vulnerability – because it creates a false sense of security around the idea that "we have a policy for that".
Policies are an organisation's commitment to good security – to itself and to the authorities that oversee it. That commitment needs to be one that can actually be kept.
Do your policies have an owner, an approval date and a review cycle – or are they documents no one can quite remember where to find?
There is an important difference between having documented controls and having implemented controls – and that is precisely the distinction NIS2 addresses. An access control policy that has not been rolled out is not a control. A segmentation design that has never been implemented is not a security measure.
NIS2 requires you to demonstrate that your controls actually work in practice.
Awareness is a standalone requirement and deserves to be treated as such. Employees and managers who have never received OT security training are a risk, not an asset.
They need to understand the specific threats facing industrial systems, recognise social engineering, and know the incident procedures that are particular to OT environments. That applies to both the people at the SCADA screen and the managers who carry overall system responsibility.
Read more: Why 95% training completion is not the same as 95% security
This is where the paperwork either becomes real security – or is exposed as nothing more than paper.
Can you demonstrate that your controls are implemented and working – and when did your employees last receive OT-specific security training?
The fifth area ties the previous four together: how well equipped are you to document, communicate, and act on your security posture?
This involves two things:
Internally: management must receive ongoing, meaningful reporting on security status. Biannual status meetings with impenetrable technical slides will not cut it. Reporting needs to give a clear picture of risks, progress and open items.
Externally: you need a functioning notification chain in case something goes wrong. NIS2 requires an initial notification to the relevant authority within 24 hours, a more detailed report within 72 hours, and a final report no later than one month after the incident.
That may sound manageable – but many organisations discover too late that they lack clear roles, documented procedures and the right contact points. If that only becomes apparent in the moment when speed matters most, the consequences for the organisation can be severe.
Reporting can feel like unnecessary bureaucracy – but it is what makes governance meaningful, and it is exactly what regulators will examine in practice.
If an incident occurs tomorrow, does everyone know who decides whether it is significant – and who notifies the authorities within 24 hours?
NIS2 does not require a perfect security posture across every area in order to be compliant. It requires that you have approached your risks systematically and can demonstrate that your efforts are proportionate to the threat landscape you actually face.
What matters is not having done everything – it is knowing where you stand and having a plan for what remains. And you do not have to get there alone.
NorthGRC's OT Workbench is built to break NIS2 requirements into structured, clearly defined tasks and to track your progress and gaps. In doing so, the platform creates precisely the kind of overview that is otherwise so difficult to achieve.
Our OT Workbench has been developed specifically for OT organisations working with NIS2. It organises the five requirement areas into a unified annual cycle, gives you a clear view of your implementation status, and makes it straightforward to document, prioritise and follow up – without losing track along the way.
The OT Workbench also provides visibility across your supply chain, supports you with risk assessments, and guides you toward action and reporting in the event of a security breach.
If you need support with a gap analysis or ongoing GRC assistance, our consultants can take you from where you are today to where you need to be. We advise, help you get started, and carry out GRC work on your behalf – when that makes more sense than building the capacity in-house.
Ready to see what OT Workbench can do for your NIS2 implementation? Watch a full walkthrough of the workbench or read more here.