5 reasons NIS2 is harder for OT organisations than for everyone else
NIS2 places unique demands on OT organisations. We break down the 5 biggest NIS2 OT compliance challenges – and what you can actually do about them.
The relationship between NIS2 and OT can feel like trying to fit a square peg into a round hole. The root of the problem is that NIS2 was designed with IT environments in mind – and OT is a fundamentally different world. In IT, information security calls the shots. In OT, there is one non-negotiable priority: keeping operations running.
OT systems are built for one purpose: uninterrupted operation. When NIS2 now demands documented risk management, rapid incident reporting, and board-level accountability, it creates tensions that the IT world has never faced in the same way.
With the right structures and procedures in place, a successful implementation is entirely achievable – once you understand the challenges.
In this article, we walk through the five biggest NIS2 challenges for OT organisations: what they mean in practice, and what you can do about them.
1. Without asset documentation, there is no real risk assessment
NIS2 requires a risk assessment covering all systems and data flows. That sounds manageable – until you ask the critical question: Have you actually documented what is running on your OT network?
For many organisations, the honest answer is no. PLCs installed fifteen years ago, HMI systems that were never centrally registered, communication protocols nobody has documented since the plant was commissioned. That is not negligence – it is the legacy of decades in which operational stability always took precedence over documentation.
Under NIS2, the consequences are clear: you cannot assess the risk of systems you have not documented, you cannot monitor traffic from devices you do not know exist, and you cannot demonstrate compliance for assets you have never registered.
Cybersecurity firm Dragos, which focuses exclusively on the OT sector, documented in its OT Cybersecurity Year in Review (2023) that 80% of its customers lacked adequate visibility across their OT network – significantly hampering both incident detection and effective response.
What can you do?
- Establish a structured asset inventory for your OT environment using passive network monitoring, which only listens to traffic that is already on the wire and therefore does not risk disrupting fragile OT devices and protocols the way active scanning can.
- Supplement passive monitoring with a manual walkdown of the facility. Draw on any existing technical documentation, drawings, and service logs.
- Prioritise critical systems and processes first. A complete asset inventory is not required from day one, but getting started is essential – because everything else in NIS2 compliance depends on knowing what you have.
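The first two steps above (passive observation plus a walkdown list) can be reconciled automatically. The following is an added example, not code from the original article or from NorthGRC: it derives an inventory from constructed flow records as a passive sensor would see them and compares it with a constructed walkdown list. The port-to-protocol table, the addresses and the device names are all assumptions.

```python
# Added example (not from the original article): derive an OT asset inventory from
# passively observed traffic and reconcile it against the walkdown list (all constructed).
from dataclasses import dataclass, field

# Assumed mapping of well-known TCP ports to industrial protocols (small subset).
OT_PORTS = {502: "Modbus/TCP", 102: "S7comm", 20000: "DNP3", 44818: "EtherNet/IP"}

# Constructed flow records as a passive sensor on a SPAN/mirror port would see
# them: (src_ip, dst_ip, dst_port). Nothing here sends a packet to any device.
FLOWS = [
    ("10.10.1.5", "10.10.2.20", 502),
    ("10.10.1.5", "10.10.2.21", 502),
    ("10.10.1.6", "10.10.2.30", 102),
    ("10.10.9.77", "10.10.2.20", 502),    # talks Modbus to a PLC, appears on no list
    ("10.10.1.5", "10.10.2.40", 44818),   # PLC nobody registered
]

# Constructed walkdown inventory: what the engineers believe is on the network.
WALKDOWN = {
    "10.10.1.5": "HMI line 1", "10.10.1.6": "HMI press",
    "10.10.2.20": "PLC line 1", "10.10.2.21": "PLC line 2", "10.10.2.30": "S7 PLC press",
    "10.10.2.50": "PLC line 3 (per 2009 drawing)",   # never seen on the wire
}

@dataclass
class Asset:
    ip: str
    roles: set = field(default_factory=set)       # "client" and/or "server"
    protocols: set = field(default_factory=set)
    peers: set = field(default_factory=set)

def build_inventory(flows):
    """Map each observed address to its roles, protocols and peers."""
    assets = {}
    for src, dst, port in flows:
        proto = OT_PORTS.get(port, f"tcp/{port}")
        for ip, role in ((src, "client"), (dst, "server")):
            asset = assets.setdefault(ip, Asset(ip))
            asset.roles.add(role)
            asset.protocols.add(proto)
        assets[src].peers.add(dst)
        assets[dst].peers.add(src)
    return assets

def reconcile(assets, walkdown):
    """Return (undocumented, silent): seen-but-undocumented addresses, and documented
    addresses that never appeared in traffic (retired, isolated, or wrongly recorded)."""
    undocumented = sorted(ip for ip in assets if ip not in walkdown)
    silent = sorted(ip for ip in walkdown if ip not in assets)
    return undocumented, silent
```

Both result lists are worth following up on site: undocumented addresses need registering and risk-assessing, while silent ones tell you where the paper inventory is stale.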
2. NIS2 requires security measures that can halt production in OT environments
Operational stability is the cornerstone of OT, and availability and functional safety take precedence over everything else. That means the standard security tools from the IT world – patching, configuration changes, and multi-factor authentication – are either technically impossible or come with production stoppages that can cost hundreds of thousands of dollars per hour.
In OT environments with safety-critical functions, an incorrect configuration change can also pose a genuine physical risk. NIS2 does not account for that reality, yet it still demands appropriate security measures. That requires an OT-specific approach.
What can you do?
- Use compensating controls when direct patching is not possible. Isolate vulnerable systems through network segmentation, restrict access to them, and increase traffic monitoring to and from them. This is a recognised approach in standards such as IEC 62443 and NIST SP 800-82.
- Map your existing maintenance windows and planned production shutdowns. Schedule security updates during the periods when the cost of downtime is lowest.
- Avoid transplanting IT security practices directly into your production environment. Security in OT is about risk-based decisions shaped by operational reality.
3. The vendor with remote access is also a security risk
OT organisations depend on a complex web of vendors: OEM manufacturers, system integrators, service engineers with remote access to critical plant, and software suppliers whose update cycles are measured in years, not months. NIS2 requires you to manage the security risks across all of them.
The problem is that you rarely have a free choice.
Many OT systems require highly specialised vendors, with only one or two qualified providers in the entire market. That limits your negotiating position and makes it harder to impose security requirements without risking the relationship.
Remote access is one of the most underestimated attack vectors in OT environments. Many organisations have granted a double-digit number of vendors access to critical systems – often through solutions that have never been reviewed from a security standpoint.
The Kaseya attack in 2021 illustrated precisely what supply chain vulnerabilities can mean in practice: a single compromised vendor hit up to 1,500 organisations globally in one go, including 14 in the UK. In OT environments, the potential for physical consequences is far greater than in a purely IT-based scenario.
What can you do?
- Map your critical vendors and rank them by the access and influence they have over your OT environment. NIS2 does not require all vendors to be treated equally – it requires you to work on a risk basis.
- Introduce contractual security requirements for critical vendors. Where vendor dependency is strong, the question is less about switching suppliers and more about documenting the risk and compensating for it technically.
- Keep remote access under tight control: logging, time-limited sessions, and MFA as a minimum.
- Have a plan for what you will do if a critical vendor is compromised – including whether you could realistically switch suppliers or whether you need an emergency procedure ready instead.
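The remote-access controls listed above (logging, time-limited sessions, MFA, and only mapped vendors reaching only the systems they are approved for) can be checked against the access gateway's logs. This is an added example, not code from the original article or from NorthGRC; the log format, the approval table, the vendor names and the four-hour session limit are constructed assumptions.

```python
# Added example (not from the original article): audit vendor remote-access session
# records against the minimum controls the article names (logging, time-limited
# sessions, MFA). Log lines, approvals and policy limits below are all constructed.
from datetime import datetime, timedelta

MAX_SESSION = timedelta(hours=4)   # assumed policy: a session may not run longer than 4h

# Constructed approvals from the vendor mapping exercise: which vendor may reach
# which OT system, and the time-limited window granted for that work.
APPROVALS = {
    ("oem-a", "PLC-line1"): (datetime(2024, 3, 1, 8, 0), datetime(2024, 3, 1, 16, 0)),
    ("integrator-b", "HMI-2"): (datetime(2024, 3, 1, 8, 0), datetime(2024, 3, 1, 12, 0)),
}

# Constructed session records from the remote-access gateway (key=value format).
LOG = """\
ts=2024-03-01T08:05:00 vendor=oem-a user=eng1 target=PLC-line1 mfa=yes end=2024-03-01T10:30:00
ts=2024-03-01T09:00:00 vendor=integrator-b user=eng2 target=HMI-2 mfa=no end=2024-03-01T09:45:00
ts=2024-03-01T13:00:00 vendor=integrator-b user=eng2 target=HMI-2 mfa=yes end=2024-03-01T13:20:00
ts=2024-03-01T08:10:00 vendor=oem-a user=eng3 target=PLC-line1 mfa=yes end=2024-03-01T14:00:00
ts=2024-03-01T22:00:00 vendor=legacy-vendor user=svc target=PLC-line2 mfa=yes end=2024-03-01T22:30:00
"""

def parse(line):
    """Turn one key=value log line into a dict with parsed timestamps."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["end"] = datetime.fromisoformat(rec["end"])
    return rec

def audit(log, approvals, max_session=MAX_SESSION):
    """Return (line_no, finding) pairs for every session that breaks a control."""
    findings = []
    for n, line in enumerate(log.splitlines(), 1):
        r = parse(line)
        window = approvals.get((r["vendor"], r["target"]))
        if window is None:
            findings.append((n, "no approval for vendor/target"))
            continue   # the remaining checks presuppose an approval to check against
        if r["mfa"] != "yes":
            findings.append((n, "session without MFA"))
        if not (window[0] <= r["ts"] and r["end"] <= window[1]):
            findings.append((n, "session outside approved window"))
        if r["end"] - r["ts"] > max_session:
            findings.append((n, "session exceeds maximum duration"))
    return findings
```

Run periodically, the same check doubles as evidence for the vendor-risk part of a NIS2 audit, since it shows which approvals exist and how they are enforced.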
4. When is an incident actually an incident? In OT, the answer is not straightforward
NIS2 introduces clear reporting deadlines: 24 hours for an initial notification to the authorities in the event of a "significant incident", 72 hours for an updated report, and one month for a final comprehensive report. But before you can report, you have to have detected that something is wrong. And that is where the first real problem for OT organisations arises.
In IT environments, a ransomware attack is usually hard to miss. In OT environments, a compromised system may manifest as minor deviations – a production machine running slightly outside its tolerance, a sensor delivering data with a marginal delay. Without OT-specific monitoring, an incident can go undetected for weeks.
The second problem is the assessment itself. Article 23 of NIS2 defines a "significant incident" as one that has caused, or is capable of causing, serious operational disruption or significant losses.
For OT organisations, that assessment is particularly challenging because even a brief incident can have enormous consequences. A short production stoppage can trigger delivery failures across an entire supply chain. A compromised control system can threaten personal safety.
In practice, this means that the threshold for what constitutes a significant incident is, for many OT organisations, far lower than you might initially assume. And that increases the risk of either over-reporting or under-reporting in good faith.
What can you do?
- Implement monitoring tools designed for OT environments that understand industrial protocols. Generic IT security tools do not detect OT-specific attack patterns.
- Define in advance what a "significant incident" concretely means in your OT context, and which scenarios trigger the reporting obligation. That is a leadership task, not a technical exercise.
- Establish clear procedures for who escalates, who assesses, and who notifies the authorities.
- Practise it. A tabletop exercise once a year – running through a scenario from detection to reporting – will reveal the gaps before a real incident does.
5. NIS2 starts in the boardroom – and that is a shift many organisations are not ready for
NIS2 is the first EU directive to explicitly place cybersecurity responsibility on senior leadership. Board members and executives can be held personally liable for non-compliance and, in serious cases, temporarily barred from holding management positions.
For many OT organisations, this is a fundamental shift. Cybersecurity has traditionally been a technical operational matter, typically owned by the IT department and far from the board's day-to-day agenda.
The result is often a well-known deadlock: leadership does not understand OT risks well enough to prioritise them, and OT professionals lack the language and tools to communicate risk in a way that lands in a boardroom.
ECSO research shows that insufficient leadership engagement and inadequate budgets are among the most frequently cited barriers to NIS2 compliance across European organisations.
What can you do?
- Use NIS2's management accountability requirements to move cybersecurity out of the IT budget and onto the strategic agenda with dedicated funding.
- Give leadership regular, accessible risk briefings that translate OT risks into business terms: downtime, production losses, reputational damage, and fines.
- Consider an external gap analysis as your starting point. It gives leadership a fact-based foundation for making prioritised decisions – without requiring board-level technical expertise.
- Remember that NIS2 is not only a risk. It is also an opportunity to secure the backing and resources that OT security work has long needed.
OT's 5 NIS2 challenges are connected
It is tempting to treat the five challenges as separate projects – but they are inextricably linked. That also means a single step forward rarely solves just one problem. As you gain control of your asset inventory, risk assessment, vendor management, and incident response, they all become easier.
The challenges are connected – and so are the wins. NIS2 compliance also brings increased resilience against operational disruption in the event of a cyberattack or other crisis.
It is also worth remembering that NIS2 is not an all-or-nothing project. It does not demand perfection from day one – it requires you to demonstrate that you are working systematically and on a risk basis. And that starts with a clear picture of where you stand today.
Would you like help mapping your current NIS2 maturity in OT? NorthGRC offers structured gap analyses for manufacturing and supply organisations.
We also have a dedicated OT workbench that brings compliance, risk management, and incident handling together in one place – giving you a single, clear picture of where you stand, and a single place to keep all your documentation.
