The NIS2 Directive (Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union) is the European cybersecurity framework that entered into force on 16 January 2023; Member States had to transpose it into national law by 17 October 2024. It repeals and strengthens the 2016 NIS Directive (Directive (EU) 2016/1148, commonly called NIS1), significantly expanding its scope: more sectors, a size-based rule that brings in medium and large entities by default, and explicit supply-chain obligations. For industrial operators this means the OT systems that run production, not only corporate IT, fall under its risk-management requirements.

Who Is Affected? NIS2 applies to essential entities and important entities across 18 sectors (11 sectors of high criticality in Annex I and 7 other critical sectors in Annex II). In general, medium and large enterprises in these sectors are in scope regardless of whether they were ever designated under NIS1. The sectors include:

  • Energy (electricity, oil & gas, hydrogen)
  • Transport (aviation, rail, maritime, road)
  • Healthcare
  • Drinking Water & Wastewater
  • Digital Infrastructure
  • Food & Agriculture
  • Chemicals (manufacture, production and distribution)
  • Manufacturing (medical devices, computer/electronic products, electrical equipment, machinery, motor vehicles and other transport equipment)

Specific OT Obligations:

  • Risk Assessment: The all-hazards risk-management obligations (Article 21) cover every network and information system the entity uses for its operations. For an industrial operator that means OT and cyber-physical systems (CPS), not only the corporate IT estate, and the risk analysis must say so explicitly.
  • State-of-the-Art Cybersecurity Measures: Article 21 lists a minimum set of measures, including asset management, network security (in practice, segmentation between IT, OT and safety zones), incident handling and detection, business continuity and crisis management, access control, and the use of cryptography where appropriate.
  • Supply Chain Management: Assess and contractually secure relationships with suppliers, integrators and subcontractors who have access to critical systems, including remote maintenance access to OT.
  • Incident Notification (Article 23): An early warning to the CSIRT or competent authority within 24 hours of becoming aware of a significant incident, a fuller incident notification within 72 hours, and a final report within one month (an interim progress report if the incident is still ongoing at that point).
  • Governance (Article 20): The management body must approve the risk-management measures and oversee their implementation, can be held personally liable for non-compliance, and must follow cybersecurity training; employees should receive training regularly as well.

Penalties: For essential entities, administrative fines of up to at least €10 million or 2% of total worldwide annual turnover, whichever is higher; for important entities, up to at least €7 million or 1.4% of turnover, whichever is higher. Supervisory authorities can also order corrective measures and, for essential entities, temporarily suspend certifications or the exercise of managerial functions.

Real Impact for OT: NIS2 mandates demonstrable, auditable cyber maturity across industrial environments. The directive itself is technology-neutral and does not name a specific standard, but Article 25 encourages the use of European and international standards, and for industrial control systems IEC 62443 (zones and conduits, security levels, secure product and integration lifecycles) is the natural way to structure the required measures. The practical consequence is that OT must be treated with the same rigor as IT, while respecting OT's operational constraints: long asset lifecycles, safety-critical availability, and maintenance windows that limit when patching and changes can happen.