OT systems and NIS2
- jctibor
- Jul 25
Updated: Jul 26

With the new Cyber Security Act transposing the NIS2 Directive likely to come into force on 1 November 2025, a new legal obligation arises for many organisations to ensure an adequate level of protection not only for ICT systems, but also for operational technologies (OT) such as SCADA, PLC, DCS, sensors, robotic systems and other industrial controllers.
OT systems differ from ICT systems in their longer device life cycle, low tolerance for outages and latency, use of proprietary communication protocols, and emphasis on continuity and physical security of operation; they were also not expected to be connected to the Internet.
However, as OT systems are increasingly interconnected with ICT infrastructure in practice, they logically become vulnerable to cyber threats.
It is therefore necessary, and not only because of the obligations arising from the new Cyber Security Act, to implement appropriate security measures for OT systems, such as (i) a complete inventory of OT devices, including the protocols and firmware versions used, (ii) network segmentation, i.e. physical or virtual zoning of OT vs ICT, (iii) access control, i.e. at least multi-factor authentication, (iv) continuous monitoring and anomaly detection and, of course, (v) preparation of an adequate response to cyber incidents and events.