NIS2 is not “just an IT regulation”. For organisations running industrial plants, production lines, site infrastructure or essential services, the key point is simple: security must also cover the systems that keep physical operations running, including OT, PLCs, HMIs, SCADA, industrial networks, engineering workstations and remote access.

The directive requires technical, operational and organisational measures that are proportionate to risk, along with governance, incident handling and business continuity obligations. In practice, that means a firewall or an antivirus product is not enough; you need a documented, reviewable and sustainable risk-management system.

Industrial electrical panel: protection devices, breakers and structured wiring form the physical layer on which OT security measures are built. Photo: Pexels, free licence.
What NIS2 actually asks for

NIS2 imposes a risk-management and incident-reporting approach on essential and important entities. At EU level, the directive's two annexes list 18 sectors: 11 sectors of high criticality in Annex I and 7 other critical sectors in Annex II, the latter including manufacturing. In Italy, it was transposed through Legislative Decree 138/2024, and the ACN (Agenzia per la Cybersicurezza Nazionale) acts as the competent NIS authority. For entities in scope, registration on the ACN platform is scheduled from 1 December to 28 February each year.

NIS2 and OT: where the misunderstanding starts

The most common mistake is to assume that NIS2 is mainly about cloud services, data centres and classic information systems. In many industrial organisations, however, the main risk sits in the physical process: line stoppage, loss of control, quality degradation, maintenance disruption, uncontrolled remote access, missing recoverable backups, and untracked PLC changes.

The directive does not prescribe a single standard or a specific network architecture. What it does require is an appropriate and proportionate set of controls, based on an all-hazards approach that takes cyber incidents, operational errors, supplier dependencies, failures and service impact into account. In OT, that means building cybersecurity into plant operations instead of adding it as a separate layer afterwards.

Who should read this article

  • Plant managers relying on PLCs, HMIs, SCADA or industrial networks
  • System integrators and OEMs who need to demonstrate stronger technical and organisational maturity
  • IT/OT leaders building a NIS2 readiness roadmap
  • Management teams expected to approve, supervise and support cybersecurity measures

The 10 areas NIS2 puts at the centre

Article 21 of the directive defines the minimum areas for cybersecurity risk-management measures. In industrial terms, they translate into the following:

1. Risk analysis: understand which OT assets and processes are truly critical
2. Incident handling: know who does what when a cyber issue affects the plant
3. Business continuity: backup, disaster recovery, shutdown and recovery procedures
4. Supply chain security: vendors, remote maintainers, integrators, third-party software
5. Security across the lifecycle: acquisition, development, maintenance, vulnerabilities and change
6. Effectiveness assessment: audits, reviews, periodic checks, evidence
7. Cyber hygiene and training: basic rules, awareness and competence
8. Cryptography: used where appropriate without breaking operability or compatibility
9. HR security, access and assets: users, roles, onboarding/offboarding, asset inventory
10. MFA and secure communications: especially for remote access and high-impact functions

Network infrastructure: fibre optic cables and switches in a rack cabinet. Segmentation and traffic-flow control are among the core technical measures under NIS2. Photo: Pexels (Brett Sayles), free licence.

Practical NIS2 checklist for industrial plants

This is not a cosmetic compliance list. It focuses on controls that make operational sense in real plants.

1. OT asset inventory

  • Do you maintain an up-to-date inventory of PLCs, HMIs, SCADA, industrial switches, firewalls, engineering workstations, drives, IPCs and industrial wireless devices?
  • For each asset, do you know the model, firmware, plant function, criticality, technical owner, connections and dependencies?
  • Can you distinguish the assets that stop production from those with secondary impact?

Without an inventory, risk management remains theoretical. In OT, inventory should include not only devices but also data flows, engineering software, remote connections and maintenance media.

2. Network segmentation and OT/IT separation

  • Is the OT network separated from the office network through documented controls?
  • Do you have an industrial DMZ or at least a controlled exchange point?
  • Are critical lines or cells separated into zones or segments aligned with risk?
  • Are allowed flows between SCADA, historian, engineering workstations and PLCs reduced to what is strictly necessary?

Segmentation is one of the most practical ways to reduce lateral movement and contain the blast radius of an incident. In OT, that does not mean blocking everything; it means designing communication that is strictly necessary and reviewable.
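One way to make "strictly necessary and reviewable" concrete is to write the zone model and the permitted conduits down as data and audit the firewall's allow rules against them. The script below is an added example, not code from the article or from any vendor: the zone addressing, the conduit table, the assumed historian port and the sample rule set are all constructed for illustration; 502, 102, 4840 and 3389 are the usual TCP ports for Modbus/TCP, S7comm, OPC UA and RDP.

```python
"""Audit OT firewall rules against a zone/conduit policy.

Added example (not from the article). The zone addressing, the conduit
table and the sample rules are constructed for illustration; the port
numbers are the usual ones for Modbus/TCP (502), S7comm (102),
OPC UA (4840) and RDP (3389).
"""
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed zones. In a real plant these come from the network design.
ZONES = {
    "IT": ip_network("10.10.0.0/16"),
    "DMZ": ip_network("10.20.0.0/24"),
    "SUPERVISORY": ip_network("10.30.0.0/24"),   # SCADA servers, historian
    "ENGINEERING": ip_network("10.30.1.0/24"),   # engineering workstations
    "CELL": ip_network("10.40.0.0/24"),          # PLCs and drives
}

# Conduits: (source zone, destination zone) -> TCP ports allowed through.
# Any flow absent from this table is not a permitted flow.
CONDUITS = {
    ("IT", "DMZ"): {443},
    ("DMZ", "SUPERVISORY"): {5432},             # historian mirror, assumed
    ("SUPERVISORY", "CELL"): {502, 102},
    ("ENGINEERING", "CELL"): {502, 102, 4840},
    ("ENGINEERING", "SUPERVISORY"): {3389},
}


@dataclass(frozen=True)
class Rule:
    src: str      # host or CIDR as exported from the firewall
    dst: str
    port: int
    action: str   # "allow" or "deny"


def zone_of(addr: str) -> str:
    """Return the zone containing addr, 'ANY' for 0.0.0.0/0, else 'UNKNOWN'.

    A prefix that straddles two zones (e.g. 10.30.0.0/23) is also UNKNOWN,
    which is what we want: such a rule cannot be justified by one conduit.
    """
    net = ip_network(addr, strict=False)
    if net.prefixlen == 0:
        return "ANY"
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "UNKNOWN"


def audit(rules):
    """Return (rule, reason) for every allow rule the conduit table does not justify."""
    findings = []
    for rule in rules:
        if rule.action != "allow":
            continue
        src, dst = zone_of(rule.src), zone_of(rule.dst)
        if "ANY" in (src, dst) or "UNKNOWN" in (src, dst):
            findings.append((rule, f"unscoped endpoint ({src} -> {dst})"))
            continue
        permitted = CONDUITS.get((src, dst))
        if permitted is None:
            findings.append((rule, f"no conduit defined for {src} -> {dst}"))
        elif rule.port not in permitted:
            findings.append((rule, f"port {rule.port} not in conduit "
                                   f"{src} -> {dst} {sorted(permitted)}"))
    return findings


# Constructed rule set, as it might be exported from the plant firewall.
SAMPLE_RULES = [
    Rule("10.10.5.0/24", "10.20.0.10", 443, "allow"),   # office -> DMZ portal: fine
    Rule("10.30.0.10", "10.40.0.0/24", 502, "allow"),   # SCADA -> PLCs, Modbus/TCP: fine
    Rule("10.30.1.21", "10.40.0.12", 4840, "allow"),    # EWS -> PLC, OPC UA: fine
    Rule("10.10.7.23", "10.40.0.12", 102, "allow"),     # office laptop straight to a PLC
    Rule("0.0.0.0/0", "10.40.0.0/24", 4840, "allow"),   # "temporary" any-source rule
    Rule("10.30.0.10", "10.40.0.12", 3389, "allow"),    # RDP into the cell from SCADA
    Rule("10.10.0.0/16", "10.40.0.0/24", 22, "deny"),   # deny rules are not audited
]

if __name__ == "__main__":
    for rule, reason in audit(SAMPLE_RULES):
        print(f"{rule.src:>16} -> {rule.dst:<14} tcp/{rule.port:<5} {reason}")
```

The three rules the script flags are exactly the ones an auditor would ask about: a direct office-to-PLC flow that bypasses the DMZ, an any-source rule that somebody left in place after commissioning, and a management protocol on a conduit that is only meant to carry process traffic. Keeping the conduit table next to the network diagram, under version control, is what turns "segmentation" into something you can review at the next audit.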

Patch panel and structured cabling in a network cabinet. Physical and logical separation between OT and IT zones starts with network infrastructure design. Photo: Pexels (Brett Sayles), free licence.

3. Secure remote access

  • Are vendor remote sessions approved per session rather than permanently available?
  • Do you use MFA for VPNs, jump hosts or remote support portals?
  • Are remote sessions logged and, where possible, recorded?
  • Do vendor accounts expire, stay role-limited and go through periodic review?

Many plants are exposed not because they were “hacked from the outside”, but because remote access remained open over time with shared credentials or without proper session control.

4. Backups and recovery that are actually tested

  • Do you maintain offline or segregated backups of PLC, HMI and SCADA projects, network configurations, users, certificates and engineering workstations?
  • Has recovery been tested for critical scenarios?
  • Do you know how long it would take to rebuild a cell or line after a compromise?

NIS2 explicitly refers to backup management, disaster recovery and crisis management. In a plant, the right question is not “do we have backups?” but “can we really recover?”.

Server room with rack cabinets and monitoring station. Backup and disaster recovery require dedicated infrastructure, periodic testing and documented recovery procedures. Photo: Pexels, free licence.

5. Change management and versioning

  • Is every PLC, HMI, SCADA or industrial network change approved, logged and reversible?
  • Do you keep a baseline of the software that is actually running in production?
  • Do engineering workstations follow a coherent export, review or versioning process?
  • Can anyone download changes to a running controller, or is role separation enforced?

NIS2 does not name Git, TIA Portal or any specific tool. But it does require controls around development, maintenance, effectiveness and governance. In OT, change management is one of the clearest signs of maturity.
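The minimum you need for a reviewable baseline is a hash manifest of the approved project exports and a way to tell approved changes from untracked ones. The script below is an added example, not the article's code or any vendor's tooling: it snapshots an export directory, stores the manifest as JSON (which belongs in version control alongside the change tickets), and classifies later drift. The file names, contents and the change ticket CHG-0042 are constructed; in practice the digest recorded on the ticket would be taken from the tested export that was approved for download.

```python
"""Compare an engineering-workstation export against the approved plant baseline.

Added example, not the article's code. File names, contents and the change
ticket are constructed; a real ticket would record the digest of the export
that was tested and approved.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def write_manifest(root: Path, manifest_path: Path) -> dict:
    """Snapshot the approved baseline; the manifest itself goes into version control."""
    manifest = hash_tree(root)
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def compare(baseline: dict, current: dict, approved: dict) -> dict:
    """Classify drift between baseline and current.

    approved maps a relative path to {"ticket": ..., "sha256": ...} for changes
    that went through change management. A changed file only counts as approved
    when its digest matches the one recorded on the ticket.
    """
    result = {"approved": [], "untracked": [], "new": [], "missing": []}
    for path, digest in current.items():
        if path not in baseline:
            result["new"].append(path)
        elif digest != baseline[path]:
            ticket = approved.get(path)
            if ticket and ticket["sha256"] == digest:
                result["approved"].append((path, ticket["ticket"]))
            else:
                result["untracked"].append(path)
    result["missing"] = sorted(set(baseline) - set(current))
    return result


def demo() -> dict:
    """Build a constructed baseline, apply one approved and one untracked change, report."""
    work = Path(tempfile.mkdtemp())
    try:
        export = work / "export"
        files = {  # constructed project exports
            "Line1/PLC_Main.zap17": b"main program, approved v1",
            "Line1/HMI_Panel.xml": b"panel recipe screens v1",
            "Line2/PLC_Packer.zap17": b"packer program v3",
        }
        for rel, data in files.items():
            (export / rel).parent.mkdir(parents=True, exist_ok=True)
            (export / rel).write_bytes(data)
        baseline = write_manifest(export, work / "baseline.json")

        # Approved change: the ticket records the digest of the tested new program.
        new_main = b"main program, approved v2 (new recipe handling)"
        approved = {"Line1/PLC_Main.zap17": {
            "ticket": "CHG-0042", "sha256": hashlib.sha256(new_main).hexdigest()}}
        (export / "Line1/PLC_Main.zap17").write_bytes(new_main)
        # Untracked change: the HMI was edited during a night shift, no ticket.
        (export / "Line1/HMI_Panel.xml").write_bytes(b"panel recipe screens v1 + quick fix")
        (export / "Line1/notes.txt").write_bytes(b"todo")   # file nobody baselined
        shutil.rmtree(export / "Line2")                     # export for Line2 is gone

        return compare(baseline, hash_tree(export), approved)
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run this against the export from each engineering workstation on a schedule and the "untracked" and "missing" buckets become your evidence for both the change-management and the effectiveness-assessment areas of Article 21. Hashing the export is a deliberate simplification: it tells you that something changed and whether a ticket covers it, not what changed inside the project, which still needs the engineering tool's own compare function.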

6. Vulnerability and patch management with OT logic

  • Do you have a process to assess vulnerabilities, vendor advisories and remediation priorities?
  • Are patches tested before deployment on critical systems?
  • When patching is not immediately possible, do you apply compensating measures such as segmentation, tighter access rules or disabling unnecessary services?

In OT, patching does not always happen the day an update is released. But “we never patch OT” is not a defensible strategy either. The decision needs to be documented, risk-based and tied to compensating controls.

7. Hardening engineering workstations

  • Are workstations running TIA Portal, SCADA tools or vendor software dedicated and separated from normal office use?
  • Do users operate with least privilege, or is everyone a local administrator?
  • Are USB usage, browsers, email, unnecessary software and external connectivity governed?
  • Are engineering workstations included in backup, logging and access-control scope?

The engineering workstation is often the most sensitive point in the plant: it has technical visibility, high privileges and the ability to change the process. Treating it like a standard office PC is a mistake.

8. Logging, monitoring and anomaly visibility

  • Do you collect events from firewalls, VPNs, jump hosts, SCADA servers, historians and critical Windows systems?
  • Do you have at least basic visibility into logins, configuration changes, errors and remote connections?
  • Are there thresholds or alerts for anomalous behaviour?

NIS2 does not mandate a specific SIEM, but an organisation with no visibility will struggle to show effective incident handling.
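The remote-access questions in point 3 and the visibility questions here are answered by the same piece of logic: correlate VPN and jump-host events with the approved maintenance sessions and flag what does not line up. The script below is an added example, not the article's code or any product's rule set. The log format, the account names, the addresses, the targets and the approval record RA-1187 are all constructed; the five checks (no approval, outside the window, login without MFA, session to a target outside the ticket's scope, and the same account logging in from two different addresses within a few minutes) are the ones a reviewer would run first on a real export.

```python
"""Review vendor remote-access events against approved maintenance sessions.

Added example, not the article's code. The log format, account names,
addresses, targets and approval records are constructed for illustration;
a real deployment would feed it VPN concentrator and jump-host logs.
"""
import re
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
SHARED_CREDENTIAL_WINDOW = timedelta(minutes=5)

# Constructed log lines: VPN logins and jump-host sessions, not in time order.
LOG_LINES = """\
2025-03-04T08:02:11Z vpn01 LOGIN user=vendor_acme src=203.0.113.10 mfa=yes
2025-03-04T08:05:40Z jump01 SESSION_START user=vendor_acme src=10.20.0.5 target=10.40.0.12
2025-03-04T08:41:09Z jump01 SESSION_START user=vendor_acme src=10.20.0.5 target=10.40.0.30
2025-03-04T21:47:03Z vpn01 LOGIN user=vendor_acme src=198.51.100.7 mfa=no
2025-03-04T09:10:00Z vpn01 LOGIN user=vendor_beta src=203.0.113.55 mfa=yes
2025-03-04T09:11:00Z vpn01 LOGIN user=vendor_beta src=192.0.2.99 mfa=yes
""".splitlines()

# Constructed approvals: one ticket for vendor_acme, nothing for vendor_beta.
APPROVALS = {
    "vendor_acme": [{
        "ticket": "RA-1187",
        "start": datetime(2025, 3, 4, 8, 0, tzinfo=UTC),
        "end": datetime(2025, 3, 4, 12, 0, tzinfo=UTC),
        "targets": {"10.40.0.12"},
    }],
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>LOGIN|SESSION_START) (?P<kv>.+)$")


def parse(line: str) -> dict:
    """Turn one log line into a dict with a timezone-aware timestamp."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised line: {line!r}")
    event = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC),
             "host": m["host"], "event": m["event"]}
    event.update(pair.split("=", 1) for pair in m["kv"].split())
    return event


def review(lines, approvals):
    """Return (timestamp, user, reason) for every event that breaks the access rules."""
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    findings = []
    last_login = {}  # user -> (ts, src) of that account's previous VPN login
    for ev in events:
        user, ts = ev["user"], ev["ts"]
        reasons = []
        tickets = approvals.get(user, [])
        covering = [t for t in tickets if t["start"] <= ts <= t["end"]]
        if not tickets:
            reasons.append("no approved maintenance session for this account")
        elif not covering:
            reasons.append("activity outside every approved window")
        if ev["event"] == "LOGIN":
            if ev.get("mfa") != "yes":
                reasons.append("VPN login without MFA")
            prev = last_login.get(user)
            if prev and prev[1] != ev["src"] and ts - prev[0] <= SHARED_CREDENTIAL_WINDOW:
                reasons.append(f"logins from {prev[1]} and {ev['src']} within "
                               f"{SHARED_CREDENTIAL_WINDOW}: possible shared credential")
            last_login[user] = (ts, ev["src"])
        elif ev["event"] == "SESSION_START" and covering:
            in_scope = set().union(*(t["targets"] for t in covering))
            if ev["target"] not in in_scope:
                reasons.append(f"session to {ev['target']} outside ticket scope {sorted(in_scope)}")
        findings.extend((ts.isoformat(), user, r) for r in reasons)
    return findings


if __name__ == "__main__":
    for ts, user, reason in review(LOG_LINES, APPROVALS):
        print(ts, user, reason)
```

On the constructed data this produces six findings: a session to a PLC the ticket did not cover, an evening login with MFA disabled outside the approved window, and two logins by an account that has no approval at all, the second of them from a different address one minute after the first, which is the typical signature of a credential shared within a vendor's team. None of these needs a SIEM; it needs the logs to exist, to carry the user and source fields, and to be reviewed against the approvals.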

9. Vendors and supply chain

  • Do contracts with integrators, maintainers and software suppliers include minimum security rules?
  • Do you know which remote links, support tools, cloud dependencies and operational responsibilities exist?
  • Can you quickly suspend or limit supplier access if needed?

Supply chain security is explicitly addressed by the directive. In OT, that includes the parties providing remote support, commissioning and application updates.

10. Incident plan with realistic timing

  • Who decides whether an OT incident is significant?
  • Who collects technical evidence, and who manages communication with management, CSIRT, authorities and customers?
  • Do you have a process that can meet the directive's reporting sequence: an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month?

Incident reporting is not something to improvise during a disruption. It needs predefined roles, escalation paths, contacts and minimum classification criteria.

The most common mistakes in industrial plants

Weak approach: “We have a firewall, so we are covered”
Mature approach: risk-based controls tied to real operational dependencies

Weak approach: “OT systems are never patched”
Mature approach: compensating measures where immediate patching is not possible

Weak approach: “The vendor remote connection stays open because it is convenient”
Mature approach: segmentation, governed remote access and plant baselines

Weak approach: “We have backups, but we never tested restore”
Mature approach: tested recovery and defined incident roles

Management involvement is not optional

One of the most important elements of NIS2 is that management bodies must approve cybersecurity measures, supervise their implementation and receive adequate training. That changes the language of the project: OT cybersecurity is no longer just a technical department topic, but a governance responsibility.

In practice, that means budgets, priorities, planned outages, vendor rules, change processes and incident-response decisions cannot remain informal.

A minimum 90-day roadmap

Weeks 1-2: map OT assets, remote access, engineering software and current backups
Weeks 3-4: classify lines, cells and systems by operational criticality
Weeks 5-6: define minimum segmentation, jump hosts, MFA and vendor rules
Weeks 7-8: formalise backup/recovery, change management and incident handling
Weeks 9-10: enable baseline logging and review engineering workstations
Weeks 11-12: collect evidence, assign responsibilities and prepare governance documentation

Quick final checklist

If you want a serious first check today, verify these 8 points first:
1. up-to-date OT asset inventory
2. minimum segmentation between OT, IT and remote access
3. MFA and session approval for vendors
4. recoverable backups of PLC/HMI/SCADA/engineering workstations
5. plant baseline and change log
6. vulnerability/patch process with compensating measures
7. minimum logging on firewalls, VPNs, servers and critical workstations
8. incident workflow ready for 24h / 72h / 1 month reporting

Our take

In industrial environments, NIS2 should not be read as a pure compliance checklist. It is an opportunity to clean up areas that often grew by stratification: weak segmentation, always-on vendor access, unverified backups, untracked PLC changes and unclear ownership across IT, maintenance and automation.

The organisations that gain the most from NIS2 will not be those that write the most policies, but those that genuinely connect governance, OT architecture, change management and operational continuity.

Do you want to understand how close your plant already is to NIS2 expectations in OT?

Contact us for a practical technical assessment — we review architecture, remote access, engineering workstations, backups, logging and remediation priorities.

Official resources and useful guidance