
      Many companies have so far focused their cybersecurity priorities on traditional IT, even though attacks are increasingly targeting areas where production, plant control and critical processes take place. The European Union’s NIS 2 Directive shifts the focus towards a company’s value-adding processes and thus towards OT (Operational Technology) security. 

      Once the German implementing legislation takes effect, in December 2025 at the latest, OT security becomes mandatory, auditable and business-critical for numerous organisations. Operational Technology has become more interconnected and more complex, and those who fail to act now risk downtime, regulatory consequences and financial losses.

      Why OT systems are particularly vulnerable

      • Legacy systems are in widespread use

        Many control systems have been running stably for decades, but without a security architecture. Patching is difficult or even impossible. At the same time, connectivity and pressure to integrate are increasing – an environment in which attackers often encounter ‘unpatched’ systems. Consciously managing these risks is a core requirement of NIS-2.

      • IT and OT convergence expands the attack surface

        Digitalisation is erasing previous dividing lines: condition monitoring, remote support and central control rooms are increasingly linking OT to IT networks. A lack of segmentation, outdated protocols or uncontrolled maintenance access are sufficient to compromise production networks – often via service providers as an indirect entry point.

      • OT attacks have an immediate physical impact

        Attacks affect not only data but also physical processes: manipulated control commands, process interruptions, safety risks for staff, production stoppages and supply chain disruption. The extent of the damage is correspondingly high and difficult to contain.

        Sectors with critical infrastructure and continuous operational processes are particularly affected: energy, transport, water, healthcare, chemicals, food production and the manufacturing industry.


      What NIS-2 specifically requires

      NIS-2 adopts a governance approach that integrates technology, organisation and processes. The following are particularly relevant for OT:

      • Risk management: systematic risk analyses, clear responsibilities, documented measures.
      • Network segmentation and monitoring: separation of zones and lines, anomaly detection, continuous monitoring; effectively supplemented by OT-IDS to strengthen detection and monitoring capabilities.
      • Access & identity management: Role models, multi-factor authentication (MFA), restrictive remote access – these requirements apply not only to internal staff but also to external maintenance partners and access by technical identities.
      • Incident response: mandatory reporting to the competent authority in stages (early warning within 24 hours of becoming aware of a significant incident, a full incident notification within 72 hours), risk-based playbooks that take OT into account, clear decision-making and escalation chains.
      • Patch & Vulnerability Management, including mitigation measures where updates cannot be applied during live operations.
      • Awareness and Training: OT-specific training for operational teams and technical managers.
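      The segmentation and monitoring requirement above is usually implemented as a zones-and-conduits model (the IEC 62443 approach): every OT asset belongs to a zone, traffic between zones is only permitted through explicitly defined conduits, and an OT-IDS learns who normally talks to whom so that a new source writing to a controller stands out. The following is an added example, not code from the page or from KPMG, of the two checks that such a monitor performs over flow records. The address plan, the permitted conduits, the Modbus function codes treated as writes and all flow records are constructed for illustration.

```python
"""Zone/conduit policy check plus a baseline-based anomaly check over OT
flow records. Added example; address plan, conduits and records are assumed."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Assumed zone address plan (hypothetical). Anything outside these ranges,
# e.g. a contractor laptop on an unmanaged VPN, falls into "unknown".
ZONES = {
    "enterprise": ip_network("10.10.0.0/16"),   # office IT
    "dmz":        ip_network("10.20.0.0/16"),   # jump host, historian front-end
    "control":    ip_network("10.30.0.0/16"),   # SCADA, HMI, engineering workstation
    "field":      ip_network("10.40.0.0/16"),   # PLCs, RTUs
}

# Permitted conduits: (source zone, destination zone, destination TCP port).
# There is deliberately no enterprise->control or enterprise->field conduit,
# so IT can only reach OT through the DMZ. Everything not listed is denied.
CONDUITS = {
    ("enterprise", "dmz", 443),      # users -> historian web front-end
    ("dmz", "control", 22),          # jump host -> engineering workstation
    ("control", "dmz", 443),         # historian replication, outbound only
    ("control", "field", 502),       # SCADA/HMI -> PLC, Modbus/TCP
    ("control", "field", 44818),     # SCADA/HMI -> PLC, EtherNet/IP
}

# Modbus function codes that write coils or registers on the device.
MODBUS_WRITE_FCS = {5, 6, 15, 16, 23}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    fc: Optional[int] = None   # decoded Modbus function code, if any


def zone_of(ip: str) -> str:
    """Map an address to its zone, or 'unknown' if it is in no planned range."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def check_conduit(flow: Flow) -> Optional[str]:
    """Return a finding if the flow crosses a zone boundary outside a permitted conduit."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return None                      # intra-zone traffic is not conduit policy
    if (src_zone, dst_zone, flow.dport) in CONDUITS:
        return None
    return f"conduit violation: {src_zone}->{dst_zone} tcp/{flow.dport} ({flow.src} -> {flow.dst})"


class WriterBaseline:
    """Learns which sources issue Modbus writes to which devices during a learning window."""

    def __init__(self) -> None:
        self.writers = defaultdict(set)          # device -> set of known writing sources

    def learn(self, flows: List[Flow]) -> None:
        for f in flows:
            if f.fc in MODBUS_WRITE_FCS:
                self.writers[f.dst].add(f.src)

    def anomalies(self, flows: List[Flow]) -> List[str]:
        """Flag writes from any source not seen writing to that device in the baseline."""
        return [f"new Modbus writer: {f.src} -> {f.dst} fc={f.fc}"
                for f in flows
                if f.fc in MODBUS_WRITE_FCS and f.src not in self.writers[f.dst]]


def analyse(baseline_flows: List[Flow], live_flows: List[Flow]) -> List[str]:
    """Conduit findings first, then baseline anomalies; one flow may produce both."""
    baseline = WriterBaseline()
    baseline.learn(baseline_flows)
    findings = [v for f in live_flows if (v := check_conduit(f))]
    findings += baseline.anomalies(live_flows)
    return findings


# Constructed records. Learning window: only the SCADA server writes to the PLC.
BASELINE_FLOWS = [
    Flow("10.30.0.5", "10.40.0.10", 502, fc=16),
    Flow("10.30.0.5", "10.40.0.10", 502, fc=3),
]
LIVE_FLOWS = [
    Flow("10.30.0.5", "10.40.0.10", 502, fc=3),   # SCADA read, permitted
    Flow("10.10.0.5", "10.20.0.3", 443),          # office user -> DMZ historian
    Flow("10.20.0.2", "10.30.0.9", 22),           # jump host -> engineering workstation
    Flow("10.10.0.77", "10.40.0.10", 502, fc=6),  # office host writing straight to the PLC
    Flow("10.30.0.9", "10.40.0.10", 502, fc=16),  # engineering workstation, never wrote before
    Flow("203.0.113.9", "10.40.0.10", 502, fc=6), # external address, outside every zone
]

if __name__ == "__main__":
    for finding in analyse(BASELINE_FLOWS, LIVE_FLOWS):
        print(finding)
```

      The two checks catch different things: the conduit check is pure policy and would flag the office host and the external address even if they only read, while the baseline check flags the engineering workstation's write, which is inside a permitted conduit and would pass any firewall rule. In a real deployment the baseline must be reviewed by the plant engineers before it is trusted, since a learning window that already contains an attacker's traffic whitelists the attacker.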

      NIS-2 as a lever for modernisation: Compliance is mandatory – resilience is the added value

      In future, companies must demonstrate that processes have been implemented, documented and regularly practised. This effort has various positive effects, including reduced downtime, more robust supply chains and greater operational reliability. OT security becomes a business case – and a clear differentiator in critical sectors.

      Companies that systematically expand and optimise their OT security now achieve three outcomes:

      • Regulatory security

        Traceable processes, clear responsibilities, documented compliance.

      • Technical resilience

        Segmentation, continuous monitoring and structured vulnerability management.

      • Operational stability

        Well-rehearsed response processes, predictable crisis management, lower follow-up costs in the event of an emergency.

      NIS-2 thus serves not only to meet minimum standards, but also accelerates the modernisation of long-overdue OT landscapes.

      NIS-2 in practice: What companies should be doing now

      Affected companies in the relevant sectors had to complete their registration with the BSI by 6 March. Central to this is an affectedness analysis that precisely identifies which business areas and facilities fall under the directive. This forms the basis for governance structures, responsibilities and future auditability.

      In parallel, reporting channels for security incidents must be established and regularly practised – both internally and externally. Many organisations are only just beginning this process, whilst others have started implementing measures but are encountering complexity and resource constraints. A clear roadmap and the involvement of senior management – which NIS-2 explicitly places under their responsibility – are crucial.

      The OT security journey comprises five stages: awareness-raising, roles and responsibilities, basic technical measures, response capability, and sustainable integration into governance and operations. Each stage builds on the previous one and delivers measurable progress.

      Companies should now

      • complete their registration and impact assessment,
      • define roles and responsibilities,
      • provide mandatory training for senior management,
      • establish reporting channels and conduct exercises,
      • and systematically develop the OT security architecture.

      This creates a security architecture that meets regulatory requirements whilst also ensuring technical resilience and operational stability – a robust foundation for OT operations and compliance under NIS 2.
