Request demo
September 21, 2023

The Impact of the NIS2 Directive on Operational Technology (OT) Businesses

The industrial digitalization that started over 20 years ago accelerated rapidly in recent years, particularly in the field of operational technology (OT). This evolution made critical infrastructure more connected but also more vulnerable to cyber threats.


From NIS to NIS2
NIS2 is a law
NIS2 for OT: Example use cases
OT business leaders need to act now
Secure your OT business with SSH Communications Security

From NIS to NIS2

To address this concern, the EU announced in 2022 an updated Network and Information Security (NIS2) directive - an enhanced version of the original NIS directive released in 2016, which imposes stringent cybersecurity requirements on organizations operating in the OT sector.

The NIS2 directive primarily supports the enhancement and standardization of the cybersecurity of EU member states, with a strong focus on strengthening cybersecurity measures for organizations. Especially those operating within critical infrastructure sectors, such as energy, transportation, manufacturing, waste management, food processing, water supply, healthcare, public administration, and finance.

The directive was adopted by the European Parliament and the European Council on November 15, 2022, and EU member states need to comply with the directive by October 17, 2024.  After this date, the compliance will be monitored and sanctioned on a national state level.

Knowing this exact timeline allows organizations a degree of control over their adoption roadmap and budgeting for elevated cybersecurity expenses. Because the new NIS2 requirements are complex and require many changes, it’s important for organizations to start working on meeting these requirements as soon as possible.

NIS2 is a law

NIS2-guide-01It is important to emphasize that NIS2 is not merely a recommendation or a regulation – it is a legally binding framework enforced across the EU, backed by administrative penalties and fines for non-compliance.

These fines can reach up to €10,000,000 or 2% of the organization’s annual global revenue. Moreover, organizations failing to adhere to the directive may undergo intensive audits over an extended period to verify their compliance.


NIS2 for OT: Example use cases


Utilities are vital to cities’ functioning and the well-being of their residents. Thus, protecting utilities against cyberattacks not only prevents possible devastating consequences but also helps safeguard the well-being, safety, and prosperity of the cities and residents.

According to the NIS2 directive utilities are increasingly connected to digital networks in cities, as such they are vulnerable to cyberattacks. In the event of a successful cyberattack, interconnected digital utilities and other critical infrastructure providers may fail to operate properly, which poses a significant risk of causing widespread harm to citizens.

Supply chain 

Most OT companies engage in partnerships with various stakeholders who have access to their networks and crucial data. As a result, OT organizations must evaluate the overall quality and robustness of all outsourced products and services from third parties.

This also includes considering cybersecurity measures and risks related to a company's management and leadership. OT businesses should consider not only their third-party products and services and their cybersecurity. But they also need to consider their own cybersecurity management and leadership practices.

According to NIS2, it is mandatory for OT companies to integrate cybersecurity risk management measures into their contractual agreements with their suppliers and service providers.

Obligation to demonstrate compliance 

The NIS2 directive makes it obligatory for OT companies to demonstrate compliance with this mandate, including compliance reports, dashboards of cyber activity, or live monitoring of activities.

OT business leaders need to act now

The NIS2 directive holds accountable not only organizations (fines, extensive audits, etc.) but also their leaders, including boards of directors and leadership teams.

C-level and board members must act now to ensure that their company complies with the NIS2 directive.

Secure your on- and off-site connections with SSH Communications Security

Don't know where to start from? Check out our Guide to NIS2 Compliance >>>

Ready to act? We at SSH Communications Security help organizations operating in the critical infrastructure sectors to meet the NIS2 requirements. Our vast experience in securing the OT industry can prove our commitment to quality and excellence.

 We can help you:

  • Manage roles, approve sessions, and restrict access to targets and sites. Manage on- and off-site secure access for third parties, remote operators, and maintenance engineers.
  • Manage access to IT as well as OT targets with protocols like SSH, RDP, HTTPS, or using any TCP/IP protocol prevalent in OT by granting access on a network level. We provide support for protocols or targets using OT proprietary technology.
  • Synchronize identities from multiple directories and map them automatically to the right roles (role-based access control, RBAC). Multi-factor authentication (MFA), audit trails, live monitoring, and session recording are also supported.

For OT industries (such as manufacturing, transportation, energy, waste management, water supply, and others), we offer a readily made solution - PrivX OT Edition, the digital gatekeeper for your secure access to remote maintenance and sites.

Learn more about the PrivX OT Edition here >>>

Recently, we have collaborated with EU partners in securing the development of Internet of Things (IoT) and Artificial Intelligence (AI) solutions within the industrial sector through significant collaboration within the CHARM ECSEL JU project sponsored by the European Union. Learn more about the CHARM project >

Related content:

NIS2-guide-01    NIS2-guide-overview-01    OT-ZT-Secure-access-01


Jani Virkkula

Currently employed by SSH.COM as Product Marketing Manager, Jani is a mixed-marketing artist with a strong background in operator and cybersecurity businesses. His career path of translator->-tech writer -> marketer allows him to draw inspiration from different sources and gives him a unique perspective on all types...

Other posts you might be interested in