The NIS2 directive is reshaping cybersecurity obligations for Dutch manufacturers. For organisations operating OT environments — bioreactors, clean rooms, industrial control systems — the implications go far beyond IT governance.
Operational technology environments prioritise availability and safety above all else — a stark contrast to IT's traditional confidentiality-first approach. When an IT system goes down, business operations are disrupted. When an OT system fails, physical consequences can include equipment damage, environmental incidents, or risks to human safety.
This fundamental difference means NIS2 compliance in OT requires a different playbook than IT compliance. You cannot simply extend your IT security policies to the production floor. The protocols are different, the update cycles are different, the risk calculus is different.
For critical infrastructure in the operational technology space, the IEC 62443 series of standards provides the most practical framework for implementing NIS2 requirements. The series as a whole addresses three roles (asset owners, system integrators and product suppliers); the parts written for asset owners and operators cover risk assessment, security policies, network architecture, access control, incident response, and security testing.
The most relevant part is IEC 62443-2-1, which specifies security program requirements for IACS asset owners. It maps closely to NIS2's requirements for risk-based security measures, supply chain security, incident notification, access controls, and operational continuity. For the technical design work it is complemented by IEC 62443-3-2 (risk assessment and the partitioning of the system into zones and conduits) and IEC 62443-3-3 (system security requirements and security levels).
First, understand your scope. NIS2 scopes entities by sector and by size: medium-sized and large organisations in the sectors listed in its annexes, which include manufacturing, energy, and healthcare. Operating industrial control systems does not by itself put you in scope, but a manufacturer of any size above the threshold almost certainly is, and your OT estate then falls under the same obligations as your IT.
Second, start with network segmentation. The Purdue Reference Model provides a layered architecture that aligns naturally with the zones and conduits concept of IEC 62443-3-2: each Purdue level becomes one or more zones, and every permitted path between zones is a documented conduit with an explicit allow-list. Network security is one of the measures NIS2 requires, and for a production site the baseline any auditor will expect is a clear separation between corporate IT and production OT, with an industrial DMZ between them rather than direct enterprise-to-controller connectivity.
Third, address your supply chain. NIS2 (Article 21(2)(d)) requires that entities account for the security of their relationships with direct suppliers and service providers, including the vulnerabilities those suppliers introduce. For OT environments, this means assessing the security posture of every vendor with remote access to your industrial systems, and enforcing it technically: vendor sessions should terminate on a jump host in the DMZ, not on the PLC network.
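A concrete way to verify the segmentation and vendor-access points above is to audit the flows your firewall actually allowed against a written zones-and-conduits policy. The script below is an added example, not code from the article or from any IEC 62443 document: the Purdue-style zone layout, the address ranges, the conduit allow-list, and the log lines are all constructed for illustration, and the log format is an assumed simplified export rather than any particular firewall's syntax. It flags allowed flows that have no conduit, highlights those that skip a level (bypassing the DMZ), and catches endpoints that belong to no zone at all, which is what a vendor VPN patched straight into the control network looks like.

```python
"""Conduit audit: check observed IT/OT flows against a zones-and-conduits policy.

Added example (not from the article). Zone layout, address ranges, conduits and
log lines are constructed; replace them with your own IEC 62443-3-2 zone model
and your firewall's real export format.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Zones with their Purdue level and address range (assumed layout).
ZONES: Dict[str, dict] = {
    "enterprise": {"level": 4.0, "net": ipaddress.ip_network("10.10.0.0/16")},  # corporate IT
    "idmz":       {"level": 3.5, "net": ipaddress.ip_network("10.20.0.0/24")},  # industrial DMZ
    "site_ops":   {"level": 3.0, "net": ipaddress.ip_network("10.30.0.0/24")},  # historian, MES
    "control":    {"level": 2.0, "net": ipaddress.ip_network("10.40.0.0/24")},  # HMI, engineering
    "field":      {"level": 1.0, "net": ipaddress.ip_network("10.50.0.0/24")},  # PLCs
}

# Conduits: the only flows the policy permits, as (src_zone, dst_zone, proto, dport).
# Any flow the firewall allowed that is not listed here is a policy violation.
CONDUITS = {
    ("enterprise", "idmz", "tcp", 443),    # users reach the DMZ portal / jump host
    ("idmz", "site_ops", "tcp", 5432),     # DMZ replica pulls from the Level 3 historian
    ("site_ops", "control", "tcp", 4840),  # MES reads SCADA data over OPC UA
    ("control", "field", "tcp", 502),      # HMIs poll PLCs over Modbus/TCP
    ("control", "field", "tcp", 102),      # engineering workstation uses S7comm
}

# Assumed simplified log format, one flow per line.
LOG_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)"
)


def zone_of(ip: str) -> Optional[str]:
    """Name of the zone containing ip, or None if it belongs to no defined zone."""
    addr = ipaddress.ip_address(ip)
    for name, zone in ZONES.items():
        if addr in zone["net"]:
            return name
    return None


def evaluate(line: str) -> Optional[dict]:
    """Return a finding for a flow that breaks the conduit policy, else None."""
    m = LOG_RE.search(line)
    if not m:
        return {"line": line, "src_zone": None, "dst_zone": None,
                "proto": None, "dport": None, "reasons": ["unparseable log line"]}
    if m["action"] != "allow":
        return None  # the firewall already blocked it; the rulebase is right here
    src_zone, dst_zone = zone_of(m["src"]), zone_of(m["dst"])
    dport = int(m["dport"])
    if (src_zone, dst_zone, m["proto"], dport) in CONDUITS:
        return None
    reasons = []
    if src_zone is None or dst_zone is None:
        reasons.append("endpoint outside every defined zone")
    else:
        reasons.append("no conduit defined for this flow")
        # Adjacent Purdue levels differ by at most 1; a larger jump skipped a boundary.
        if abs(ZONES[src_zone]["level"] - ZONES[dst_zone]["level"]) > 1:
            reasons.append("skips intermediate zone(s), bypassing the DMZ boundary")
    return {"line": line, "src_zone": src_zone, "dst_zone": dst_zone,
            "proto": m["proto"], "dport": dport, "reasons": reasons}


def audit(lines: List[str]) -> List[dict]:
    """All findings for a batch of log lines, in input order."""
    return [f for f in (evaluate(line) for line in lines) if f]


# Constructed sample export; not real traffic.
SAMPLE_LOG = [
    "src=10.10.5.7 dst=10.20.0.10 proto=tcp dport=443 action=allow",     # corp -> DMZ portal: ok
    "src=10.40.0.21 dst=10.50.0.12 proto=tcp dport=502 action=allow",    # HMI -> PLC: ok
    "src=10.10.5.7 dst=10.50.0.12 proto=tcp dport=502 action=allow",     # corp laptop -> PLC
    "src=10.10.9.3 dst=10.40.0.21 proto=tcp dport=3389 action=allow",    # corp RDP to HMI
    "src=10.30.0.5 dst=10.50.0.12 proto=tcp dport=102 action=deny",      # blocked: no finding
    "src=192.168.77.4 dst=10.50.0.12 proto=tcp dport=502 action=allow",  # vendor VPN -> PLC
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f['src_zone']} -> {f['dst_zone']} {f['proto']}/{f['dport']}: "
              f"{'; '.join(f['reasons'])}")
```

Run against a real export, the output is the list of rules that must either be removed from the firewall or documented as a new conduit in the zone model; either way the drawing and the rulebase end up agreeing, which is what an assessor will ask to see. The "endpoint outside every defined zone" finding is the one to chase first, because it usually means a vendor or contractor path was added outside the architecture.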
Compliance with NIS2 in OT environments requires expertise at the intersection of industrial cybersecurity, regulatory frameworks, and practical network architecture. The key is to start with what IEC 62443 already provides — a structured, auditable approach to securing industrial automation and control systems — and map it directly to NIS2's obligations.
Compliance architect working at the intersection of GxP compliance, OT/IT security, and digital transformation.
Also writes at HiddenCove