While an increasingly digitized world and interconnectivity bring enormous opportunities for cyber-related threats, the tenth edition of ENISA’s Threat Landscape reports cybersecurity attacks continued to increase in the second half of 2021 and 2022, not only in terms of vectors and numbers but also in terms of their impact. The complexity and scale of cybersecurity incidents are growing, as is their economic and social impact, and we’ve seen a new paradigm brought by the Russia-Ukraine crisis that further impacts critical infrastructure. Due to these circumstances, the European Union recently adopted the revised version (“NIS2”) of the Network and Information Security Directive (“NISD”), which provides legal measures to improve the overall level of cybersecurity in the EU, and among others, the EU-wide cooperation on incidents and threats.

NISD became the first EU-wide legislation on cybersecurity and the policy was adopted in 2016 to implement risk management and incident reporting obligations for specific entities. Also because of NISD, there today is a better understanding of the state of cybersecurity across Europe. The graph below was published by the EU Cybersecurity Agency (ENISA) and shows the damage related to the last single security incident experienced by the surveyed organisations.

ENISA’s 2021 NIS Investment Report reveals the average budget for NIS Directive implementation projects was approximately €175k and almost half of the organisations allocated €100k-€250k. When implementing the NIS Directive, 64% of surveyed organisations procured security incident & event log collection solutions, as well as security awareness & training services. NIS2 is further adopting new measures and widening the scope of rules.

What is the NIS2 Cybersecurity Directive?

  • Reinforced rules for a high common level of cybersecurity across the EU
  • Supervision for medium and large organizations across more than a dozen key sectors
  • Requires establishment of a higher level of mandatory, reviewable and sanctionable cybersecurity measures for risk management, security governance, incident reporting/recovery, resilience and network, system and application security
  • Requires risk reviews of security practices for major connected 3rd party services providers
  • NIS2 correlates with the CER directive (see below) and both seem to address the hybrid cyber-physical nature of OT

Currently, the directive is being prepared for official publishing by the EU parliament. It will then be adopted by national legislative bodies across the EU Member states and come into effect no later than 2024.

NIS2 is part of the EU’s cybersecurity strategy between 2020-2025 and coherently complemented by other policies. Especially relevant for operational environments is the Critical Entity Resilience (CER) directive which is closely interrelated with NIS2. Also, the EU Cyber Resilience Act (CRA) has significant consequences for vendors and service providers of operational equipment.

CER Directive:
Transposited in parallel to the NIS2 Directive, together they address current and future online and offline risks, from cyberattacks (NIS) to physical attacks and natural disasters (CER). The CER directive is, like NIS2, currently in final publication state. CER focuses on physical rather than digital resilience measures for critical entities. National authorities perform reviews and assess the effectiveness and accountability of the risk management process, they can also provide significant support to entities.

EU Cyber Resilience Act (CRA):
Is a legislative proposal to regulate a broad range of digital devices, their hardware, and solutions with embedded software and applications. It imposes obligations on manufacturers, importers, and distributors of these products across their life cycles. It also defines essential requirements for the design, development, production and operation of digital products and adds requirements for vulnerability and incident handling for manufacturers and obligations for operators.


NIS2 is the successor of the NIS Directive (NISD), which was the first EU-wide legislation on cybersecurity. It was published in 2016 and local application came into effect in 2018 from the national interpretations of NISD, we know that operational technology was in scope at least for the energy sector. All entities in scope, including their significant connected subcontractors, software, and service providers, should act now to prepare for compliance.

The entities in scope, including their significant connected subcontractors, and software and services providers, should act now to prepare for compliance.

When NIS2 becomes effective, all entities are obligated to report severe security incidents, undergo increased supervision, and ensure far-reaching organizational and technical measures are in place.



NIS2 comes with increased security requirements over NISD:

  • NIS2 is applicable to more sectors, approximately 10-folding the number of businesses in scope
  • This includes the supply chain security for critical subcontractors, essential software/libraries, also managed security services providers are now in scope
  • Essential entities will be regularly assessed, important entities are planned to be assessed only after a significant threat or incident occurred
  • Appropriate and immediate measures to prevent or remedy any cyber threats and restore the normal security level of the service must be established
  • Increase of cybersecurity risk management measures and reporting obligations
  • Management bodies of the entities should approve the cybersecurity risk measures, supervise their implementation and be accountable for non-compliance.
  • All entities are encouraged to share threat and vulnerability intelligence and leverage knowledge and experience to enhance capabilities to assess, monitor, defend and respond to cyber threats
  • Government bodies will establish or use an existing single point of entry for incident reporting, increase the national supervision and reporting obligations, stricter enforcement, liability and sanctions are imposed across the EU

Is OT security in scope of the NIS2 Directive?

With the extension of the sectors in scope to include manufacturing, it could be assumed the operational domain is covered by NIS2. However, OT Security has not been explicitly mentioned in any regulation. This changed in the 4th quarter of 2022. Several papers from EU regulators appeared, that explicitly include operational environments as part of the regulated cyberspace:

  • ENISA, for the first time, covers a chapter on OT Security in the actual 2022 NIS Investment report, also mentioning cyber-physical system security as an emerging topic
  • ENISA mentions Operational Technology in the 2022 Threat Landscape report
  • The increased interdependence between physical and digital infrastructure and the impact of cyber activities is appreciated in proposal notes of the upcoming CER Directive (final publication planned in parallel to NIS2)
  • Operational technology is defined in the regulation on cybersecurity requirements for products with digital elements (2022) and the related commission staff working document

Even when not explicitly mentioned, it can be assumed that operational technology is going to be in scope for NIS2. The character of digital threats but physical impact make OT Security a hybrid between the NIS and CER Directive.

What does that mean for the entities in scope?

We know there is already a skills shortage in cybersecurity and especially for OT, but there is a notorious lack of experts with a combined industrial operational risk understanding and security expertise. Entities and regulators will have to find ways to identify and evaluate the most efficient, automated, and integrated approaches for continuous and active management of risks, including OT. NIS2 will require organizations to understand their risks and actively manage their security measures. A one-time, project-based security investment into a single-dimensional technology without proper management integration will not be sufficient to cover the increasing requirements of multiple directives. A checklist for OT security technology evaluations can be found at the end of the document.

Checklist for NIS2 Directive

The checklist below serves as a guide to understanding if you’re in scope and what topics are regulated:

1. Sectors in scope

NIS2 introduces a new classification of entities in scope. If you’re considered essential, regulatory requirements will be slightly tighter than for important entities. Check the two lists below to see if you are considered in scope, and in which classification category. Subsectors with potential OT security-related regulation are marked with a cross, sectors without industrial environments are not covered in detail, and they are mentioned in brackets.

Essential Entities:

If your sector is considered essential, you might even be considered a critical entity by the CER directive. In this case, you will be also contacted by local authorities.

Industries classified as Essential Sectors in scope of NIS2

EnergyElectricityEnergy supply, selected Distribution System Operators, selected Transmission System Operators, selected Electricity Producers, nominated Electricity Market Operators and selected participantsX
Heating/CoolingDistrict heating or district coolingX
OilOperators of transmission pipelines, Operators of oil production, refining and treatment facilities, storage, and
transmission, selected Central oil stockholding entities
GasSelected Suppliers, selected Distribution system operators, selected Transmission system operators, selected Storage system operators, selected LNG system operators, selected Natural gas undertakings
HydrogenOperators of hydrogen production, storage, and transmissionX
TransportAirSelected Air carriers, selected Airport managing bodies, Air Traffic Control Services ProvidersX
RailSelected infrastructure managers, selected Railway undertakingsX
WaterSelected inland, sea and coastal passenger and freight water transport companies, selected Managing bodies of
ports, selected Operators of vessel traffic services
RoadSelected Road authorities, selected Delegated traffic management control regulations, selected Operators of
Intelligent Transport Systems
HealthPharma, Manufacturing, Laboratories, ServicesSelected Entities manufacturing medical devices considered as critical during a public health emergency, selected Healthcare Providers, EU reference laboratories, selected Entities carrying out research and development activities of medicinal products, selected Entities manufacturing basic pharmaceutical products and pharmaceutical preparations.X
WaterDrinkSelected suppliers and distributors of water intended for human consumption, excluding those with majority of other general activityX
WasteSelected undertakings collecting, disposing, or treating urban, domestic, and industrial wastewater when essential part of the business.X
SpaceInfrastructure, ServicesSelected Operators of ground-based infrastructure, owned, managed, and operated by Member States or by private parties, that support the provision of space-based services.X
(Digital Infrastructure)(eg. selected providers of public electronic communications networks and services, Data Center Service
Providers), selected medicinal products, selected cosmetics, tobacco, narcotics,
(Banking and Financial Markets)
(Public Administration)


Important Entities:

Subsectors classified as Important Entities in scope of NIS2

Postal and courier servicesSelected postal service providersX
Waste managementSelected entities, carrying out waste management but excluding undertakings for whom waste management is not their principal economic activityX
Food production, processing, distributionAny food and drink business. Not a foot business ise. feed, live animals unless for human consumption, plants
prior harvesting
ManufacturingChemicalsSelected undertakings carrying out the manufacture, production and distribution of substances and articles.X
ManufacturingMedical DevicesEntities manufacturing medical devicesX
ManufacturingComputer, electronic and optical products...Entities that manufacture computers, electronic and optical products, electronic components and boards, loaded electronic boards, computers and peripheral equipment, communication equipment, consumer electronics, instruments and appliances for measuring, testing and navigation; watches and clocks, irradiation, electromedical and electrotherapeutic equipment, optical instruments and photographic equipment, magnetic and optical mediaX
ManufacturingElectrical equipment...Entities that manufacture electrical equipment, electric motors, generators, transformers and electricity distribution and control apparatus, batteries and accumulators, wiring and wiring devices, fiber optic cables, other electronic and electric wires and cables, wiring devices, electric lighting equipment, domestic appliances, non-electric domestic appliances, other electrical equipmentX
ManufacturingManufacture of machinery and equipment n.e.c.Entities that manufacture general-purpose machinery, engines and turbines (except aircraft), vehicle and cycle engines, fluid power equipment, other pumps and compressors, taps and valves, bearings, gears, gearing and driving elements, other general-purpose machinery, ovens, furnaces and furnace burners, lifting and handling equipment, office machinery and equipment (except computers and peripheral equipment), power-driven hand tools, non-domestic cooling and ventilation equipment, other general-purpose machinery n.e.c, agricultural and forestry machinery, metal forming machinery and machine tools, other special-purpose machinery, machinery for metallurgy, machinery for mining, quarrying and construction, machinery for food, beverage and tobacco processing, machinery for textile, apparel and leather production, machinery for paper and paperboard production, plastic and rubber machinery, other special-purpose machinery n.e.c.X
ManufacturingMotor vehicles, trailers, and semi-trailersEntities that manufacture motor vehicles, trailers and semi-trailers, bodies (coachwork) for motor vehicles, parts and accessories for motor vehicles, electrical and electronic equipment for motor vehicles, other parts and accessories for motor vehiclesX
ManufacturingTransport equipmentEntities that manufacture transport equipment, ships and boats, ships and floating structures, pleasure and sporting boats, railway locomotives and rolling stock, air and spacecraft and related machinery, military fighting vehicles, transport equipment n.e.c., motorcycles, bicycles and invalid carriages, other transport equipment n.e.c.X


You may still be impacted if:

  • Your sector is in one of the above lists and your business is considered (by your Member State) as of national importance. This can be the case when the services provided are essential, the entity is the sole provider, and a service disruption has an impact on public safety, security or health.
  • You have been identified as a critical entity by the CER directive. Critical entities are mandatorily also in scope of NIS2. Critical entities are contacted by local authorities.
  • You’re a major services provider to a client that is considered in scope of NIS2. In this case, you will not face mandatory duties but will require some cybersecurity practices, like a defined process for vulnerability disclosure and communication with the client. Providers of managed security services are in scope.

If you’re unsure, entities can reach out to ENISA for clarification. The EU agency will create and maintain a registry for essential and important entities for NIS2.

Member states can exclude areas of defense, national security, public security or law enforcement from the directive.


2. Business size

For the two main types of entities and with a focus on industrial environments, only medium and large enterprises are in scope.

  • Medium enterprises: 50-250 employees, 10-50m revenue, up to 43m EUR balance
  • Large enterprises: >250 employees, >50m revenue, >43m EUR balance
  • Special entities of national importance: Any size

If at this point, you are in scope, you must provide contact details:

  • Initially notify ENISA of your entity name, addresses of main and other legal establishments in the EU, and up-to-date contact details, including email addresses and telephone numbers within 12 month
  • Foreign corporations not established in the EU but providing services (e.g., data center and content providers) must provide a designated representative contact
  • Update of changes within 3 months the change became effective

If you are not in scope, you can still participate and report significant incidents, cyber threats or near misses on a voluntary basis.


3. Regulatory requirements

Like NISD, NIS2 only provides a minimum mandatory set of measures to cover. These are not necessarily interconnected or even directly related. In many cases, additional steps, processes, or security functions lay in between. Security measures are not specified in detail. This is normal for EU directives; they only describe a broad outcome and allow national legislations to choose the desired level of detail they regulate. Later, there will also come an implementing regulation for NIS2 with more detailed requirements, which are binding to the Member states. The following list contains minimum mandatory areas of coverage for all entities, exceptions are mentioned. As a general rule, essential entities are subject to a stronger supervisory regime, while important entities are subject to lighter supervisory: They have no initial obligation to systematically document compliance with cybersecurity risk management requirements, up to the point of a major incident or threat happens. At that point, they will be supervised.

The image below gives an overview of the minimum required and reviewed cybersecurity measures (orange), and additional requirements (blue boxes) to be NIS2 compliant.



  • Cybersecurity risk management measures (see below) are defined and implemented
  • The measures are approved by management bodies which are also held accountable for non-compliance
  • Specific training to apprehend security risk and its impact on operations
  • If non-compliance is detected, without undue delay, necessary corrective measures should be taken to bring the service concerned into compliance


Minimum cybersecurity risk management measures

All entities must take appropriate and proportionate technical and organizational measures to manage the cybersecurity risks posed to the security of networks and information systems. These measures shall ensure the level of security is related to the risk presented. Especially systems that are used in the provisioning of services shall be considered. All measures and respective non-compliance is accounted for by management.

The following measures represent the minimum requirements to be covered:

  • Risk analysis
  • Information system security policies
  • Incident handling (prevention, detection, and response to incidents)
  • Business continuity and crisis management
  • Supply chain security with suppliers or service providers
  • Security in network and information systems acquisition, development, and maintenance
  • Vulnerability handling and disclosure. This includes vulnerabilities specific to each supplier and service provider, overall quality of products, and cybersecurity practices of their suppliers and service providers including their secure development procedures.
  • Auditing of policies and procedures to assess the effectiveness of cybersecurity risk management measures
  • Use of cryptography and encryption for data protection
  • New measures can be added based on cyber threats, technological developments, or sectorial specificities

Supply chain security risks are defined as the relationship between entities and their suppliers and where both, supplier and customer are targeted. Relationships can be in the digital and physical worlds.

Supply chain includes:

  • Subcontractors and service providers
  • Open-source or 3rd party libraries and software packages that are required for operations to function
  • 3rd party infrastructure used
  • 3rd party managed security services providers
  • For the OT domain, this could also include major 3rd party engineering offices that configure and maintain industrial equipment

Quick checklist for the first steps:

  • Relevant assets are detected to a very high degree within the appropriate timeframe. Does this also apply for OS-based and embedded systems in OT?
  • Security policies are documented, communicated and assessed.
  • Is a process to report (potential) significant incidents in place?
  • Assets in scope have been identified, are monitored, and vulnerabilities and threats are managed.
  • The entity is capable to identify, monitor and alert, and possesses capabilities to respond to a threat.
  • A ticketing system to manage and document incident detection triage and response are in place.
  • Critical processes and their assets are known, documented and security measures are in place.
  • Supply chain risks are identified and mitigating measures are in place.
  • Can evidence from a security management system be relied on for industrial assets?


Incident reporting obligations

Incident reporting, government support, and information sharing across entities are among the main areas of regulation. The importance of the topic is reflected in tight deadlines and can become subject to sanctions. A notification does not make the notifying entity subject to increased liability.

The process consists of these steps:

  1. An incident or threat is identified
  2. Initial notification is sent by an entity within 24 hours
  3. Authorities sent an initial response within 24 hours and provide guidance on mitigation measures
  4. Intermediate report on relevant status updates sent by the entity on request by authorities
  5. A final incident report is sent by an entity (within one month after notification)

What incident to notify?

  • An incident that caused or has the potential to cause substantial operational disruption or financial losses for the entity concerned
  • An incident has affected or has the potential to affect other natural or legal persons by causing considerable material or non-material losses
  • An incident having a significant impact on the provision of the services
  • Any significant cyber threat that those entities identify that could have potentially resulted in a significant incident (near misses)
  • Indication whether the incident is presumably caused by unlawful or malicious action

The NIS2 specification for a significant incident is expected to be related to the number of users affected by the disruption of an essential service, the duration of the incident and the geographical area affected by the incident.

Who and when to notify?

  • The national competent authority or CSIRT’s
  • Recipients of the services (incidents and potential incidents)
  • Without undue delay, within 24 hours after having become aware of the incident

A final incident report must be sent no later than one month after the submission of the notification. It must at least include:

  • A detailed description of the incident, its severity and impact
  • Type of threat or root cause that likely triggered the incident
  • Applied and ongoing mitigation measures
  • Whether the incident is caused by unlawful or malicious action

Quick checklist for reporting readiness:

  • A representative is defined, has the authority to take decisions on its behalf, exercise control and ensure compliance with the obligations
  • Has a NIS2 incident communication process been defined, communicated and trained?
  • Has incident detection and response been trained?
  • Can evidence be provided to government bodies?
  • Vulnerabilities, threats and incidents are detected. At which quality? Is the process automated?
  • Is the organization capable to identify the root cause? Does this include attack time and path?
  • Does the OT response allow operators on-site to approve changes to their equipment?


Prepare for supervision of national authorities

Supervision is a national task and NIS2 substantially increases the coverage and requirements for entities. At this checkpoint, essential entities face tighter requirements than important entities. For important entities, regulatory interference and subversion are only triggered, when a severe impact or threat (or indication of one) occurs.

Member States, with their national competent authorities, are exercising their supervisory tasks in relation to the entities, and have the power to subject all entity types to:

  • On-site inspections and off-site supervision after an incident occurred or a threat becomes public
  • Targeted security audits
  • Security scans
  • Requests for any information necessary to assess cybersecurity measures like documented cybersecurity policies and compliance with the obligation to notify ENISA of entity name and contact details
  • Requests to access data, documents, or any information necessary to perform their supervisory tasks

Additional supervision to subject essential entities to:

  • On-site inspections, off-site supervision and random checks without any cause (incident)
  • Regular audits
  • Provide evidence of implementation of cybersecurity policies
  • Provide results of security audits carried out by a qualified auditor and the respective underlying evidence

At the EU level, ENISA develops and maintains a European vulnerability registry and a peer-review system to assess (and harmonize) member states requirements, obligations and methodology.


Power of national authorities

So far, we have looked at the regulation from the entity’s viewpoint. NIS2 regulates many aspects of the national and joint cybersecurity governance between member states, but we will focus on regulated topics that directly impact entities. The list below gives an idea of the level of detail the directive seeks to cover.

National authorities define and establish bodies for the governance of entities in scope. They oversee NIS2 regulatory compliance and will establish a single point of contact for cybersecurity and supervision. They also assure all entities share cybersecurity information that aims to prevent, detect, respond to or mitigate incidents.

Sorted by impact, competent authorities from member states exercise supervisory tasks and have the power to:

  • Shape the directive
    • Define certain maximum fines
    • Lay out cybersecurity risk management and reporting obligations
  • Enforcement
    • Issue binding instructions
    • Cease conduct that is non-compliant with the obligations
    • Order entities to bring their risk management measures and/or reporting obligations in compliance
    • Order entities to implement the recommendations provided as a result of a security audit
    • Order entities to make public aspects of non-compliance
  • Supervision for both entity types
    • Impose administrative fines on essential and important entities
    • Ensure entities take appropriate and proportionate technical and organizational measures to manage cybersecurity risks
    • Ensure that entities notify the national competent authorities or the CSIRTs of any cybersecurity incident having a significant impact on the provision of the service they provide
    • Request information necessary to assess the cybersecurity measures adopted by the entity, including documented cybersecurity policies
    • Request access data, documents or any information necessary for the performance of their supervisory tasks
  • Essential entity supervision
    • Have obligation to continuously supervise essential entities
    • Suspend the concerning part or all the services or activities provided by an essential entity until the entity takes the necessary action to remedy the deficiencies or comply with the requirements
    • Establish a deadline with essential entity to take the necessary action, remediate deficiencies, comply with the requirements of those authorities
    • Request evidence from essential entities of implementation of cybersecurity policies, such as the results of security audits carried out by a qualified auditor and the respective underlying evidence
  • Support
    • Provide crisis management for large scale incidents
    • Empower CSIRT’s (Computer Security Incident Response Teams) to monitor cyber threats, vulnerabilities and incidents at national level, provide early warning of cyber threats, vulnerabilities and incidents, responding to incidents in essential and important sectors
    • Request information on initial entity registration


What can essential entities do to cover NIS2?

Entities should use the directive to develop and establish an OT security organization, a collaborative IT-OT approach is most effective when harmonized. The following steps can be performed if no security management is in place yet:

  1. Obtain support from management (GM, CISO, COSO or director operations) and approval of management accountability at a national level for an OT security program to comply with NIS2.
  2. Determine your security governance model. In most cases, companies have central governance, local key stakeholders and local operations.
  3. For IT security-driven governance that covers IT and OT, make sure the operational site is included and collaborated with from early stages on. Without OT support, the cybersecurity initiative is not going to be effective.
  4. Identify stakeholders from the business, CISO and COSO (Chief Operational Security Officer), OT and IT, legal, and HR.
  5. Perform a brief business impact analysis to identify critical industrial processes, supporting processes and critical vendors from the supply chain with impact your service delivery.
  6. For budget and risk estimates, use survey data (ENISA NIS investment report, threat reports). Consider outage costs, loss of production, add recovery and the efforts needed to get back to normal operation, add estimated NIS2 penalty costs and damage to connected businesses.
  7. Define a security policy that describes processes for asset inventory and asset management, network segmentation, vulnerability and patch management, change management, general security baselines, user access and password management, monitoring and logging, incident management with the detection-analysis-response process, antivirus, use of cryptography, backup and recovery. Evaluate solutions (see section below).
  8. Based on the critical industrial processes from 5 above, identify related systems, components, networks and controllers and their ownership
  9. Identify relevant 3rd party providers for NIS2-related services, review contracts for security coverage, and make changes to the procurement process when necessary
  10. Assign responsibility for NIS2 to existing roles on location and process level
  11. Evaluate the business impact from 5 above, define a high-level business continuity plan, make sure recovery measures are considered
  12. Make sure there is a documented NIS2 incident management, incident communications and improvement process in place and relevant roles are defined, aware and trained
  13. Perform a self-assessment, followed by internal or external audit and train remediation of findings
  14. Prepare for an audit by your local government body


How Verve supports clients in their NIS2 coverage

No matter where you are in the cybersecurity journey from a basic understanding to more mature adoption, it’s critical to significantly increase your level of defense and reliability with an end-to-end solution to assist with the cybersecurity risk and incident reporting measures.

NIS2 comes with a substantial expansion of cybersecurity risk management and governance requirements, the existing gap of security labor especially in operational cybersecurity will require effective, integrated and automated solutions to be adopted in operational environments. These solutions must be flexible enough to be adapted to different risk scenarios and organizational capabilities.

Verve’s approach delivers distinct benefits in operational environments:


Deep asset visibilityCapture visibility of all OT assets in depth (OS-based, embedded, network-based,etc.). Capture a centralized view across sites and vendors.

NIS2-relevant for granular asset visibility across countries, plants, vendor equipment, security aspects, rapid identification of all relevant assets governance-, risk or compliance management has to be applied for, provides always up-to-date base library for assets, and capability to link assets to critical processes.

asset inventory


Better risk management360-degree risk score of assets (patch, vulnerabilities, users/accounts, passwords, encryption used, AV status, etc.) in single, central console. Enables trade-offs of best risk remediation.

NIS2-relevant for defining risks and developing measures, threat-, vulnerability- and risk detection, monitoring and maintaining system and network security, incident detection, critical change detection, helps identify corrective measures for auditing and compensating controls (especially important for often limited OT environments), integration of 3rd party information like OEM vendor patch recommendations.

360degree risk assessment

Rapid response and remediation with integrated actionsIntegrated change, patch, configuration, software, user, and other remediation actions. Faster mean-time-to-remediation, lower patch downtime.

NIS2-relevant for active measures like threat and incident prevention and response, response orchestration capability, patch prioritization capability, increased cyber resilience, provides flexibility in developing most effective measures at OS, application or network level.


Lower labor costs Centralize analysis of all endpoints (and integrate with enterprise IT) but enable local control over actions. Expert resources to deploy and manage.

NIS2-relevant as it allows highly effective operation models with central governance and local execution, helps with IT-OT collaboration, harmonizes security with fewer efforts, and accounts for operational and security risks.

Operationally safe & efficientBuilt-in OT safeguards and operational benefits such as improved network and system reliability. Tested across all OEM vendor systems.

NIS2-relevant for providing security without introducing new operational risks.

Several regulatory requirements can be covered with technology in a semi or fully automated way. However, technology is only as good as the underlying organizational process, and the revised directive will require both entity types in scope to prepare a risk and security management that is backed by organizational processes. Simply acquiring technology as a security project is not going to be good enough with NIS2. In industrial environments, the workload is high today already, so the overall security coverage, reliability and capability to automate will mostly likely impact its success.


Here’s a quick checklist when evaluating OT cybersecurity solutions:

  • OT coverage

    • Is enough security context information provided to identify compensating controls?
    • Are industrial controllers, OS-based endpoints and network gear (dis-)covered?
    • How many OEM brands do you have? How OT vendor agnostic is the security solution?
    • Are OEM vendor recommendations considered for patching?
    • Can patch deployments and security changes be approved? Also by operations on site?
    • Is bandwidth usage minimal and can security communication be fine-tuned?
    • Does the solution adapt to the existing operational processes or does the organization need to adapt to the technology?
    • Does the solution work in air-gaped environments?
  • Security coverage

    • Which security measures are covered out of the box, which can be integrated, and which must be covered with additional solutions?
    • What quality and reliability is the security data provided?
    • Is an integrated security picture provided across different security software solutions?
    • Is the technology generating alerts on all relevant events?
    • What types of actions are supported? Can they be orchestrated?
    • What percentage of the security policy can be reviewed by the solution?
    • What capabilities support a secure operation of the solution, its data and its user access?
    • Can incidents not only be detected but also remediated across vendors in an OT-accepted way?
    • How comprehensive is the solution in its coverage for protect, detect, respond, recover? How much does it add to the process resilience?
    • Is the solution capable to detect and take the NIS2 directive related measure such as:
      • a reliable, actual asset library
      • patch- and vulnerability management,
      • would a locally compromised asset be identified?
      • can changes be detected and orchestrated?
      • can user access be reviewed?
  •  Efficiency

    • How much is and can be automated?
    • How actionable are the alerts generated?
    • How much additional workload is added to organizational processes?
    • What is the false positive/negative rate when discovering existing vulnerabilities and applying patches?
    • What is the performance from threat detection to remediation? How long does it take to do that across a single plant, all plants in a region, or globally?
    • How many solutions would be required to perform an incident detection and response with compensating measures across two plants?
  • Completeness

    • Are all relevant asset types, their vulnerabilities and patch level in scope identified? In which time frame?
    • To which percentage is OT-specific equipment included?
    • Are solution benefits agreed by operations?

Verve Industrial Protection has a successful track record in assisting industrial companies to increase their maturity relative to different security standards through our professional design, and support services as well as by deploying the Verve Security Center.



NIS2 Webinar

Download our webinar for a deeper dive into the NIS2 Directive.

Watch now

Related Resources


Addressing New ICS/OT Cybersecurity Regulations

How to achieve a successful and efficient programmatic response to the current and future regulatory environment for ICS/OT cyber security.

Learn More

4 Components to Rapidly Improve & Measure OT Security

Here's how to demonstrate progress and improvement on key security metrics over time in OT cyber security environments.

Learn More

Designing the Right OT Governance Structure & Approach

Align IT and OT security initiatives to make progress against a chosen standard for an efficient and effective cyber security program.

Learn More