Factory Tech News

OT Vendors Align Product Roadmaps to Open Standards Amid NIS2 Pressure

OT vendors reshape roadmaps around IEC 62443 and OPC UA as NIS2 enforcement tightens, with supply chain and retrofit implications for mid-market manufacturers.


Operational technology (OT) vendors are accelerating product roadmap changes to align with open interoperability standards as enforcement of the EU's NIS2 Directive tightens across industrial and manufacturing sectors. The convergence of regulatory timelines and growing retrofit demand is forcing mid-market manufacturers to make concrete investment decisions around OT certification, supply chain cybersecurity governance, and secure communications architecture. The alternative is exposure to administrative fines of up to €10 million or 2% of global annual turnover, whichever is higher, for essential entities, and up to €7 million or 1.4% for important entities, the category into which most manufacturers fall.

Background

The Network and Information Security Directive 2 (NIS2, Directive (EU) 2022/2555) is the EU's updated cybersecurity framework, replacing the original NIS Directive of 2016. It aims to harmonize and strengthen cybersecurity across 18 sectors, including energy, transport, health, and manufacturing. In force since January 2023, NIS2 required member states to transpose it into national law by October 17, 2024; the national rules applied from October 18, 2024, and member states were to have identified the essential and important entities in scope by April 17, 2025.

NIS2 expanded the list of covered sectors and introduced a size-cap rule: medium and large organizations in listed critical sectors are automatically in scope, and member states can designate smaller entities with high-risk profiles. Sectors explicitly relevant to OT and industrial control systems (ICS) include energy, oil and gas, water, transport, manufacturing, health, and chemical processing. The directive divides covered entities into Essential Entities (EE) and Important Entities (IE), with essential entities facing more intensive supervision and stricter enforcement.

New regulations and guidance, including NIS2 in the EU, the Cyber Resilience Act, and the 2023 revision of NIST SP 800-82 (Rev. 3) in the U.S., are expanding compliance obligations for industrial and critical infrastructure operators. The EU's NIS2 Directive and U.S.-UK joint OT guidance together underscore a converging international approach to OT cybersecurity, one that prioritizes asset transparency, accountability for third-party risk, and operational resilience across interconnected digital and physical systems.

Details

The compliance pressure is catalyzing a specific technical shift: accelerated adoption of open interoperability standards in brownfield OT environments. For most industrial companies, the primary challenge in meeting NIS2 requirements is not understanding the directive but implementing the required technical architecture in aging brownfield environments. NIS2 (Article 21) calls for policies on cryptography and for multi-factor or continuous authentication, yet the legacy industrial protocols that still dominate the plant floor, Modbus/TCP, S7comm, and the original DNP3 among them, carry no authentication or encryption at all: anyone who can reach the network segment can read and write process values. Vendors are responding with integration layers that talk to legacy devices in their native protocols and expose the data over OPC UA, the open industrial data-exchange standard that supports signed and encrypted sessions with certificate-based authentication and has become the de facto bridge between legacy OT and NIS2-aligned architectures. The protection is not automatic, though: an OPC UA server left on SecurityPolicy None or accepting anonymous user tokens is as exposed as the Modbus device behind it, so endpoint configuration has to be verified rather than assumed.
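The configuration check that last sentence calls for, as an added example (not code from the article or from any vendor): it audits OPC UA endpoint descriptors against the security mode, security policy, and user-token rules a practitioner would apply, with the three endpoint records constructed to mirror the fields a GetEndpoints response returns. The host name and the endpoint paths are invented; in practice the records would be populated from a client's GetEndpoints call.

```python
"""Audit OPC UA server endpoints for weak security configuration.

Added example, not code from the article or any vendor. The endpoint records
at the bottom are constructed to mirror what a GetEndpoints response carries
(EndpointUrl, SecurityMode, SecurityPolicyUri, UserIdentityTokens).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# MessageSecurityMode enumeration (OPC UA Part 4).
MODE_NONE, MODE_SIGN, MODE_SIGN_AND_ENCRYPT = 1, 2, 3
# UserTokenType enumeration (OPC UA Part 4).
TOKEN_ANONYMOUS, TOKEN_USERNAME, TOKEN_CERTIFICATE, TOKEN_ISSUED = 0, 1, 2, 3

POLICY_BASE = "http://opcfoundation.org/UA/SecurityPolicy#"
POLICY_NONE = POLICY_BASE + "None"
# Deprecated by the OPC Foundation: SHA-1 signatures / RSA PKCS#1 v1.5 padding.
DEPRECATED_POLICIES = {POLICY_BASE + "Basic128Rsa15", POLICY_BASE + "Basic256"}
CURRENT_POLICIES = {
    POLICY_BASE + "Basic256Sha256",
    POLICY_BASE + "Aes128_Sha256_RsaOaep",
    POLICY_BASE + "Aes256_Sha256_RsaPss",
}


@dataclass
class Endpoint:
    url: str
    security_mode: int
    security_policy_uri: str
    # (UserTokenType, UserTokenPolicy.securityPolicyUri or None) pairs.
    user_token_policies: List[Tuple[int, Optional[str]]]


def audit_endpoint(ep: Endpoint) -> List[str]:
    """Return a list of findings; an empty list means the endpoint passes."""
    findings = []
    channel_plaintext = ep.security_mode == MODE_NONE or ep.security_policy_uri == POLICY_NONE
    if channel_plaintext:
        findings.append("HIGH channel: SecurityMode None / SecurityPolicy None, "
                        "traffic is neither authenticated nor encrypted")
    elif ep.security_mode == MODE_SIGN:
        findings.append("MEDIUM channel: Sign only, messages are authenticated but readable on the wire")
    if ep.security_policy_uri in DEPRECATED_POLICIES:
        findings.append(f"MEDIUM channel: deprecated policy {ep.security_policy_uri.rsplit('#', 1)[1]}")
    elif ep.security_policy_uri not in CURRENT_POLICIES and not channel_plaintext:
        findings.append(f"INFO channel: unrecognised policy URI {ep.security_policy_uri}")

    for token_type, token_policy in ep.user_token_policies:
        if token_type == TOKEN_ANONYMOUS:
            findings.append("HIGH auth: anonymous user token accepted, no client identity required")
        elif token_type == TOKEN_USERNAME:
            # Part 4: an empty UserTokenPolicy.securityPolicyUri means "use the channel's policy",
            # so a username token on a None channel sends the password in the clear.
            effective = token_policy or ep.security_policy_uri
            if effective == POLICY_NONE:
                findings.append("HIGH auth: username/password token with effective policy None, "
                                "credentials cross the wire in cleartext")
    return findings


def audit_endpoints(endpoints: List[Endpoint]) -> dict:
    """Map each endpoint URL to its findings."""
    return {ep.url: audit_endpoint(ep) for ep in endpoints}


def compliant(ep: Endpoint) -> bool:
    """True when the endpoint has no HIGH or MEDIUM findings."""
    return not any(f.startswith(("HIGH", "MEDIUM")) for f in audit_endpoint(ep))


# Constructed sample: one gateway exposing three endpoints (invented host, not real traffic).
SAMPLE_ENDPOINTS = [
    Endpoint("opc.tcp://gateway.plant.example:4840/none", MODE_NONE, POLICY_NONE,
             [(TOKEN_ANONYMOUS, None), (TOKEN_USERNAME, None)]),
    Endpoint("opc.tcp://gateway.plant.example:4840/legacy", MODE_SIGN, POLICY_BASE + "Basic256",
             [(TOKEN_USERNAME, POLICY_BASE + "Basic256")]),
    Endpoint("opc.tcp://gateway.plant.example:4840/hardened", MODE_SIGN_AND_ENCRYPT,
             POLICY_BASE + "Aes256_Sha256_RsaPss", [(TOKEN_CERTIFICATE, None)]),
]

if __name__ == "__main__":
    for url, findings in audit_endpoints(SAMPLE_ENDPOINTS).items():
        print(url, "OK" if not findings else "")
        for finding in findings:
            print("    " + finding)
```

The first endpoint is the typical out-of-the-box gateway state and produces three HIGH findings; the second shows a half-hardened configuration (signed but unencrypted, on a deprecated policy) that many retrofit projects stop at; only the third passes. Retiring the None endpoint entirely matters more than adding a hardened one beside it, because clients negotiate down to whatever the server still offers.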

The Open Process Automation Forum's (OPAF) O-PAS standard focuses on safety, discoverability, testability, interchangeability, and other elements that support interoperability. OPAF's primary focus is adopting existing industry standards, and O-PAS security requirements derive from the ISA/IEC 62443 series. ISA/IEC 62443 is the most widely adopted consensus-based, end-to-end standards suite dedicated to safeguarding industrial automation and control systems (IACS), establishing a unified vocabulary, risk model, and control framework for industrial cybersecurity across manufacturing, energy, building automation, medical devices, and transportation.

ENISA has released updated resources mapping NIS2 obligations to global cybersecurity frameworks such as ISO/IEC 27001, NIST CSF, and IEC 62443, providing a clearer picture of what practical implementation looks like in OT/ICS environments. Vendors seeking to position products as NIS2-ready are increasingly pursuing formal IEC 62443-4-1 certification. Microchip Technology, for example, was recently certified by UL Solutions to IEC 62443-4-1 Maturity Level 2 (ML2), demonstrating that its product development process meets globally recognized secure-by-design criteria. The certification provides audit-backed assurance that products are developed under a mature, repeatable, and independently verified process. IEC 62443-4-1 defines the requirements for a secure development lifecycle (SDL) as eight practices: security management, specification of security requirements (including threat modeling), secure by design, secure implementation, security verification and validation testing, management of security-related issues, security update management, and security guidelines. Buyers should read a 4-1 certificate for what it is: it attests to the vendor's process, not to the security capabilities of any particular product, which are assessed separately against IEC 62443-4-2 for components and IEC 62443-3-3 for systems.

Supply chain cybersecurity is emerging as one of the most operationally demanding provisions. Industrial operators are now responsible for assessing and ensuring the cyber hygiene of every third-party vendor, system integrator, and OEM that interacts with their operations. As digitalization deepens, interdependence across the value chain has made supply chain risk more pronounced; some estimates attribute around 60% of data breaches to third-party vendors. For OT owners, the highest-risk suppliers include PLC/SCADA vendors, system integrators, cloud providers hosting engineering workstations, remote maintenance providers, and third-party sensor manufacturers.

According to ENISA's Technical Implementation Guidance (v1.0, June 2025), in-scope organizations must create a supply chain security policy setting minimum security requirements for suppliers and vendors. The policy must be communicated directly to suppliers and integrated into procurement and outsourcing processes. It should influence supplier selection criteria by evaluating cybersecurity practices, the ability to meet security requirements, and the quality and resilience of relevant ICT products and services. One caveat for manufacturers: the guidance was written for the digital-infrastructure entities covered directly by Implementing Regulation (EU) 2024/2690, so for a manufacturing plant it is a benchmark rather than a binding text; the plant's own supply chain obligation arises from Article 21(2)(d) of the directive as transposed into national law.

Incident reporting timelines present a further technical challenge for plants relying on aging OT systems. Under Article 23, a significant incident must be reported to the competent authority or CSIRT in stages: an early warning within 24 hours of becoming aware of it, stating whether it is suspected to be malicious or unlawful and whether it may have cross-border impact; an incident notification within 72 hours with an initial assessment of severity and impact and any indicators of compromise; and a final report within one month. Meeting a 24/72-hour window through manual audits alone is practically impossible. Legacy OT systems were built for availability, not for logging or alerting, so the clock can only be met with passive network monitoring and centralized logging that surface an event when it happens rather than at the next scheduled review.
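What that monitoring looks like in practice, as an added example that is not part of the article: a detection run over passively captured Modbus/TCP records, flagging write commands that do not come from the hosts permitted to write to each PLC, then starting the Article 23 clock from the first alert. The log lines are constructed in the tab-separated layout of Zeek's modbus.log (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, func, exception); the addresses and the allowlist are invented. Whether an alert is a "significant incident" is a triage decision; the example starts the clock at the first alert as a conservative assumption.

```python
"""Flag unexpected Modbus/TCP writes in passive monitoring logs and start the
NIS2 reporting clock from the first alert.

Added example, not from the article. The log lines are constructed in the
layout of Zeek's modbus.log; hosts and the write allowlist are made up.
"""
import calendar
from datetime import datetime, timedelta, timezone

# Modbus function names as Zeek renders them. Writes change process state, so
# they are the ones that must come only from known engineering/HMI hosts.
WRITE_FUNCS = {
    "WRITE_SINGLE_COIL", "WRITE_SINGLE_REGISTER", "WRITE_MULTIPLE_COILS",
    "WRITE_MULTIPLE_REGISTERS", "MASK_WRITE_REGISTER",
    "READ_WRITE_MULTIPLE_REGISTERS", "WRITE_FILE_RECORD",
}

# Constructed allowlist (assumption): PLC address -> hosts permitted to write to it.
WRITE_ALLOWLIST = {
    "10.20.1.10": {"10.20.0.5"},                # HMI only
    "10.20.1.11": {"10.20.0.5", "10.20.0.9"},   # HMI + engineering workstation
}

# Constructed sample log (not real traffic). Zeek writes "-" for an unset field.
SAMPLE_LOG = (
    "1750000000.000000\tCx1\t10.20.0.5\t50231\t10.20.1.10\t502\tREAD_HOLDING_REGISTERS\t-\n"
    "1750000001.250000\tCx2\t10.20.0.5\t50232\t10.20.1.10\t502\tWRITE_SINGLE_REGISTER\t-\n"
    "1750000007.500000\tCx3\t10.20.0.77\t41022\t10.20.1.10\t502\tREAD_COILS\t-\n"
    "1750000009.000000\tCx4\t10.20.0.77\t41023\t10.20.1.10\t502\tWRITE_MULTIPLE_COILS\t-\n"
    "1750000012.000000\tCx5\t10.20.0.9\t38800\t10.20.1.11\t502\tWRITE_MULTIPLE_REGISTERS\t-\n"
    "1750000015.000000\tCx6\t10.20.0.77\t41024\t10.20.1.11\t502\tWRITE_SINGLE_COIL\tILLEGAL_DATA_ADDRESS\n"
)


def parse_modbus_log(text):
    """Parse tab-separated modbus.log lines into dicts; skips Zeek '#' header lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, uid, orig_h, _orig_p, resp_h, _resp_p, func, exc = line.split("\t")
        records.append({"ts": float(ts), "uid": uid, "src": orig_h, "dst": resp_h,
                        "func": func, "exception": None if exc == "-" else exc})
    return records


def detect_unauthorized_writes(records, allowlist=WRITE_ALLOWLIST):
    """Return write records whose source is not allowlisted for the target PLC.
    A rejected write (exception set) is still flagged: the attempt is the signal."""
    return [r for r in records
            if r["func"] in WRITE_FUNCS and r["src"] not in allowlist.get(r["dst"], set())]


def epoch_to_utc(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def add_one_month(dt):
    """Same day next month, clamped to that month's length (the directive says 'one month';
    national transposition may define the period more precisely)."""
    year, month = (dt.year + 1, 1) if dt.month == 12 else (dt.year, dt.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return dt.replace(year=year, month=month, day=min(dt.day, last_day))


def nis2_reporting_deadlines(aware_at):
    """Article 23 staged deadlines, measured from becoming aware of the incident."""
    return {
        "early_warning": aware_at + timedelta(hours=24),
        "incident_notification": aware_at + timedelta(hours=72),
        "final_report": add_one_month(aware_at),
    }


def triage(log_text, allowlist=WRITE_ALLOWLIST):
    """Run detection over a log and, if anything fires, compute the reporting clock."""
    alerts = detect_unauthorized_writes(parse_modbus_log(log_text), allowlist)
    if not alerts:
        return {"alerts": [], "deadlines": None}
    first_seen = epoch_to_utc(min(a["ts"] for a in alerts))
    return {"alerts": alerts, "deadlines": nis2_reporting_deadlines(first_seen)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for a in result["alerts"]:
        print(f"ALERT {a['uid']}: {a['src']} -> {a['dst']} {a['func']} exception={a['exception']}")
    for stage, due in (result["deadlines"] or {}).items():
        print(f"{stage}: due {due.isoformat()}")
```

On the sample, the HMI's write (Cx2) and the engineering workstation's write to the PLC it is cleared for (Cx5) pass, while the two writes from 10.20.0.77 are flagged even though the second one was rejected by the PLC. The reads from the unknown host are deliberately not alerted here; in a real deployment they would feed an asset-inventory check instead, since a host that reads before it writes is exactly the reconnaissance pattern the 24-hour early warning is meant to catch.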

The compliance burden falls acutely on mid-market manufacturers. Organizations face multiple barriers, including lack of awareness, technical complexity, financial constraints, and regulatory uncertainty. According to CISA, cost pressures stem from high procurement costs and licensing fees for secure-capable components, further exacerbated by complex solutions that drive operators toward external assistance for deployment and maintenance. Complexity increases through poor integrator contracts, proprietary protocols, and unclear manufacturer guidance, while operational risk is driven by limited visibility, legacy infrastructure limitations, and interoperability issues.

Outlook

As of 2025, several EU member states have published detailed NIS2 security requirements, and implementation is actively underway across critical sectors. Vendors that fail to demonstrate IEC 62443-aligned product development and open-protocol interoperability risk exclusion from procurement processes as manufacturers embed security standards directly into contracts and RFQs. Companies that embrace open, secure standards stand to gain a competitive advantage, while those that remain in closed, proprietary ecosystems face significant hurdles. Across the sector, the combination of regulatory enforcement and rising attack volumes (global cyberattacks rose approximately 21% year-over-year in Q2 2025, with Europe recording the highest regional increase) is expected to accelerate consolidation around certified, interoperable OT platforms through 2026.