Compliance · For IT/OT managers and Plant Managers

OT cybersecurity and NIS2: what actually changes for plant operators.

Legislative Decree 138/2024 transposed NIS2 in Italy. Since late 2024 concrete obligations apply to essential and important operators — including a large slice of manufacturing, F&B at scale, mid-to-large automotive, and critical infrastructure. This guide explains what NIS2 means in plant terms, how IEC 62443 fits in as the technical reference, and the five minimum actions to put in place in the first 90 days. No legalese padding — just what to do, and in what order.

Published
11 min read

1 · NIS2

NIS2 in 60 seconds: who is in scope and from when.

NIS2 (EU Directive 2022/2555) is the second generation of the Network and Information Security Directive. It replaces NIS1, dramatically widens the scope, and introduces serious fines. Italy transposed it with Legislative Decree 138 of September 4, 2024, in force from October 16, 2024.

Two categories of in-scope entities, with proportional obligations:

  • Essential entities

    Energy, transport, banking, healthcare, water, digital infrastructure, public administration, parts of the agri-food and high-criticality manufacturing chain. Administrative fines up to €10 million or 2% of annual global turnover (whichever is higher).

  • Important entities

    Manufacturing (medical devices, electronic devices, machinery, motor vehicles, other regulated products), mid-scale food chain, research, postal services, waste management, chemicals, food manufacturing. Fines up to €7 million or 1.4% of global turnover.

  • Default size threshold

    For most sectors the threshold kicks in at 50 employees or €10 million in annual turnover. Below that, you are excluded by default; above it, you are in scope unless a sector-specific exception applies.

  • ACN registry and deadlines

    In-scope entities had to register with ACN (the Italian national cybersecurity agency) by February 28, 2025. Anyone who missed the deadline but is in scope is already past the first regulatory milestone — the priority becomes minimizing fine exposure.

Common confusion: "NIS2 is only for big banks and utilities". False. Mid-to-large manufacturing (>50 employees, >€10M turnover) is in scope, often as "important entity". Wrong self-classification is the number-one cause of non-compliance discovered in audit.

2 · Definition

OT cybersecurity: why it isn't IT cybersecurity with a new label.

Your plant's IT lead knows how to protect office servers: firewall, antivirus, MFA, monthly patches. Applied to a 2010-era Siemens PLC, all of that either doesn't work or breaks production. OT (Operational Technology) cybersecurity has three constraints classic IT doesn't have:

  • Availability over confidentiality

    In IT the priority is data protection (Confidentiality > Integrity > Availability). In OT the priority flips (Availability > Integrity > Confidentiality). Stopping a line to push a patch usually costs more than the risk of leaking the valve temperature.

  • Extremely long lifecycles

    A PLC installed in 2008 can still be running in 2030. You can't assume an up-to-date OS, modern TLS, complex passwords. Security has to be built around the PLC you have, not by rewriting it.

  • Industrial-specific protocols

    Profinet, Profibus, Modbus, EtherCAT, OPC UA. Most of them were designed without authentication or encryption (OPC UA is the exception, and only when its security modes are actually enabled). An attacker on the OT network with physical cable access can inject false commands to the PLC. Protection comes from network segmentation and access control, not from "let's install antivirus".

3 · Framework

IEC 62443: the technical framework that turns NIS2 into practice.

NIS2 says "you must manage cyber risk". IEC 62443 says how. It is the international standard for cybersecurity of industrial automation and control systems (IACS). The documents that matter in practice:

  • IEC 62443-2-1 — Security program for asset owners

    For whoever runs the plant. Defines processes: assessment, risk management, policy, training, incident response. This is where every audit starts.

  • IEC 62443-3-3 — System security requirements and security levels

    Defines 4 levels (SL1-SL4). SL1 = protection against casual or coincidental violation. SL2 = attacker using simple means with low resources. SL3 = OT-specialist attacker with moderate resources. SL4 = state-level attacker with extended resources. For most Italian industrial plants, SL2 is the realistic target for new installations.

  • Zones and conduits

    The core principle: split the OT network into zones (groups of assets with the same required security level) connected by conduits (controlled channels). Example: field zone (PLCs), supervision zone (SCADA/MES), office zone (IT). Between zones, industrial firewalls letting through only the authorised protocols and ports.

  • IEC 62443-4-2 — Component requirements

    Defines what a single PLC, drive, HMI, or gateway must do to be "secure". Useful at purchase time: asking the vendor for an IEC 62443-4-2 SL2 declaration is a sharp filter on serious suppliers.

4 · First 90 days

The five minimum actions to put in place in the first 90 days.

For a plant starting from zero or close to it (typical situation in mid-to-large Italian manufacturing), these five actions cover roughly 70% of the real risk and score well in an ACN audit. They are compatible with running plants — no major production stops needed if planned well.

  • 1 · OT asset inventory

    Everything starts here: a list of every PLC, HMI, drive, gateway, switch, and industrial PC on the OT network, with IP, brand, model, firmware. Without this list you don't know what to protect. Tools like Nozomi, Claroty, Tenable OT do it automatically; for smaller plants, manual inventory + passive Wireshark works.

  • 2 · OT/IT network segmentation

    Industrial firewall (Stormshield, Fortinet, Siemens Scalance) between office and OT networks. Only necessary flows pass through (e.g. MES to ERP, SCADA to historian). No PLC reachable directly from the office network, ever. Typical cost: €5-15k for a mid-size plant.

  • 3 · Access hardening on PLCs and SCADA

    Default passwords changed (yes, we still find "siemens/siemens" on 2024 plants). Personal, named SCADA users — never shared. Audit log active on SCADA and MES — who did what, when. On modern PLCs (S7-1500): enable "know-how protection" to block unauthorised upload/modify.

  • 4 · Backup and disaster recovery

    Back up PLC programs, HMI configurations, SCADA server images — to storage outside the OT network (not on the same network that might be compromised). Documented restore tests at least annually. Ransomware on the IT network must not be able to also compromise OT backups.

  • 5 · Incident response procedure

    A 2-5 page document saying: who does what in the first 30 minutes of a suspected cyber incident, who gets notified, how the zone is isolated, how ACN is notified within the NIS2 deadlines (early warning within 24 hours, incident notification within 72 hours). Annual test as a tabletop — no field drill needed, a 2-hour meeting with a plausible scenario is enough.

These five actions are not "compliance theatre". They are the five things a real attacker hits first. With them in place you've already made the plant an inconvenient target — most opportunistic attackers move to the next one.
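The zones-and-conduits principle from section 3 and actions 1 and 2 above (inventory, then segmentation with only authorised flows) can be checked mechanically. The following is an added example, not IOMA's or ARIA's code: it assumes a constructed inventory of hypothetical addresses, an allow-list of conduits, and a few constructed flow records of the kind a passive capture summary would give you, and it reports every cross-zone flow with no authorised conduit plus every device the inventory does not know about.

```python
# Constructed OT asset inventory (action 1): IP -> zone. Hypothetical addresses.
INVENTORY = {
    "10.10.1.11": "field",        # Siemens PLC
    "10.10.1.12": "field",        # Modbus/TCP PLC
    "10.10.2.20": "supervision",  # SCADA server
    "10.10.2.21": "supervision",  # historian
    "10.20.0.50": "office",       # ERP / office workstation
}

# Authorised conduits (action 2): (src_zone, dst_zone) -> allowed (proto, port) pairs.
# Anything not listed is denied by default; office -> field has no entry at all.
CONDUITS = {
    ("supervision", "field"): {("tcp", 102), ("tcp", 502), ("tcp", 4840)},  # S7comm, Modbus/TCP, OPC UA
    ("office", "supervision"): {("tcp", 4840)},                            # MES/ERP to SCADA via OPC UA
}

def classify_flow(src, dst, proto, port):
    """Verdict for one observed flow against the zone/conduit model."""
    src_zone, dst_zone = INVENTORY.get(src), INVENTORY.get(dst)
    if src_zone is None or dst_zone is None:
        return "unknown-asset"      # inventory gap: something on the wire the list does not know
    if src_zone == dst_zone:
        return "intra-zone"         # same zone, no conduit involved
    if (proto, port) in CONDUITS.get((src_zone, dst_zone), set()):
        return "allowed"
    return "blocked"                # cross-zone flow with no authorised conduit

def check_flows(flow_lines):
    """Parse 'src,dst,proto,port' lines and return the findings that need action."""
    findings = []
    for line in flow_lines:
        line = line.split("#", 1)[0].strip()   # drop inline comments and blanks
        if not line:
            continue
        src, dst, proto, port = line.split(",")
        verdict = classify_flow(src, dst, proto.lower(), int(port))
        if verdict in ("blocked", "unknown-asset"):
            findings.append((src, dst, proto.lower(), int(port), verdict))
    return findings

# Constructed sample flows, as they might come out of a passive capture summary.
SAMPLE_FLOWS = """
10.10.2.20,10.10.1.11,tcp,102    # SCADA polling the S7 PLC: authorised conduit
10.20.0.50,10.10.1.12,tcp,502    # office host talking Modbus straight to a PLC: must never happen
10.20.0.50,10.10.2.20,tcp,3389   # office RDP into the SCADA server: no conduit for it
10.10.1.99,10.10.1.11,tcp,102    # unlisted device talking S7 to a PLC: inventory gap
""".splitlines()

if __name__ == "__main__":
    for finding in check_flows(SAMPLE_FLOWS):
        print(finding)
```

Each "blocked" finding is either a firewall rule that is missing or a flow that should not exist; each "unknown-asset" finding sends you back to action 1 before you touch the firewall.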

5 · IOMA

How we support NIS2 and OT cybersecurity in plants.

IOMA is not an audit firm — we don't sell paper. What we do: technical assessment on the real plant, architectural design to cover IEC 62443 and NIS2 requirements, implementation of the measures (segmentation, hardening, user management on SCADA and MES), support during ACN audits or supply-chain due diligence from enterprise customers.

ARIA — our MES/SCADA platform — is built with native audit log, role-based user management, field-level isolation via ARIA Connector. The plant application layer is pre-aligned to IEC 62443 by design, not patched on top.

FAQ

Frequently asked questions on NIS2 and OT cybersecurity

Questions Plant Managers ask before starting an MES/SCADA project.

How do I know if NIS2 applies to me?

Three filters in sequence: (1) is my sector listed among essential or important entities in Legislative Decree 138/2024 (Annexes I and II)? (2) do I exceed 50 employees or €10M annual turnover? (3) does my activity have actual significance for the listed sector? Three yeses and you're in. When in doubt (e.g. supplier of components for a regulated chain), the safe pattern is to register with ACN — better registered than past the deadline.

I missed the February 28, 2025 registry deadline. What do I risk?

Technically you are in breach of the registration obligation. ACN has shown a gradualist approach so far — no mass-fining campaign yet. The priority is regularising now: register, complete self-classification, kick off the assessment. The first fines will likely target significant unnotified cyber incidents, not registration delays.

What's the difference between NIS2 and IEC 62443?

NIS2 is a legal norm (what you must do by law). IEC 62443 is a technical standard (how to do it concretely on the plant floor). ACN inspections check NIS2 obligations; but to demonstrate compliance on an industrial site, the reference tool is IEC 62443. They are complementary, not alternatives.

What does an OT cybersecurity assessment cost on a mid-size plant?

Typical range: €8-25k for a single plant with 1-3 production lines, excluding remediation work. The five minimum actions (inventory, segmentation, hardening, backup, incident response) typically add another €20-60k depending on plant age and starting PLC inventory completeness. Multi-plant: scales well because architecture and procedures replicate.

Can I be NIS2-compliant without spending on software?

Technically yes — NIS2 is product-agnostic. In practice no, beyond one line: manual hardening, paper audit logs, Excel-based user management don't scale past 1-2 machines. An MES/SCADA with native audit log and role-based user management (such as ARIA) removes most of the manual work that otherwise becomes the audit's failure point.

Are small companies (under 50 employees) fully exempt?

Default yes — out of mandatory NIS2 scope. Exceptions: if you are a critical supplier of an essential entity (e.g. sole-source component for a utility), you can be pulled in via supply chain. Plus, many enterprise customers are asking for IEC 62443 alignment from small suppliers — even when you're not legally bound, losing a customer because you aren't aligned becomes a business problem.

Are ARIA and IOMA's solutions IEC 62443 compliant?

ARIA is designed following IEC 62443-3-3 SL2 principles (audit log, user management, segmentation, PLC communication via dedicated connector). We do not yet have third-party IEC 62443-4-2 certification on the product — it is on the roadmap. We integrate already-certified components (industrial firewalls, managed switches) and our architecture supports auditable SL2 deployments.

Let's talk

Got a project in mind?

Tell us about your idea or your operational challenge. Our team is ready to listen and propose the right technology fit.