The NIS2 Directive is one of the most important cybersecurity regulatory changes in Europe in recent years. Its goal is to ensure that affected organizations establish a consistently higher level of protection for their network and information systems.
However, the regulation is not only an IT issue. The impact of NIS2 is especially important for companies operating industrial automation, manufacturing, technological or infrastructure systems. In these environments, cybersecurity is not only about protecting data, but also about production processes, machines, equipment and, in many cases, operational safety.
What is NIS2, and why is it important?
NIS2 is a European Union cybersecurity directive that sets stricter requirements for organizations operating in several critical sectors. Its purpose is to help affected organizations manage cybersecurity risks more consciously, prepare for incidents, and implement appropriate technical, organizational and operational measures.
In Hungary, the requirements related to NIS2 appear through national cybersecurity regulations. Among other things, affected organizations must identify their electronic information systems, classify them into security classes, and prepare for the related audits.
NIS2 is therefore not a one-time administrative task, but the development of a long-term operational and security mindset.
What are EiR, OT and OT EiR?
An EiR, or electronic information system, is a system used for managing, processing, storing or transmitting digital data. Most organizations first think of classic IT systems: servers, email systems, ERP systems, file servers or workstations.
OT, or Operational Technology, refers to systems that control, measure or monitor physical processes. This includes, for example, PLCs, SCADA systems, HMI panels, industrial communication networks, measurement systems, sensors, actuators and production line control systems.
An OT EiR is an electronic information system that operates in an OT environment or is directly connected to industrial, manufacturing, technological or infrastructure processes. Examples include a SCADA system, a PLC network, an industrial data collection system or an IT/OT connection point.
Why is OT important for NIS2 compliance?
Based on our experience, many organizations treat preparation for NIS2 primarily as an IT project. This is understandable, but in an industrial environment it is not sufficient.
OT systems are increasingly connected to corporate networks, remote access solutions, data collection systems and even cloud-based services. This enables more efficient operation, but it also creates new risks.
The consequences of an OT incident may be very different from those of a traditional IT incident. It may not only involve data loss or service disruption, but also production downtime, incorrect technological operation, defective production, equipment damage or even occupational safety risks.
For this reason, OT systems cannot be ignored when preparing for NIS2 compliance. In an industrial company, the OT environment is often the foundation of actual operation.
Why does OT require a different mindset than IT?
The cybersecurity approach of IT and OT differs significantly.
In the IT world, regular updates, endpoint protection, access management rules, logging and vulnerability assessments are standard practices. In OT environments, however, the priorities are different. Continuous availability, process stability, safe machine operation and production continuity are often the primary considerations.
Restarting or updating an office system is usually a manageable operational task. In the case of a system controlling a production process, however, a poorly timed modification can cause significant downtime or technological problems.
OT systems often include long-lifecycle devices, older operating systems, vendor-specific solutions and special industrial communication protocols. Understanding and handling these safely requires automation, technological and operational experience as well.
OT is often a blind spot even for highly qualified IT professionals
Based on our experience, OT is often a “blind spot” even for the most qualified IT professionals. This is not a professional shortcoming, but a result of the fact that the OT world operates according to a different logic than classic IT environments.
Assessing the risks of a PLC program, a SCADA architecture, an industrial network topology, a production line control system or a technological maintenance connection requires not only IT knowledge, but also automation and process technology expertise.
At MODIM Mérnöki Kft., we therefore focus on this topic as automation engineers, not as classic IT specialists. We do not aim to replace IT professionals, but to complement their expertise with our own knowledge.
We believe that successful NIS2 preparation requires cooperation between IT and OT. IT professionals bring corporate IT, networking, access management and cybersecurity experience, while we, as automation engineers, complement this with practical knowledge of industrial systems, control systems, technological processes and OT environments.
The two fields should not work instead of each other, but together, strengthening one another to create real and workable NIS2 compliance.
How can MODIM Mérnöki Kft. help?
At MODIM Mérnöki Kft., we place strong emphasis on handling OT systems with the right professional approach from the perspective of NIS2 compliance.
Our colleagues continuously participate in training programs to support our partners with up-to-date knowledge in preparing industrial automation systems for cybersecurity requirements. As automation engineers, we do not only consider regulatory expectations, but also the real operation, limitations and risks of industrial environments.
We can support our partners in areas such as:
- identifying OT systems and OT EiRs,
- reviewing industrial networks and automation systems,
- mapping IT/OT connection points,
- identifying OT-focused risks,
- supporting NIS2 preparation tasks,
- planning technical and organizational measures,
- preparing OT-specific documentation and action plans.
Our goal is to ensure that OT systems do not remain a hidden area during NIS2 compliance preparation. In an industrial organization, cybersecurity can only be complete if the technological and automation environment also receives the necessary attention.
Summary
NIS2 compliance is not only an IT task. In industrial environments, OT systems can form an important part of electronic information systems, making their identification, assessment and protection essential.
OT requires a different mindset than classic IT. It is not enough to examine these systems only from an IT perspective, because they affect physical processes, machines and production environments.
At MODIM Mérnöki Kft., we approach this field as automation engineers who also work with cybersecurity. We do not intend to replace IT professionals, but to work together with them, complementing each other’s expertise, in order to help our partners prepare their OT systems for the requirements of NIS2.
