In recent months, we have increasingly seen Operational Technology (OT) being described as a “new area of focus” within NIS2. That is understandable. Production lines, packaging machinery, industrial installations, warehouse automation, access control systems, and other forms of operational technology represent a growing cybersecurity risk across Europe.
What many organisations do not realise, however, is that OT has long been a standard component of the NIS2 Supply Chain certification approach.
NIS2 is not just about IT
The assumption that NIS2 only concerns IT is incorrect. The European NIS2 Directive explicitly adopts an “all hazards approach”. This means that not only traditional IT systems must be secured, but also operational processes, physical infrastructure, and OT environments that are essential to organisational continuity.
This is where significant risks often lie in practice
Many organisations have made solid progress in securing their Microsoft 365 environments, firewalls, and endpoints. Yet at the same time, production lines, industrial controllers, OT networks, and external maintenance connections are often still running with outdated passwords, insufficient network segmentation, or limited monitoring.
In some cases, OT systems are even directly or indirectly accessible from the internet. Research into industrial control systems continues to show that OT environments worldwide still contain large numbers of vulnerabilities.
ENISA: OT and Supply Chain Security are part of NIS2
The European cybersecurity agency ENISA has consistently emphasised that OT and supply chain security are integral components of NIS2. Multiple ENISA publications explicitly reference ICT/OT supply chain cybersecurity, governance, monitoring, and supplier responsibilities.
For that reason, OT has been incorporated into NIS2 Supply Chain certification standards from the outset—not only from a technical perspective, but also at the organisational and governance levels.
This includes, among other things:
- security of operational systems and industrial equipment;
- management of external access to OT environments;
- suppliers and maintenance providers with access to production systems;
- segmentation between IT and OT networks;
- backup and business continuity measures;
- access management and physical security;
- risks associated with software updates and remote management;
- awareness among employees and leadership;
- supply chain risks relating to OT suppliers.
For many sectors, this is essential. Consider logistics, manufacturing, food production, chemicals, energy, infrastructure, water management, and healthcare. OT disruption can have immediate consequences for production, service delivery, and wider societal continuity.
Supplier risks make OT even more relevant
ENISA also stresses that NIS2 is not solely about internal security measures, but equally about demonstrable control over supplier and supply chain risks.
This directly affects OT, as many operational systems rely heavily on external software vendors, maintenance providers, system integrators, and specialised technology companies.
In practice, we often see that OT has remained outside cybersecurity governance for years—not due to reluctance, but because OT has traditionally been viewed as “engineering”, “operations”, or “facilities”, rather than as part of cybersecurity governance.
NIS2 fundamentally changes that.
OT is not an optional add-on
It is therefore important for organisations to understand that OT is not a separate extension or optional module within NIS2 Supply Chain certification. It is already embedded as a standard part of the framework.
This is precisely because operational technology forms the core of business continuity for many organisations.
While awareness of OT is now rapidly increasing across Europe, OT has been a core part of the NIS2 Supply Chain certification framework from the very beginning.
Start your NIS2 Certification
Do you want to gain demonstrable control over cyber risks across your IT, OT, and supplier ecosystem?
Start your NIS2 Supply Chain certification today and show that your organisation takes digital resilience seriously.