NIS2 and OT cybersecurity in industry

by Equipo Nexum

OT cybersecurity for industry has stopped being an IT matter and become a legal obligation. With the NIS2 directive, thousands of plants across the EU must protect their control networks —PLCs, SCADA, production lines— as rigorously as their data. This guide explains, without the hype, who is in scope, what it requires and where to start.

In one sentence: NIS2 forces you to manage cyber risk and report incidents; OT security is the technical practice that makes it possible on the shop floor, where an attack doesn't steal data —it stops the factory.

1 What NIS2 is and why it hits industry

The NIS2 directive (EU Directive 2022/2555, Network and Information Security 2) is the European law that raises the minimum cybersecurity level across the sectors deemed critical. It replaces and widens the old 2016 NIS: it multiplies the covered sectors, tightens the obligations and, above all, pulls manufacturing and industry firmly inside the regulated perimeter.

The shift for a plant is that protecting office computers is no longer enough. NIS2 also requires you to assess and protect the networks and information systems that run the production process: the SCADA that supervises the plant, the PLCs that move the line, the HMIs, the drives and the industrial network that connects them. In other words, the OT world (Operational Technology).

NIS2 is not an "IT" rule: it is a business-continuity rule. Ransomware that encrypts the SCADA doesn't leak a spreadsheet, it halts production —and the directive makes management answerable for preventing that.

2 Who it applies to: essential and important entities

NIS2 sorts the obligated organisations into two categories, with different supervision and penalty regimes:

  • Essential entities (EE): high-criticality sectors such as energy, drinking water, transport, banking, health and digital infrastructure. Proactive supervision and fines of up to EUR 10M or 2% of global turnover.
  • Important entities (IE): manufacturing of critical products, food, chemicals, waste management and digital services. Reactive supervision and fines of up to EUR 7M or 1.4% of turnover.

As a rule of thumb, NIS2 applies if your organisation operates in one of the covered sectors and has 50 or more employees or more than EUR 10 million in turnover per year. Many factories and process plants fall in as an important entity, even if they don't see themselves as "critical infrastructure".

Even if your plant sits below the thresholds, the knock-on effect is real: if you are a supplier to an obligated entity, they will impose security requirements by contract. The supply chain is one of NIS2's pillars.

3 State of transposition across the EU

The European deadline to transpose NIS2 into national law expired on 17 October 2024. Many Member States missed it —the Commission issued reasoned opinions to most of them in 2025— and are bringing it in through national laws on staggered timelines:

  • Spain is transposing in stages (Royal Decree-Law 7/2025 plus a pending Cybersecurity Coordination and Governance Act), with full enforcement expected in 2026.
  • France missed the deadline and is enacting its national law, with enforcement phased over 2025-2026.
  • Bulgaria adopted its NIS2 law (amendment to the Cybersecurity Act, State Gazette No. 17), in force from 13 February 2026.

The practical message is clear: the national law still being finalised is no excuse to wait. The core obligations (risk management and reporting) are already set in the directive, and a plant's technical adaptation takes months. Whoever starts now arrives on time. For official guidance, refer to your national CSIRT and to the EU agency ENISA.

4 Key obligations you must meet

NIS2 is not a checklist of products but a set of management obligations. These are the ones that hit an industrial plant hardest:

| Obligation | What it means for your plant |
| --- | --- |
| Risk management | Assess and treat cyber risk across IT and OT networks: inventory, segmentation, access control, backups, encryption. |
| Incident reporting | Early warning within 24 h, notification within 72 h and a final report within 1 month. |
| Management accountability | The management body approves and oversees the measures, and is personally liable for compliance. |
| Training | Regular awareness for staff, including management. |
| Continuity and response | Business-continuity plans, crisis management and tested backups. |
| Supply chain | Assess the security of suppliers and integrators. |

Non-compliance is costly: up to EUR 10 million or 2% of global turnover for essential entities, and up to EUR 7 million or 1.4% for important ones. More importantly, accountability sits with management, not just the systems department.

5 IT vs OT: why industrial security is different

The most expensive mistake is applying office-IT recipes to the plant. IT and OT have opposite priorities, and that changes everything:

| Criterion | IT | OT (industrial) |
| --- | --- | --- |
| Priority | Data confidentiality | Availability and physical safety of the process |
| Life cycle | 3-5 years | 15-25 years (PLC, SCADA) |
| Patching | Frequent, near-automatic | Planned windows; often can't be stopped |
| Protocols | Designed with security | Legacy industrial, often without encryption or auth |
| Impact of a failure | Data leak or loss | Production halt, physical damage, risk to people |

That is why you can't "copy and paste" the IT model onto the factory. A heavy antivirus can take down an HMI; rebooting a device to update it can stop a whole line. OT security needs its own approach that understands the production process —the same knowledge used to design a SCADA system or to compare SCADA versus HMI.

6 OT security best practices (and where IEC 62443 fits)

Meeting NIS2 on the plant floor translates into concrete technical measures. The reference standard is IEC 62443, the international cybersecurity standard for industrial automation and control systems (IACS): while NIS2 sets the what (legal obligations), IEC 62443 provides the how with its zones and conduits model. These are the highest-impact practices:

  1. OT asset inventory. You can't protect what you don't know. Catalogue every PLC, HMI, SCADA, drive and switch on the industrial network.
  2. Network segmentation. Separate IT from OT using the Purdue model and IEC 62443 zones. An office breach must not reach the line.
  3. Access management. Controlled and logged remote access, least privilege and MFA for supplier maintenance.
  4. Planned patching. Update SCADA and PLCs in shutdown windows, with prior testing. Where patching isn't possible, compensate with segmentation.
  5. Monitoring and backup. Detect anomalies on the OT network and keep tested, safely stored copies of PLC programs and SCADA projects.
  6. Response plan. A clear procedure to detect, contain and report (24 h/72 h), rehearsed before the incident happens.

The Purdue model organises the network into levels —from the field (sensors and actuators) to management (ERP)— and helps decide what talks to what. IEC 62443 refines it with zones (groups of assets at the same security level) and conduits (the controlled communications between them). Combining both is today the basis of any defensible OT architecture, and dovetails naturally with practices such as predictive maintenance, which also lives on that industrial network.
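To make the zones-and-conduits idea concrete, here is an added Python example (written for this guide, not code from the article's authors or from any IEC 62443 tooling) that ties together three of the practices above: the asset inventory, the segmentation policy and the monitoring of the OT network. It declares a handful of zones mapped to Purdue levels, an allow-list of conduits between them, and a small inventory, then checks a set of observed network flows against that model and reports every flow that crosses a zone boundary without a conduit or involves an address the inventory does not know. All addresses, zone layouts, ports, asset names and flow records are constructed for the example; a real plant would feed this from its firewall or network-monitoring export and its own inventory.

```python
"""Check observed OT network flows against an IEC 62443 zone-and-conduit model.

Added example, not part of the original article. Every zone, address, conduit,
asset name and flow below is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Zone:
    name: str
    purdue_level: int  # Purdue level the zone sits at (constructed mapping)
    cidr: str          # address range assigned to the zone (constructed)


# Zones: Purdue levels expressed as IEC 62443 zones (constructed layout).
ZONES = (
    Zone("enterprise", 4, "10.0.0.0/16"),  # office IT, ERP
    Zone("idmz", 3, "10.10.0.0/24"),       # industrial DMZ: jump host, patch relay
    Zone("site_ops", 3, "10.20.0.0/24"),   # SCADA servers, historian, engineering workstation
    Zone("control", 1, "10.30.0.0/24"),    # PLCs, HMIs, drives (levels 0-2)
)

# Conduits: the only permitted cross-zone flows, as (src zone, dst zone, dst port).
# Anything not listed here, and not inside a single zone, is a segmentation violation.
CONDUITS = {
    ("enterprise", "idmz", 443),     # office users reach the jump host over HTTPS
    ("idmz", "site_ops", 3389),      # jump host reaches the engineering workstation
    ("site_ops", "control", 502),    # SCADA polls PLCs over Modbus/TCP
    ("site_ops", "control", 44818),  # SCADA polls PLCs over EtherNet/IP
}

# Asset inventory (constructed): addresses the plant knows and what they are.
INVENTORY = {
    "10.0.5.23": "office-laptop-17",
    "10.10.0.2": "ot-jump-host",
    "10.20.0.5": "scada-server-1",
    "10.20.0.8": "eng-workstation-1",
    "10.30.0.10": "plc-line-a",
    "10.30.0.11": "hmi-line-a",
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(ip: str) -> Optional[Zone]:
    """Return the zone whose address range contains ip, or None if no zone does."""
    addr = ip_address(ip)
    for zone in ZONES:
        if addr in ip_network(zone.cidr):
            return zone
    return None


def evaluate(flow: Flow) -> str:
    """Return 'allowed' or a 'violation: ...' reason for one observed flow."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "violation: address outside every defined zone"
    if flow.src not in INVENTORY or flow.dst not in INVENTORY:
        return "violation: asset not in OT inventory"
    if src_zone == dst_zone:
        return "allowed"  # traffic inside one zone is the zone's own business
    if (src_zone.name, dst_zone.name, flow.dport) in CONDUITS:
        return "allowed"
    return "violation: no conduit from {} to {} on port {}".format(
        src_zone.name, dst_zone.name, flow.dport)


def check_flows(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return every flow that is not allowed, paired with the reason."""
    findings = []
    for flow in flows:
        verdict = evaluate(flow)
        if verdict != "allowed":
            findings.append((flow, verdict))
    return findings


# Constructed sample of flows, as a firewall or network monitor might export them.
OBSERVED = [
    Flow("10.20.0.5", "10.30.0.10", 502),     # SCADA -> PLC: allowed by conduit
    Flow("10.0.5.23", "10.10.0.2", 443),      # office -> jump host: allowed by conduit
    Flow("10.0.5.23", "10.30.0.10", 502),     # office laptop straight to a PLC: violation
    Flow("10.30.0.10", "10.30.0.11", 502),    # PLC and HMI in the same zone: allowed
    Flow("10.30.0.10", "10.0.5.23", 445),     # PLC reaching into the office network: violation
    Flow("192.168.77.4", "10.30.0.10", 502),  # address in no zone at all: violation
    Flow("10.20.0.9", "10.30.0.10", 502),     # right zone, but not in the inventory: violation
]

if __name__ == "__main__":
    for flow, reason in check_flows(OBSERVED):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {reason}")
```

Run as-is, it reports four of the seven constructed flows as violations. The same function can be pointed at a proposed firewall rule set instead of observed traffic, which turns it into a pre-change check that a rule request from a supplier or integrator does not quietly open a path from the office network to the line.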

Frequently asked questions

What is the NIS2 directive and which industrial companies does it apply to?

NIS2 (EU Directive 2022/2555) is the European law that raises the minimum cybersecurity level in critical sectors. It applies to essential and important entities with 50 or more employees or more than EUR 10 million turnover operating in covered sectors, including energy, water, food, manufacturing of critical products, chemicals or transport. Many industrial plants fall in as an important entity.

When does NIS2 come into force?

The EU transposition deadline was 17 October 2024. Several Member States, including Spain and France, missed it and are transposing it in stages through national laws, with full enforcement and inspections expected during 2025-2026. Check your country's specific law, as competent authorities and exact dates vary.

What are the key NIS2 obligations for a plant?

Cybersecurity risk management across IT and OT networks, incident reporting (early warning within 24 h, notification within 72 h and a final report within one month), direct management accountability for the measures, training, business continuity and supply-chain security. Non-compliance can lead to fines of up to EUR 10 million or 2% of global turnover.

How does OT security differ from IT security?

In IT the priority is data confidentiality; in OT the priority is availability and the physical safety of the process. OT systems (PLC, SCADA, HMI) have very long life cycles, cannot be stopped for patching on demand and many industrial protocols were born without security. That is why OT needs its own approach rather than blindly copying IT practices.

What is the IEC 62443 standard and how does it relate to NIS2?

IEC 62443 is the international cybersecurity standard for industrial automation and control systems (IACS). It defines the zones and conduits model, security levels and requirements for vendors, integrators and operators. NIS2 sets the what (risk management and legal obligations); IEC 62443 provides the technical how to meet it in the OT environment.

Which OT security best practices should I apply first?

Start by inventorying all OT assets, segmenting the network to separate IT from OT following the Purdue model and IEC 62443 zones, controlling and logging remote access, managing SCADA and PLC patching with planned windows, and defining an incident response plan with tested backups. These are the measures with the highest impact and lowest relative cost.

The bottom line

NIS2 turns OT cybersecurity into a named obligation: risk management across the industrial network, incident reporting on tight deadlines and management accountability. It is not an IT project but a plant-continuity one —and the technical adaptation takes months, so it pays to start now.

The good news is that the first measures (inventory, segmentation, access) are the highest-impact ones and rest on process knowledge, not on buying boxes. See how we approach it in our secure SCADA systems.

Is your plant ready for NIS2?

We help you inventory, segment and secure your OT network —from PLC to SCADA— aligned with NIS2 and IEC 62443, without stopping production. Tell us about your case.
