As organizations move to secure their most critical assets, Operational Technology (OT), from industrial control systems to critical infrastructure, has come under increasing examination. Traditionally, cybersecurity focused on IT systems, leaving OT in a more isolated domain. However, the new NIS2 Directive marks a clear shift: cybersecurity is no longer limited to IT alone, and the highest levels of leadership are now held accountable for safeguarding both IT and OT environments. Christo Butcher, executive consultant at Fox-IT, shares his perspective on these changes.
The expanded scope of NIS2
NIS2 recognizes that threats no longer differentiate between IT and OT systems. Instead of viewing them as separate silos, the Directive calls for an integrated cybersecurity strategy that covers all aspects of an organization’s infrastructure. This holistic view raises two key challenges:
- A broader regulatory net: OT processes often use legacy systems or specialized protocols, making them more difficult to secure. Under NIS2, these systems can no longer be treated as an afterthought.
- Heightened board-level responsibility: CEO-level accountability has grown beyond pure IT oversight, forcing leadership to understand and manage OT risks as part of the organization’s strategic planning.
“Many companies are unsure how to implement NIS2 due to its abstract nature. The directive’s broad scope means that while it sets the right tone for responsibility, it doesn’t provide directly actionable steps for companies to follow.” — Christo Butcher
Top-down responsibility for OT Security
Historically, CEOs and boards tended to delegate cybersecurity decisions. Today, NIS2 explicitly specifies that ultimate accountability resides at the top. This top-down approach applies directly to OT assets and processes. Christo adds:
“Before NIS2, it was too easy for CEOs to leave cybersecurity entirely to the CISO or IT department. NIS2 is very clear about this: the ultimate responsibility now lies with the top leadership.”
With NIS2, senior leadership must stay informed about OT risks, ensuring they allocate the necessary budgets and align organizational structures to protect critical industrial processes. While day-to-day implementation remains the responsibility of cybersecurity teams, NIS2 drives a more dynamic relationship: technical teams must be prepared to brief executives on OT risks, and executives must treat OT security as a strategic imperative.
Bridging the gap between strategy and operations
One of the greatest challenges in implementing NIS2 is translating its high-level mandates into concrete action plans for OT environments. Effective communication across organizational layers is critical. The Directive necessitates a cultural shift—where boards are conversant enough in key OT security issues to make informed decisions, and operational teams have the frameworks to articulate those issues clearly. Christo explains: “This tension is beneficial because it strongly encourages the ultimate decision-makers to understand and engage with the cybersecurity landscape. I foresee a productive development where both layers of the organization—the strategic leadership and the operational cybersecurity teams—must work towards a common understanding.”
While the CEO or board may not become OT experts overnight, they must grasp basic risk scenarios—ransomware, sabotage, or espionage—and how these attacks could disrupt critical operations. Conversely, OT managers and security teams must translate these scenarios into actionable insights and maintain an ongoing dialogue with leadership.
Segmentation and the role of DataDiodes
NIS2 highlights the importance of identifying and protecting an organization’s ‘crown jewels’—including essential OT processes. A key strategy here is network segmentation. Creating well-defined security zones makes it more difficult for attackers to move laterally within a network. Christo says:
“Segmentation is crucial in creating security zones within an organization. The goal is to minimize the blast radius of an incident, reducing the impact when something goes wrong. This approach allows for more detailed control and better risk management.”
In OT environments, segmentation often includes deploying DataDiodes to create a one-way data flow out of critical systems. By physically preventing data from traveling back into the protected zone, DataDiodes add a layer of protection well beyond what a standard firewall can offer: a firewall enforces a policy in software that can be misconfigured or bypassed, whereas a diode has no inbound channel at all. Although not universally applicable, they are invaluable for isolating the most sensitive OT processes, preventing remote manipulation of their data, and hindering threat actors from pivoting across networks. Christo adds: “That’s why there is growing interest in straightforward, black-and-white security solutions that do offer high-security guarantees. DataDiodes are a clear example, providing much stronger security assurance because of their fundamental approach to security. Executives love that level of clarity!”
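The one-way property has a practical consequence the passage above leaves implicit: with no return path, the receiving side can never acknowledge a frame or ask for a retransmission, so connection-oriented protocols such as TCP cannot cross a diode as-is, and the sending side must supply redundancy and integrity on its own. The Python simulation below is an added example, not code from Fox-IT or from the article: a sender frames each record with a sequence number and an HMAC, repeats every frame because a lost one is unrecoverable, and a receiver verifies, deduplicates and reports sequence gaps that it can only log, never request. The shared key, the frame layout and the lossy channel are constructed for illustration and are not any vendor's protocol.

```python
"""Simulated one-way (data-diode style) transfer: no ACKs, no retransmission."""
import hashlib
import hmac
import struct

# Constructed, hypothetical shared key; a real deployment provisions it out of band.
KEY = b"example-diode-key"
HDR = struct.Struct("!IH")               # seq number (uint32), payload length (uint16)
TAG_LEN = hashlib.sha256().digest_size    # 32-byte HMAC-SHA256 tag


def build_frame(seq: int, payload: bytes) -> bytes:
    """Sender side: header || payload || HMAC(header || payload)."""
    body = HDR.pack(seq, len(payload)) + payload
    return body + hmac.new(KEY, body, hashlib.sha256).digest()


def send_stream(messages, replicas: int = 2) -> list:
    """Emit each message `replicas` times. With no return channel, repetition
    is the only defence against loss the sender can offer."""
    frames = []
    for seq, msg in enumerate(messages):
        for _ in range(replicas):
            frames.append(build_frame(seq, msg))
    return frames


class DiodeReceiver:
    """Receiving side: verifies integrity, drops duplicates, records gaps."""

    def __init__(self):
        self.received = {}     # seq -> payload
        self.highest = -1      # highest authentic sequence number seen
        self.rejected = 0      # frames that failed the MAC or were malformed

    def accept(self, frame: bytes) -> str:
        if len(frame) < HDR.size + TAG_LEN:
            self.rejected += 1
            return "malformed"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            self.rejected += 1
            return "bad_mac"
        seq, length = HDR.unpack_from(body)
        payload = body[HDR.size:]
        if len(payload) != length:
            self.rejected += 1
            return "malformed"
        self.highest = max(self.highest, seq)
        if seq in self.received:
            return "duplicate"
        self.received[seq] = payload
        return "ok"

    def missing(self) -> list:
        """Sequence numbers never seen. The receiver can alert on these
        (e.g. to its own SOC) but has no path to request them again."""
        return sorted(s for s in range(self.highest + 1) if s not in self.received)


def lossy_channel(frames, drop) -> list:
    """Constructed channel: deterministically drops frames at the given indices."""
    return [f for i, f in enumerate(frames) if i not in drop]


def run_demo(messages, drop, replicas: int = 2):
    """Push a stream through the lossy one-way channel; return receiver and statuses."""
    rx = DiodeReceiver()
    statuses = [rx.accept(f) for f in lossy_channel(send_stream(messages, replicas), drop)]
    return rx, statuses


if __name__ == "__main__":
    msgs = [b"m0", b"m1", b"m2", b"m3"]
    rx, statuses = run_demo(msgs, drop={2, 3})   # both copies of seq 1 are lost
    print("statuses:", statuses)
    print("missing (can only be logged, not requested):", rx.missing())
```

Replication is the crude form of what real diode proxies do with forward error correction; the point the simulation makes is that loss detection lives entirely on the receiving side and integrity must be bound to each frame, because nothing downstream can ever influence the sender.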
A continuous process in a changing landscape
OT security is never a one-and-done project. New threats emerge, systems evolve, and organizations must regularly reassess their posture. NIS2’s focus on top-down responsibility places the onus on leadership to ensure that processes and technologies remain up to date and capable of defending against the ever-changing threat landscape.
By enforcing accountability at the highest levels, NIS2 aims to drive a cultural and operational shift in how organizations prioritize cybersecurity—particularly in domains like OT, where the stakes can be especially high.
Key takeaways
- OT in scope: NIS2 explicitly covers both IT and OT, elevating the importance of industrial and critical systems in an organization’s overall cybersecurity strategy.
- Board-level accountability: Leadership must understand OT risks and ensure robust defenses; accountability can no longer be handed off to technical teams alone.
- Collaborative culture: Effective implementation requires clear communication between executives, CISOs, and OT security teams—bridging strategy and operations.
- Segmentation & DataDiodes: Network segmentation and physical one-way data flows offer strong security measures that leadership can rely on, particularly for critical OT environments.
- Ongoing evolution: The threat landscape is dynamic. Organizations need to continuously adapt, guided by a top-down mandate and cross-functional collaboration.
NIS2 makes cybersecurity—across both IT and OT—an executive-level priority. As organizations align their operations with this Directive, the emphasis on segmentation, clear communication, and strategic accountability will help keep critical processes safe in an increasingly complex digital environment.