NIS2: The directive that changes the rules of the game for OT security

Ommund Øvrelid, Principal Solution Architect at Cegal
03/19/2026

The digitalization of critical infrastructure is accelerating - and with it, risks are increasing. The NIS2 directive is the EU's clearest signal yet that cybersecurity can no longer be treated as an add-on to ordinary operations; it must be built in as a core component of the business foundation. For Norwegian players in energy, water, industry, telecom, and other critical businesses, this means a new reality: stricter requirements, clearer responsibilities, and a significantly stronger focus on OT security.

This is more than a directive - it's a boost that modernizes Europe's entire digital backbone.

Why is NIS2 important - and why now?

The threat landscape against critical infrastructure has changed drastically. OT systems that were previously isolated and stable are now being connected to IT, cloud, and supplier environments to enable more data-driven operations. At the same time, the attack surface is increasing.

NIS2 therefore tightens requirements in a number of areas, including:

  • access management, logging, and encryption
  • secure development, operation, patching, and maintenance
  • emergency preparedness, incident management, and continuity
  • control of supply chains and integrations
  • documented risk management
  • systematic training

The consequences are significant: violations can lead to fines of up to €10 million or 2% of global turnover.

In Norway, NIS2 will be integrated into existing legislation, primarily the Security Act. Planned entry into force is July 1, 2026.

OT: From isolated technology to an attractive attack target

The most comprehensive shift is about OT. Traditionally, OT environments have been characterized by:

  • minimal changes
  • very long equipment lifetime
  • strict segmentation
  • little or no internet access
  • availability prioritized over confidentiality

This reality is disappearing. Modern operations require data sharing, integration with IT, remote access, cloud-based analytics, and extensive automation. The sum is a perfect storm: OT systems that were never designed to be exposed to networks now find themselves on the front lines. Threat actors know this situation - and are actively exploiting it.

IT and OT must work together

Where IT has traditionally had confidentiality as its highest priority, OT has lived by the principle of "uptime first". With NIS2, these two worlds must be united - in a way that is secure, standardized, and well documented.

Businesses that want:

  • automated processes
  • predictive maintenance
  • advanced analytics and machine learning
  • better utilization of operational data
  • more optimal and robust operations

are completely dependent on secure and controlled access to OT data. At the same time, NIS2 sets clear requirements that digital security must follow this data all the way through the value chain.

You can't be truly data-driven without complying with NIS2 requirements for both OT and IT.

Edge computing: The bridge builder between IT and OT

One solution that is gaining increasing attention - and with good reason - is edge technology. Edge serves as a security and architectural principle that enables organizations to extract value from OT data without directly exposing OT environments.

With edge, you get:

  • data processing close to the data source
  • a buffer layer that reduces risk
  • secure and controlled IT/OT integration
  • support for real-time analytics and AI
  • an architecture that builds resilience, not complexity

In short, edge makes IT/OT convergence both possible and practical.

Five actions you should start now

Although the details of the legislation are still being refined, the direction is clear. Waiting is a poor strategy. These actions should be prioritized today:

1. Map OT systems, integrations, and dependencies
You can't protect what you don't know.

2. Get an overview of supply chains and third-party risks
The whole value chain needs to be secure - not just your own platform.

3. Standardize identity management, logging, and patching across IT and OT
Harmonization is a prerequisite for control.

4. Plan for secure data sharing - preferably with edge architecture
Data-driven operations must be combined with security "by design".

5. Start the NIS2 work early
This is a multi-year boost, especially for businesses with heavy OT.

Businesses that start now don't just strengthen security - they also gain a real competitive advantage.

NIS2 is a strategic opportunity - not just a regulatory requirement

It can be tempting to think of NIS2 as a comprehensive compliance program. In reality, the directive points to something businesses must deal with anyway: modern, secure, and data-driven operations.

When IT and OT pull in the same direction, businesses achieve:

  • better security
  • more predictable operations
  • deeper insight and better decision-making
  • closer collaboration across professional environments
  • higher maturity and increased robustness

For critical infrastructure, this is more than a legal requirement - it's good business.

As part of our leading domain knowledge in the power industry, Cegal has assembled a strong multidisciplinary team with an in-depth understanding of the challenges involved, and we are ready to help operators meet the requirements triggered by NIS2.

Do you need advisory support on NIS2 and OT security?

We are ready to help you.
