NIS2 Directive
Overview
Part 1: Requirements for industrial remote access
The industrial landscape is changing rapidly as operational technology (OT) and information technology (IT) become increasingly interconnected. While this interconnectedness facilitates efficiency, monitoring and predictive maintenance, it also brings significant cybersecurity challenges. Among these challenges, securing remote access to industrial systems is paramount, as vulnerabilities can jeopardize safety, productivity and compliance. To address these growing risks, the NIS2 directive (1) prescribes security measures for industrial environments.
This post is the first in a series addressing the complexities of securing remote access in industrial environments. It focuses on the key requirements of the NIS2 directive and provides actionable steps to help organizations achieve remote access compliance.
Part 2: How to achieve compliance for industrial remote access according to IEC 62443
Here we will discuss how the IEC 62443 series of standards can support compliance with the NIS2 directive, particularly in the context of remote access.
Part 3: How to secure industrial remote access according to NIS2 and IEC 62443
Finally, we provide here detailed guidance on how to configure the Ewon Remote Access Service according to IEC 62443 recommendations to ensure NIS2 compliance.
Part 1: Requirements for industrial remote access

The growing importance of securing industrial remote access
Remote access to industrial systems is essential in modern operations. From real-time monitoring to remote troubleshooting, efficient remote access improves productivity and reduces downtime. However, it also exposes systems to unique vulnerabilities that traditional IT environments do not face.
Challenges in securing industrial remote access
- Cyber threats
Industrial facilities are valuable targets for cyberattacks, including ransomware, unauthorized access and data breaches. The sophistication of these attacks has increased, making robust defenses essential.
- Outdated devices
Many industrial systems were designed with availability and reliability in mind, not cyber security. Weak authentication frameworks and outdated protocols in older systems further exacerbate the challenge.
- Compliance and regulations
Security standards such as ISA/IEC 62443, NIST 800-82 and ISO 27001 specify strict protocols for industrial cybersecurity. Meeting these compliance requirements is both critical and complex.
- Reliability and performance
Industrial processes require consistent and uninterrupted operation. Remote access solutions must not only be secure, but also avoid delays or interruptions.

What is the NIS2 Directive and what impact does it have on cybersecurity in industry?
The NIS2 Directive is a comprehensive update of its predecessor NIS and aims to strengthen cybersecurity across the European Union. NIS2 extends its scope to more sectors and requires essential and important companies to take proactive measures to secure their networks and information systems.
Article 21 of the NIS2 Directive requires companies to adopt risk-based approaches to cybersecurity, mitigate risks in the supply chain, implement robust defenses and establish incident reporting mechanisms. For industrial sectors, this will include how remote access to operational technologies (OT) is secured.
The key implications of NIS2 for industrial cyber security include:
- Accountability for supply chain security
Organizations must ensure that external service providers comply with their established security requirements.
- Secure-by-design practices
Solutions must be designed and implemented with built-in security controls.
- Incident reporting requirements
Any cybersecurity incident affecting industrial facilities must be reported immediately to the relevant authorities.

Important NIS2 security requirements for remote access to industrial systems
The NIS2 directive prescribes a number of specific security controls for remote access to industrial systems. Implementing these measures improves security, ensures regulatory compliance and increases resilience to cyber-attacks.
Below are the 17 most important requirements for securing remote access:
| Category | Measure | Where in NIS2 Article 21 | Requirement |
| --- | --- | --- | --- |
| Access controls | Ensure that the strength of authentication is appropriate. | (g) Basic cyber hygiene practices and cyber security training | Use strong, up-to-date authentication methods to protect remote access. |
| Access controls | Use multi-factor authentication. | (j) The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications, and secured emergency communications systems within the organization, as appropriate. | Secure remote access connections with MFA to add an additional layer of protection. |
| Access controls | Change credentials on first use. | (g) Basic cyber hygiene practices and cyber security training | Default passwords or credentials should be changed immediately after setup to minimize risk. |
| Access controls | Implement authentication procedures based on the principle of least privilege. | (i) Personnel security, access control policies and asset management | Restrict user access to the systems and resources required for their tasks. |
| Access controls | Require reset of credentials and lockout of users after a predefined number of unsuccessful login attempts. | (g) Basic cyber hygiene practices and cybersecurity training | Set thresholds for failed login attempts and enforce automatic lockout to prevent brute force attacks. |
| Access controls | Ensure that authorization is obtained from the asset owner prior to any remote access connection. | (g) Basic cyber hygiene practices and cyber security training | Allow third-party providers to connect only after they have submitted an authorization request and received approval. |
| Incident handling | Use tools to monitor and log activities. | (b) Incident handling | Use tools to monitor and log all remote access activities to record responsibilities and identify threats. |
| Network security | Network segmentation | (e) Security in the procurement of network and information systems | Implement segmentation and controls that strictly prevent unnecessary or unauthorized access. |
| Network security | Security patch management | (g) Basic cyber hygiene practices | Regularly update all software and firmware with the latest patches to address vulnerabilities. |
| Network security | Disable unneeded connections and services. | (g) Basic cyber hygiene practices | Reduce security risks by disabling unused services and ports. |
| Network security | Protect against unauthorized software. | (e) Security in the procurement of network and information systems | Enforce policies to prevent the installation or execution of unauthorized software on devices. |
| Network security | Grant only authorized devices access to the network. | (e) Security in the procurement of network and information systems | Implement controls to block unregistered or unauthenticated devices. |
| Policies and procedures | Establish, implement and apply a policy and procedures related to cryptography. | (h) Policies and procedures for the use of cryptography and, where appropriate, encryption | Use proven cryptographic methods for remote access. |
| Policies and procedures | The applications used in the automation solution are generally accepted by both the security and industrial automation industries. | (g) Basic cyber hygiene practices | Ensure that all applications in the automation solution are recognized and accepted by both the industrial automation and security industries. |
| Policies and procedures | Provide detailed instructions for installation, configuration, operation and termination of remote access. | (g) Basic cyber hygiene practices | Define and enforce strict measures for connections to IACS environments. |
| Policies and procedures | Regularly review identities and deactivate them when no longer needed. | (g) Basic cyber hygiene practices | Regularly review digital identities and revoke access for users who no longer need it. |
| Policies and procedures | Establish policies for the management of privileged accounts and system administration accounts. | (i) Personnel security, access control policies and asset management | Enforce strict policies for the management of high-privilege accounts to prevent abuse or exploitation. |

Introducing a risk-based, security-focused approach
NIS2 compliance is not just about working through checklists, but about fundamentally improving the security of industrial systems.
Here are some practical steps industrial companies can take to implement a secure-by-design framework:
- Adopt industry standards
Align with standards such as ISA/IEC 62443, which provide actionable guidance for cybersecurity policies and technical controls.
- Conduct risk assessments
Regularly assess potential security vulnerabilities and implement risk-based mitigation strategies.
- Train your staff
Train employees and engineers in cybersecurity best practices to ensure proper handling of remote access technologies.
- Work closely with suppliers
Ensure that your machine builders and service providers integrate NIS2-compliant security measures into their solutions.
Securing the future of industrial cyber security
Remote access is the backbone of modern industrial operations, but its increasing importance also increases its potential risks. By adopting the security measures of NIS2 and utilizing established frameworks such as ISA/IEC 62443, industrial companies can protect their assets, ensure compliance and build trust with stakeholders.
Part 2: How to achieve compliance for industrial remote access according to IEC 62443

This second article in our series looks at how IEC 62443 standards can help organizations achieve NIS2 compliance - especially with regard to secure industrial remote access. Stay tuned - soon we will publish a detailed guide on how to configure Ewon Remote Access Services according to IEC 62443 and NIS2.
Navigating the changing cybersecurity landscape
The NIS2 Directive addresses the growing cybersecurity risks faced by EU Member States. It introduces a risk-based framework with stricter requirements for incident reporting, supply chain monitoring and business continuity. Non-compliance can result in significant penalties, making it critical for industrial companies to implement mature and auditable security programs.
IEC 62443 is the global standard for the security of industrial automation and control systems (IACS). Originally developed by the International Electrotechnical Commission (IEC) in collaboration with the International Society of Automation (ISA), the framework provides comprehensive guidelines for plant owners, service providers, system integrators and component manufacturers. It describes a layered defense approach that is particularly effective for securing networks, systems and remote access channels.
Important components of IEC 62443 for remote access security
The IEC 62443 series includes several important standards:
- IEC 62443-2-1: Specifies cybersecurity risk management and incident response planning programs for asset owners.
- IEC 62443-2-4: Defines security requirements for service providers, including secure design, deployment, maintenance and remote access.
- IEC 62443-3-2: Guides organizations through risk assessment and determination of required security levels.
- IEC 62443-3-3: Describes mandatory technical security controls, including those specific to remote access.
- IEC 62443-4-1 / 4-2: Focuses on secure product development and security at component level.
Together, these standards provide end-to-end accountability across the entire OT cybersecurity lifecycle.
How IEC 62443 aligns with NIS2 requirements
The table below shows how key components of IEC 62443 can be mapped to specific NIS2 security requirements. This practical correspondence supports a structured approach to compliance:
1. Risk management and security measures
NIS2 requirement: Implementation of risk-based security measures.
| IEC standard | Description |
| --- | --- |
| IEC 62443-2-1 | Describes cybersecurity risk management programs. |
| IEC 62443-3-2 | Helps with risk assessment and the definition of security levels for industrial systems. |
| IEC 62443-4-2 | Contains security requirements for individual components. |
2. Security of the supply chain
NIS2 requirement: Ensuring cyber security in the supply chain.
| IEC standard | Description |
| --- | --- |
| IEC 62443-2-4 | Defines security requirements for service providers (e.g. integrators, suppliers). |
| IEC 62443-4-1 | Defines secure product development procedures. |
| IEC 62443-3-3 | Specifies system and network security controls. |
3. Incident reporting and response
NIS2 requirement: Report incidents to national authorities within 24 hours (initial report) and 72 hours (detailed report).
| IEC standard | Description |
| --- | --- |
| IEC 62443-2-1 | Requires asset owners to have incident response and recovery plans in place. |
| IEC 62443-2-4 | Requires service providers to have incident response and recovery plans. |
4. Access control and identity management
NIS2 requirement: Enforce strict access controls and identity management.
| IEC standard | Description |
| --- | --- |
| IEC 62443-3-3 | Enforces security controls for systems and networks. |
| IEC 62443-4-2 | Specifies security requirements for individual components. |
5. Business continuity and resilience
NIS2 requirement: Ensuring business continuity in the event of cyber incidents.
| IEC standard | Description |
| --- | --- |
| IEC 62443-2-1 | Requires backup, disaster recovery and business continuity planning for IACS environments by asset owners. |
| IEC 62443-2-4 | Requires backup, disaster recovery and business continuity planning for IACS environments by service providers. |

Practical mapping of IEC 62443 and NIS2 for industrial remote access
To effectively secure industrial remote access, organizations can map IEC 62443 practices directly to specific NIS2 guidelines.
Key mappings include:
| Chapter | Category | Measure | NIS2 Article 21 | IEC 62443-2-1 | IEC 62443-2-4 | IEC 62443-3-3 |
| --- | --- | --- | --- | --- | --- | --- |
| 3.1 | Access controls | Ensure that the strength of authentication is appropriate. | (g) Basic cyber hygiene practices and cyber security training | USER1.11 | SP.09.05 | SR1.7 |
| 3.2 | Access controls | Use multi-factor authentication. | (j) The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate | USER1.9 | SP.03.07 RE(1) | SR1.1 RE(2) |
| 3.3 | Access controls | Change credentials on first use. | (g) Basic cyber hygiene practices and cybersecurity training | USER1.1 | SP.09.07 | SR1.5 |
| 3.4 | Access controls | Implement authentication procedures according to the principle of least privilege. | (i) Human resources security, access control policies and asset management | USER1.5 | SP.03.08 | SR2.1 |
| 3.5 | Access controls | Require reset of credentials and lockout of users after a predefined number of failed login attempts. | (g) Basic cyber hygiene practices and cybersecurity training | USER1.15 | --- | SR1.11 |
| 3.6 | Incident handling | Use tools to monitor and log activities. | (b) Incident handling | EVENT1.6 | SP.08.02 | SR2.8 |
| 3.7 | Access controls | Ensure that authorization is obtained from the asset owner prior to any remote access connection. | (g) Basic cyber hygiene practices | NET3.2 | SP.07.04 | SR1.13 RE(1) |
| 3.8 | Network security | Network segmentation | (e) Security in network and information systems acquisition | NET1.1 | SP.03.02 RE(2) | SR5.1, SR5.2 (with RE) |
| 3.9 | Network security | Security patch management | (g) Basic cyber hygiene practices | COMP3.2 | SP11.xx | --- |
| 3.10 | Network security | Disable unneeded connections and services. | (g) Basic cyber hygiene practices | COMP1.1 | SP.03.05 | SR7.7 |
| 3.11 | Network security | Protection against unauthorized software | (g) Basic cyber hygiene practices | COMP2.1 | SP.10.05 | SR3.2 |
| 3.12 | Network security | Allow only authorized devices to access the network. | (e) Security in network and information systems acquisition | USER1.19 | SP.03.08 RE(3) | SR1.2 |
| 3.13 | Policies and procedures | Establish, implement and apply a policy and procedures regarding the use of cryptography. | (h) Policies and procedures regarding the use of cryptography and, where appropriate, encryption | DATA1.5 | SP.07.04 RE(1) | SR4.3 |
| 3.14 | Policies and procedures | The applications used in the automation solution are generally accepted by both the security and industrial automation industries. | (g) Basic cyber hygiene practices | --- | SP.07.01 | --- |
| 3.15 | Policies and procedures | Provide detailed instructions for installation, configuration, operation and termination of remote access. | (g) Basic cyber hygiene practices | NET3.2 | SP.07.02 | SR1.13 |
| 3.16 | Policies and procedures | Review identities regularly and deactivate them when they are no longer required. | (g) Basic cyber hygiene practices | USER1.2 | SP.09.03 | SR1.3 |
| 3.17 | Policies and procedures | Maintain policies for the management of privileged accounts and system administration accounts. | (i) Human resources security, access control policies and asset management | USER1.1 | SP.09.01 | SR1.3 |
Conclusion
The alignment of the IEC 62443 standard with the NIS2 directive provides a robust framework for securing industrial remote access. With its standards-compliant architecture, Ewon from HMS Networks offers industrial organizations a practical and secure way to implement these requirements - supporting regulatory compliance, reducing cybersecurity risks and ensuring business continuity.
In Part 3 (November 2025), we look at practical implementation: How do you configure Ewon's remote access services to meet NIS2 and IEC 62443 requirements?
Stay tuned!
Part 3: A guide to configuring Ewon Talk2m and devices for NIS2 compliance using the ISA/IEC 62443 framework

Secure remote access to industrial systems is critical, but companies face several major challenges:
1. Cyber threats - Industrial systems are prime targets for cyberattacks, including unauthorized access, ransomware and data breaches.
2. Outdated devices - Many operational technology (OT) systems were not designed with security in mind and are therefore vulnerable to modern threats.
3. Compliance and regulations - Standards such as ISA/IEC 62443, NIST 800-82 and ISO 27001 require strict controls for remote access security.
4. Reliability and performance - Secure remote access must not cause latency or disruption to industrial processes.
1.1 NIS2 DIRECTIVE CONSIDERATIONS
The NIS2 Directive (1) specifically mandates more stringent cybersecurity requirements for essential and critical facilities, including asset owners. Key security requirements include:
1. Risk-based security controls - Organizations must implement robust risk management strategies to secure remote access.
2. Incident Reporting - Mandatory reporting of cybersecurity incidents affecting industrial environments.
3. Third Party Security Assurance - Machine builders must ensure their solutions meet asset owner security requirements and NIS2 compliance.
4. Network and Information Systems Security Measures - Companies must protect remote access solutions from unauthorized access, cyber threats and potential disruption.
The Commission Implementing Regulation (EU) (2) describes more specifically what is expected of companies that must comply with the regulations. Machine builders need to consider these requirements and build them in from the start - or make them easily adaptable to enable simplified compliance for their customers.
1.2 RESPONSIBILITIES IN THE SUPPLY CHAIN
With the introduction of NIS2, asset owners are now also responsible for ensuring that their supply chain is secure and that deliveries critical to the business are guaranteed. Combined with insurance company requirements to clarify the maturity of cyber security measures, this raises many questions for asset owners. One consequence of this is changes in procurement that require clear secure-by-design delivery. Machine builders need to adapt their architecture to meet these new requirements.
Fortunately, the ISA/IEC 62443 standard provides good guidance for both policies and procedures: ISA/IEC 62443-2-4 describes the requirements for security programs, and 62443-3-3 outlines the technical requirements at the system level. Implementing and referencing these requirements not only significantly increases the security of the machine, but also simplifies communicating the level of security provided by the design.
The full guide, "Guide to configuring Ewon Talk2m & devices for NIS2 compliance using the ISA/IEC 62443 framework", is available for download.

For further questions about cyber security, please contact: ewonsecurity(at)hms-networks.com