Regulatory expectations for operational technology (OT) cybersecurity have shifted from high-level principles to binding, measurable obligations. Utilities, manufacturers, and critical infrastructure operators now face pressure to redesign governance structures, procurement policies, and compliance programs across heterogeneous industrial environments.

The shift is simultaneous on both sides of the Atlantic. On December 11, 2025, CISA released its updated Cross-Sector Cybersecurity Performance Goals 2.0 (CPG 2.0), consolidating IT and OT guidance into unified, outcome-driven controls and adding a new "Govern" function that places cybersecurity accountability at the C-suite level. In parallel, the EU's NIS2 Directive - which required member-state transposition by October 17, 2024 - introduces administrative fines of up to €10 million or 2% of global annual turnover, whichever is higher, and imposes personal liability on management bodies for compliance failures. The UK followed in November 2025 with the Cyber Security and Resilience Bill (CSRB), which, according to Infosecurity Magazine, classifies nearly all OT systems as national resilience assets and grants regulators authority to recoup oversight costs directly from operators.

Background

OT systems have traditionally operated outside the scope of IT security regulations, prioritizing uptime and operational stability over cybersecurity. That separation has eroded as IT and OT converge. NIS2 covers 18 critical sectors, and its Article 21 requirements for risk analysis, incident reporting, and supply chain security apply explicitly to industrial control systems (ICS), SCADA networks, and OT environments. Enforcement posture is already uneven: as of mid-2025, 16 EU and EEA countries had adopted NIS2 into national law, while others remained in draft or consultation phases with enforcement expected to extend into 2026. Some member states, including Italy, have exceeded the directive's minimum requirements, expanding sectoral scope and management liability.

In the United States, CISA's CPG 2.0 remains voluntary but carries regulatory weight through alignment with mandatory sector-specific regimes. CPG 2.0 includes four new goals targeting emerging risks, among them the risk posed by third-party providers with deep system access and the adoption of zero-trust principles to mitigate lateral movement. The update also folds the OT-only goals of its predecessor into universal goals covering both IT and OT, reducing framework fragmentation for small and medium-sized operators.

Details

Persistent gaps between paper compliance and operational readiness remain the central challenge. The 2025 SANS State of ICS/OT Security Survey, drawing on responses from over 330 industrial cybersecurity professionals, found that only 12.6% of organizations reported full visibility across the ICS Cyber Kill Chain - from initial IT compromise through to potential impacts on PLCs, SCADA systems, and physical processes. While nearly 50% of incidents were detected within 24 hours and around 60% were contained within 48 hours of detection, remediation remained significantly slower: 22% of incidents required two to seven days to recover, and 19% took over a month.

Regulated sites demonstrate measurable advantages. According to the same SANS survey, organizations subject to mandatory compliance regimes - including NERC CIP and TSA Security Directives - experienced approximately 50% fewer financial losses and safety impacts when incidents occurred, compared to peers operating without such mandates. The survey attributed this gap to regulation-driven deployment of foundational capabilities: asset visibility, logging, and change detection.

Supply chain governance has emerged as a specific enforcement focus under NIS2. Under NIS2's Article 21, supply chain risk management is an explicit obligation, covering OT vendors and system integrators. SANS Institute instructor Dean Parsons has noted that, for operators deploying legacy programmable logic controllers (PLCs) and hybrid cloud workloads across distributed edge environments, implementing controls designed for IT systems "may introduce new risks or prove ineffective in OT environments," underscoring the need for ICS-specific security measures such as network visibility and secure remote access.

The EU Commission proposed targeted amendments to NIS2 on January 20, 2026, aimed at increasing legal clarity and easing compliance for approximately 28,700 companies, including 6,200 micro and small-sized enterprises. CISA's CPG 2.0, meanwhile, acknowledges implementation-cost constraints explicitly, noting that its Impact and Ease of Implementation ratings "do not necessarily extend to OT systems or other non-IT environments."

Outlook

The regulatory trajectory points toward continuous assurance requirements rather than periodic audit snapshots. CISA is expected to release a new CSET assessment module for CPG 2.0 in Q1 2026, providing updated checklists and repeatable analytic tools aligned to the revised goal set. In Europe, national enforcement intensity will continue to diverge as jurisdictions move beyond NIS2 minimums. The UK CSRB's progress through Parliament will be closely watched by asset owners seeking clarity on mandatory incident reporting thresholds, stricter penalties, and the expanded classification of OT systems as national resilience assets - setting a potential precedent for similar regulatory escalation in other jurisdictions.