OT Security Regulatory Map
Compliance requirements are driving more OT security procurement than internal risk programs. The table below shows what each framework requires for each control area and where frameworks overlap, which matters for organizations under multiple obligations at once.
| Requirement | NERC CIP | IEC 62443 | NIS2 / CRA | TSA Directives |
|---|---|---|---|---|
| OT network visibility | R: CIP-015 INSM (2026) | ~: implied by zone model | R: incident detection | R: continuous monitoring |
| Network segmentation | R: ESP / PSP (CIP-005, CIP-006) | R: zone and conduit model (62443-3-2) | R: network security measures | R: IT/OT separation |
| Access control | R: CIP-004 / CIP-006 / CIP-007 | R: least privilege (62443-3-3 FR1, FR2) | R: IAM measures | R: MFA required |
| Incident reporting | R: E-ISAC and CISA within 1 hour of determination (CIP-008) | —: not specified | R: 24 hr early warning / 72 hr notification | R: to CISA (24 hr) |
| Vulnerability management | R: CIP-010 assessments, CIP-007 patching | R: patch management (62443-2-3) | R: risk management measures | R: patching requirement |
| Supply chain security | R: CIP-013 | ~: supplier requirements (62443-4-1, 4-2) | R: supply chain risk | ~: implied |
| Secure remote access | R: MFA for Interactive Remote Access (CIP-005 R2) | R: remote access controls | R: access management | R: explicit requirement |
| Board accountability | —: not specified | —: not specified | R: management body liability (NIS2 Art. 20) | —: not specified |

Legend: R = explicitly required; ~ = implied or partial; — = not specified.
NERC CIP: key standards for software procurement
CIP-005 defines the electronic security perimeter (ESP) and its access points, including controls on Interactive Remote Access. CIP-007 requires system security management: ports and services hardening, security patch management, malicious code prevention, and security event monitoring for BES Cyber Systems inside the ESP. CIP-008 requires incident response plans and incident reporting. CIP-010 requires configuration change management and vulnerability assessments. CIP-013 requires supply chain risk management for BES Cyber Systems. CIP-015, effective 2026, requires internal network security monitoring (INSM) of traffic inside the ESP.
What CIP-015 means in practice
CIP-015 is the most significant recent development. It requires continuous monitoring of network traffic inside the electronic security perimeter, detection of anomalous activity, and retention of the data needed to investigate it; point-in-time assessments do not satisfy the requirement. Organizations that have been deferring OT security platform investment now have a hard compliance deadline. In practice the monitoring is passive (SPAN or TAP feeds into an analysis platform); active scanning is rarely acceptable on bulk electric system networks because of the availability risk it poses to controllers and protective relays.
Compliance evidence requirements
NERC CIP audits require documented evidence. Vendors that automate evidence collection and reporting reduce the administrative burden significantly. Industrial Defender is built around this specifically. Dragos, Claroty, and Nozomi all have CIP compliance reporting capabilities worth evaluating.
Upcoming: CIP-015 (2026)
CIP-015 takes effect in 2026. Once the compliance date for a given set of systems arrives, organizations without an INSM-capable platform covering those systems are out of compliance. Confirm the compliance dates in the CIP-015 implementation plan, which differ by BES Cyber System impact rating, and check NERC's standards page for pending revisions to other CIP standards.
IEC 62443: what it requires
IEC 62443 is a multi-part standard covering ICS security across the full lifecycle. The zone and conduit model (IEC 62443-3-2) requires dividing OT networks into security zones with communication between them restricted to defined conduits. Security levels (SL 1–4) define the protection a zone or component must provide, based on the risk assessment for that zone; system requirements are in 62443-3-3 and component requirements in 62443-4-2. Supplier requirements (62443-4-1 for the secure development lifecycle, 62443-2-4 for service providers) define what vendors developing and integrating ICS components must demonstrate.
Why it matters even without direct enforcement
IEC 62443 alignment is increasingly required in vendor procurement qualification, particularly in Europe and in supply chain security programs. The EU Cyber Resilience Act does not name IEC 62443 in its text, but the harmonised standards being developed for CRA conformity are expected to build on it, so IEC 62443 product certification will carry real regulatory weight once the main CRA obligations apply in December 2027. Vendors with ISASecure certification (the third-party scheme covering 62443-4-1, 4-2 and 3-3) are in a stronger procurement position than those claiming alignment without independent verification.
Upcoming: CRA (2027)
IEC 62443-2-1 was revised in 2024. The CRA's December 2027 application date makes verifiable IEC 62443 conformance a commercial requirement for vendors selling connected OT products in the EU, not just a best practice. Begin requiring third-party certification in vendor RFPs now.
NIS2 requirements
NIS2 expands scope significantly from the original directive: more sectors, stricter requirements, board-level accountability. For OT environments this means risk management measures including network segmentation and asset management, supply chain security, incident reporting (early warning within 24 hours of becoming aware of a significant incident, incident notification within 72 hours, final report within one month), and management body liability for cybersecurity failures.
The 24-hour reporting requirement
NIS2's incident reporting timeline (24 hours for the early warning, 72 hours for the fuller notification) is the most operationally demanding requirement. Organizations cannot report incidents they cannot detect, which makes OT visibility and detection tooling non-negotiable for NIS2 compliance. Organizations under both NIS2 and NERC CIP should note that CIP-008 is tighter still: initial notification to E-ISAC and CISA within one hour of determining a Reportable Cyber Security Incident. Build the incident response workflow to the tightest clock that applies, and make the determination step, the point at which each clock starts, explicit in the runbook.
CRA requirements
The Cyber Resilience Act applies to manufacturers of products with digital elements sold in the EU. For OT security practitioners, a CRA-compliant vendor has a documented vulnerability handling and disclosure process, provides security updates for a defined support period (at least five years unless the product's expected lifetime is shorter), reports actively exploited vulnerabilities to ENISA and the national CSIRT, and, for products in the important or critical classes, has undergone third-party conformity assessment rather than self-assessment. Require CRA conformity documentation (the EU declaration of conformity and supporting technical documentation) from OT software vendors in EU procurement processes from December 2027.
Upcoming: CRA (2027)
The NIS2 transposition deadline (17 October 2024) has passed, but national laws, competent authorities and registration procedures differ by member state, so check the transposition law in each state where you operate. CRA reporting obligations apply from 11 September 2026 and the main obligations from 11 December 2027. Organizations procuring OT equipment for EU operations should begin CRA vendor qualification now; conformity assessment takes time.
TSA Directives: what they require
Following the 2021 Colonial Pipeline attack, TSA issued the Security Directive Pipeline-2021-02 series, which requires network segmentation between IT and OT systems, multi-factor authentication for remote OT access, continuous monitoring of OT networks for cybersecurity threats, patching to reduce the risk of exploitation of unpatched systems, and documented incident response plans tested against OT-specific scenarios. The directives are outcome-based: operators submit a Cybersecurity Implementation Plan, and TSA approves alternative measures where operators demonstrate equivalent security outcomes.
Overlap with NERC CIP
Pipeline operators who also operate bulk electric system assets face overlapping TSA and NERC CIP obligations. Both require continuous OT monitoring; a single OT visibility platform can satisfy both, reducing tooling complexity. Both also require MFA for remote access: TSA through the directives, NERC CIP through CIP-005 R2 for Interactive Remote Access. The differences are in scope (TSA applies to the operator's identified Critical Cyber Systems, CIP to BES Cyber Systems by impact rating) and in reporting destinations and deadlines, so map each asset to its regime before settling on the stricter control.
Distributed environment considerations
Pipeline SCADA environments span hundreds of miles with remote assets that cannot easily be reached for hardware deployment. Segmentation tools that enforce zone policies without physical network redesign at remote sites have operational advantages in this context.
Upcoming
TSA directives are updated periodically; the pipeline directives expire after one year and have been reissued with revisions each year since 2021. Check TSA's surface cybersecurity page for the current directive version before beginning a compliance-driven procurement process.
The vendor index includes compliance framework alignment for each platform. The vendor comparison tool lets you filter by compliance framework to surface platforms aligned with your specific obligations.