29.04.2026

Factory devices, sensors and edge devices were long considered the domain of OT teams and of little relevance to CIOs. NIS2 changed that. Anyone who does not now settle who owns the governance walks into the next audit with an open flank.

6 Min. Read time

Key Takeaways

  • NIS2 makes OT a CIO topic. Essential and important entities in the regulated sectors must include edge devices and OT components in the scope of their ISMS.
  • Governance gap is real. CISOs know the security requirements, but not the OT assets. CIOs know the assets, but not the NIS2 scope. No one owns both.
  • Board liability is personal. Under NIS2, members of the management body can be held personally liable for compliance failures – not just the IT department.
  • Incident reporting obligation also applies to OT incidents. 24‑hour early warning, 72‑hour notification – even if the affected sensor is on‑site at the plant.
  • Asset inventory is the starting point. If you don’t know which edge devices are on the network, you can’t protect or report them.

What is Industrial IoT in the NIS2 context? Industrial IoT refers to connected devices in manufacturing, energy and infrastructure environments: sensors, control systems (PLCs, DCS), edge gateways and condition‑monitoring systems. As soon as these devices are linked via an edge layer to the corporate network, they fall within the ISMS scope of NIS2‑affected companies. The difference from classic IT security: OT devices often cannot be patched at all, use proprietary protocols and have lifespans of 10‑20 years.

The mechanism that changed the situation is simple: NIS2 expands the scope considerably compared with the original NIS directive. It now also covers medium‑sized companies with at least 50 employees or more than €10 million in annual turnover or balance sheet total in certain sectors – energy, transport, water, health, digital infrastructure and the manufacturing of critical products.

The result: many companies that were previously outside the regulatory sphere now have to demonstrate a full ISMS – including all connected devices. In manufacturing firms this typically covers several hundred to several thousand OT components.

  • 35,000+ companies in Germany affected as critical infrastructure (source: BSI estimate of the NIS2 scope, 2024)
  • 24 h: early‑warning deadline for a significant incident (Art. 23 NIS2 Directive)
  • €10 million: maximum fine for essential entities, or 2 % of worldwide annual turnover, whichever is higher

Who owns the governance: CIO or CISO?

The honest answer is: it remains an open question in most DACH companies. The typical situation looks like this: The CISO knows the NIS2 requirements and the IT security architecture, but lacks visibility into OT assets and has no direct access to plant systems. The CIO has the network view and carries responsibility for the IT infrastructure, but OT has traditionally been the domain of the production or plant team.

Aspect | CIO | CISO
NIS2 obligations | Owns the compliance framework | Owns the technical security measures
OT asset inventory | Has the network view | Often no direct access
Incident reporting | Not always responsible | Formally often the primary responsible party
Board reporting | Regular board liaison | Often present only during incidents

The structural answer that NIS2 forces: one of the two roles must take ownership of the entire asset scope – and the board must decide this actively. Not as a delegation, but as a formal assignment documented in the ISMS.

What board reporting on OT security must now include

NIS2 explicitly requires that management be regularly informed about cyber‑security risks and undergo training. This means OT security risks must be extracted from the technical reporting and formatted in a way that informs board decisions.

Three elements that are missing from most board reports on OT security:

First: the number and criticality of unmanaged OT assets. A missing inventory is a risk that can be quantified. If, out of 800 OT devices, 300 are not recorded in the ISMS, that is a board‑level statement.

Second: patch status and known‑vulnerability exposure. OT devices that have not received updates for years and are affected by published CVEs can be checked by an auditor and must appear in the report.

Third: segment‑isolation status. How many OT devices have uncontrolled access to the corporate network? That is the first question an auditor asks.

Frequently Asked Questions

Does NIS2 also apply to medium-sized industrial companies that are not explicitly KRITIS?

Yes, if they fall within one of the regulated sectors and exceed the size thresholds. NIS2 distinguishes between “essential entities” (larger companies in critical sectors) and “important entities” (mid‑sized companies). “Important entities” are also subject to the security obligations and to supervision – with lower maximum penalties (€7 million or 1.4 % of worldwide annual turnover, compared with €10 million or 2 % for essential entities) and reactive rather than proactive supervision. Manufacturing of critical products (medical devices, chemicals, automotive) is explicitly within the scope.

How does NIS2 compliance differ from ISO 27001 for OT environments?

ISO 27001 is a voluntary standard with a scope the company chooses itself. NIS2 is a legal requirement with a scope defined by law. In practice, companies that hold ISO 27001 certification have a solid starting point, but the OT scope often needs to be explicitly expanded. NIS2 additionally demands concrete technical measures (supply‑chain security, encryption, MFA) and reporting obligations that go beyond an ISO 27001 certificate.

What are the first three steps for a CIO who has to take over OT governance?

First: create a complete OT asset inventory (tools such as Claroty, Dragos or Nozomi help with passive network detection without disrupting production). Second: review and document network segmentation between OT and IT, indicating where the boundaries actually lie. Third: formally clarify with the CISO who is responsible for which parts of the NIS2 requirements and embed this in the ISMS documentation.
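The inventory reconciliation and segmentation review from the first two steps, together with the three board figures from the section on board reporting above, as an added worked example (not a tool from this article or from any of the vendors named): a Python script that compares passively discovered devices against the ISMS register, checks firmware versions against a list of advisories, and flags OT devices with observed traffic straight into corporate IT or into the industrial DMZ past the allow‑listed brokers. All device records, subnets, vendor and product names and advisories are constructed placeholders, not real products or CVEs; a real run would take the asset export of a passive monitoring tool as input.

```python
"""Reconcile passively discovered OT assets against the ISMS register and
produce the three board-report figures: unmanaged assets, known-vulnerability
exposure and segmentation breaches.

Added illustration for this article, not a tool from the page. All input data
below is constructed; the advisory entries are placeholders, not real CVEs.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass, field

# Assumed zone model (constructed): two OT cell networks, one industrial DMZ,
# and the corporate IT range.
OT_SUBNETS = [ipaddress.ip_network("192.168.10.0/24"),
              ipaddress.ip_network("192.168.20.0/24")]
IDMZ_SUBNET = ipaddress.ip_network("192.168.100.0/24")
IT_SUBNET = ipaddress.ip_network("10.0.0.0/8")
# The only IDMZ hosts an OT device may legitimately talk to (e.g. historian
# relay and patch mirror). Hypothetical addresses.
ALLOWED_BROKERS = {ipaddress.ip_address("192.168.100.5"),
                   ipaddress.ip_address("192.168.100.6")}


@dataclass
class Asset:
    ip: str
    vendor: str
    product: str
    firmware: str
    criticality: str                                 # set by plant engineering
    peers: list[str] = field(default_factory=list)   # peers seen by passive monitoring


@dataclass
class Advisory:
    vendor: str
    product: str
    fixed_in: str    # first firmware version that is no longer affected
    severity: str


def parse_version(v: str) -> tuple[int, ...]:
    """'4.2.1' -> (4, 2, 1), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def unmanaged_assets(discovered: list[Asset], isms_register: set[str]) -> list[Asset]:
    """Devices seen on the wire that the ISMS register does not know about."""
    return [a for a in discovered if a.ip not in isms_register]


def vulnerable_assets(discovered: list[Asset], advisories: list[Advisory]) -> list[tuple[Asset, Advisory]]:
    """(asset, advisory) pairs where the firmware is below the fixed version."""
    return [(a, adv) for a in discovered for adv in advisories
            if (adv.vendor, adv.product) == (a.vendor, a.product)
            and parse_version(a.firmware) < parse_version(adv.fixed_in)]


def segmentation_breaches(discovered: list[Asset]) -> list[tuple[Asset, list[str]]]:
    """OT devices with observed traffic into corporate IT, or into the IDMZ
    to anything other than the allow-listed brokers."""
    breaches = []
    for a in discovered:
        src = ipaddress.ip_address(a.ip)
        if not any(src in net for net in OT_SUBNETS):
            continue  # not an OT device; IT-side hosts are out of scope here
        bad = [p for p in a.peers
               if ipaddress.ip_address(p) in IT_SUBNET
               or (ipaddress.ip_address(p) in IDMZ_SUBNET
                   and ipaddress.ip_address(p) not in ALLOWED_BROKERS)]
        if bad:
            breaches.append((a, bad))
    return breaches


def board_summary(discovered: list[Asset], isms_register: set[str], advisories: list[Advisory]) -> dict:
    """The three figures a board report needs, as counts and shares."""
    unmanaged = unmanaged_assets(discovered, isms_register)
    vuln = vulnerable_assets(discovered, advisories)
    breaches = segmentation_breaches(discovered)
    total = len(discovered)
    return {
        "discovered": total,
        "unmanaged": len(unmanaged),
        "unmanaged_pct": round(100 * len(unmanaged) / total, 1) if total else 0.0,
        "unmanaged_by_criticality": dict(Counter(a.criticality for a in unmanaged)),
        "vulnerable": len({a.ip for a, _ in vuln}),
        "vulnerable_by_severity": dict(Counter(adv.severity for _, adv in vuln)),
        "segmentation_breaches": len(breaches),
    }


# Constructed sample: what a passive sensor export and the ISMS register might look like.
DISCOVERED = [
    Asset("192.168.10.11", "AcmePLC", "CPU-300", "4.2.1", "high", ["192.168.100.5"]),
    Asset("192.168.10.12", "AcmePLC", "CPU-300", "3.9.0", "high", ["192.168.100.5", "10.20.1.15"]),
    Asset("192.168.10.40", "SensorCo", "Vibe-1", "1.0.4", "medium", ["192.168.100.9"]),
    Asset("192.168.20.7", "GateWorks", "EdgeGW", "2.5.0", "high", ["192.168.100.6", "10.1.1.1"]),
    Asset("192.168.20.8", "SensorCo", "Vibe-1", "1.2.0", "low", []),
]
ISMS_REGISTER = {"192.168.10.11", "192.168.10.12", "192.168.20.8"}
ADVISORIES = [Advisory("AcmePLC", "CPU-300", "4.0.0", "critical"),
              Advisory("SensorCo", "Vibe-1", "1.1.0", "high")]

if __name__ == "__main__":
    for key, value in board_summary(DISCOVERED, ISMS_REGISTER, ADVISORIES).items():
        print(f"{key}: {value}")
```

On the sample data the script reports two of five devices absent from the ISMS (one of them an edge gateway rated high), two devices on firmware below the fixed version, and three devices talking past the segment boundary. The reconciliation is deliberately keyed on the discovered side: anything the sensor sees but the register lacks is the board figure, and a register entry that never appears on the wire is a separate cleanup item, not a risk.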

How does the 24‑hour reporting obligation work for an OT incident in practice?

For a significant incident (severe operational disruption or financial loss, or considerable damage to other entities or persons), an early warning must be sent to the competent authority (in Germany the BSI) within 24 hours. A more detailed incident notification follows within 72 hours, and a final report after one month. This requires clear internal escalation paths and predefined reporting templates – which are missing in most OT environments.

Which technologies help with OT security governance without production interruption?

Passive network detection (no active scans that could disturb control systems), OT‑specific SIEM integration (Splunk OT Security, Microsoft Sentinel with OT connectors) and asset‑management platforms that combine IT and OT in a single view. Important: OT devices react differently to scans than IT devices – aggressive scanning methods from IT can cause outages in OT environments.

Source cover image: Pexels

A magazine by Evernine Media GmbH