Bottom line: Outdated OT systems significantly complicate NIS2 implementation in industry, as rapid replacement is often technically and economically unfeasible.
Industrial companies are encountering substantial obstacles in implementing the NIS2 Directive due to legacy Operational Technology systems that cannot be easily reconciled with modern security requirements.
Legacy OT systems in industry have often grown over decades and were not designed for NIS2 Directive requirements. These older control and automation systems frequently cannot be easily upgraded or replaced with modern alternatives without disrupting production processes.
The NIS2 Directive obliges critical infrastructure companies to implement comprehensive cyber protection measures, incident response processes, and regular security testing. For industrial enterprises, this means their OT systems must also meet corresponding security standards – a requirement that becomes technically complex and economically costly with older systems.
CISOs therefore face a conflict between compliance requirements and operational reality: a forced replacement of critical systems is often not practical, yet workarounds or segmentation measures likewise require substantial investments in network infrastructure and monitoring capabilities.
Many organizations prefer a hybrid approach combining network isolation, advanced monitoring solutions, and targeted upgrades for the most security-critical components. At the same time, a multi-year modernization program becomes necessary to achieve full compliance in the long term.
Source: news.google.com · Published 8 July 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.3.