FORTISEU
Energy & Utilities · NIS2 · ISO 27001 · KRITIS (BSI)

Bridging OT and IT security to achieve NIS2 compliance for critical infrastructure

Our biggest challenge was not the regulation itself — it was the organisational divide between IT and OT security teams. FortisEU gave both teams a common language and a shared evidence base.

CISO, German Energy Provider

Industry: Energy & Utilities
Size: 1,200 employees
Headquarters: Germany
Frameworks: NIS2, ISO 27001, KRITIS (BSI)
The Challenge

As a designated critical infrastructure operator under Germany's BSI-Kritisverordnung (KRITIS), the energy provider was already subject to stringent cybersecurity requirements. When NIS2 came into force — implemented in Germany through the NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG) — the compliance landscape expanded significantly: new incident reporting timelines, supply chain security obligations, and management body accountability provisions that went beyond existing KRITIS requirements.

The provider's security programme was split across two organisational silos: an IT security team managing enterprise systems under ISO 27001, and an OT security team responsible for SCADA systems, grid control infrastructure, and industrial control systems under IEC 62443. Each team maintained separate risk registers, separate incident processes, and separate vendor assessments — creating blind spots at the OT/IT boundary where the most critical risks actually resided.

Germany's implementation of NIS2 introduced additional national requirements beyond the Directive's minimum floor, including specific obligations for KRITIS operators that built on the existing BSI framework. The compliance team needed to satisfy NIS2, KRITIS, and ISO 27001 simultaneously without tripling their evidence collection burden.

OT/IT security silos

Separate teams, separate risk registers, separate incident processes for IT and OT — with critical blind spots at the convergence boundary where grid control systems interface with enterprise networks.

Triple compliance burden

NIS2, KRITIS (BSI), and ISO 27001 all required cybersecurity measures with overlapping but non-identical control frameworks, creating significant evidence duplication.

24-hour reporting obligation

NIS2's 24-hour early warning obligation (Article 23: early warning within 24 hours of becoming aware of a significant incident, incident notification within 72 hours, final report within one month) was significantly more stringent than the existing KRITIS incident reporting timelines, requiring a complete overhaul of incident detection and escalation procedures.

Supply chain complexity

Over 150 critical vendors spanning SCADA system manufacturers, grid control software providers, and cloud-based analytics platforms — each requiring security assessment under NIS2 Article 21(2)(d).

The Solution

FortisEU was deployed as the unified compliance platform spanning both IT and OT security domains. The implementation team worked with both the IT security and OT security leads to create a single, integrated risk register that mapped OT-specific risks (IEC 62443 zones and conduits) alongside IT risks (ISO 27001 controls) into NIS2's Article 21 requirements.

The platform's cross-framework mapping engine automatically identified overlaps between NIS2, KRITIS, and ISO 27001 — eliminating duplicate evidence collection while ensuring each framework's unique requirements were explicitly addressed. For incident reporting, FortisEU's workflow engine implemented the NIS2 24-hour early warning cascade with automatic escalation from OT monitoring systems through the unified CSIRT notification process.

Unified OT/IT Risk Register

Single risk register mapping IEC 62443 OT zones alongside ISO 27001 IT controls into NIS2 Article 21 requirements, eliminating blind spots at the OT/IT convergence boundary.

Triple-Framework Mapping

Automated control mapping between NIS2 Article 21, KRITIS (BSI) requirements, and ISO 27001 Annex A — one evidence item satisfying up to three compliance obligations.

24h Incident Cascade

Automated 24-hour early warning workflow integrated with OT monitoring (SCADA alerts) and IT SIEM, with pre-drafted CSIRT notification templates and escalation chains.

Supply Chain Assessment

Structured NIS2 Article 21(2)(d) vendor security assessment programme covering 150+ critical vendors with automated questionnaire distribution and risk-tiered review cycles.

12 weeks from deployment to audit readiness
The Results
45% of evidence duplication eliminated: cross-framework mapping identified that 45% of evidence items satisfied requirements in more than one framework simultaneously.

12 weeks to audit readiness: from deployment to integrated NIS2 + KRITIS + ISO 27001 audit readiness.

150+ vendors assessed: complete NIS2 Article 21(2)(d) supply chain security assessment programme operational.

Under 4 hours incident escalation time: from OT/IT alert to CSIRT early warning notification, well inside NIS2's 24-hour window, which under Article 23(4)(a) runs from the moment the entity becomes aware of the significant incident.

The unified platform eliminated the OT/IT divide that had been the organisation's single biggest compliance blind spot. For the first time, the CISO had a complete view of cybersecurity risk across both domains — and the management body could fulfil its NIS2 Article 20 governance obligations with a single integrated dashboard rather than reconciling two separate reports.

The cross-framework mapping reduced evidence collection burden significantly: instead of preparing three separate evidence packages for NIS2, KRITIS, and ISO 27001 auditors, the team produced one integrated evidence base with framework-specific views generated automatically.

For the first time in my career, I can present one integrated security posture to the management board — not an IT view and a separate OT view. NIS2 forced us to break down the silos, and FortisEU gave us the platform to do it properly.
CISO, German Energy Provider
