The conversation around NIS2 and the Cyber Resilience Act (CRA) is dominated by what vendors and product manufacturers must do. The obligations on the supply side are real and significant, including security by design, SBOMs, and vulnerability disclosure timelines.
But during the roundtable I hosted at ManuSec Europe (“Developing Strategies to Best Adapt to NIS2 & the Cyber Resilience Act” with Danielle Kinsella from Gigamon), the room kept returning to a different tension. NIS2 and CRA create substantial obligations for asset owners too. Operators of cyber-physical systems (CPS), operational technology (OT), and internet of medical things (IoMT) environments are not passive recipients of someone else’s compliance problem. They are squarely in scope.
Here is what both regulations demand from the industrial operator’s chair.
NIS2: Governing CPS, OT, IoMT Risk Is Now a Board-Level Obligation
The NIS2 Directive expands mandatory cybersecurity requirements to manufacturing as an “important” sector. Mid-to-large manufacturers operating in the EU must now treat CPS security as a governance and risk management discipline, not an IT afterthought.
In practice, this means four things for asset owners:
- Board accountability. Cyber risk in production environments lands on the board’s desk. NIS2 requires management bodies to approve and oversee the cybersecurity risk management measures and holds them accountable for infringements. Administrative fines for important entities, which is where manufacturing sits, can reach €7 million or 1.4% of global annual turnover, whichever is higher; for essential entities the ceiling is €10 million or 2%.
- Structured risk management. NIS2 does not name a framework, but it expects measures to be built on recognized standards, and in practice IEC 62443 for industrial control systems and ISO 27001 for information security governance are becoming the default benchmarks across CPS, OT, and IoMT environments.
- Asset visibility. A complete, continuously updated inventory of every connected device is now a compliance requirement, not a best practice. You cannot manage risk across systems you cannot see. Every connected device includes CPS, OT, building systems, medical devices, et al.
- Architecture controls. Network segmentation, Zero Trust access, and secure remote vendor access are baseline expectations. Flat networks with unchecked VPN access are incompatible with NIS2 compliance, regardless of the device type.
NIS2 also sets a three-stage reporting clock for significant incidents: an early warning within 24 hours of becoming aware of the incident, an incident notification with an initial assessment within 72 hours, and a final report within one month. Translation: continuous monitoring across CPS, OT, and IoMT is not optional. You cannot report what you have not detected.
The Cyber Resilience Act: Asset Owners Carry More Responsibility Than They Realize
The CRA is widely discussed as a vendor regulation. And it is. Product manufacturers must deliver security by design, maintain SBOMs, and provide security updates for a support period of at least five years (or the product’s expected lifetime, where that is shorter). But for CPS asset owners, the CRA creates a cascade of obligations that flow directly from vendor compliance to operator responsibility.
- Patch management. When a vendor releases a security update, which the CRA obliges it to do throughout the support period, applying it within a defined window is no longer a discretionary operational decision. An asset owner that sits in NIS2 scope and leaves disclosed, fixable vulnerabilities unpatched carries both the operational exposure and the regulatory exposure of a documented, unaddressed risk.
- SBOM management. The CRA requires manufacturers to draw up a machine-readable SBOM covering at least the top-level dependencies of each product. It must be available to market surveillance authorities on request, but the Act does not itself oblige the manufacturer to hand it to customers. Operators across CPS, OT and IoMT environments therefore need to make SBOM delivery a procurement term, and decide how they will consume, track, and act on the data, now rather than when the main obligations apply in December 2027.
- Accelerated vulnerability exposure. From 11 September 2026 the CRA’s reporting obligations require manufacturers to notify actively exploited vulnerabilities and severe incidents within 24 hours of becoming aware of them; the full set of obligations, including a coordinated vulnerability disclosure policy, applies from 11 December 2027. Vulnerabilities in industrial and connected devices will reach advisories sooner and on a schedule the operator does not control, and the gap between disclosure and exploitation will narrow. Detection and response capabilities must match that pace.
- End-of-life risk. The CRA sets a minimum support period for products with digital elements. Equipment outside that window carries explicit, documented risk that regulators and auditors will scrutinize, and unsupported equipment is already common in CPS, OT, and IoMT environments.
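The four obligations above meet in one operator workflow: take the SBOM the vendor delivered, match its components against advisories, and decide what to do given whether the device is still inside its support window. The following is an added example of that triage, not code from the original post or from any Forescout product. The CycloneDX SBOM, the advisory feed, the `ADV-` identifiers, the version bounds and the support dates are all constructed placeholders; a real program would pull advisories from the vendor’s CSAF or VEX feed and version comparison would need to handle vendor-specific version strings.

```python
"""Triage a CycloneDX SBOM against an advisory feed and the asset's support window.

Added example, not Forescout code. Every input below is constructed for illustration.
"""
import json
from datetime import date

# Constructed CycloneDX-style SBOM for a hypothetical HMI firmware (not a real product).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"name": "hmi-firmware", "version": "4.2.0"}},
  "components": [
    {"type": "library", "name": "libcurl",  "version": "7.68.0", "purl": "pkg:generic/libcurl@7.68.0"},
    {"type": "library", "name": "zlib",     "version": "1.2.13", "purl": "pkg:generic/zlib@1.2.13"},
    {"type": "library", "name": "busybox",  "version": "1.30.1", "purl": "pkg:generic/busybox@1.30.1"}
  ]
}
"""

# Constructed advisory feed. The ADV- ids and fixed versions are placeholders, not real advisories.
ADVISORIES = [
    {"id": "ADV-0001", "component": "libcurl", "fixed_in": "7.88.0", "actively_exploited": True},
    {"id": "ADV-0002", "component": "zlib",    "fixed_in": "1.2.12", "actively_exploited": False},
    {"id": "ADV-0003", "component": "busybox", "fixed_in": "1.35.0", "actively_exploited": False},
]


def parse_version(version: str) -> tuple:
    """Dotted numeric versions only; vendor strings like '1.1.1w' need a richer parser."""
    return tuple(int(part) for part in version.split("."))


def load_components(sbom_json: str) -> list:
    """Return (name, version) pairs from a CycloneDX JSON document; reject other formats."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM, got %r" % doc.get("bomFormat"))
    return [(c["name"], c["version"]) for c in doc.get("components", []) if "version" in c]


def match_advisories(components: list, advisories: list) -> list:
    """A component is affected when its version is below the advisory's fixed version."""
    findings = []
    for name, version in components:
        for adv in advisories:
            if adv["component"] == name and parse_version(version) < parse_version(adv["fixed_in"]):
                findings.append({
                    "component": name, "installed": version, "fixed_in": adv["fixed_in"],
                    "advisory": adv["id"], "actively_exploited": adv["actively_exploited"],
                })
    return findings


def support_status(support_end: str, today: date) -> str:
    """'unsupported' once the vendor's declared support period (ISO date) has passed."""
    return "unsupported" if today > date.fromisoformat(support_end) else "supported"


def triage(sbom_json: str, advisories: list, support_end: str, today: date) -> dict:
    """Attach a recommended action to each finding; exploited issues sort first."""
    status = support_status(support_end, today)
    findings = match_advisories(load_components(sbom_json), advisories)
    for f in findings:
        if status == "unsupported":
            # No vendor fix will ever arrive: only compensating controls or replacement remain.
            f["action"] = "compensating control or replacement (no vendor fix expected)"
        elif f["actively_exploited"]:
            f["action"] = "schedule patch in next maintenance window"
        else:
            f["action"] = "track for next planned update"
    findings.sort(key=lambda f: (not f["actively_exploited"], f["component"]))
    return {"support_status": status, "findings": findings}


if __name__ == "__main__":
    result = triage(SBOM_JSON, ADVISORIES, "2027-12-31", date.today())
    print("support:", result["support_status"])
    for f in result["findings"]:
        print(f["advisory"], f["component"], f["installed"], "->", f["fixed_in"], "|", f["action"])
```

On the constructed inputs the zlib entry is not flagged because the installed 1.2.13 is already past the fixed version, libcurl is listed first because its advisory is marked actively exploited, and moving the support date into the past changes every action to a compensating control, which is the documented end-of-life risk the auditors will ask about.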
The Hardest Part: Regulatory Complexity Across Borders
NIS2 implementation is not uniform across the EU. Each member state transposes the directive into national law with its own interpretation, supervisory authority, and enforcement timeline. A manufacturer with operating facilities in Germany, France, Italy, and Poland faces four different regulatory environments under the same directive headline — different definitions of “significant incident,” different reporting channels, and different audit expectations.
The CRA adds a further layer of complexity for multi-country operators. While the CRA is a directly applicable EU Regulation, avoiding the transposition variability of NIS2, its interaction with sector-specific frameworks creates friction in practice. Medical devices covered by the MDR and IVDR are excluded from the CRA and carry their cybersecurity requirements under those regulations instead, so an operator whose IoMT estate sits beside general-purpose connected equipment tracks two different regimes. Industrial automation vendors and their customers must align CRA conformity assessments with existing IEC 62443 certification processes. Organizations that operate across manufacturing, healthcare, and building infrastructure sectors simultaneously face overlapping but non-identical compliance obligations.
The practical consequence: a CPS/OT/IoMT asset owner running plants across multiple EU countries cannot build one compliance program and replicate it. They must maintain a unified security architecture that generates jurisdiction-specific evidence, maps to multiple supervisory authorities, and adapts to enforcement interpretations that are still evolving in several member states.
The companies that will navigate this best are not those that deploy the most tools. They are those that build a compliance architecture designed for multi-jurisdictional complexity from the start — with documented controls, continuous monitoring, and evidence trails that satisfy multiple regulatory frameworks simultaneously.
How the Forescout Platform Addresses the CPS/OT/IoMT Compliance Challenge
The Forescout 4D Platform™ is designed for the specific compliance and security challenges that NIS2 and the CRA create for CPS/OT/IoMT asset owners.
Cloud-native visibility with eyeSentry
For organizations managing CPS/OT/IoMT assets across distributed and multi-country environments, eyeSentry delivers cloud-native asset discovery, classification, and continuous monitoring. It provides a unified view of every connected device — OT, IoMT, building systems, industrial IoT — across all sites, with centralized dashboards that support multi-jurisdictional compliance reporting. For operators navigating NIS2’s different national implementations, eyeSentry provides the enterprise-wide visibility layer needed to generate audit-ready evidence across multiple regulatory regimes from a single platform.
OT-specific depth with eyeInspect
For air-gapped or highly sensitive CPS/OT environments where cloud connectivity is restricted or prohibited, eyeInspect delivers passive, agentless discovery using deep packet inspection across 300+ industrial protocols. It identifies every device, firmware version, and communication pattern without touching the control network — providing the asset inventory depth that NIS2’s risk management requirements and the CRA’s SBOM consumption obligations demand in isolated industrial environments.
AI-supported risk prioritization with Forescout VistaroAI™
Not every vulnerability can be patched immediately in a live CPS/OT/IoMT environment. Patching a PLC or a connected medical device carries operational and safety risk that patching a laptop does not. VistaroAI provides AI-driven risk scoring and prioritization across the full asset inventory — helping operators focus remediation effort where exposure is highest and operational risk is greatest. This is what makes NIS2’s risk-based approach operationally viable in environments where “apply patches timely” collides with production continuity.
Dynamic segmentation with eyeSegment
eyeSegment enforces granular network access policies across CPS/OT/IoMT environments — ensuring that only authorized systems and users can communicate with critical assets, and that a compromise in one zone cannot propagate laterally. This directly satisfies NIS2’s access control and incident containment requirements, and provides auditors across multiple jurisdictions with consistent, documented evidence of appropriate technical measures.
Compliance monitoring across frameworks
The Forescout 4D Platform™ provides continuous compliance posture monitoring mapped to NIS2, IEC 62443, CIS Controls, and NERC CIP. Rather than point-in-time snapshots, operators get a live view of their control status — with the documentation, evidence trails, and reporting templates that multi-country regulatory environments demand. For organizations managing different supervisory authorities across EU member states, this is the difference between a compliance program that scales and one that breaks under audit pressure.
NIS2 and the CRA are not a 2027 problem. The asset inventory gaps, the unpatched legacy devices, the flat networks, the unsupported equipment across CPS, OT, and IoMT environments — regulators are not creating these risks. They are making them visible, actionable, and increasingly difficult to defer.
The organizations that treat compliance as the outcome of a well-governed security program rather than a deadline to hit will be better protected, more resilient across jurisdictions, and better positioned when the auditors arrive.
The work starts with knowing what you have. Everything else follows from there.