NIS2 Compliance for Industrial OT. On-Premise. No Agents. No Cloud.
Your PLCs, HMIs, and CNCs cannot run agents. They cannot move to the cloud. Article 21 still applies. Access Gate enforces NIS2 at the network boundary, with segmentation, MFA, access control, and tamper-evident audit, without touching a single production device.
What NIS2 Requires.
A 60-second summary of who must comply, what the directive obligates, when sanctions apply, and what is at stake.
Who Must Comply
Essential and important entities across 18 sectors — energy, transport, water, healthcare, banking, digital infrastructure, manufacturing of critical products, and more. Generally any organization with 50+ employees or €10M+ annual turnover operating in scope.
What You Must Do
Article 21(2) mandates 10 cybersecurity risk-management measures: risk analysis and security policies, incident handling, business continuity, supply chain security, network and information system security, effectiveness assessment, cyber hygiene and training, cryptography, access control and asset management, and MFA with secured communications. Article 23 requires an early warning within 24 hours of becoming aware of a significant incident, followed by an incident notification within 72 hours.
When It Applies
EU Member States were required to transpose NIS2 into national law by 17 October 2024. Where transposition is complete, sanctions are live today, and audits and enforcement actions are already under way, notably in Germany, France, Belgium, and the Netherlands. The exact obligations and effective dates are set by each Member State's transposing law.
Penalties at Stake
Up to €10M or 2% of global annual turnover for essential entities, whichever is higher. Up to €7M or 1.4% for important entities, whichever is higher. Management bodies can be held personally liable (Article 20): board-level accountability is built into the directive.
What Article 21 Requires on the Production Floor
Article 21 mandates risk management measures that apply to every asset in scope — including PLCs, HMIs, CNCs, SCADA servers, and IoT sensors on the production floor. These assets cannot run endpoint agents. Many run proprietary firmware or end-of-life operating systems. NIS2 does not exempt them.
Access Gate enforces Article 21 at the network layer. No agent installation. No firmware modification. No production downtime.
Network segmentation without rewiring
Overlay segmentation isolates OT zones from IT and from each other. No VLAN reconfiguration. No switch changes.
MFA at the boundary, not on the device
MFA is enforced at the Access Gate proxy before a session is forwarded, so the PLC never needs to support it. The Article 21(2)(j) MFA requirement is met on that access path.
Tamper-evident audit for every OT session
Every connection to every OT asset is logged with user, timestamp, protocol, and session replay. Entries are hash-chained, so alteration or deletion of a past record is detectable. Ready for NIS2 audit.
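What "hash-chained" buys you is that each record commits to the one before it, so editing or removing an entry breaks every later link. The following is an added illustration of that property, not Access Gate code: a keyed (HMAC-SHA256) chain over constructed OT session records, plus a verifier that reports the first entry at which the chain no longer holds. The key, field names, and log lines are assumptions made for the example.

```python
import hashlib
import hmac
import json
from typing import List, Optional

GENESIS = "0" * 64  # prev_hash of the first entry


def _canonical(record: dict) -> bytes:
    # Canonical JSON so the same record always produces the same bytes to MAC.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class HashChainedLog:
    """Append-only log: entry N's MAC covers entry N-1's MAC (prev_hash)."""

    def __init__(self, key: bytes):
        self._key = key          # assumption: a secret held only by the log writer
        self.entries: List[dict] = []

    def append(self, **fields) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "prev_hash": prev, **fields}
        body["entry_hash"] = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        self.entries.append(body)
        return body

    def head(self) -> str:
        """Current chain head; export this out-of-band so truncation is detectable."""
        return self.entries[-1]["entry_hash"] if self.entries else GENESIS


def verify_chain(entries: List[dict], key: bytes, expected_head: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad entry.
    Passing expected_head also catches silent removal of the newest entries."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if body.get("seq") != i or body.get("prev_hash") != prev:
            return i  # gap, reorder or deletion
        recomputed = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(recomputed, e.get("entry_hash", "")):
            return i  # field edited after the fact
        prev = e["entry_hash"]
    if expected_head is not None and prev != expected_head:
        return len(entries)  # tail truncated
    return None


def demo():
    key = b"example-audit-key"  # constructed for the example
    log = HashChainedLog(key)
    # Constructed sample session records (not real appliance output).
    log.append(user="vendor.jdoe", asset="plc-line-3", protocol="modbus/tcp",
               ts="2025-03-04T08:12:00Z", action="session_start")
    log.append(user="vendor.jdoe", asset="plc-line-3", protocol="modbus/tcp",
               ts="2025-03-04T08:41:17Z", action="session_end")
    log.append(user="ops.admin", asset="hmi-packaging", protocol="vnc",
               ts="2025-03-04T09:02:45Z", action="session_start")
    head = log.head()

    intact = verify_chain(log.entries, key, head)            # None
    edited = [dict(e) for e in log.entries]
    edited[1]["user"] = "ops.admin"                          # rewrite who ran the session
    first_bad_edit = verify_chain(edited, key, head)         # 1
    deleted = log.entries[:1] + log.entries[2:]              # drop the middle record
    first_bad_delete = verify_chain(deleted, key, head)      # 1
    truncated = log.entries[:2]                              # drop the newest record
    first_bad_trunc = verify_chain(truncated, key, head)     # 2
    return intact, first_bad_edit, first_bad_delete, first_bad_trunc


if __name__ == "__main__":
    print(demo())
```

Two practical points the code makes explicit: an unkeyed hash chain can be recomputed end to end by whoever can rewrite the file, so the chain should be keyed or its head hash regularly exported (to a SIEM, a WORM store, or a signed report); and a chain alone cannot see that its newest entries were removed, which is why the verifier optionally checks the last known head.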

On-premise Appliance
Connect Access Gate to your existing network. No re-cabling.
Secure IT & OT On-Premise
Control how your systems, from servers to PLCs and HMIs, connect to corporate systems. Network-level policies. No agents to install.
Article 21 Measures Mapped
Continuous enforcement. Audit-ready evidence for every NIS2 requirement on demand.
Measure by Measure.
NIS2 Article 21(2) defines 10 security measures. Here is how each applies to on-premise IT and OT environments and what Access Gate covers.
Establish and maintain risk management policies for all information systems.
Access Gate provides continuous asset discovery, network mapping, and policy enforcement. Risk is managed through microsegmentation and deny-by-default rules. Policy changes are version-controlled.
Incident handling (Article 21(2)(b)): detect, respond to, and report security incidents. Article 23 sets the clock: an early warning within 24 hours of becoming aware of a significant incident, and an incident notification within 72 hours.
Session anomaly detection, automated alerting, and forensic session replay. Every connection is logged with user identity, timestamp, and payload. Incident evidence is generated continuously and exportable on demand.
Maintain operations during and after security incidents. Backup management and disaster recovery.
Access Gate deploys adjacent to the network as an overlay, not as a physically inline chokepoint. If the appliance is unavailable, existing production traffic between OT devices continues; sessions that are brokered through the proxy, such as MFA-gated vendor access, wait until it is restored. Policy configurations are exportable for backup. Disaster recovery plans remain a customer responsibility.
Manage cybersecurity risks in supplier and service provider relationships.
Vendor access is scoped per session: specific assets, specific protocols, specific time windows. MFA enforced. Every vendor session is recorded with full audit trail. No persistent VPN tunnels. Access revoked automatically when the session ends.
Secure the acquisition, development, and maintenance of network and information systems. Vulnerability handling and disclosure.
Overlay microsegmentation isolates assets without network redesign. Deny-by-default blocks unauthorized connections. Passive asset discovery identifies unmanaged devices. No active scanning that could disrupt OT operations.
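The vendor-access and segmentation measures above come down to one decision function: a connection is allowed only if an explicit conduit between the source and destination zones permits the protocol, or an MFA-backed, time-boxed grant covers exactly that user, asset and protocol; everything else is denied. The block below is an added example of that evaluator, written for this page and not taken from Access Gate. Zone names, address ranges, protocol labels and the grant window are assumptions; the IEC 62443 zone-and-conduit terminology is the same one the page uses later.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Zone:
    name: str
    cidr: str


@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    protocols: FrozenSet[str]   # directional: applies to src -> dst only


@dataclass(frozen=True)
class SessionGrant:
    """A scoped vendor session: who, which asset, which protocol, when."""
    user: str
    asset: str                  # destination IP the vendor may reach
    protocol: str
    not_before: datetime
    not_after: datetime
    mfa_verified: bool


class ZonePolicy:
    def __init__(self, zones: List[Zone], conduits: List[Conduit], grants: List[SessionGrant]):
        self._zones = {z.name: ip_network(z.cidr) for z in zones}
        self._conduits: Dict[Tuple[str, str], FrozenSet[str]] = {
            (c.src_zone, c.dst_zone): c.protocols for c in conduits}
        self._grants = list(grants)

    def zone_of(self, ip: str) -> Optional[str]:
        addr = ip_address(ip)
        for name, net in self._zones.items():
            if addr in net:
                return name
        return None  # unmanaged address: belongs to no zone

    def decide(self, src_ip: str, dst_ip: str, protocol: str,
               user: Optional[str] = None, now: Optional[datetime] = None) -> Tuple[bool, str]:
        src, dst = self.zone_of(src_ip), self.zone_of(dst_ip)
        if src is None or dst is None:
            return False, "deny: endpoint outside every defined zone"
        if src == dst:
            return True, f"allow: intra-zone traffic within {src}"
        if protocol in self._conduits.get((src, dst), frozenset()):
            return True, f"allow: conduit {src}->{dst} permits {protocol}"
        if user is not None:
            now = now or datetime.now(timezone.utc)
            for g in self._grants:
                if (g.user == user and g.asset == dst_ip and g.protocol == protocol
                        and g.mfa_verified and g.not_before <= now <= g.not_after):
                    return True, f"allow: session grant for {user} to {dst_ip} ({protocol})"
        return False, f"deny: no conduit or active grant for {src}->{dst} {protocol}"


def at_utc(hour: int, minute: int) -> datetime:
    """Fixed test clock (constructed) so the window checks are deterministic."""
    return datetime(2025, 3, 4, hour, minute, tzinfo=timezone.utc)


def build_demo_policy() -> ZonePolicy:
    # Constructed topology: an IT zone, one OT production line, a vendor jump zone.
    return ZonePolicy(
        zones=[Zone("IT", "10.10.0.0/16"), Zone("OT-line3", "10.20.3.0/24"),
               Zone("VENDOR-JUMP", "10.30.0.0/24")],
        conduits=[Conduit("IT", "OT-line3", frozenset({"opcua"}))],  # historian read path only
        grants=[SessionGrant("vendor.jdoe", "10.20.3.15", "modbus/tcp",
                             at_utc(8, 0), at_utc(10, 0), mfa_verified=True)],
    )


if __name__ == "__main__":
    p = build_demo_policy()
    print(p.decide("10.10.5.5", "10.20.3.15", "opcua"))
    print(p.decide("10.10.5.5", "10.20.3.15", "modbus/tcp"))
    print(p.decide("10.30.0.7", "10.20.3.15", "modbus/tcp", user="vendor.jdoe", now=at_utc(8, 30)))
    print(p.decide("10.30.0.7", "10.20.3.15", "modbus/tcp", user="vendor.jdoe", now=at_utc(11, 0)))
```

Note what the evaluator does not do: a conduit is one-way, so the OT line cannot initiate toward IT just because IT may read from it; a grant expires on its own without anyone revoking it; and an address that belongs to no zone is denied rather than treated as "internal", which is where passively discovered, unmanaged devices end up until someone assigns them a zone.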
Assess the effectiveness of cybersecurity risk management measures.
Segmentation baselines, access policy audits, and session log analysis provide continuous assessment data. Evidence packages generated on demand for auditors and regulators.
Basic cyber hygiene practices and cybersecurity training for staff.
Access Gate enforces hygiene through policy: MFA required, least-privilege access, session timeouts. Training content and delivery remain a customer responsibility.
Policies and procedures on the use of cryptography and encryption.
TLS on all access paths is provided by a FIPS 140-validated cryptographic module, restricted to AES-128/256-GCM cipher suites with ECDHE key exchange. Encryption is enforced at the proxy layer without modifying production equipment.
Human resources security, access control policies, and asset management.
Identity-based access control with MFA, RBAC per user, per asset, per protocol. Automatic asset inventory through passive network discovery. Access policies enforced at the network layer.
Use of MFA, continuous authentication, and secured communications.
MFA enforced at the proxy boundary before any session reaches the asset. TOTP needs only the enrolled shared secret and a reasonably accurate clock on the appliance, so it works offline in air-gapped environments. Secured communications via TLS from the FIPS 140-validated module.
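The reason TOTP works with no path to an identity provider is visible in the algorithm: the code is an HMAC over the current 30-second counter, so the verifier needs only the shared secret and its own clock. The block below is an added example for this page, not Access Gate's implementation: RFC 4226 HOTP and RFC 6238 TOTP with a small skew window (which is what absorbs clock drift on an isolated appliance) and replay rejection so a code that was already accepted cannot be reused within the window. The secret is the RFC 6238 test vector; everything else is assumed for the example.

```python
import hashlib
import hmac
import struct
from typing import Callable


def hotp(secret: bytes, counter: int, digits: int = 6,
         digestmod: Callable = hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


class OfflineTotpVerifier:
    """Verifies codes using only the secret and the local clock.
    Accepts +/- skew_steps of drift and never accepts a counter at or below
    the last accepted one, which rejects replay of a code already used."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew_steps: int = 1):
        self._secret = secret
        self._step = step
        self._digits = digits
        self._skew = skew_steps
        self._last_counter = -1  # assumption: persisted per user on a real appliance

    def verify(self, code: str, unix_time: int) -> bool:
        base = unix_time // self._step
        for k in range(-self._skew, self._skew + 1):
            counter = base + k
            if counter <= self._last_counter:
                continue  # already used, or older than something already accepted
            if hmac.compare_digest(hotp(self._secret, counter, self._digits), code):
                self._last_counter = counter
                return True
        return False


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), SHA-1 variant.
RFC6238_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC6238_SECRET, 59))          # RFC vector: 94287082 -> last 6 digits
    v = OfflineTotpVerifier(RFC6238_SECRET)
    print(v.verify("287082", 59), v.verify("287082", 59))   # first accepted, replay rejected
```

The operational caveat that follows from this: the appliance's clock is part of the authentication. Keep it disciplined (a local NTP source or GPS time inside the air gap), keep the skew window small, and persist the last accepted counter so a restart does not reopen a replay window.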
How Guichon Valves secured OT and IT for NIS2.
of OT-IT flows segmented and auditable for NIS2 compliance. Deployed without production disruption.
“The Trout Access Gate gave us a clear path to CMMC compliance without disrupting our manufacturing operations.”
Ready for your NIS2 audit?
See how the Access Gate enforces Article 21 measures and provides audit-ready evidence across your infrastructure.
Download the Access Gate Datasheet.
Get the complete product overview with technical capabilities, deployment model, compliance alignment, and customer references.
What's Inside
Product architecture, deployment model, key capabilities (proxy enforcement, micro-DMZs, identity-based access), compliance alignment, and real-world customer deployments.
See It in Action
Request a live demo to see how the Access Gate deploys on your network without rewiring or downtime.
Common Questions About NIS2 Compliance.
Article 21 cybersecurity measures enforced and continuously monitored. Audit-ready evidence generated on demand.
NIS2 is the EU directive on cybersecurity for essential and important entities — energy, transport, manufacturing, water, digital infrastructure, and more. If you operate in these sectors within the EU above the size thresholds (typically 50+ employees or €10M turnover for important entities, 250+ or €50M for essential entities), it applies.
Article 21 requires risk management measures including network segmentation, access control, incident handling, supply chain security, cryptography, and tamper-evident audit logging. These obligations apply to every asset in scope — including PLCs, HMIs, CNCs, SCADA servers, and IoT sensors on the production floor. NIS2 does not exempt OT.
Yes — and for many essential entities, on-premise is the only path that preserves data sovereignty under the CLOUD Act and FISA 702. Access Gate is an appliance or VM that runs entirely inside your perimeter. No SaaS dependency, no foreign control plane, no data leaves your network. Article 21(2)(d) supply-chain risk management makes the cloud-jurisdiction question a board-level concern.
Up to €10M or 2% of global annual turnover for essential entities, whichever is higher. Up to €7M or 1.4% for important entities, whichever is higher. Beyond fines, Article 32(5) authorizes competent authorities to temporarily prohibit individuals at CEO or legal-representative level of an essential entity from exercising managerial functions where the entity fails to remedy non-compliance. Personal liability is built into the directive.
NIS2 dramatically expanded scope — from ~700 essential operators under NIS1 to roughly 160,000 entities EU-wide. It introduced personal liability for management bodies (Articles 20 and 32), stricter incident reporting deadlines (24-hour early warning, 72-hour notification), and concrete supply-chain security obligations under Article 21(2)(d). The original NIS directive left these to member-state interpretation; NIS2 codifies them at the EU level.
The CLOUD Act gives US authorities legal power to compel American cloud providers to disclose data, including data physically stored in European data centers. Jurisdiction follows the corporate parent, not the server location. An EU data center option from a US vendor does not eliminate exposure. For NIS2 essential entities, structural sovereignty is the only durable defense — which is why Access Gate runs on-premise under your jurisdiction with no remote control plane.
Hours, not months. Access Gate deploys as an overlay on your existing network, with no re-cabling, no IP changes, and no production downtime. Guichon Valves segmented their production and IT networks in hours. A typical NIS2 readiness deployment covers Article 21 access control, segmentation, MFA, and audit logging in a single appliance or VM, ready for audit on day one.
Yes. IEC 62443 zone-and-conduit architecture is exactly how Access Gate enforces segmentation — every OT zone is its own protected enclave with explicit conduit policies between zones. The same evidence Access Gate generates for NIS2 Article 21 audit also documents IEC 62443 compliance. One architecture covers both frameworks without duplication of effort.
Go Deeper on NIS2.
Foundational guides, Article 21 deep dives, sector implementation playbooks, and cross-framework analyses — written for IT and OT teams preparing for NIS2 audits.