IEC 62443 and NIS2 Compliance for OT Environments: A UK Operator’s Guide

The short answer

IEC 62443 is the international technical standard for securing industrial automation and control systems. NIS2 is the European Union’s cybersecurity directive for operators of essential services. For UK critical infrastructure operators, both frameworks are relevant, but the primary compliance obligations sit within the NCSC Cyber Assessment Framework and the incoming UK Cyber Security and Resilience Bill. Understanding how all three work together is the starting point for any serious OT compliance programme.

Why three frameworks, not one

A common source of confusion for UK operators is the relationship between IEC 62443, NIS2, and the CAF. These are complementary layers of obligation and guidance that, when understood together, form a coherent approach to OT security governance.

IEC 62443 defines the technical controls. It tells you what your industrial control systems, zones, and conduits need to look like from a security engineering perspective. It is a standard with no direct enforcement mechanism, but implementation of IEC 62443 is widely accepted as evidence of meeting the technical requirements of both NIS2 and the CAF.

NIS2 is a European Union legislative directive. It does not apply directly to UK-headquartered organisations operating solely within the UK. However, organisations with EU operations are in scope, and the UK government has explicitly designed the Cyber Security and Resilience Bill to mirror and in some areas exceed NIS2 obligations. UK operators who dismiss NIS2 as irrelevant are likely to find themselves surprised by the CSR Bill’s requirements when it takes effect.

The CAF is the NCSC’s Cyber Assessment Framework, the primary tool used by UK regulators to assess whether operators of essential services are meeting their obligations under the NIS Regulations 2018. CAF 4.0, released by the NCSC in 2025, sets sharper outcome-based expectations across governance, network segregation, supply chain security, and incident response. For most UK CNI operators, the CAF is the framework that actually gets tested at audit.

Understanding how these three frameworks map to each other determines whether a compliance programme produces genuine security capability.

IEC 62443: what UK operators need to know

IEC 62443 is a series of standards developed by the International Society of Automation and adopted by the International Electrotechnical Commission. It covers the full lifecycle of industrial automation and control system security, from governance and risk assessment through to technical controls at the component level.

For UK asset owners, the most relevant parts of the standard are:

IEC 62443-2-1 covers cybersecurity management system requirements for IACS asset owners. It is the governance layer of the standard, defining how an organisation should structure its security programme, conduct risk assessments, and manage security across operational technology environments. This is where IEC 62443 maps most directly to CAF Objective A requirements around governance and risk management.

IEC 62443-3-2 covers security risk assessment for system design. It introduces the concept of zones and conduits, which divide OT networks into segments based on security level requirements and manage the communication channels between them. This maps directly to CAF Objective B requirements around network segmentation and access control.

IEC 62443-3-3 covers system security requirements and security levels. It defines four security levels, from SL1 protection against casual or unintentional violations through to SL4 protection against sophisticated state-sponsored attacks. Most UK CNI operators operating in energy, water, and transport should be targeting SL2 as a minimum, with critical process zones requiring SL3.

IEC 62443-2-4 covers security requirements for IACS service providers, making it directly relevant to managed SOC providers operating in OT environments. e2e-assure’s OT Security service is structured to support client compliance with IEC 62443-2-4 requirements, with defined security responsibilities, documented processes, and audit-ready evidence trails.

The fundamental concept running through IEC 62443 is defence in depth. Security is achieved through overlapping layers of technical, procedural, and governance controls that an attacker must defeat sequentially. This is precisely the model that an IT/OT SOC service operationalises on a continuous basis.

NIS2 and the UK: what actually applies

NIS2 became EU law in January 2023 with national implementation required by October 2024. It applies to operators of essential services and important entities across energy, transport, water, health, digital infrastructure, manufacturing, and other sectors operating within EU member states.

The UK left the EU before NIS2 came into force. UK-headquartered organisations operating solely within the UK are not directly subject to NIS2. They remain governed by the UK NIS Regulations 2018 and the CAF.

However, two important points mean UK operators cannot simply disregard NIS2.

First, organisations with operations in EU member states are directly in scope for NIS2, regardless of where they are headquartered. Energy companies, utilities, and manufacturers with EU operations must demonstrate compliance with NIS2 requirements, including 72-hour incident reporting, supply chain security measures, and governance obligations that include board-level accountability.

Second, the UK government has introduced the Cyber Security and Resilience Bill, which was brought before Parliament in November 2025. The Bill explicitly aligns the CAF with ENISA guidance issued under NIS2 and proposes to make the CAF binding on regulated entities. It introduces a 24-hour early warning requirement for significant incidents, stricter than NIS2’s 72-hour threshold, alongside 72-hour full incident reports. Fines for non-compliance can reach £17 million or £100,000 per day in enforcement orders. The Bill expands scope to include approximately 2,500 additional entities including managed service providers, data centres, and digital service providers.

For UK operators currently operating under the NIS Regulations 2018, the CSR Bill represents a significant increase in regulatory obligation. The compliance work required to meet NIS2 standards provides an effective blueprint for CSR Bill readiness.

Our NIS2 and CAF compliance support is designed specifically to prepare UK operators for both frameworks simultaneously, recognising that the practical requirements converge even where the legislative mechanisms differ.

The CAF: the framework that gets tested at audit

The NCSC Cyber Assessment Framework is the primary tool used by UK sector regulators to assess NIS compliance for operators of essential services. CAF 4.0 represents the most significant update to the framework to date, with sharper outcome-based expectations and a stronger emphasis on consequence management across IT and OT environments.

The CAF is structured around four objectives, each subdivided into contributing outcomes:

Objective A: Managing security risk. Requires organisations to have appropriate governance structures, policies, and processes to understand and manage cybersecurity risk across both IT and OT environments. CAF 4.0 expects boards to govern both domains holistically, not through separate IT and OT risk registers that are never reconciled.

Objective B: Protecting against cyber attack. Covers network segregation, access control, identity management, and secure configuration. For OT environments, this includes the zone and conduit model that IEC 62443-3-2 defines in technical detail. Demonstrating compliance requires evidence of implemented segmentation, not just policy documents describing intended segmentation.

Objective C: Detecting cyber events. Requires active monitoring capability that detects anomalous activity across the systems supporting essential functions. For UK CNI operators, this means OT monitoring capability, not just IT SIEM coverage. An IT-only SOC cannot produce the evidence required to satisfy CAF Objective C for OT assets.

Objective D: Minimising the impact of cyber security incidents. Covers incident response, business continuity, and recovery capability. CAF 4.0 expects tested response plans with consequence-driven playbooks, not generic incident response procedures carried over from IT. The incident response capability must demonstrate operational awareness, not just technical competence.

The CAF does not prescribe how to achieve these outcomes. IEC 62443 provides the technical roadmap for getting there. The SOC capability that continuously monitors, detects, and responds is the operational mechanism that produces the evidence needed to demonstrate you have arrived.

How the three frameworks map to each other

For practical compliance planning, the mapping between IEC 62443, NIS2/CSR Bill, and the CAF can be understood through five operational areas:

Risk assessment and governance. IEC 62443-2-1 defines the CSMS structure. NIS2 Article 21 requires risk management measures. CAF Objective A requires demonstrated governance. A single, well-structured OT risk assessment programme satisfies all three simultaneously.

Network segmentation and access control. IEC 62443-3-2 zone and conduit methodology. NIS2 network security requirements. CAF Objective B contributing outcomes on separation and access management. Implementing IEC 62443-3-2 correctly is sufficient to demonstrate compliance with the segmentation requirements of both NIS2 and the CAF.

Continuous monitoring and detection. IEC 62443-3-3 monitoring requirements. NIS2 incident detection obligations. CAF Objective C monitoring outcomes. This is where a managed IT/OT SOC becomes the single most important control. The CUMULO platform provides correlated detection across IT and OT environments, with detection rules mapped to CAF outcomes and incident reporting workflows aligned to NIS2 and CSR Bill timelines.

Incident response and reporting. IEC 62443-2-1 incident response requirements. NIS2 72-hour reporting obligation. CSR Bill 24-hour early warning requirement. CAF Objective D incident management outcomes. These cannot be satisfied by documentation alone. They require a tested, operational response capability with defined escalation paths and evidence of regular exercising.

Supply chain security. IEC 62443-2-4 service provider requirements. NIS2 Article 21 supply chain obligations. CAF Objective B supply chain contributing outcomes. This is one of the most consistently under-addressed areas across UK CNI operators. Our Dark Web Monitoring service provides early warning of supply chain targeting before compromise occurs.

The five compliance gaps most commonly found at OT audit

Based on the pattern of assessments and incident response engagements in critical infrastructure environments, five gaps appear consistently across organisations that believe they are closer to compliance than they are.

Gap 1: OT assets are not in scope for monitoring. Organisations have SOC coverage for IT environments but no visibility into industrial control systems, SCADA networks, or OT-adjacent systems. CAF Objective C requires demonstrable monitoring of the systems supporting essential functions. If those systems include OT assets and they are not monitored, the CAF assessment will record a gap regardless of how well the IT environment is covered.

Gap 2: Incident response plans do not account for OT operational constraints. Generic IT incident response procedures are insufficient for OT environments where containment actions can interrupt physical processes. CAF Objective D requires tested, consequence-driven playbooks. Most organisations have not tested their OT incident response capability and cannot produce evidence that they have done so.

Gap 3: Supply chain access is not observable. Third-party vendors, system integrators, and managed service providers frequently have privileged access to OT environments. CAF Objective B supply chain requirements and NIS2 Article 21 both require organisations to manage and evidence this access. Many cannot demonstrate what their third parties accessed, when, or what they did.

Gap 4: Segmentation policy exists but implementation is incomplete. Zone and conduit documentation exists but has not been validated against actual network architecture. IT and OT networks that should be segregated have undocumented pathways between them. This is the most common technical gap identified in OT security assessments.
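One way to turn the Gap 4 check into something repeatable is to compare the documented zone-and-conduit design against flows actually observed on the network. The following is an added example (not code from the article or from e2e-assure); the zone names, address ranges, conduits and flow records are all constructed for illustration.

```python
"""Validate a documented IEC 62443-3-2 zone/conduit design against observed traffic.

Added example, not part of the original article. Every zone, address range,
conduit and flow record below is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed zone model: zone name -> (target security level, address ranges)
ZONES = {
    "enterprise_it": (1, ["10.0.0.0/16"]),
    "dmz":           (2, ["10.1.0.0/24"]),
    "supervisory":   (2, ["192.168.10.0/24"]),
    "control":       (3, ["192.168.20.0/24"]),
}

# Constructed documented conduits: (source zone, destination zone, dst port)
CONDUITS = {
    ("enterprise_it", "dmz", 443),      # users -> historian web front end
    ("dmz", "supervisory", 1433),       # historian collector -> SCADA database
    ("supervisory", "control", 502),    # HMI -> PLC over Modbus/TCP
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def zone_of(addr: str) -> Optional[str]:
    """Map an address to its zone, or None if it is in no documented zone."""
    ip = ip_address(addr)
    for name, (_, nets) in ZONES.items():
        if any(ip in ip_network(n) for n in nets):
            return name
    return None

def find_undocumented_pathways(flows):
    """Return (flow, reason) pairs for traffic the conduit design does not explain.

    Intra-zone traffic is not a conduit and is skipped. A flow whose source or
    destination sits in no known zone is reported as well, since an unmapped
    asset is itself a documentation gap.
    """
    findings = []
    for f in flows:
        src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)
        if src_zone is None or dst_zone is None:
            findings.append((f, "asset not assigned to any zone"))
        elif src_zone == dst_zone:
            continue
        elif (src_zone, dst_zone, f.dport) not in CONDUITS:
            sl = ZONES[dst_zone][0]
            findings.append((f, f"undocumented {src_zone}->{dst_zone} pathway into SL{sl} zone"))
    return findings

# Constructed sample of observed flows (as exported from a passive span-port sensor)
OBSERVED = [
    Flow("10.0.5.20", "10.1.0.10", 443),          # documented conduit
    Flow("10.1.0.10", "192.168.10.5", 1433),      # documented conduit
    Flow("192.168.10.5", "192.168.20.7", 502),    # documented conduit
    Flow("10.0.7.41", "192.168.20.7", 3389),      # IT workstation straight into the control zone
    Flow("192.168.10.5", "192.168.10.9", 445),    # intra-zone, not a conduit
    Flow("172.16.0.3", "192.168.20.7", 502),      # source in no documented zone
]

if __name__ == "__main__":
    for flow, reason in find_undocumented_pathways(OBSERVED):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {reason}")
```

Each finding is either an undocumented pathway to fix or a conduit to add to the design, which is exactly the reconciliation evidence a CAF Objective B assessment asks for.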

Gap 5: Governance treats IT and OT as separate risk domains. CAF 4.0 explicitly requires boards to govern both domains holistically. Essential functions span IT and OT, and the consequence-of-loss scenarios must reflect this. Organisations that maintain separate IT and OT risk registers without integration at board level are unlikely to satisfy the CAF 4.0 governance requirements.

How e2e-assure supports IEC 62443, NIS2, and CAF compliance

e2e-assure provides full compliance visibility through the Cumulo Standard and Enterprise tiers. The compliance dashboards allow security leaders to instantly see their compliance status across all major frameworks, including IEC 62443, NIS2, and CAF. This capability enables security leaders to understand their compliance status year-round as well as quickly communicate the benefits of additional investments to boards by showing the impact on compliance improvements.

Additionally, e2e-assure provides a fully converged IT/OT SOC service designed to produce the evidence required by all three frameworks as a function of day-to-day security operations, not as a retrospective compliance exercise.

Our cyber assessment services cover the full range of compliance preparation activities:

  • OT security assessments mapped to IEC 62443 security levels, identifying gaps against target SL requirements for each zone
  • CAF-structured gap analysis with evidence mapping to all four Objectives and their contributing outcomes
  • NIS2 and CSR Bill readiness reviews covering incident reporting readiness, supply chain security, and governance obligations
  • Detection rule libraries mapped to CAF Objective C outcomes, deployed within the CUMULO platform
  • Incident response playbook development and exercising aligned to CAF Objective D and CSR Bill reporting timelines
  • Audit-ready evidence packages structured for regulatory submission

Clients operating with e2e-assure achieve 3x faster detection and 60% fewer false positives across their IT and OT environments. Our NPS score of 88+, against a sector average of 34, reflects consistent client outcomes across the exact sectors where IEC 62443, NIS2, and CAF obligations intersect: energy, utilities, manufacturing, transport, and defence.

Frequently asked questions

What is the difference between IEC 62443 and NIS2? IEC 62443 is a technical standard that defines security requirements for industrial automation and control systems. NIS2 is a European Union legislative directive that mandates cybersecurity obligations for operators of essential services. IEC 62443 describes how to implement security controls. NIS2 mandates that appropriate controls are in place and enforces compliance through national regulation. For OT environments, implementing IEC 62443 is widely accepted as evidence of meeting the technical requirements of NIS2.

Does NIS2 apply to UK organisations? NIS2 applies directly to organisations operating in EU member states. UK-headquartered organisations operating solely within the UK are governed by the UK NIS Regulations 2018 and the NCSC Cyber Assessment Framework. However, organisations with EU operations are in scope for NIS2, and the UK Cyber Security and Resilience Bill, introduced in November 2025, aligns UK requirements closely with NIS2 obligations, including binding CAF assessments and stricter incident reporting timelines.

What is the UK Cyber Security and Resilience Bill? The Cyber Security and Resilience Bill was introduced to UK Parliament in November 2025. It expands the scope of the NIS Regulations 2018 to include approximately 2,500 additional entities, makes the CAF binding on regulated organisations, introduces 24-hour early warning requirements for significant incidents, and increases maximum penalties to £17 million or £100,000 per day. It represents the UK’s parallel response to NIS2 and will significantly increase compliance obligations for CNI operators once enacted.

What is CAF 4.0 and why does it matter? CAF 4.0 is the updated version of the NCSC Cyber Assessment Framework, released in 2025. It sets sharper outcome-based expectations across governance, network segregation, supply chain security, and incident response. Critically, it requires organisations to govern IT and OT security holistically at board level, and it expects demonstrable OT monitoring capability under Objective C. Organisations whose SOC coverage does not include OT assets will have a gap under CAF 4.0.

How does IEC 62443 map to the CAF? IEC 62443-2-1 maps to CAF Objective A governance requirements. IEC 62443-3-2 zone and conduit methodology maps to CAF Objective B segmentation and access control requirements. IEC 62443-3-3 monitoring requirements map to CAF Objective C. IEC 62443-2-1 incident response requirements map to CAF Objective D. Organisations that implement IEC 62443 comprehensively are well-positioned to satisfy all four CAF Objectives, provided implementation is validated and evidenced rather than documented on paper only.

What evidence does a CAF assessment require for OT monitoring? CAF Objective C requires evidence of active monitoring capability across the systems supporting essential functions, including OT environments. This typically means demonstrating that OT assets and industrial protocols are ingested into a monitoring platform, that detection rules are in place and tested, that anomalous activity triggers documented triage processes, and that analysts with OT expertise are performing investigations. Organisations relying on IT-only monitoring cannot produce this evidence for OT assets.

Prepare for your next CAF assessment

If your current security operations do not include demonstrable OT monitoring, tested incident response, and audit-ready evidence trails, your CAF assessment will identify gaps that are costly to address under regulatory scrutiny. Speak with an e2e-assure compliance specialist to understand your current position and what it takes to close the distance.
