What is Compliance?
Compliance means meeting legal, regulatory, standards-based and contractual obligations in the areas of information security, privacy and operational safety. In OT/ICS environments, compliance covers both technical measures and process and organisational requirements.
The aim of compliance is to keep risks manageable, deliver demonstrable security and meet relevant regulations such as NIS2, AVG, FISMA or IEC 62443.
🧠 What does compliance cover?
1. Legislation
- NIS2 (Network and Information Security)
- AVG / GDPR (privacy)
- FISMA (US, government security)
- Cybersecurity Act (EU)
2. Standards and frameworks
- ISO 27001 — ISMS for information security
- IEC 62443 — Cybersecurity for industrial systems
- NIST CSF / NIST SP 800-53 — US guidelines
- COBIT — Governance of IT processes
3. Contractual obligations
- Supplier terms (e.g. MSSPs, hosting partners)
- SLAs covering security measures or audit obligations
🔐 Compliance in OT environments
| Component | Example compliance requirement |
|---|---|
| SCADA system | Documentation of access rights, patch status and logging (e.g. ISO 27001 A.9) |
| Remote Access | Use of MFA, a jump server and monitoring so that every session is traceable |
| PLC network | Network segmentation per IEC 62443-3-3 — Restricted Data Flow |
| Backup procedures | Documented and tested recovery plans (ISO 27001 A.17 / NIS2) |
| Incident Response | Formal reporting and registration procedures as required by legislation |
In OT, compliance is often not purely IT-driven; it is also part of the operational and production-related responsibilities of the plant.
✅ Benefits of compliance
- Reduced legal risk and potential fines
- Better collaboration with suppliers through demonstrable security
- Structure and repeatability in processes and policy
- Trust from customers, partners and regulators
⚠️ Risks of non-compliance
- Legal fines (e.g. under AVG)
- Loss of certification (ISO, GxP, etc.)
- Exclusion from tenders or contracts
- Undetected vulnerabilities due to missing policy or oversight
🔄 The compliance cycle
Based on the PDCA approach:
- Plan — policy, scope, risk assessment
- Do — implementation of measures
- Check — internal audits, logging, reporting
- Act — corrective actions, continuous improvement
📌 In summary
Compliance means demonstrably meeting legal and regulatory requirements, standards and contractual obligations for information security and OT management. It is an integral part of effective risk management and Cybersecurity Governance.
