OT Security 2026: Why IEC 62443 and the EU Cyber Resilience Act Must Be Read Together
OT security is getting a regulatory push in 2026 that many manufacturers are still underestimating. The EU Cyber Resilience Act requires vulnerability reporting for all digital products starting June 2026. Lifecycle obligations kick in from December 2027. IEC 62443 is the only widely adopted standard that provides the technical framework to meet these requirements. For security teams in mechanical engineering, energy, and process industries, the message is clear: zones, conduits, and risk-based segmentation are no longer nice-to-haves.
Key Takeaways
- CRA and IEC 62443 are complementary. The EU Cyber Resilience Act defines the what (Secure-by-Design, vulnerability handling, post-market support). IEC 62443 delivers the how (zones, conduits, security levels).
- Air-gap has become a myth. In modern manufacturing environments, a true air-gap barely exists anymore. Every IIoT connection, every remote maintenance access, and every remote monitoring setup dissolves the classic separation.
- The Purdue model is no longer enough. The hierarchical view of production IT is too rigid for today’s architectures. IEC 62443 works with risk-based zones that can cut across Purdue levels.
What IEC 62443 Actually Requires on a Technical Level
What is IEC 62443? The IEC 62443 series is an international standard for cybersecurity in industrial automation and control systems (IACS). It defines roles (asset owner, integrator, product manufacturer), four Security Levels (SL 1 to SL 4), zone concepts with conduits between zones, and a complete lifecycle from risk analysis through operations. For companies falling under the CRA, it serves as the technical framework onto which CRA obligations can be mapped.
The practical core of the standard rests on two concepts. First: zones. A zone is a logical grouping of assets with the same security requirements. It does not have to align with physical boundaries — it follows the risk profile instead. A robot on manufacturing line A and a robot on manufacturing line B can belong to the same zone if they share the same protection needs. Second: conduits. All communication between zones runs through a defined conduit, where authentication, filtering, and inspection are enforced. Without conduits, no communication between zones is permitted.
Security Levels build on one another. SL 1 covers incidental threats, SL 2 intentional attacks using simple means, SL 3 attacks employing sophisticated techniques and moderate resources, and SL 4 state-sponsored attackers with significant capabilities. Every asset is assigned a target SL value derived from the risk analysis. The gap between the current and target SL defines the investment roadmap.
Why the Purdue Model Is Hitting Its Limits in 2026
The Purdue Enterprise Reference Architecture Model (PERA) dominated OT security discussions for decades. Its hierarchical view with Levels 0 through 5 — process, control, supervision, operations, enterprise — was a workable model as long as manufacturing environments remained clearly separated along vertical lines. In 2026, that logic no longer maps cleanly to reality. IIoT sensors send data directly to the cloud, bypassing multiple levels. Remote maintenance connections link external technicians directly to Level 1 systems. Digital twin platforms pull raw data from lower tiers and aggregate it into higher-level analytics systems.
IEC 62443 responds with the zone model. Assets are grouped by protection need, not by hierarchy level. This allows flexible structures: an engineering workstation can sit in a different zone from the HMI terminal right next to it if their protection requirements differ. A cloud gateway can remain within the manufacturing network zone as long as its conduits are cleanly defined. Implementation is more demanding, but it reflects today’s reality far more accurately.
Many mid-sized companies have spent recent years building a hybrid approach out of Purdue terminology and ad-hoc risk analysis — driven largely by resource constraints. With CRA and NIS2, that halfway solution becomes a compliance liability in 2026. Regulatory conversations now ask for clear zone definitions, not level diagrams. Companies without a zone map will find documented weaknesses appearing in audit reports.
The good news: moving from the Purdue model to IEC 62443 zones is not a complete rebuild. Existing network segments can be translated into zones once the protection requirements per asset are documented. The conceptual shift lies in the thinking: instead of grouping by hierarchy, you group by risk profile. That distinction matters in audit conversations and in responding to real incidents — because attackers rarely operate hierarchically. They look for vulnerabilities wherever they find them.
What the Air-Gap Legacy Means in Practice
The air-gap promise has evaporated across most German manufacturing operations over the past five years. The causes are clear: predictive maintenance requires data flows to the cloud. Remote vendor support demands access to plant systems. Digital quality assurance pulls measurement data from production lines. And operational accounting needs consumption and output data in real time. Every one of these connections erodes the air gap a little further.
The reality is that modern OT networks are connected to IT systems and external partners through numerous interfaces. The dividing line no longer runs between IT and OT — it runs between different risk zones within a shared network. The job of security teams is to define those zones explicitly, monitor the conduits between them, and detect attacks that move laterally across zones before they gain a foothold.
Where OT Security Fails in 2026
- Air-gap assumption without actual network isolation
- No up-to-date asset inventory of OT systems
- Remote access without MFA and session auditing
- Patch management without OT-specific processes
What IEC 62443-Compliant Setups Get Right
- Zone model with documented risk analysis
- Conduits with authentication and protocol filtering
- OT-specific SIEM with protocol support for Modbus and OPC UA
- Ongoing vulnerability management including legacy devices
OT-specific patch management is one of the most underestimated success factors. Standard IT patches run on a weekly cycle — OT systems can’t tolerate that cadence. A live production line patched every seven days risks quality and availability problems. The IEC 62443 approach is to schedule patches within maintenance windows, apply compensating controls (segmentation, enhanced monitoring) for critical vulnerabilities, and document every risk decision. The anti-pattern is pushing urgent patches without consulting those responsible for production.
How Security Teams Can Structure Their Approach Right Now
For security teams facing CRA pressure in 2026 or required to meet NIS2 registration obligations, a four-phase plan has emerged as the standard approach. Phase one: asset inventory. Who has which devices, which firmware versions, which network connections, which dependencies on external partners. Without this foundation, every subsequent decision is built on sand. Phase two: risk analysis per asset cluster. Which threat scenarios are realistic, which failures would be business-critical, which security levels are required. Phase three: zone design and conduit definition. This is where IEC 62443 concepts are mapped concretely onto your own environment. Phase four: technical implementation and ongoing operations.
Phase three is frequently the bottleneck, because it demands a shared language among IT security, OT engineers, and production managers. IT security thinks in firewalls and access policies; OT thinks in interfaces and maintenance cycles; production management thinks in availability and throughput. A joint workshop format involving all three groups is the most practical approach. It typically takes three to five days of focused work, followed by two to four weeks of follow-up, to produce a first viable zone map.
One often-overlooked element in phase three is the documentation of conduits. Every communication path between zones should be recorded in a list — with protocol, frequency, affected assets, and responsibilities. Auditors explicitly ask for this list, and it forms the basis for every future expansion. Organizations that fail to document their conduits lose visibility over their attack surface the moment new connections are added. A living list matters more than a polished one-time diagram, because OT reality changes continuously and new connections keep appearing.
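The zone and conduit concepts described above, together with the conduit register this paragraph calls for, can be turned into an automated check. The following is an added example, not code from the article or from any vendor product: it takes a constructed zone map, target Security Levels per zone and a conduit register (all names and values are invented), and audits observed flow records for inter-zone traffic that has no documented conduit, uses a protocol the conduit does not permit, or steps up into a higher-SL zone without authentication.

```python
"""Audit observed traffic against an IEC 62443 style zone map and conduit register.
All zone names, SL targets, conduits and flow records below are constructed sample data."""

# Zone map (asset -> zone) and target Security Level per zone, the outputs of phases one to three.
ASSET_ZONE = {"plc-line-a": "cell-a", "robot-line-a": "cell-a", "hmi-line-a": "supervision",
              "eng-ws-01": "engineering", "historian": "dmz", "cloud-gw": "dmz"}
ZONE_TARGET_SL = {"cell-a": 3, "supervision": 2, "engineering": 3, "dmz": 2}

# Conduit register: (source zone, destination zone) -> (permitted protocols, authentication
# enforced, responsible party). Every inter-zone path must appear here.
CONDUITS = {
    ("supervision", "cell-a"): ({"modbus/tcp"}, True, "ot-engineering"),
    ("engineering", "cell-a"): ({"s7comm"}, True, "ot-engineering"),
    ("cell-a", "dmz"): ({"opc-ua"}, False, "it-security"),
    ("dmz", "engineering"): ({"https"}, False, "it-security"),
}

def check_flow(src_asset, dst_asset, protocol):
    """Return None if the flow is permitted, otherwise a short finding code."""
    src, dst = ASSET_ZONE.get(src_asset), ASSET_ZONE.get(dst_asset)
    if src is None or dst is None:
        return "unknown-asset"            # not in the asset inventory: a phase-one gap
    if src == dst:
        return None                       # intra-zone traffic is outside the conduit model
    conduit = CONDUITS.get((src, dst))
    if conduit is None:
        return "no-conduit"               # inter-zone path without a documented conduit
    protocols, authenticated, _owner = conduit
    if protocol not in protocols:
        return "protocol-not-allowed"     # conduit exists, but its filter does not permit this protocol
    if ZONE_TARGET_SL[src] < ZONE_TARGET_SL[dst] and not authenticated:
        return "unauthenticated-step-up"  # lower-SL zone reaching a higher-SL zone without authentication
    return None

def audit(flows):
    """flows: iterable of (src_asset, dst_asset, protocol); returns [(flow, finding), ...]."""
    return [(f, r) for f in flows if (r := check_flow(*f)) is not None]

SAMPLE_FLOWS = [  # constructed flow records, e.g. exported from an OT network monitor
    ("hmi-line-a", "plc-line-a", "modbus/tcp"),  # permitted
    ("cloud-gw", "plc-line-a", "modbus/tcp"),    # no-conduit
    ("eng-ws-01", "plc-line-a", "modbus/tcp"),   # protocol-not-allowed
    ("historian", "eng-ws-01", "https"),         # SL 2 -> SL 3 over an unauthenticated conduit
    ("plc-line-a", "robot-line-a", "profinet"),  # intra-zone, permitted
    ("laptop-vendor", "plc-line-a", "rdp"),      # unknown-asset
]

if __name__ == "__main__":
    for flow, finding in audit(SAMPLE_FLOWS):
        print(f"{finding:24s} {flow}")
```

Run periodically against exported flow data, each finding is either a missing register entry (the living list needs updating) or traffic that the conduit design never sanctioned.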
On the technology side, the situation has improved considerably by 2026. OT-specific firewalls, network intrusion detection systems, and SIEMs are widely available, often with built-in support for common OT protocols (Modbus, OPC UA, PROFINET, EtherNet/IP). Vendors such as Claroty, Nozomi Networks, Dragos, Tenable OT, and Cisco Cyber Vision cover the full range of requirements. The right choice depends on existing infrastructure and the scale of the OT landscape. Mid-sized companies with a manageable number of systems often get by with an integrated solution, while large enterprises typically adopt a multi-vendor strategy.
What Will Matter Between CRA and Market Pressure in 2026
CRA deadlines are shifting the OT security conversation from a nice-to-have to a market requirement. From June 2026, all digital products placed on the EU market must have vulnerability reporting channels and document discovered weaknesses within defined timeframes. From December 2027, lifecycle support obligations kick in. Manufacturers must provide updates for a specified period, and asset owners must be able to demonstrate they are applying those updates. IEC 62443 offers the only widely accepted technical framework that operationalizes these obligations.
For buyers of OT systems, this means procurement processes will look different in 2026. IEC 62443 certifications from the manufacturer will be requested, CRA compliance must be documented, and vulnerability handling processes must form part of any offer. Manufacturers unable to supply this documentation will be disqualified from tenders. Asset owners who fail to demand these proofs will face problems in their own audits — forced to compensate for what the manufacturer does not deliver.
Another dimension is the role of external service providers. Many German manufacturers source maintenance, remote support, and even parts of their security monitoring from third parties. These suppliers fall under NIS2 supply chain clauses when their services are relevant to the operation of critical assets. Asset owners must audit the security practices of their service providers and document them in contract addenda. Those who fail to do this proactively will inherit their suppliers’ vulnerabilities at audit time.
The certification landscape is also evolving. The CRA will be underpinned by the European Cybersecurity Certification Group (ECCG) with its own schemes, while IEC 62443 has ISA/IEC 62443 (ISASecure) certificates for both products and facilities. These credentials are increasingly required in B2B contracts. Manufacturers without the appropriate certificates by the end of 2026 will lose tenders. Asset owners who do not demand them are quietly absorbing hidden compliance risk.
Finally, there is the supply chain dimension. OT systems comprise hundreds or thousands of components from diverse sources. Software Bills of Materials (SBOM) are becoming a standard artifact in 2026, providing transparency about the components in use. Security teams that process SBOMs cleanly and check them against vulnerability feeds detect weaknesses in their own estate far faster. Without SBOM discipline, new CVEs in OT components often go unnoticed for weeks or months.
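To make the SBOM discipline described above concrete, here is an added example (not code from the article or from any SBOM tool) that matches a CycloneDX SBOM against a vulnerability feed. The SBOM, the component names, the feed entries and the CVE identifiers are all constructed placeholders; the feed uses an OSV-like "introduced/fixed" version range and an unset "fixed" marks a vulnerability with no released fix, which is where the compensating controls mentioned earlier come in.

```python
"""Match a CycloneDX SBOM against a vulnerability feed to find affected OT components.
The SBOM, the feed and the CVE identifiers below are constructed placeholders, not real data."""
import json

# Constructed CycloneDX 1.5 SBOM for a hypothetical PLC firmware image.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "components": [
    {"type": "library", "name": "tcp-stack", "version": "2.1.2", "purl": "pkg:generic/tcp-stack@2.1.2"},
    {"type": "library", "name": "tls-lib", "version": "2.28.3", "purl": "pkg:generic/tls-lib@2.28.3"},
    {"type": "library", "name": "opcua-sdk", "version": "1.3.8", "purl": "pkg:generic/opcua-sdk@1.3.8"}
  ]
}"""

# Constructed feed entries in an OSV-like shape: affected package, version range [introduced, fixed).
# The IDs are placeholders, not real CVE numbers.
VULN_FEED = [
    {"id": "CVE-0000-0001", "purl": "pkg:generic/tcp-stack", "introduced": "2.0.0", "fixed": "2.1.3", "severity": "high"},
    {"id": "CVE-0000-0002", "purl": "pkg:generic/tls-lib", "introduced": "2.0.0", "fixed": "2.28.0", "severity": "critical"},
    {"id": "CVE-0000-0003", "purl": "pkg:generic/opcua-sdk", "introduced": "1.0.0", "fixed": None, "severity": "medium"},
]

def parse_version(v):
    """Dotted numeric version to a comparable tuple; non-numeric parts sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def is_affected(version, introduced, fixed):
    """True if introduced <= version < fixed (an unset 'fixed' means no fix has been released)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)

def match_sbom(sbom_json, feed):
    """Return [(component name, version, vuln id, severity, fixed)] for every affected component."""
    components = json.loads(sbom_json).get("components", [])
    by_purl = {}                      # index the feed by version-less purl for fast lookup
    for vuln in feed:
        by_purl.setdefault(vuln["purl"], []).append(vuln)
    hits = []
    for comp in components:
        for vuln in by_purl.get(comp.get("purl", "").split("@", 1)[0], []):
            if is_affected(comp["version"], vuln["introduced"], vuln["fixed"]):
                hits.append((comp["name"], comp["version"], vuln["id"], vuln["severity"], vuln["fixed"]))
    return hits

if __name__ == "__main__":
    for name, ver, vid, sev, fixed in match_sbom(SBOM_JSON, VULN_FEED):
        print(f"{sev:8s} {vid}  {name} {ver}  fixed in: {fixed or 'no fix yet (compensating controls)'}")
```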
Frequently Asked Questions
Do smaller mid-market companies also need IEC 62443 compliance?
Formal certification is rarely required. But as soon as they place products covered by the CRA on the EU market, or form part of a supply chain serving critical infrastructure operators, IEC 62443 concepts will be scrutinized in customer audits. Applying the standard without formal certification is usually the pragmatic path forward.
How do zones differ from traditional network segments?
Network segments are separated purely at the technical level — often via VLANs or physically distinct switches. Zones are logical groupings based on shared protection requirements, and can span multiple technical network segments. A single zone may encompass several segments, or vice versa. The assignment is determined by risk analysis, not topology.
How often should the zone map be updated?
Annually at a minimum, and on an event-driven basis whenever significant IT or production changes occur. New IIoT connections, additional remote access paths, new equipment, or changed business processes all shift the risk framework. Going more than two years without a trigger-based update signals weak governance practice.
What role does MFA play in OT networks?
A growing one. Traditional HMI workstations on the shop floor have historically relied on basic authentication. By 2026, MFA for remote access, engineering workstations, and service technician accounts is becoming the standard. Implementation is technically feasible and represents a mandatory control point in IEC 62443 SL 3 zones.
What is the single most important step for security teams over the next six months?
Asset inventory and remote access audit. Without an up-to-date asset inventory, no meaningful risk analysis is possible. Without a remote access audit, there is no clear picture of existing attack surfaces. Both can be completed with moderate effort within a single quarter and form the foundation for every subsequent step.