New Cybersecurity Regulations Pose Major Shifts for ICS Operators

By Matthew Schaefer on April 4, 2025

Executive Summary

The European Union is enforcing new cybersecurity laws that affect global industrial infrastructure. These include the Network and Information Security Directive 2 (NIS2), the Digital Operational Resilience Act (DORA), and the Cyber Resilience Act (CRA). Unprepared Industrial Control System (ICS) operators face disruption under these stricter rules. Organizations must update their practices to comply. Acting now ensures operational safety and reduces legal risks. 

Background

In 2025, the European Union introduced three major cybersecurity regulations that affect Industrial Control Systems (ICS), the systems used to control and monitor industrial operations. The first is the Network and Information Security Directive 2 (NIS2), which expands the list of sectors required to meet cybersecurity standards. It mandates stronger risk management, incident response, and supply chain protection [1]. This is especially important for ICS operators in sectors like energy, transportation, and healthcare.

The Digital Operational Resilience Act (DORA) focuses on financial institutions, including those that outsource digital services. These organizations must regularly test their systems, report cyber incidents, and manage risks from external providers [3]. ICS vendors supporting financial entities will need to align their practices to meet DORA’s requirements. 

The Cyber Resilience Act (CRA) ensures that digital products, including ICS hardware and software, are secure throughout their entire lifecycle. This law applies to products sold within the EU, including those manufactured abroad. It requires companies to design secure systems, address vulnerabilities, and deliver timely security updates [4]. These new regulations are reshaping how ICS security is approached, even outside of Europe. 

Impact

These cybersecurity regulations introduce new expectations that could significantly affect how ICS environments are managed. Organizations that supply or operate critical systems across sectors like energy or finance may now fall under these legal frameworks. For example, Duke Energy, a major U.S. utility provider, operates critical infrastructure that could be impacted by EU regulations like the CRA if it exports ICS components or software to European markets. Additionally, U.S.-based financial institutions such as JPMorgan Chase, along with their IT vendors, must consider DORA’s requirements if they maintain operations or partnerships within the EU. Organizations that do not meet these standards may face financial penalties, operational disruption, or loss of trust. Longstanding practices that once neglected cybersecurity now require major improvements to align with evolving regulatory and technical expectations. 

Mitigation

Organizations can reduce risk by aligning cybersecurity policies with the new regulations. NIS2 compliance starts with improving incident response, strengthening supply chain controls, and raising internal awareness. CRA requires secure product design and consistent updates across the ICS lifecycle. DORA mandates resilience planning, regular testing, response protocols, and continuity plans involving external providers. These actions improve defenses and support legal compliance [2].

Relevance

These regulations matter to more than just IT professionals. Anyone who relies on secure energy, water, and transportation systems has a stake in how ICS are protected. Taking the time to meet new cybersecurity standards is far safer and more cost-effective than dealing with a system failure or legal penalty. Adopting these practices helps build trust and resilience across essential infrastructure. 

References

[1] Navarro, P., & Tang, O. (2025, January 1). 2025: A Critical Year for Cybersecurity Compliance in the EU and UK. Infosecurity Magazine. https://www.infosecurity-magazine.com/opinions/2025-critical-year-cybersecurity/ 

[2] Carrapico, H., & Farrand, B. (2024, July 25). Cybersecurity Trends in the European Union: Regulatory Mercantilism and the Digitalisation of Geopolitics. Journal of Common Market Studies. https://onlinelibrary.wiley.com/doi/10.1111/jcms.13654

[3] Hadnes Bruder, A., Yaros, O., Hörauf, M., Kapotwe, M., Beck, B., & Hajda, O. (2025, January 17). Cybersecurity in the Financial Sector: EU’s Digital Operational Resilience Act Takes Effect. Mayer Brown. https://www.mayerbrown.com/en/insights/publications/2025/01/cybersecurity-in-the-financial-sector-eus-digital-operational-resilience-act-takes-effect 

[4] Disaster Recovery Journal. (2024, October 24). Cyber Resilience Act Passed – A Paradigm Shift in Product Cybersecurity. Disaster Recovery Journal. https://drj.com/industry_news/cyber-resilience-act-passed-a-paradigm-shift-in-product-cybersecurity/