
What compliance standards apply to my OT systems?

  • Writer: Ross O'Brien
  • May 7
Compliance standards image with five shield icons: IEC 62443, NIS2, UKCA, ISO/IEC 27001, OG86. Industrial background, twilight sky.
Overview of key compliance standards for OT systems, including IEC 62443 for industrial automation security, NIS2 for cyber resilience, UKCA for UK-specific frameworks, ISO/IEC 27001 for information management, and OG86 for oil and gas cybersecurity guidance.

The standards and regulatory expectations that apply to OT systems depend on your sector, location, role in essential services and customer requirements. Common references include IEC 62443, the NCSC Cyber Assessment Framework, UK NIS regulations, OG86 for relevant UK industrial environments, and sector-specific guidance.

For organisations operating internationally or supplying critical sectors, additional customer or regional requirements may also apply.

Standards versus regulations

A standard provides a recognised way to structure security. A regulation creates legal duties. In practice, organisations often use standards such as IEC 62443 to demonstrate that cyber security risks are being managed in a systematic and proportionate way.

The NCSC Cyber Assessment Framework is outcome-focused and is used in UK critical national infrastructure and related sectors. IEC 62443 is widely used for industrial automation and control systems, including risk assessment, system design, security levels and lifecycle activities.

Why compliance alone is not enough

Compliance should support resilience, not become a paperwork exercise. A compliant-looking document set is not enough if asset inventories are incomplete, remote access is unmanaged or incident response plans are untested.

How ControlShield can help

ControlShield helps organisations identify which standards and regulatory expectations are relevant, assess current gaps and produce practical improvement plans. We can support IEC 62443 aligned risk assessments, CAF readiness, OG86 pre-inspections, NIS compliance support, documentation development and regulator-facing improvement planning.

We help translate requirements into actions that engineering and operations teams can implement.


Contact ControlShield for support understanding and meeting OT cyber security compliance expectations.

 
 
 


© 2026 ControlShield
