# Cybersecurity frameworks

From factory floors to cloud APIs and connected sensors, the regulatory landscape for cybersecurity has never been more complex — or more consequential. This guide covers the fourteen frameworks every security professional should understand, spanning operational technology, information systems, and connected devices.

***

### Why this matters

Three years ago, a manufacturer could reasonably treat cybersecurity as an IT problem. Today, that assumption is both incorrect and legally untenable. The convergence of operational technology, information systems, and connected devices has produced a regulatory environment where a single product or facility may simultaneously fall under a European directive, an international standard, a sector-specific mandate, and a contractual compliance scheme.

This complexity is not bureaucratic noise; it reflects genuine risk. In the 2021 Colonial Pipeline incident, ransomware on the operator's IT systems led it to halt pipeline operations across the US East Coast even though the OT network itself was not known to be compromised. The Mirai botnet weaponised hundreds of thousands of poorly secured IoT devices. Ransomware has become routine in hospitals, ports, and energy grids. Regulators have responded, and the frameworks that have emerged form a coherent, if overlapping, architecture.

> **The question is no longer whether to comply, but which frameworks apply and in what order they interact.**

***

### Two tiers, one landscape

The frameworks in this space divide naturally into two tiers.

* **Tier 1** — Broad-spectrum standards and regulations recognised globally across IT, OT, and IoT. These are the instruments that appear in virtually every serious security programme regardless of industry.
* **Tier 2** — Sector-specific or regionally focused instruments that are authoritative within their domain but less applicable outside it.

Both tiers matter. A sound security programme typically draws from both.

***

### Tier 1 — Universal foundations

#### IEC 62443 — Industrial Automation & Control Systems Security

The de facto reference standard for OT and ICS security. A multi-part series, organised into four groups (general, policies and procedures, system, component), that addresses asset owners, integrators, and component suppliers alike. Its Security Levels (SL 1 to SL 4, with SL 0 meaning no specific requirement) are calibrated to attacker capability and motivation rather than to asset value, which is what lets the same standard be applied to a whole zone and to a single device. NIST SP 800-82, ISO/IEC 27019 and China's GB/T 30976 all align with it, and it is the standard that NIS2 implementation guidance and sector regulators most often point to as the OT state of the art: the framework that all others in the OT space orbit around.

**Key sectors:** OT/SCADA, Energy, Oil & gas, Water, Manufacturing, Chemical

***

#### ISO/IEC 27001 — Information Security Management Systems

The most widely deployed security certification on the planet. Its 93 Annex A controls (2022 edition) provide a comprehensive framework for managing information security across any organisation. It is the structural foundation on which sector-specific overlays are built — ISO 27019 for energy, ISO 27017 for cloud. If a company holds one security certification, it is almost certainly this one.

**Key sectors:** All sectors, any organisation

***

#### ISO/IEC 27005 — Information Security Risk Management

The risk management companion to ISO 27001. Its 2022 revision aligns with ISO 31000 and provides a structured methodology for identifying, assessing, and treating security risks across both IT and OT contexts. Where 27001 defines the management system, 27005 provides the analytical engine that keeps it calibrated to real threats.

**Key sectors:** All sectors, any organisation

***

#### Common Criteria — ISO/IEC 15408 — IT Security Evaluation

The international framework for evaluating security products against Protection Profiles or vendor-defined Security Targets, at Evaluation Assurance Levels EAL1 to EAL7. Mutual recognition via the CCRA and the European SOG-IS agreement means a certificate issued in one member nation is accepted by the others, but only within limits a practitioner should check before relying on it: the CCRA recognises certificates up to EAL2 (or those based on a collaborative Protection Profile), and SOG-IS up to EAL4, with higher levels recognised only in specific technical domains such as smart cards. Required for information assurance products in US national security systems (CNSSP 11) and widely specified in NATO procurement, it is also the methodological basis for the lighter-weight SESIP scheme for IoT.

**Key sectors:** Defence & government, Network devices, Smart cards, Cryptographic modules, IoT

***

#### NIS2 — Network & Information Security Directive 2022/2555

The EU's primary cybersecurity obligation for essential and important entities in sectors including energy, transport, banking, health, water, digital infrastructure, and critical manufacturing. Article 21 requires risk-management measures that include supply chain security; the directive does not name IEC 62443, but that standard is the usual OT benchmark for those measures. Incident reporting runs in three stages: an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month. Penalties for essential entities reach €10 million or 2% of global annual turnover, whichever is higher; for important entities the ceiling is €7 million or 1.4%.

**Key sectors:** Energy, Transport, Banking, Health, Water, Digital infrastructure, Manufacturing

***

#### CRA — Cyber Resilience Act (Regulation EU 2024/2847)

A horizontal regulation covering products with digital elements placed on the EU market: software, hardware, OT components, and IoT devices alike. Manufacturers must meet the essential cybersecurity requirements in Annex I, handle vulnerabilities for a support period that reflects the product's expected use time (at least five years unless the product is expected to be used for less), and report actively exploited vulnerabilities and severe incidents to ENISA and the national CSIRT. Products listed as important (Class I and Class II) or critical face stricter conformity assessment: Class I may self-assess only where harmonised standards are fully applied, Class II requires third-party assessment, and critical products may be required to hold a European cybersecurity certificate. The reporting obligations apply from 11 September 2026 and the remaining obligations from 11 December 2027, and they bind any company placing such products on the EU market regardless of where it is based.

**Key sectors:** All products with digital elements, Software, Hardware, OT components, IoT

***

#### NIST SP 800-82 — Guide to Operational Technology Security (Rev. 3)

The United States' primary OT security guidance, revised in September 2023 (Rev. 3) to broaden its scope from ICS to OT generally and to address cloud integration, remote and mobile access, and supply chain risk in industrial environments. It maps its controls to the NIST Cybersecurity Framework, SP 800-53 and IEC 62443, and is a common technical reference for US sector regulators such as TSA (pipelines) and NERC (bulk electric system).

**Key sectors:** OT/ICS/SCADA, Energy, Water, Manufacturing, Transport

***

### Tier 2 — Sector-specific and regional

#### ISO/IEC 27019 — ISMS for Energy Utilities

Extends ISO 27001 with controls for energy utility process control systems: generation, transmission, storage and distribution of electricity, gas, oil and heat, including district heating. Water utilities and nuclear safety systems are outside its scope. It bridges IT governance and OT operational reality, and several member states' energy regulators require it alongside ISO 27001; Germany's IT security catalogue under the Energy Industry Act is the best-known example.

**Key sectors:** Energy utilities, Power, Gas, Oil, District heating

***

#### SESIP — Security Evaluation Standard for IoT Platforms

A GlobalPlatform evaluation methodology derived from Common Criteria and purpose-built for IoT platforms: system-on-chips, microcontrollers, and the firmware that runs on them. It defines five assurance levels (SESIP1 to SESIP5) and supports composition, so a device evaluation can reuse the platform's certificate rather than re-evaluate the chip. Mappings exist to PSA Certified and to ETSI EN 303 645, and SESIP has been adopted as the European standard EN 17927, which positions it as a candidate conformity path for the EU CRA. Relevant to silicon vendors and embedded platform developers targeting the European market.

**Key sectors:** IoT platforms, Embedded chips, Industrial IoT, Connected devices

***

#### RED — Radio Equipment Directive, cybersecurity delegated act

Commission Delegated Regulation (EU) 2022/30 activated Article 3(3)(d), (e) and (f) of the Radio Equipment Directive, applicable from 1 August 2025. It adds cybersecurity requirements for radio equipment that is internet-connected (network protection), that processes personal or location data (privacy safeguards), or that handles money or monetary value (anti-fraud), with the harmonised standards EN 18031-1, -2 and -3 providing the presumption of conformity. It is both the immediate compliance requirement for wireless IoT devices and the forerunner to the broader CRA regime arriving in 2027.

**Key sectors:** Consumer IoT, Wireless devices, Wearables, Smart home

***

#### PCI DSS — Payment Card Industry Data Security Standard v4.0

Twelve requirements covering network security, access control, encryption, and continuous monitoring for any entity that stores, processes, or transmits payment card data. Not a law, but contractually unavoidable for any merchant or processor. v4.0.1 (June 2024) is the current version; v4.0 was retired at the end of 2024, and its future-dated requirements, such as the payment-page script controls in 6.4.3 and 11.6.1, became mandatory on 31 March 2025. Its scope does not extend to OT or IoT unless those systems directly handle cardholder data.

**Key sectors:** Retail, Banking & payments, Hospitality, FinTech

***

#### DORA — Digital Operational Resilience Act (Regulation EU 2022/2554)

Applicable since 17 January 2025, DORA establishes a uniform framework for ICT risk management, incident classification and reporting, digital operational resilience testing (including threat-led penetration testing every three years for entities designated by their supervisor), and third-party ICT risk across the EU financial sector: banks, insurers, investment firms, payment providers, and crypto-asset service providers. It is the sector-specific complement to NIS2 for finance (NIS2 defers to DORA as lex specialis where both apply), with no meaningful OT or IoT dimension.

**Key sectors:** Banking, Insurance, Investment firms, Payment services, Crypto-asset providers

***

#### HIPAA Security Rule

Mandates administrative, physical, and technical safeguards for electronic protected health information (ePHI) held by US covered entities and their business associates. Connected medical devices that store or transmit ePHI fall within its scope, which is where HIPAA meets OT-style device security; the devices' own premarket cybersecurity is FDA's domain under section 524B of the FD&C Act. While US-specific, HIPAA's influence on global health IT practice, and on medical device security design, extends well beyond American borders.

**Key sectors:** Healthcare, Health IT, Medical devices, Health insurers

***

#### IACS China — Industrial Control System Security (GB/T 30976)

China's national standard for industrial control system security (GB/T 30976.1 and 30976.2, 2014), which mirrors IEC 62443 in structure. The GB/T prefix marks it as a recommended rather than a compulsory standard; it acquires force through the Cybersecurity Law, the Critical Information Infrastructure Security Protection Regulations, and MLPS 2.0 (GB/T 22239-2019), which are enforced by the Ministry of Public Security and the Cyberspace Administration of China. Effectively required for critical infrastructure operators in China, and essential context for multinationals running OT deployments there.

**Key sectors:** OT/ICS, Energy, Manufacturing, Chemical, Critical infrastructure

***

### How the frameworks relate

These instruments are not independent silos — they form a layered architecture where foundational standards underpin sector rules, and sector rules reference each other across geographies.

#### OT / Industrial stack

```
IEC 62443             ← core technical standard
  ├── NIST SP 800-82  ← US implementation guide
  ├── ISO/IEC 27019   ← energy sector overlay
  └── IACS China      ← Chinese national mirror
NIS2                  ← Art. 21 supply chain measures; IEC 62443 is the OT benchmark
```

#### IT / Information stack

```
ISO/IEC 27001         ← core ISMS
  └── ISO/IEC 27005   ← risk management methodology
Common Criteria       ← product security evaluation
NIS2 / DORA / CRA    ← EU regulatory layer
PCI DSS / HIPAA      ← sector-specific mandates
```

#### IoT / Connected stack

```
CRA                   ← primary EU product regulation (2027)
  ├── RED             ← wireless devices, in force Aug 2025
  └── SESIP           ← chip-level certification path
Common Criteria       ← higher assurance evaluation
IEC 62443             ← industrial IoT context
```

***

### Practical implications

For a manufacturer producing a connected industrial sensor sold into the European market, the compliance picture is illustrative of the challenge:

* The **product** falls under CRA (digital product) and RED (if it has a wireless interface)
* The **chip** inside may require SESIP or Common Criteria certification
* The **factory** operating the sensor is subject to NIS2 if its operator is an essential or important entity, and to IEC 62443 as the expected security engineering standard
* **China operations** bring GB/T 30976 into scope for the OT environment
* **Payment processing** anywhere in the stack triggers PCI DSS

This is not an unusual situation — it is the normal condition for any mid-sized industrial technology company operating internationally. The frameworks are not redundant; they operate at different layers of the same system, and a mature security programme must address all of them coherently.

***

### Summary table

| Framework           | Geography            | Obligation  |  OT |  IT | IoT |
| ------------------- | -------------------- | ----------- | :-: | :-: | :-: |
| IEC 62443           | Worldwide            | Voluntary\* | ●●● |  ●  |  ●  |
| ISO/IEC 27001       | Worldwide            | Voluntary\* |  ●  | ●●● |  ●  |
| ISO/IEC 27005       | Worldwide            | Voluntary\* |  ●  |  ●● |  ●  |
| Common Criteria     | 31 CCRA nations      | Voluntary\* |  ●  |  ●● | ●●● |
| NIS2                | EU 27 states         | Mandatory   |  ●  | ●●● |  ●  |
| CRA                 | EU / EEA             | Mandatory   |  ●  |  ●● | ●●● |
| NIST SP 800-82      | USA / Global ref.    | Voluntary\* | ●●● |  ●  |  —  |
| ISO/IEC 27019       | Worldwide            | Voluntary\* |  ●● |  ●● |  —  |
| SESIP               | Europe / Global      | Voluntary   |  ●  |  —  | ●●● |
| RED                 | EU / EEA             | Mandatory   |  —  |  ●  | ●●● |
| PCI DSS             | Global (card brands) | Contractual |  —  | ●●● |  —  |
| DORA                | EU                   | Mandatory   |  —  | ●●● |  —  |
| HIPAA Security Rule | USA                  | Mandatory   |  ●  | ●●● |  ●  |
| IACS China          | China                | Voluntary\* |  ●● |  ●  |  —  |

*Voluntary as a standalone standard but frequently mandated via contract, procurement rules, or referenced as a compliance path within binding regulations. Pip count (●/●●/●●●) indicates depth of coverage within that domain.*

***

### Conclusion

The regulatory landscape for IT, OT, and IoT security is not converging into a single global standard — it is stratifying into a structured hierarchy. International standards like IEC 62443 and ISO 27001 form the technical foundation. Regional regulations like NIS2, CRA, and DORA impose legal obligation on top. Sector-specific instruments add domain depth. And certification schemes like Common Criteria and SESIP provide the third-party assurance that ties the whole system together.

Understanding where each framework sits in that hierarchy — and how they reference one another — is the starting point for any compliance strategy that is both defensible and sustainable.
