NIS2 Annex I, Sections 8–9: The OT and SCADA Security Requirements Water Utilities Must Meet Before Their First Audit
This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
In February 2021, an unidentified actor accessed the SCADA system at the Oldsmar water treatment facility in Florida and — within minutes — raised the sodium hydroxide concentration from 100 parts per million to 11,100 ppm. A plant operator caught the change in time. Whether the event was a genuine intrusion or an internal error remains disputed; what is not in dispute is the technical reality it exposed. The facility was running 32-bit Windows 7, sharing TeamViewer credentials across workstations, and had no meaningful separation between its operational technology (OT) network and internet-facing systems.
That architecture describes a majority of water and wastewater infrastructure across Europe today. ENISA’s NIS360 2024 assessment ranked the water sector in the bottom maturity band for cybersecurity — the lowest of any Annex I essential sector. Wastewater specifically showed only 60% awareness of applicable obligations. And a 2025 Binding Hook analysis, citing Dragos research, reported that 83% of water and wastewater organisations had undocumented or uncontrolled external connections to their OT environments.
The NIS2 Directive does not give water operators the option to remain at the bottom. The directive lists drinking water and wastewater as separate essential sectors under Annex I — Sections 8 and 9 respectively — and imposes the same security obligations that apply to energy, transport, and financial market infrastructure. This guide explains what those obligations mean in practice for water and wastewater utilities, why OT protocol architecture creates specific compliance challenges, where supply chain risk is most acute, and when smaller operators and councils fall in or out of scope.
1. Annex I, Sections 8 and 9: How the Water Sector Is Classified
NIS2 expanded the scope of the original NIS Directive significantly. Wastewater, in particular, was not covered under NIS1 at all — its inclusion under Annex I, Section 9 is new. Drinking water (Section 8) was already in scope under NIS1, but the new directive tightens the definition and raises the compliance bar.
| Annex I Section | Sector | Covered Activities | New vs NIS1 |
|---|---|---|---|
| Section 8 | Drinking water | Suppliers and distributors of water intended for human consumption; excludes distributors for whom this is an insignificant business activity | Continued (obligations strengthened) |
| Section 9 | Wastewater | Collection, disposal, and treatment of urban wastewater, domestic sewage, and industrial wastewater; excludes operators for whom this is an insignificant share of total activity | NEW — not in NIS1 |
The “insignificant activity” carve-out in both sections matters for industrial operators — a brewery or food manufacturer that treats its own process water internally and for whom wastewater management is incidental to its core business may fall outside Section 9 scope. Pure-play water utilities and municipal operators do not qualify for this exemption.
Essential vs Important Entity: Which Category Applies?
Water utilities meeting Annex I sector criteria are classified as essential or important entities based on size:
| Classification | Criteria | Supervision | Maximum Penalty |
|---|---|---|---|
| Essential entity | 250+ employees OR (€50M+ turnover AND €43M+ balance sheet) | Proactive — regular audits, inspections | €10M or 2% of global annual turnover |
| Important entity | 50–249 employees OR €10M–€50M turnover | Reactive — investigation upon evidence of non-compliance | €7M or 1.4% of global annual turnover |
| Micro/small — generally exempt | <50 employees AND <€10M turnover | Exempt unless member-state designated | N/A unless designated |
A large regional water authority serving 500,000 residents will almost certainly qualify as an essential entity. A smaller municipal utility serving a town of 8,000 with 35 employees and €6M annual revenue falls below both thresholds — but may be designated by member-state authorities if it is deemed to provide a critical function, a discretion the directive explicitly grants national competent authorities.
2. Why Water Is the Weakest Critical Sector for OT Security
ENISA’s sectoral maturity ranking is not a theoretical concern. Water infrastructure combines three characteristics that make it structurally difficult to secure under standard cybersecurity frameworks:
Long asset lifetimes. SCADA systems and programmable logic controllers (PLCs) in water treatment plants operate for 15–20 years without major replacement cycles. Equipment installed before modern OT security principles existed — and before NIS2 was conceived — is still running live processes today. Patching vendor firmware on a controller managing chlorine dosing is not like patching a laptop; it may require plant downtime, vendor involvement, and formal change-control procedures.
Lean security staffing. Most utilities — including those meeting essential entity thresholds — employ only two or three full-time security specialists. A large regional energy company of equivalent size might have twenty. The consequence is that compliance documentation, risk assessments, and monitoring that NIS2 requires as continuous activities are managed by staff already carrying operational responsibilities.
Legacy remote access architecture. The Oldsmar incident is not an outlier. Dragos researchers found that 83% of water and wastewater organisations had undocumented or uncontrolled external connections to OT environments — often accumulated over years as vendors installed proprietary remote support tools on individual controllers without central inventory or access controls.
The sector’s exposure is not hypothetical. Between 2020 and 2025, more than 30 publicly documented cyberattacks targeted water utilities across Europe and North America. In 2024 alone: Black Basta ransomware breached UK Southern Water at a cost of approximately £45 million in response expenses; CyberAv3ngers — an Iranian state-affiliated group — had previously exploited factory-default credentials on Unitronics PLCs at US facilities; and pro-Russian hacktivist groups targeted European water infrastructure across France, Germany, Poland, and Spain.
3. The Protocol Problem: Why Modbus, DNP3, and IEC 60870 Create Specific NIS2 Exposure
NIS2 Article 21 requires operators to manage risk to their “network and information systems” — and the directive’s scope explicitly covers OT systems used to deliver essential services. Water infrastructure’s dependence on decades-old industrial protocols translates that broad requirement into a highly specific set of technical gaps.
Three protocols dominate water SCADA environments:
Modbus TCP/RTU
Modbus was developed in 1979 and carries no authentication mechanism and no encryption capability. Commands are transmitted as plaintext, over TCP port 502 in the Modbus TCP variant. Any device with network reachability to the PLC can read sensor values, issue write commands to holding registers, and — if it can reach a PLC controlling a chemical dosing pump — alter setpoints. The FrostyGoop malware family, which targeted industrial control systems in the 2024 Ukraine energy infrastructure attacks, leveraged Modbus to issue commands directly to heating controllers. The attack vector requires no exploit of an operating system vulnerability; it requires only network access.
Under NIS2 Article 21(2)(a), operators must conduct risk analysis on their information systems. Any risk assessment that does not model Modbus exposure on water SCADA networks is incomplete — and an auditor reviewing the assessment will look for evidence that unauthenticated protocol risks have been explicitly evaluated and mitigated.
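The monitoring control that an auditor will look for can be illustrated concretely. The following Python is an added example, not code from the article or from any vendor product: it parses raw Modbus/TCP request frames (the public MBAP header and PDU layout) and flags write function codes that come from hosts other than an approved engineering station, or that touch the holding registers a dosing PLC uses for setpoints. The host addresses, the register range 40–43 and the sample frames are all constructed for illustration and do not describe any real plant.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Public Modbus function codes, split by whether they change process state.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}

@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: Optional[int]    # starting coil/register address, where the PDU carries one
    quantity: Optional[int]   # items read or written (1 for single-item writes)

def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP request: 7-byte MBAP header, then the PDU.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1).
    Nothing in the frame identifies or authenticates the sender, which is the point.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(frame) - 6:          # length field counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    pdu = frame[7:]
    fc = pdu[0]
    address = quantity = None
    if fc in (1, 2, 3, 4, 15, 16):        # start address + quantity
        address, quantity = struct.unpack(">HH", pdu[1:5])
    elif fc in (5, 6):                    # start address + value, exactly one item
        address = struct.unpack(">H", pdu[1:3])[0]
        quantity = 1
    return ModbusRequest(tid, uid, fc, address, quantity)

# Constructed site policy; hosts and register numbers are illustrative, not a real plant.
ENGINEERING_STATIONS = {"10.20.2.15"}          # the only hosts permitted to write to PLCs
DOSING_SETPOINT_REGISTERS = range(40, 44)      # holding registers holding dosing setpoints

def assess(src_ip: str, frame: bytes) -> List[str]:
    """Return alert strings for one request; an empty list means nothing to report."""
    req = parse_modbus_tcp(frame)
    alerts: List[str] = []
    if req.function_code not in WRITE_FUNCTIONS:
        return alerts                           # reads are expected polling traffic
    name = WRITE_FUNCTIONS[req.function_code]
    if src_ip not in ENGINEERING_STATIONS:
        alerts.append(f"{name} from non-engineering host {src_ip}")
    if req.function_code in (6, 16):            # holding-register writes only
        touched = range(req.address, req.address + req.quantity)
        hits = [r for r in touched if r in DOSING_SETPOINT_REGISTERS]
        if hits:
            alerts.append(f"{name} to dosing setpoint register(s) {hits} from {src_ip}")
    return alerts

# Constructed traffic sample: (source IP, raw Modbus/TCP request).
SAMPLE_TRAFFIC = [
    ("10.20.2.10",   bytes.fromhex("0001 0000 0006 01 03 0000 000A")),  # HMI reads 10 registers
    ("10.20.2.15",   bytes.fromhex("0002 0000 0006 01 06 0029 2B5C")),  # engineer writes reg 41
    ("192.168.77.9", bytes.fromhex("0003 0000 0006 01 06 0029 2B5C")),  # unknown host, same write
    ("10.20.2.15",   bytes.fromhex("0004 0000 000B 01 10 0026 0002 04 0001 0002")),  # regs 38-39
]

def review(traffic) -> List[Tuple[str, List[str]]]:
    """Run every sample through assess(); this is what a monitoring rule would emit."""
    return [(src, assess(src, frame)) for src, frame in traffic]

if __name__ == "__main__":
    for src, alerts in review(SAMPLE_TRAFFIC):
        print(src, alerts or "ok")
```

The parser deliberately checks only framing (protocol id, length field) because that is all the protocol offers; the allowlist and register-range checks are the compensating controls that stand in for the authentication Modbus lacks. In a real deployment the same logic would sit on a network sensor fed from a span port in the control zone, and the register map would come from the plant's PLC documentation rather than a constant.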
DNP3
DNP3 is widely used in water distribution and wastewater networks for telemetry and remote monitoring. In its standard (non-secure) implementation, DNP3 is vulnerable to replay attacks, message spoofing, time-synchronisation manipulation, and alarm suppression. An attacker who can intercept DNP3 traffic can replay historical legitimate commands to mask ongoing manipulation — a particularly effective technique in environments where operators rely on HMI displays rather than physical inspection to confirm plant status.
DNP3 Secure Authentication (SA) v5 adds challenge-response authentication, but adoption among water utilities remains limited because it requires firmware updates on RTUs and PLCs that operators are reluctant to cycle through formal change-management processes on live systems.
IEC 60870-5-104
IEC 60870-5-104 is used for SCADA communication over TCP/IP networks, particularly in European utilities. Its application-layer data is transmitted without authentication mechanisms or encryption, making it susceptible to man-in-the-middle attacks and direct command injection. Commands including reset, interrogation, and control operations have no built-in verification that they originate from an authorised source. IEC 62351, which defines security extensions for 60870-5, provides a mitigation path — but implementation requires hardware capable of cryptographic operations that older controllers may not support.
The practical consequence for NIS2 compliance: operators cannot simply certify that OT systems are “secured” by pointing to perimeter firewalls. Article 21(2)(e) requires security in “network and information systems acquisition, development, and maintenance, including vulnerability handling.” For water utilities, this means documenting per-protocol vulnerability status and demonstrating active controls — even if the control is monitoring and segmentation rather than protocol-level authentication that the installed base cannot support.
4. NIS2 Article 21 Obligations Mapped to Water OT Reality
Article 21(2) lists ten categories of required measures. Four are especially high-friction for water OT environments:
| Article 21(2) Measure | Water OT Challenge | Practical Approach |
|---|---|---|
| (a) Risk analysis and information system security policies | OT asset inventory is incomplete; Modbus/DNP3 exposure not modelled | Conduct OT-specific risk assessment using IEC 62443 zone/conduit model; explicitly document protocol-layer risks |
| (c) Business continuity, backup management, disaster recovery | Many PLCs lack backup configurations; manual fallback procedures undocumented | Test manual operation mode; maintain offline configuration backups for all PLCs; document switchover time |
| (d) Supply chain security | Chemical dosing vendor remote access; SCADA integrators with persistent VPN credentials; unlogged engineer visits | Map all vendor remote access; apply least-privilege, MFA, session logging; conduct Art. 21(3) supplier assessments |
| (i) Access control and asset management | Shared operator credentials; no MFA on HMI workstations; shadow IT on OT network | Enforce per-operator credentials; deploy jump servers with session logging; complete OT asset register |
The IEC 62443 standard — which defines security levels and zones for industrial automation and control systems — provides the most practical framework for mapping Article 21 requirements to water OT architecture. Operators using IEC 62443 as an implementation framework can produce audit-ready evidence that maps directly to NIS2 obligations rather than adapting IT security controls to OT environments where they may introduce new failure modes.
5. Supply Chain Risk: The Chemical Dosing Attack Vector
Article 21(2)(d) requires supply chain security “including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.” For water utilities, two supply chain relationships carry disproportionate risk:
Chemical dosing system vendors. Sodium hypochlorite and sodium hydroxide dosing systems — which control the disinfection chemistry of drinking water — are commonly supplied and maintained by third-party vendors who retain remote access to the dosing controllers for calibration and fault response. If a vendor’s own network is compromised, an attacker gains a trusted-access path directly to safety-critical OT systems. A 2024 European incident — details withheld by competent authorities to protect ongoing investigation — involved manipulation of chemical dosing parameters through a vendor remote-access channel.
SCADA system integrators. Many water utilities commission SCADA deployments from third-party integrators who maintain persistent VPN credentials for ongoing support. These credentials often predate the current security posture, are rarely rotated, and may provide broad network access rather than the specific access the integrator requires. A 2022 Lockbit ransomware attack on German IT provider Reitzner AG disrupted water and sewage services across multiple dependent municipalities — demonstrating that a single upstream IT supplier compromise can cascade through water infrastructure.
Article 21(3) requires operators to consider, when assessing supplier risk, “the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures.” For supply chain security in water OT, this translates to a minimum set of contractual and technical controls:
- Vendor remote access via dedicated, monitored jump servers — no direct VPN to OT endpoints
- Session recording and logging for all vendor access events
- Time-limited access tokens (not persistent credentials)
- Contractual right to audit vendor cybersecurity practices
- Notification requirements if the vendor suffers a breach that could affect the utility’s systems
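The zone/conduit mapping from section 4 and the vendor access controls listed above can be checked mechanically against access records. The Python below is an added example, not code from the article or from any standard body: it models a hypothetical plant as IEC 62443-style zones (labelled with Purdue-style level names), defines the only approved conduits between them, and then evaluates constructed flow records and vendor session records, reporting any flow outside a conduit and any vendor session that bypassed the jump server, lacked MFA or recording, or used a credential valid longer than one shift. The address ranges, port numbers, eight-hour token limit and sample records are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed zone model for a hypothetical treatment plant; all addresses are illustrative.
ZONES = {
    "L1-control":     ip_network("10.20.1.0/24"),    # PLCs and RTUs
    "L2-supervisory": ip_network("10.20.2.0/24"),    # HMIs, SCADA servers, engineering station
    "L3-ops-dmz":     ip_network("10.20.30.0/24"),   # jump server, historian replica
    "corporate-it":   ip_network("10.50.0.0/16"),
    "vendor":         ip_network("203.0.113.0/24"),  # documentation range standing in for vendor egress
}

# Conduits: the only permitted (source zone, destination zone, TCP port) combinations.
CONDUITS = {
    ("L2-supervisory", "L1-control", 502),     # SCADA/HMI polling PLCs over Modbus/TCP
    ("L2-supervisory", "L1-control", 20000),   # DNP3 telemetry
    ("L3-ops-dmz", "L2-supervisory", 3389),    # jump server to HMI, session recorded
    ("vendor", "L3-ops-dmz", 443),             # vendor reaches the jump server and nothing else
    ("L2-supervisory", "L3-ops-dmz", 5432),    # historian replication, upward only
}

JUMP_ZONE = "L3-ops-dmz"
MAX_TOKEN_LIFETIME = timedelta(hours=8)   # assumption: one maintenance shift

def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the model is 'unknown'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

@dataclass
class Flow:
    src: str
    dst: str
    dport: int

def check_flow(flow: Flow) -> Optional[str]:
    """Return a finding if the flow crosses zones without an approved conduit, else None."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if s == d and s != "unknown":
        return None                         # intra-zone traffic is outside the conduit model
    if (s, d, flow.dport) in CONDUITS:
        return None
    return f"{flow.src} ({s}) -> {flow.dst} ({d}) tcp/{flow.dport}: no approved conduit"

@dataclass
class VendorSession:
    vendor: str
    entry_point: str        # first host the vendor connected to
    mfa: bool
    recorded: bool
    token_issued: datetime
    token_expires: datetime

def check_session(sess: VendorSession) -> List[str]:
    """Check one vendor access record against the minimum controls."""
    findings = []
    if zone_of(sess.entry_point) != JUMP_ZONE:
        findings.append(f"{sess.vendor}: entered at {sess.entry_point} "
                        f"({zone_of(sess.entry_point)}) rather than the jump server")
    if not sess.mfa:
        findings.append(f"{sess.vendor}: no MFA")
    if not sess.recorded:
        findings.append(f"{sess.vendor}: session not recorded")
    if sess.token_expires - sess.token_issued > MAX_TOKEN_LIFETIME:
        findings.append(f"{sess.vendor}: credential lifetime exceeds {MAX_TOKEN_LIFETIME}")
    return findings

# Constructed sample records.
SAMPLE_FLOWS = [
    Flow("10.20.2.10", "10.20.1.5", 502),      # SCADA server polling a PLC: approved
    Flow("203.0.113.7", "10.20.30.2", 443),    # vendor to jump server: approved
    Flow("203.0.113.7", "10.20.1.5", 502),     # vendor straight to a PLC: finding
    Flow("10.50.3.4", "10.20.2.10", 3389),     # corporate IT straight to an HMI: finding
]
SAMPLE_SESSIONS = [
    VendorSession("dosing-vendor", "10.20.30.2", True, True,
                  datetime(2025, 3, 4, 8, 0), datetime(2025, 3, 4, 12, 0)),
    VendorSession("scada-integrator", "10.20.2.10", False, False,
                  datetime(2024, 1, 1), datetime(2025, 1, 1)),   # year-long persistent credential
]

def audit() -> List[str]:
    """Evaluate all sample records; the result is the evidence list an auditor would ask for."""
    findings = [f for f in (check_flow(fl) for fl in SAMPLE_FLOWS) if f]
    for sess in SAMPLE_SESSIONS:
        findings.extend(check_session(sess))
    return findings

if __name__ == "__main__":
    for line in audit():
        print(line)
```

Feeding real firewall logs and jump-server session records through the same two checks gives a repeatable way to produce the Article 21(2)(d) evidence: every flow either matches a documented conduit or becomes a finding, and every vendor session either meets all five controls or is listed with the control it missed.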
6. Small Operator Exemptions: When Councils and Rural Utilities Are In Scope
The size-cap rule appears to exempt micro and small enterprises — fewer than 50 employees and under €10 million in turnover. In practice, the water sector has several routes by which smaller operators enter NIS2 scope:
Member-state designation. Article 2(2)(a) of the directive allows member states to designate specific entities as essential or important regardless of size if they provide a critical function for which no adequate substitute exists. A rural water authority serving a geographically isolated community — even with 22 employees — may be designated by the national competent authority. Operators should not assume that falling below the size threshold provides certainty of exemption without confirming with the national authority.
Managed service relationships. A small utility that contracts operations management to a larger service provider may find that the service provider’s NIS2 obligations flow down through supplier security requirements. The utility may not itself be in scope, but will face audit-style contractual requirements from the service provider who is.
Consortium entities. Some rural water management structures operate as consortium or special-purpose entities that, consolidated, exceed the size thresholds — even if individual member municipalities do not.
Councils responsible for water services should check the national transposition of NIS2 in their jurisdiction, particularly the national list of designated essential entities. As of October 2024, 23 of the 27 EU member states had not completed transposition by the directive’s deadline, meaning the national regulatory landscape is still evolving in most jurisdictions.
7. The EU Water ISAC Gap — and How Operators Can Engage Now
Information sharing is one of the most effective — and most underdeveloped — mechanisms for water sector cybersecurity. Sectors including energy, health, and railways already operate dedicated EU-level Information Sharing and Analysis Centres (ISACs) that distribute threat intelligence in near-real-time, enabling utilities to defend against attack patterns before they are weaponised against their own infrastructure.
Water does not yet have a European equivalent. A 2025 policy analysis proposed a pan-European Water-Sector ISAC, overseen by ENISA in cooperation with DG HOME and national CSIRTs, to provide real-time threat intelligence to water utilities across the EU. The proposal has not yet been implemented.
In the interim, operators have several practical options:
| Channel | What It Provides | Availability |
|---|---|---|
| National CSIRT (e.g., CERT-DE, CERT-FR, NCSC-NL) | Sector-specific advisories, incident notification channel, direct escalation path | All EU member states — contact details in national NIS2 transposition law |
| ENISA publications | Sectoral threat landscape reports, NIS360, technical implementation guidance | Publicly available at enisa.europa.eu |
| WaterISAC (US-based) | Threat intelligence feeds, incident reports, cybersecurity advisories for water sector | Membership-based; open to non-US utilities — waterisac.org |
| ENISA NIS2 Cooperation Group | Member-state coordination on cross-border incidents; sector-specific working groups | Via national competent authority nomination |
NIS2 Article 26 requires operators to cooperate with national CSIRTs and competent authorities, and Article 27 establishes registration requirements. Membership in relevant information-sharing bodies — even informal ones — demonstrates the cooperative posture that regulators look for during supervision.
8. NIS2 Compliance Checklist for Water and Wastewater Operators
| Requirement | NIS2 Basis | Priority | Evidence Required |
|---|---|---|---|
| Determine entity classification (essential/important/exempt) | Articles 2–3, Annex I §8–9 | Immediate | Written self-assessment; national authority registration |
| Complete OT asset inventory (all PLCs, RTUs, HMIs, SCADA servers) | Art. 21(2)(i) | High | Asset register with firmware versions and network location |
| Conduct OT-specific risk assessment including Modbus/DNP3/IEC 60870 protocol risks | Art. 21(2)(a) | High | Documented risk assessment against IEC 62443 or equivalent |
| Implement IT/OT network segmentation (Purdue model or equivalent) | Art. 21(2)(a)(e) | High | Network diagram showing segmentation; firewall rule review |
| Audit and control all vendor remote access (jump servers, session logging, MFA) | Art. 21(2)(d)(j) | High | Access logs; vendor contracts with security requirements |
| Conduct Art. 21(3) supplier assessments for chemical dosing and SCADA vendors | Art. 21(3) | Medium | Vendor questionnaires; contractual security clauses |
| Document and test manual/fallback operations for chemical dosing, pressure, and distribution | Art. 21(2)(c) | Medium | Business continuity plan; tested runbook with timestamps |
| Establish incident reporting procedures aligned with 24h/72h notification cascade | Art. 23 | Medium | Incident response plan; national CSIRT contact list |
| Deliver cybersecurity training to operations staff and management | Art. 20, 21(2)(g) | Medium | Training records; board approval of security policy |
| Register with national competent authority | Art. 27 | Immediate | Confirmation of registration; NIS2 national authority contact |
Frequently Asked Questions
Does NIS2 apply to a water utility that serves fewer than 50 employees?
Generally, entities with fewer than 50 employees and under €10 million in annual turnover fall below the NIS2 size threshold and are not automatically in scope. However, member-state competent authorities can designate smaller entities that provide a critical function with no adequate substitute — including small water utilities serving geographically isolated communities. Confirm your status with your national authority; do not assume the size exemption applies without verification.
Are wastewater treatment operators subject to NIS2 for the first time?
Yes. Wastewater is listed under Annex I, Section 9 of NIS2 — a new addition that did not exist under the original NIS1 Directive. Wastewater treatment operators, collectors, and disposal services meeting the size thresholds face full NIS2 obligations including Article 21 risk management measures and Article 23 incident reporting for the first time.
What counts as a “significant incident” for water utilities under NIS2?
Article 23 requires notification of incidents that cause significant disruption to essential services. For water utilities, indicators of significance include: any unauthorised access to SCADA systems or OT networks; manipulation of chemical dosing, pressure, or quality parameters; service disruption affecting supply to a significant number of customers; and any incident affecting critical safety systems. Member states are implementing significance thresholds in national legislation — check your national transposition for specific thresholds.
Do the NIS2 OT security obligations apply to older SCADA systems that predate modern security standards?
Yes, with proportionality. Article 21 requires “appropriate and proportionate” measures, which means the obligation is not to replace all legacy equipment immediately but to demonstrate that risks from legacy systems — including legacy protocols like Modbus and DNP3 — have been assessed, documented, and mitigated with compensating controls where protocol-level security is not feasible. Compensating controls include network segmentation, monitoring, access control at the network boundary, and documented manual fallback procedures.
When should a water utility expect its first NIS2 audit?
Essential entities face proactive supervision — regulators do not wait for an incident. The timing depends on national implementation; as of early 2026, most EU member states are still finalising enforcement frameworks. The most exposed operators — those serving critical supply areas without existing ISO 27001 or IEC 62443 programmes — should treat first-audit readiness as an immediate priority rather than assuming a multi-year runway. Registration with the national competent authority is itself a trigger for regulatory contact.
Sources
- Directive (EU) 2022/2555 (NIS2 Directive), Annex I — EUR-Lex. Drinking water (Section 8) and wastewater (Section 9) classification as Annex I essential sectors; Article 21 risk management obligations; Article 21(3) supply chain criteria.
- NIS2 Directive, Article 21 — nis-2-directive.com. Full text of Article 21(2) measures (a)–(j) and Article 21(3) supply chain security requirements.
- Why Europe Must Finally Secure Its Water Sectors from Cyber Threats — Binding Hook. ENISA bottom maturity band ranking; 83% undocumented external connections (Dragos); European incident frequency 2020–2025; EU Water ISAC proposal.
- Top 20 ICS Protocols and Their Security Risks — CyberSec Magazine. Modbus, DNP3, and IEC 60870-5-104 vulnerability details; FrostyGoop malware; authentication and encryption absences.
- Water Sector Cybersecurity 2024 — Smart Water Magazine. Southern Water Black Basta breach (£45M); CyberAv3ngers Unitronics PLC attack; Volt Typhoon; EPA finding that 70%+ of US water systems fail critical security standards.
- NIS2 Compliance for OT — SANS Institute. SANS Five ICS Critical Controls; ICS-specific incident response; network visibility as compliance foundation.
- Water Utility Cybersecurity — nFlo. 82% of Polish water utilities lack IT/OT segmentation; 15–20 year legacy SCADA cycles; IEC 62443 as implementation framework.
- ENISA Threat Landscape 2024 — European Union Agency for Cybersecurity. OT attacks at 18.2% of total threats; critical infrastructure targeting patterns.
- Commission Calls on 23 Member States to Transpose NIS2 — European Commission. Transposition status as of October 2024 deadline.
