IEC 62443 explained: the OT security standard mid-market manufacturers actually need

IEC 62443 explained for mid-market manufacturers: security levels, zones and conduits, and how it maps to NIS2 and the CRA. Where a lean team starts.
Engineer reviewing industrial control systems on a mid-market factory floor.

IEC 62443 is the international standard for securing industrial automation and control systems, and for European mid-market manufacturers it has shifted from optional best practice to the technical baseline auditors expect. If you run a factory network with PLCs, HMIs and SCADA systems, this is the framework that translates vague regulatory pressure into concrete engineering decisions.

The standard matters now because NIS2 and the Cyber Resilience Act lean on its principles. You do not need to memorise the whole series. You need to understand four things: what it covers, how its security levels work, what zones and conduits mean for your network, and where a lean team should start.

What is IEC 62443?

IEC 62443 is a series of international standards that defines how to secure industrial automation and control systems across their full lifecycle, from product design to daily operation. It originated as ISA-99 at the International Society of Automation and was later harmonised and published by the International Electrotechnical Commission. Unlike IT-focused standards such as ISO 27001, it prioritises availability and process integrity over data confidentiality.

The series is organised into four parts, each aimed at a different actor in the industrial chain:

  • General (62443-1-x). Concepts, terminology and models. The shared vocabulary between IT and OT teams.
  • Policies and procedures (62443-2-x). Requirements for the asset owner, including how to run a cybersecurity management system for an industrial environment.
  • System (62443-3-x). Technical requirements for system design and network architecture, including the zones-and-conduits risk assessment in 62443-3-2 and the system security requirements in 62443-3-3.
  • Component (62443-4-x). Requirements for hardware and software makers, covering secure development and the security capabilities of individual devices like PLCs and switches.

Underneath the system and component standards sit seven foundational requirements: identification and authentication, use control, system integrity, data confidentiality, restricted data flow, timely response to events, and resource availability. These are the functional pillars every other technical control maps back to.

How IEC 62443 security levels work

IEC 62443 ranks resilience using five security levels, from SL 0 to SL 4. Each level describes the type of attacker a system is built to withstand, so you can match protection to actual risk rather than over-engineering every corner of the plant.

Security level Protects against Typical attacker
SL 0 No specific protection required None defined
SL 1 Accidental or coincidental misuse Own staff making mistakes
SL 2 Intentional misuse with simple means Low-skill attacker, limited resources
SL 3 Targeted attacks with industrial knowledge Motivated attacker, moderate resources
SL 4 Targeted attacks with advanced means Well-resourced, state-backed actor

The standard separates three views of any level. The target level (SL-T) is what your risk analysis says you need. The capability level (SL-C) is the maximum a given component can deliver when configured correctly. The achieved level (SL-A) is what your live environment actually reaches. The achieved level must meet or exceed the target level for each of the seven foundational requirements.

A worked example makes this concrete. Say a filling line in a beverage plant carries a target of SL 2 because deliberate tampering is plausible but nation-state interest is not. You select PLCs rated SL-C 2 or higher, then verify through segmentation and access control that the operating environment genuinely achieves SL-A 2. A certified component on a flat, unsegmented network still achieves SL-A 0. The certificate on the box means nothing without the architecture around it.

What zones and conduits mean for your network

A zone is a logical or physical group of assets that share the same security requirements and risk profile. A conduit is the controlled communication path between zones. By grouping assets into zones and forcing all cross-zone traffic through inspected conduits, you stop a single infection from spreading unchecked across the whole plant.

Picture a mid-market factory with an automated filling system, split into three zones. The production cell holds a Siemens S7 PLC, a local HMI panel and sensors, with a target of SL 2. The supervisory zone holds the SCADA servers and the historian database, also SL 2. The corporate IT zone holds ERP systems and office machines at SL 1, because an outage there causes no physical harm.

Two conduits connect them. The first sits between corporate IT and the supervisory zone, secured so that only outbound traffic from the historian to the enterprise database is allowed through a DMZ. Direct inbound traffic from office machines to the factory floor is blocked. The second conduit connects the supervisory zone to the production cell. This is where the hard problem lives, because the PLCs behind it cannot defend themselves.

This second conduit is the technical bridge between IEC 62443 and what platforms like Jimber actually do on the floor. An inline isolation appliance can sit on that conduit, inspect industrial traffic at the packet level, and permit only verified read actions such as a SCADA poll for temperature or status. Write commands or attempts to change PLC logic are blocked at the boundary unless an authorised maintenance session is open. The PLC never has to run an agent. The enforcement happens in the network.

How IEC 62443 relates to NIS2 and the Cyber Resilience Act

NIS2 and the Cyber Resilience Act tell you what to achieve. IEC 62443 tells you how. The standard has become the practical translation layer between binding European law and engineering reality, which is why auditors increasingly treat it as the recognised state of the art for industrial security.

NIS2 (Directive 2022/2555) sets cybersecurity and risk-management obligations for essential and important sectors, including manufacturing. Member states were required to transpose it into national law from October 2024, and in Belgium the law of 26 April 2024 anchors it formally. Manufacturers with more than 50 employees or annual turnover above 10 million euro fall directly in scope. Organisations that fail to take appropriate technical and organisational measures risk administrative fines up to 10 million euro or 2 percent of global annual turnover, and board members can be held personally liable.

Belgium’s CyberFundamentals framework (CyFun), developed by the Centre for Cybersecurity Belgium, turns those NIS2 obligations into auditable controls across four levels. Many of those technical controls map directly onto IEC 62443. The framework is also moving on: certificates issued under the 2023 version stay valid until 18 April 2028, but from 18 April 2027 only audits against the stricter 2025 version are accepted. The 2025 update sharpens the focus on supply chain security and operational network infrastructure.

The Cyber Resilience Act (Regulation 2024/2847) takes a different angle. It targets the products themselves. From December 2027 it becomes fully enforceable, and makers of industrial hardware and software cannot sell into the EU without a valid cybersecurity CE marking. To gain a presumption of conformity, the EU is harmonising IEC 62443 under the designation EN IEC 62443/A11, with formal publication expected across the late 2026 to early 2027 transition window. In practice, the standard is becoming the legal yardstick for industrial product security in Europe.

One caution worth stating plainly. A CyFun certificate does not equal full NIS2 compliance, and an IEC 62443 component certificate does not make a plant compliant. The directives carry organisational duties, such as the 24-hour incident reporting obligation and active board governance, that no purely technical framework covers.

The mid-market reality and the agentless-device obstacle

Large industrial multinationals can fund full network rebuilds. Mid-market manufacturers of 50 to 400 users cannot, and they hit three recurring obstacles when they try to apply IEC 62443. Understanding these constraints is the difference between a realistic plan and a shelf-ware policy document.

The first is the skills gap. Few mid-market plants have a dedicated industrial security team. Network management usually falls to general IT, who know Windows and firewalls but not Profinet, Modbus or the priorities of the factory floor. Maintenance technicians know the machines intimately but not segmentation or cryptographic access control. The two groups rarely speak the same language. Our guide to securing PLCs, HMIs and production lines without downtime covers how this plays out on a real production floor.

The second is the cost of downtime. Availability is the top priority on a production line, and independent figures from IBM and the Ponemon Institute put the average cost of unplanned downtime in industrial settings at around 125,000 dollars per hour. That pressure makes teams deeply reluctant to patch a running PLC or SCADA server, so known vulnerabilities sit unaddressed for fear of stopping production.

The third is the flat network. In many mid-market factories the infrastructure grew organically and never got segmented. Office machines, printers, SCADA consoles and the PLCs driving physical motors share one subnet. When a phishing email lands ransomware on an office PC, nothing stops it reaching the production machines within minutes.

These constraints converge on one technical wall: the agentless device. In office IT you install an endpoint agent on every machine. On the factory floor that model fails completely, and it fails for reasons that are not going away. The same problem extends beyond production gear to IP cameras and building management systems that fall under NIS2 yet cannot run a single line of security software.

Industrial controllers are embedded systems with minimal processor and memory headroom, all of it reserved for real-time control. They run proprietary real-time operating systems like VxWorks or ThreadX that mainstream security tools were never built for. Installing third-party software on a certified machine can void the manufacturer warranty and safety certifications such as TÜV or CE, and an agent that adds even 200 milliseconds of latency can disrupt the deterministic timing a process depends on, risking mechanical faults or safety hazards.

The conclusion is unavoidable. You cannot harden these components from the inside. Security has to move into the network itself, which is exactly what the zones-and-conduits model asks for. Inline isolation and an IT-OT bridge that brings Zero Trust to factory networks enforce zone boundaries on behalf of devices that can never defend themselves.

Why this is not theoretical: the European threat picture

The risk of a flat, unsegmented OT network is documented in recent European incidents, not just in standards bodies’ warnings. Manufacturing has become one of the hardest-hit sectors, and the entry points are exactly the gaps IEC 62443 is designed to close.

According to the ENISA Threat Landscape 2025, manufacturing accounts for 14.9 percent of all ransomware claims in the EU, placing it among the most targeted sectors. Check Point research covering 2025 recorded a 56 percent rise in successful ransomware attacks on manufacturers, totalling 1,466 incidents, while supply chain attacks nearly doubled to 297 cases as attackers exploited smaller suppliers to reach their real targets.

The Jaguar Land Rover attack of August 2025 shows the scale of what poor IT-OT isolation can cost. Attackers exploited a third-party software vulnerability and, with no effective separation between IT and the factory floor, the malware reached the smart-factory systems directly. Global production stopped for the whole of September 2025, with total economic impact across the company and its supply chain estimated at 1.9 billion pounds, the most expensive cyber incident in British history.

Closer to the mid-market, the AZ Monica hospital ransomware attack in Antwerp in January 2026 makes the same architectural point. Attackers entered through compromised SSL-VPN credentials and found a completely flat internal network. The shutdown of central servers severed connections to agentless medical equipment such as MRI and CT scanners, more than 70 operations were cancelled, and emergency services closed. A hospital is not a factory, but the failure mode is identical: no segmentation and no hardware isolation of vulnerable agentless devices means a single intrusion takes down critical physical processes.

Where a lean team should start

You do not need a dedicated industrial security team to make meaningful progress against IEC 62443. You need a defined scope, an accurate inventory, and a way to enforce zone boundaries without re-architecting the plant. The steps below are ordered for a small team working under production constraints.

Start by defining the system under consideration. Draw a clear boundary around the network you are assessing so the scope is precise and achievable, rather than trying to secure everything at once.

Then build a passive asset inventory. Use passive monitoring to discover every device, and avoid active network scanners on the factory floor. Older controllers have fragile IP stacks and can crash under aggressive probing, which is the opposite of what you want.

Next, run the zone-and-conduit risk assessment. Group assets with similar risk into zones, set a target security level for each, and map the conduits that must connect them. This is the design work that everything else depends on.

Finally, enforce the conduits with agentless inline isolation. Place a hardware appliance on the boundary between zones so it applies authentication and authorisation on behalf of the devices behind it, inspects industrial protocols like Modbus/TCP and OPC-UA at the packet level, and blocks unauthorised write commands while logging every decision. A typical mid-market floor with a few dozen critical devices can be brought under control in days, with zero changes to the firmware or configuration of the production machines.

This is where Jimber fits. Its NIAC hardware acts as that inline IT-OT bridge, turning each agentless device into its own enforced zone and producing the centralised access logs a CyFun assessor expects. Jimber does not certify or guarantee IEC 62443 compliance, and no vendor honestly can. What it does is make the segmentation requirement, the FR 5 restricted-data-flow control at the centre of the standard, achievable for a team that cannot rebuild its network.

Frequently asked questions

What is the difference between a zone and a conduit in IEC 62443?

A zone is a logical or physical group of devices that share the same security requirements and risk profile. A conduit is the controlled communication channel that regulates, inspects and filters traffic between zones. The zone defines the boundary, and the conduit acts as the auditable gatekeeper at that boundary.

How does IEC 62443 relate legally to NIS2?

NIS2 is binding law that says what organisations must achieve for risk management, but it avoids prescribing specific technical solutions. IEC 62443 fills that gap as the recognised state of the art. By implementing its system and policy controls, an organisation holds auditable, regulator-recognised evidence of NIS2 alignment.

Why do traditional endpoint security tools fail on the factory floor?

EDR and antivirus require an active software agent on the device. Industrial controllers and HMIs run minimal, proprietary real-time operating systems that cannot support such software and lack the spare processor and memory capacity. The added latency or risk of an unexpected reboot can also disrupt the real-time timing of the process, causing mechanical faults or safety hazards.

What does presumption of conformity mean under the Cyber Resilience Act?

From December 2027, digital products need a cybersecurity CE marking to enter the EU market. The EU is harmonising IEC 62443 under the designation EN IEC 62443/A11. A manufacturer that proves its products meet this harmonised standard gains a legal presumption of conformity, meaning regulators assume the product satisfies the CRA, which simplifies market access.

Does an IEC 62443 certified component make my whole plant compliant?

No. A component can only hold a certified security capability (SL-C) at the device level. Compliance is an ongoing architectural and organisational process. A misconfigured or unsegmented network has an achieved security level of zero, regardless of how certified the individual PLCs are.

What is the first practical step for a mid-market manufacturer?

Define the system under consideration to set a precise scope, then run a passive asset inventory without active scanners that could crash fragile controllers. From there, divide the flat network into functional zones and secure the conduits between them with agentless inline isolation, which blocks lateral malware spread without touching the production machines.

Meeting the zone-and-conduit requirements of IEC 62443 is hard when your most vulnerable devices cannot run a single line of security software. If that is the wall your team keeps hitting, take a look at how inline isolation enforces those boundaries without re-architecting production, or book a demo to see it mapped against your own floor.

Find out how we can protect your business

In our demo call we’ll show you how our technology works and how it can help you secure your data from cyber threats.

Cybersecurity
Are you an integrator or distributor?

Need an affordable cybersecurity solution for your customers?

We’d love to help you get your customers on board.

checkmark

White glove onboarding

checkmark

Team trainings

checkmark

Dedicated customer service rep

checkmark

Invoices for each client

checkmark

Security and Privacy guaranteed