Believing Compliance Alone Secures OT Is a Costly Mistake

When a major U.S. steelmaker halted part of its production after a cyber incident in May 2025, output wasn’t the only thing disrupted — trust was.
Weeks later in Europe, a cyberattack on a check-in and boarding-systems provider snarled operations at multiple major airports, exposing the same weakness: every system was compliant, but not resilient.
Across Europe and North America, industrial and public infrastructures are meeting every checkbox of NIS2, IEC 62443, the Cyber Resilience Act, and NERC standards — yet still going dark when attacks hit. The lesson is now unavoidable: compliance can’t guarantee continuity.
Compliance Was the Beginning, Not the Goal
In the race to prepare for NIS2 enforcement in 2025 and the coming Cyber Resilience Act, many operators rushed to complete audits, update policies, and publish incident plans. Those actions matter — but they only prove readiness on paper.
Recent reports from ENISA show that 70% of incidents in critical infrastructure occurred in organisations already holding active compliance certifications. In other words, being “compliant” does not mean being “secure enough to stay operational.”
Compliance defines what must be done. Continuity defines whether it works when it matters.
When the Lights Go Out on Certified Systems

Take the Energinet case in Denmark (January 2025). The company, responsible for national energy transmission, confirmed an intrusion that forced partial shutdowns of internal systems. It was fully aligned with NIS2 principles — network segmentation, audit logs, incident reporting — yet attackers exploited an overlooked vendor API to move laterally inside the OT monitoring network.
A few months earlier, the RheinEnergie utility in Germany experienced a similar breach. The system passed every compliance audit but failed to maintain remote authentication when a connection dropped, forcing operators to halt critical automation temporarily.
These incidents show a simple but uncomfortable truth: regulations build defences, but resilience depends on what survives beyond the checklist.
The Blind Spot Between Policy and Practice
Why does this gap persist even in well-regulated sectors? Because compliance is periodic, but attacks are continuous.
Audits assess evidence from the past; attackers exploit systems in real time. A policy might say “MFA is enabled,” but what if the authentication server is offline during a network disruption?
A system might “log all access,” but are those logs reachable if connectivity fails? The answer lies not in more documentation but in designing for continuity — making sure essential functions like identity verification, monitoring, and recovery remain operational under degraded conditions.
From Checklists to Living Systems

Forward-thinking operators are reframing compliance as the foundation of continuity, not the finish line. That shift changes how architectures are built:
- Dynamic identity that survives disconnection: Credentials must be verifiable even in air-gapped or intermittently connected networks. One-way dynamic authentication — where one-time credentials are generated without network dependence — is becoming a preferred method. Technologies based on this principle, such as the OTAC Trusted Access Gateway (TAG), help maintain secure access control even when central servers are unreachable.
- Resilient logging and audit integrity: Logs must persist locally and sync automatically once connectivity returns. This ensures both compliance proof and forensic continuity.
- Operational metrics instead of paperwork metrics: Track mean time to detect (MTTD) and mean time to recover (MTTR) for OT incidents. These show whether systems actually withstand disruption — far more valuable than compliance status alone.
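The first two items above, and the two questions posed earlier (can we still authenticate when the MFA server is offline, and are the logs reachable when connectivity fails), can be made concrete in code. The example below is added here and is not swIDch's or the OTAC Trusted Access Gateway's implementation; it uses HMAC-based one-time passwords (RFC 4226 HOTP) as a generic stand-in for one-time credentials that a gateway can verify with nothing but a locally held secret and counter, and pairs it with a hash-chained local audit log that buffers records while a central collector is unreachable and delivers them once it is back. The class names, the `Collector` stand-in and the secret value are constructed for the illustration.

```python
"""Constructed example (not vendor code): offline-verifiable one-time credentials
plus a hash-chained local audit log that survives loss of connectivity."""
import hashlib
import hmac
import json
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class ChainedLog:
    """Append-only local audit log; every record links to the previous record's hash,
    so edits or gaps in the buffered history are detectable after sync."""
    GENESIS = "0" * 64

    def __init__(self):
        self.records = []
        self.synced = 0  # index of the first record not yet delivered to the collector

    @staticmethod
    def _digest(record):
        body = {k: record[k] for k in ("ts", "event", "prev")}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, event):
        prev = self.records[-1]["hash"] if self.records else self.GENESIS
        record = {"ts": time.time(), "event": event, "prev": prev}
        record["hash"] = self._digest(record)
        self.records.append(record)
        return record["hash"]

    def verify_chain(self):
        prev = self.GENESIS
        for r in self.records:
            if r["prev"] != prev or self._digest(r) != r["hash"]:
                return False
            prev = r["hash"]
        return True

    def sync(self, collector):
        """Deliver buffered records; if the collector is unreachable, keep them for next time."""
        pending = self.records[self.synced:]
        if not pending:
            return 0
        try:
            collector.receive(pending)
        except ConnectionError:
            return 0
        self.synced = len(self.records)
        return len(pending)


class Collector:
    """Stand-in for the central log collector; `online` simulates reachability."""
    def __init__(self):
        self.online = True
        self.records = []

    def receive(self, batch):
        if not self.online:
            raise ConnectionError("collector unreachable")
        expected = self.records[-1]["hash"] if self.records else ChainedLog.GENESIS
        for r in batch:  # refuse batches that do not continue the chain we already hold
            if r["prev"] != expected or ChainedLog._digest(r) != r["hash"]:
                raise ValueError("audit chain broken or tampered")
            expected = r["hash"]
        self.records.extend(batch)


class LocalVerifier:
    """Runs on the gateway; needs only the shared secret and a local counter, no server round trip."""
    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret, self.counter, self.look_ahead = secret, 0, look_ahead
        self.log = ChainedLog()

    def verify(self, code: str, user: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # advance past the used counter: replays are rejected
                self.log.append({"user": user, "result": "accept", "counter": c})
                return True
        self.log.append({"user": user, "result": "reject"})
        return False


def run_demo():
    secret = b"constructed-demo-secret"  # provisioned out-of-band; constructed value
    gateway, collector = LocalVerifier(secret), Collector()
    collector.online = False  # the disruption: central systems unreachable
    results = {
        "first": gateway.verify(hotp(secret, 0), "op-1"),
        "replay": gateway.verify(hotp(secret, 0), "op-1"),
        "skipped": gateway.verify(hotp(secret, 3), "op-1"),  # token ran ahead, within window
        "behind": gateway.verify(hotp(secret, 2), "op-1"),
        "wrong": gateway.verify("000000", "op-2"),
    }
    results["sent_offline"] = gateway.log.sync(collector)
    collector.online = True  # connectivity returns
    results["sent_online"] = gateway.log.sync(collector)
    results["chain_ok"] = gateway.log.verify_chain()
    results["pending_after"] = len(gateway.log.records) - gateway.log.synced
    return results


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Running `run_demo()` shows the two properties the list asks for: access decisions are made and logged while the collector is down, and the buffered records are delivered intact once it is back, with the collector refusing any batch whose hash chain does not continue the history it already holds. The look-ahead window is the usual HOTP compromise between tolerating a token that was pressed without being used and bounding the number of codes that would be accepted at once.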
A New Definition of Readiness
The real shift underway is cultural. Compliance is about passing the audit; continuity is about proving reliability to the public.
Energy, transport, and water providers no longer just need to follow the law — they must keep societies running during crises.
Governments and regulators are beginning to recognise this too: ENISA’s 2025 recommendations now explicitly call for “live operational exercises” and “resilience-based validation” beyond documentation reviews.
That’s the future of OT security — where readiness is measured not by certifications, but by uptime under pressure.
Before the Next Audit, Ask a Harder Question
As 2026 budgets take shape, another round of compliance projects will begin. But before new policies are written, one question should guide every investment:
“If a cyberattack disconnects us tomorrow, can we still authenticate and control access securely?”
If the answer isn’t an immediate yes, compliance has not yet achieved its purpose. Security that keeps systems alive — not just certified — is what truly defines continuity.
--------------------

swIDch will continue its quest to innovate and pioneer next-generation authentication solutions. To stay up-to-date with the latest trends sign up to our newsletter and check out our latest solutions.
