When a major U.S. steelmaker halted part of its production after a cyber incident in May 2025, output wasn’t the only thing disrupted — trust was.
Weeks later in Europe, a cyberattack on a check-in and boarding-systems provider snarled operations at multiple major airports, exposing the same weakness: every system was compliant, but not resilient.
Across Europe and North America, industrial and public infrastructures are meeting every checkbox of NIS2, IEC 62443, the Cyber Resilience Act, and NERC standards — yet still going dark when attacks hit. The lesson is now unavoidable: compliance can’t guarantee continuity.
In the race to prepare for NIS2 enforcement in 2025 and the coming Cyber Resilience Act, many operators rushed to complete audits, update policies, and publish incident plans. Those actions matter — but they only prove readiness on paper.
Recent reports from ENISA show that 70% of incidents in critical infrastructure occurred in organisations already holding active compliance certifications. In other words, being “compliant” does not mean being “secure enough to stay operational.”
Compliance defines what must be done. Continuity defines whether it works when it matters.
When the Lights Go Out on Certified Systems
Take the Energinet case in Denmark (January 2025). The company, responsible for national energy transmission, confirmed an intrusion that forced partial shutdowns of internal systems. It was fully aligned with NIS2 principles — network segmentation, audit logs, incident reporting — yet attackers exploited an overlooked vendor API to move laterally inside the OT monitoring network.
A few months earlier, the RheinEnergie utility in Germany experienced a similar breach. The system passed every compliance audit but failed to maintain remote authentication when a connection dropped, forcing operators to halt critical automation temporarily.
These incidents show a simple but uncomfortable truth: regulations build defences, but resilience depends on what survives beyond the checklist.
Why does this gap persist even in well-regulated sectors? Because compliance is periodic, but attacks are continuous.
Audits assess evidence from the past; attackers exploit systems in real time. A policy might say “MFA is enabled,” but what if the authentication server is offline during a network disruption?
A system might “log all access,” but are those logs reachable if connectivity fails? The answer lies not in more documentation but in designing for continuity — making sure essential functions like identity verification, monitoring, and recovery remain operational under degraded conditions.
Forward-thinking operators are reframing compliance as the foundation of continuity, not the finish line. That shift changes how architectures are built:
The real shift underway is cultural. Compliance is about passing the audit; continuity is about proving reliability to the public.
Energy, transport, and water providers no longer just need to follow the law — they must keep societies running during crises.
Governments and regulators are beginning to recognise this too: ENISA’s 2025 recommendations now explicitly call for “live operational exercises” and “resilience-based validation” beyond documentation reviews.
That’s the future of OT security — where readiness is measured not by certifications, but by uptime under pressure.
As 2026 budgets take shape, another round of compliance projects will begin. But before new policies are written, one question should guide every investment:
“If a cyberattack disconnects us tomorrow, can we still authenticate and control access securely?”
If the answer isn’t an immediate yes, compliance has not yet achieved its purpose. Security that keeps systems alive — not just certified — is what truly defines continuity.
--------------------
swIDch will continue its quest to innovate and pioneer next-generation authentication solutions.