The NIS2 Directive (EU 2022/2555) requires essential and important entities across energy, transport, manufacturing, and other sectors to apply proportionate cybersecurity measures across all network and information systems.
IoT and OT devices connected via SIM are in scope. Traditional SIM connectivity provides no access control, no traffic visibility, and no audit trail. Organisations using standard cellular connectivity for distributed devices are exposed under NIS2 obligations covering risk management, access control, supply chain security, and incident containment.
Zero Trust SIM connectivity directly addresses these gaps by eliminating implicit trust at the network layer, enforcing policy-based access, and generating the audit records NIS2 requires.
NIS2 is the EU's updated Network and Information Security Directive, which came into force in January 2023 and required member state transposition by October 2024. It replaces the original NIS Directive and significantly expands the scope of organisations covered.
The directive applies to two categories.
Essential entities include operators in energy, transport, water, healthcare, digital infrastructure, and public administration.
Important entities cover a broader group: manufacturing, food production, postal services, chemicals, waste management, and digital providers.
Organisations meeting the size thresholds (generally 50+ employees or 10 million euros in annual turnover) are in scope. Some sectors are in scope regardless of size.
Two things changed materially from the original NIS Directive. The scope broadened substantially, pulling in industries that previously had no formal cybersecurity obligations at this level. And accountability moved upward. Senior management can now be held personally liable for security failures. The board is in scope. That shift changed how most organisations are approaching compliance.
The directive does not prescribe specific tools or architectures. It requires proportionate, risk-based security measures across all network and information systems that support the delivery of essential or important services. That includes technical measures and organisational ones.
The core obligations cluster around several areas:
The 24-hour incident notification window is worth pausing on. To report an incident accurately within that window, organisations need to know it happened. That requires real-time monitoring. For organisations running large fleets of IoT devices without visibility into what those devices are communicating with, that requirement alone is difficult to satisfy.
Yes, they are in scope. NIS2 covers all network and information systems that support the delivery of essential or important services. IoT sensors, OT controllers, remote monitoring equipment, SCADA-connected devices, and anything else using cellular SIM connectivity to support operational processes are in scope if the organisation operating them falls under the directive.
This is the part most organisations have not fully worked through. IT systems tend to get the attention in compliance reviews. IoT and OT environments, particularly those using cellular SIM connectivity, are frequently treated as peripheral. They are not peripheral under NIS2. If an energy grid uses SIM-connected remote terminal units to monitor substation performance, those devices are in scope. If a logistics operator uses cellular tracking across its fleet, that connectivity is in scope. If a manufacturer runs SIM-connected machines on the factory floor, the same applies.
Standard SIM connectivity gives devices network access. It does not give operators control over what those devices do with that access, who can reach them, or what they communicate after deployment.
A SIM inserted into a device connects it to a carrier network. The device gets an IP address. Traffic flows. From a connectivity standpoint, it works. From a security standpoint, several problems follow.
There is typically no inbound access control. Devices with public or semi-public IPs are reachable from outside the organisation's network. Without explicit policy enforcement at the SIM or network level, traffic is not inspected. Third-party vendors and service technicians often access OT devices over VPN, which gives them broad network access far beyond the specific equipment they need to reach. If one vendor laptop is compromised, the blast radius covers everything on that network segment.
Most critically for NIS2 compliance: standard SIM connectivity generates no device-level traffic logs. If a device starts communicating with an unexpected external server, there is no alert. If a compromised device begins probing other devices on the network, there is no record. When an incident occurs, there is often nothing to audit.
This matters because NIS2 requires organisations to demonstrate they took proportionate security measures. A post-incident review showing that IoT devices were running on unmanaged SIM connectivity with no access control and no traffic visibility is not a defensible position.
| NIS2 obligation | What it requires | Why IoT connectivity is exposed |
|---|---|---|
| Risk management | Identify and address risks across all network and information systems, including OT | SIM-connected devices are rarely included in risk assessments, despite carrying operational traffic |
| Access control | Enforce strict controls over who accesses systems and under what conditions | Vendor laptops on VPNs get broad network access. One compromised device opens a path into OT infrastructure |
| Supply chain security | Manage and monitor third-party access to systems and data | Service technicians from equipment manufacturers often access OT systems remotely with minimal oversight |
| Incident impact limitation | Contain breaches and prevent lateral movement across systems | Flat network architecture means one compromised IoT device can reach everything else on the same network |
| Audit trails and reporting | Maintain logs of system activity and report significant incidents within 24 hours | Standard SIM connectivity generates no device-level traffic logs. There is nothing to audit |
| Anomaly detection | Detect abnormal behaviour and act on it | Most organisations have no visibility into what their IoT devices communicate with after deployment |
| Board accountability | Senior management is personally liable for security failures | If a breach is traced to an unmanaged IoT device, the organisation cannot demonstrate it took proportionate measures |

Energy is classified as an essential sector under NIS2. Electricity supply undertakings, distribution system operators, production facilities, oil and gas infrastructure, and district heating systems are all in scope.
Energy environments are heavily dependent on OT systems distributed across wide geographic areas. Substations, pipeline monitoring points, remote generation assets, and grid management equipment frequently rely on SIM-based 4G or 5G connectivity as the only practical option. Running fibre to every remote substation is not feasible.
This creates a specific exposure. The devices managing critical infrastructure are connected via cellular, the connectivity is often unmanaged beyond basic network access, and the systems they support are classified as essential under a directive that now requires demonstrated security controls and personal liability for senior management when those controls are absent.
Third-party access compounds the problem. Equipment in energy environments is often maintained by the original manufacturer or specialist contractors. Remote access for service and maintenance is routine. The common approach is VPN access from the contractor's laptop. That laptop gets network-level access, not device-specific access. One compromised contractor environment creates a direct path into the organisation's OT network.
Manufacturing sits in the important entities category under NIS2, which carries somewhat lighter obligations than essential entities but still requires proportionate security measures, supply chain oversight, and incident reporting.
Modern manufacturing environments are a mix of legacy OT infrastructure and newer connected equipment. Robots, production line sensors, quality control systems, and logistics tracking all run alongside older controllers that were never designed with network security in mind. NIS2 requires security across all of it.
The specific exposure in manufacturing is lateral movement. Flat network architecture is common. If one device is compromised, it has line of sight to everything else on the same segment. For a production environment, a breach that spreads to adjacent machines is not a data problem. It is an operational one.
Transport operators, including rail, road, maritime, and aviation, face similar dynamics. Fleet monitoring, cargo tracking, and infrastructure control systems all use cellular connectivity at scale. Rail operators in particular run semi-mobile OT systems that depend on continuous SIM connectivity for real-time monitoring and remote maintenance. Under NIS2, that connectivity is in scope.
Proportionate security, in NIS2 terms, means the measures taken match the risk. For organisations running IoT or OT devices at scale over cellular connectivity, proportionate means addressing the specific vulnerabilities that cellular introduces.
Four things are required in practice.
The gap for most organisations is not the first item. Many have taken steps to reduce inbound exposure. The gap is visibility. Organisations running hundreds or thousands of SIM-connected devices often have no real-time view into device-level traffic. They cannot detect anomalies because they are not monitoring traffic. They cannot audit incidents because there are no logs.
Zero Trust is a security model built on one principle: no connection is trusted by default. Every request, from every device, at every location, is verified before access is granted. Nothing gets implicit trust because it is on the right network or connected to the right SIM.
For IT environments, Zero Trust is typically implemented through agent software installed on user devices. The agent handles identity verification, policy enforcement, and session monitoring. For IoT devices, that approach breaks down. Sensors, remote terminal units, and OT controllers do not run agent software. They often have constrained compute resources and fixed firmware. There is no place to install a client.
Zero Trust for IoT works differently. Security is enforced at the network layer, through the SIM and the connectivity infrastructure, rather than on the device itself. Device-initiated connections are verified against policy before any traffic flows. Inbound access is eliminated. Traffic is inspected continuously. Third-party access is handled through browser-based sessions that are time-limited and recorded, without distributing VPN clients.
This maps directly to NIS2 obligations. Eliminating exposed ports addresses attack surface reduction. Policy-based access control addresses the access management requirement. Session recording addresses audit trail requirements. Traffic monitoring and anomaly detection address the incident detection and notification requirements.
Supply chain risk is one of the areas NIS2 treats with most seriousness. Organisations are required to assess and address the security practices of their direct suppliers and service providers, not just their own systems.
For organisations operating IoT or OT infrastructure, the supply chain risk is usually third-party remote access. Equipment manufacturers, maintenance contractors, and service partners routinely need remote access to systems they supplied or maintain. The traditional approach is VPN. The contractor gets credentials, connects to the VPN, and has broad network access.
The problem is well understood. A contractor VPN client is only as secure as the contractor's own security posture. If their environment is compromised, your network is compromised through the VPN connection. NIS2 requires you to manage this risk. Managing it means more than choosing a contractor with good intentions.
The technically defensible approach is session-level access control. The contractor authenticates through a web portal. They access only the specific device or system they are authorised to reach. The session runs in the browser. There is no VPN client distributed, no credentials that can be reused, no lateral movement possible. The session is time-limited. Every action is recorded. Access is revocable instantly.
For an organisation trying to demonstrate proportionate supply chain security to a regulator, this approach generates the evidence needed: logs of who accessed what, when, for how long, and what they did.
A private APN isolates IoT traffic from the public internet by routing it through a private network. It is a meaningful step up from standard SIM connectivity. It is not sufficient on its own for NIS2 compliance.
Private APN addresses traffic isolation. It does not address access control within the network, third-party access management, device-level traffic visibility, or anomaly detection. If a device on a private APN starts communicating with unexpected destinations, the APN will not flag it. If a compromised contractor gains access to the private network, lateral movement to other devices is possible.
The compliance gap is visibility and control within the private network, not just isolation from the public internet. NIS2 requires organisations to detect anomalies, maintain audit trails, and limit the impact of incidents. A private APN does not deliver those capabilities.
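To make concrete what network-layer policy enforcement and device-level visibility add over plain isolation, here is a small added example (not IXT's code or product logic) that evaluates constructed per-SIM flow records against a per-device egress policy: inbound connections are denied, device-initiated connections to unknown destinations or ports are flagged, and every decision becomes an audit record. The SIM identifiers, policy entries and flow records are all constructed for illustration.

```python
"""Per-device egress policy check with audit records (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed policy keyed by SIM identity: the only destination networks
# and ports each device is expected to initiate connections to.
POLICY = {
    "sim-0001": {"nets": ["10.20.0.0/16"], "ports": {8883}},  # RTU -> SCADA broker
    "sim-0002": {"nets": ["10.20.5.0/24"], "ports": {443}},   # tracker -> fleet API
}

@dataclass(frozen=True)
class Flow:
    sim: str          # SIM / device identity seen by the core network
    direction: str    # "out" = device-initiated, "in" = inbound towards device
    dst_ip: str
    dst_port: int

def evaluate(flow):
    """Return (verdict, reason). Only device-initiated flows matching policy are allowed."""
    if flow.direction == "in":
        return ("deny", "inbound connection to device")  # no inbound access at all
    pol = POLICY.get(flow.sim)
    if pol is None:
        return ("deny", "unknown SIM identity")
    dst = ip_address(flow.dst_ip)
    if not any(dst in ip_network(n) for n in pol["nets"]):
        return ("deny", "destination outside policy")   # e.g. unexpected external server
    if flow.dst_port not in pol["ports"]:
        return ("deny", "port outside policy")          # e.g. in-segment but wrong service
    return ("allow", "matches policy")

def audit(flows):
    """Evaluate each flow and return audit records; denied records are the anomalies."""
    return [{"sim": f.sim, "dir": f.direction, "dst": f"{f.dst_ip}:{f.dst_port}",
             "verdict": v, "reason": r}
            for f in flows for v, r in [evaluate(f)]]

# Constructed sample flows: one normal, four that a private APN alone would not flag.
SAMPLE = [
    Flow("sim-0001", "out", "10.20.1.10", 8883),   # routine telemetry to the broker
    Flow("sim-0001", "out", "203.0.113.7", 443),   # unexpected external destination
    Flow("sim-0002", "in", "10.20.5.9", 22),       # inbound attempt towards the device
    Flow("sim-0001", "out", "10.20.7.3", 502),     # lateral connection to another device
    Flow("sim-9999", "out", "10.20.1.10", 8883),   # SIM with no policy entry
]

if __name__ == "__main__":
    for record in audit(SAMPLE):
        print(record)
```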
"VPNs were designed to connect users on laptops to corporate networks. They were never built for thousands of headless devices in energy grids, water treatment plants, and factory floors. With this integration, we bring the same Zero Trust architecture that Zscaler delivers to Fortune 500 IT environments directly to OT and IoT devices over cellular. For organizations facing NIS2 compliance obligations, this is a direct answer: no exposed attack surface, no VPN dependencies, full traffic inspection, and audit-ready controls from a single SIM." — Henning Solberg, CTO and Co-founder, IXT
If your organisation is in scope under NIS2 and you rely on SIM-connected IoT or OT devices, the connectivity layer is not a commodity decision. The provider you choose determines whether you can meet the technical requirements the directive imposes.
Four questions are worth asking of any cellular IoT connectivity provider:
IXT is a full MVNO built for IoT, operating its own core network with Zero Trust security built into cellular connectivity from the SIM to the application. IXT Zero Trust, powered by Zscaler ZTNA and Illumio, is the first solution to extend Zero Trust to OT and IoT endpoints over cellular, without client software on devices. It is built for NIS2 and GDPR compliance, with private infrastructure, full audit trails, policy-based segmentation, and controlled third-party access.
If you are working through what NIS2 means for your IoT connectivity and want to understand your current exposure, the IXT team is available to walk through your specific environment.
This article was written by the IXT Connectivity and Security team. IXT operates a full MVNO core network and delivers secure IoT connectivity across 190+ countries and 600+ mobile networks. The team works directly with industrial, utilities, and infrastructure operators to design and secure large-scale IoT and OT deployments. Their focus is on network-level Zero Trust architecture, SIM-based identity, and secure device communication without relying on VPNs or endpoint agents.