NIS2 for utilities: a practical connectivity checklist

NIS2 raises the bar on how you protect and prove control over connected assets. Rather than wade through legal text, use this as a field-ready to-do list. It focuses on what you can enforce in the connectivity layer and what you should align with elsewhere in the organisation.


NIS2 changes what you need to prove about your connected infrastructure. For utility operators managing thousands of SIM-connected meters, RTUs, and substations, the regulation puts connectivity security under a compliance spotlight it has never faced before.

This checklist focuses on what you control at the connectivity layer, and what to align elsewhere in your organisation. No legal jargon. No theory. Field-ready actions you can hand to your engineering and security teams today.


Why connectivity matters under NIS2


NIS2 requires risk-based security measures across all network and information systems that support critical services. In OT and IoT environments, SIM-based connectivity is often a critical part of the attack surface, but it rarely gets the same scrutiny as IT systems.


Traditional SIM connectivity provides reachability: the SIM authenticates to the mobile network and the device gets an IP address and a route. It does not provide segmentation, a binding between the device and the SIM identity, or a per-session record of who talked to what. That gap is exactly what shows up when a regulator asks you to demonstrate control over distributed devices.


As of early 2026, enforcement is accelerating. Germany passed its implementation act in November 2025, with entity registration required by April 2026. Belgium has been fully active since October 2024. ENISA published nearly 200 pages of technical guidance in June 2025, setting clear expectations for what compliance looks like in practice. The European Commission proposed targeted amendments in January 2026 to simplify compliance, but the core obligations remain firm.


For utilities classified as essential entities, the stakes are direct: administrative fines of up to 10 million EUR or 2% of total worldwide annual turnover, whichever is higher, and personal liability for members of the management body who fail to oversee the implementation of adequate security measures.


The bottom line: SIM-connected devices in your OT environment are in scope. Treating them as "out of band" or "air-gapped" is no longer defensible.


1. Identity: people and devices


What to do at the connectivity layer


Bind each device to a SIM or eUICC-based identity and link it to your asset inventory. Every connected meter, RTU, and gateway should have a traceable identity from the moment it ships.


Require named user identities with multi-factor authentication for engineers and contractors accessing remote equipment. Shared credentials on jump hosts are a compliance failure waiting to happen.


Apply least-privilege access: one person, one device, one task, time-boxed. If a field technician needs to access a single substation RTU for a firmware update, they should get access to that device for that session. Nothing more.


Also align

Your IAM and joiner/mover/leaver process, so accounts appear, change, and disappear on time when people change roles or contracts end.


Evidence to keep

Device-to-SIM/eUICC mapping records. Decommission logs. Periodic access reviews showing who accessed what and when.
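As an added example, not code from IXT or from this checklist, here is the mapping check this section asks for, run as a reconciliation between a SIM export from the connectivity platform and the OT asset register. The column names, identifiers and lifecycle states are assumptions for the example (the ICCIDs and IMEIs are constructed and fake); map them to your own exports. It reports active SIMs that no asset claims, in-service assets whose SIM the platform does not know, decommissioned assets whose SIM is still active, a SIM that attached from a device whose IMEI differs from the registered one, and one ICCID claimed by two assets. An empty result, dated and kept with the decommission logs, is the evidence this section is about.

```python
import csv
import io

# Constructed sample exports. ICCIDs and IMEIs are fake; column names are assumed.
SIM_EXPORT = """iccid,imei_seen,status
8944000000000000010,350000000000010,active
8944000000000000011,350000000000011,active
8944000000000000012,350000000000012,suspended
8944000000000000013,350000000000099,active
8944000000000000014,350000000000014,active
8944000000000000016,350000000000016,active
"""

ASSET_REGISTER = """asset_id,site,device_type,iccid,imei,lifecycle
RTU-0042,SUB-17,rtu,8944000000000000010,350000000000010,in_service
MTR-1187,SUB-17,meter,8944000000000000011,350000000000011,in_service
GW-0009,SUB-22,gateway,8944000000000000012,350000000000012,decommissioned
RTU-0043,SUB-22,rtu,8944000000000000013,350000000000013,in_service
GW-0010,SUB-22,gateway,8944000000000000014,350000000000014,decommissioned
RTU-0044,SUB-23,rtu,8944000000000000015,350000000000015,in_service
MTR-2001,SUB-23,meter,,,staged
"""


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(sims, assets):
    """Return sorted (finding, identifier) pairs. An empty list means every active
    SIM maps to exactly one asset and every in-service asset has a known SIM."""
    findings = []

    # One SIM claimed by two asset records is a register error, not a SIM problem.
    claims = {}
    for a in assets:
        if a["iccid"]:
            claims.setdefault(a["iccid"], []).append(a["asset_id"])
    for iccid, owners in claims.items():
        if len(owners) > 1:
            findings.append(("DUPLICATE_ICCID_IN_REGISTER", iccid))

    asset_by_iccid = {a["iccid"]: a for a in assets if a["iccid"]}
    sim_by_iccid = {s["iccid"]: s for s in sims}

    for s in sims:
        asset = asset_by_iccid.get(s["iccid"])
        if asset is None:
            if s["status"] == "active":
                findings.append(("UNMAPPED_ACTIVE_SIM", s["iccid"]))
            continue
        if asset["lifecycle"] == "decommissioned" and s["status"] == "active":
            findings.append(("ACTIVE_SIM_ON_DECOMMISSIONED_ASSET", asset["asset_id"]))
        if s["imei_seen"] and asset["imei"] and s["imei_seen"] != asset["imei"]:
            # The SIM attached from a device other than the one it is registered to.
            findings.append(("IMEI_MISMATCH", asset["asset_id"]))

    # Staged assets may legitimately have no SIM yet; in-service assets may not.
    for a in assets:
        if a["lifecycle"] == "in_service" and a["iccid"] not in sim_by_iccid:
            findings.append(("ASSET_WITHOUT_KNOWN_SIM", a["asset_id"]))
    return sorted(findings)


if __name__ == "__main__":
    for finding, ident in reconcile(load(SIM_EXPORT), load(ASSET_REGISTER)):
        print(f"{finding:36} {ident}")
```

Run it on the real exports on a schedule and treat any non-empty result as a ticket: an UNMAPPED_ACTIVE_SIM is a device you are paying for and cannot account for, and an ACTIVE_SIM_ON_DECOMMISSIONED_ASSET is exactly the kind of forgotten credential a regulator will ask about.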


IXT approach: IXT SIMs bind device identity at the SIM level from factory provisioning. With IXT CMP, you get real-time visibility into every device, with ICCID-level tracking, event logging, and the ability to suspend or revoke access in seconds.


2. Segmentation and access control


What to do at the connectivity layer

Replace flat site-to-site VPNs with thin, per-session paths. VPNs were designed to connect trusted networks. Utilities do not have one trusted network anymore. They have thousands of intermittently connected sites, many operated by contractors, all changing over time.


Enforce allow-lists per device type. Be specific, and name exact destinations rather than wildcards:

  • IEC-104 (IEC 60870-5-104) and DNP3 traffic goes to named SCADA masters only (TCP 2404 and TCP 20000 respectively)

  • DLMS/COSEM traffic goes to the MDM FQDNs only (exact names, no wildcards)

  • MQTT traffic goes to the broker FQDN only (TLS required, with mTLS so the broker authenticates the device as well)


Keep OT traffic off the public internet. Use private APNs or private routes to SCADA, MDM, and cloud endpoints.


Evidence to keep

Current policy set. Port and protocol matrix. Change log showing when policies were modified and by whom.


IXT approach: IXT SecureNet provides private APN connectivity with direct cloud integration to AWS, Azure, and GCP, keeping device traffic off the public internet entirely. For organisations moving toward Zero Trust, IXT Zero Trust connectivity replaces flat VPN tunnels with per-session, per-application access verified at the network edge. No exposed ports. No lateral movement. Read more about why VPNs fail at grid-edge scale.


3. Logging, monitoring, and audit


What to do at the connectivity layer

Capture session-level records for every connection: who connected, to what, when, and which policy governed the session.


Set up alerts for policy breaches. When a device starts communicating with an unexpected host, sending unusual data volumes, or using an unapproved protocol, your team needs to know immediately.


Use time-boxed change windows that auto-revert. If a maintenance window grants broader access for a firmware rollout, it should close automatically when the window expires.
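As an added example (not code from IXT or from the original checklist), the per-device-type allow-list from the segmentation section and the three connectivity-layer actions above expressed as one small policy evaluator: an allow-list of exact protocol, destination and port tuples per device type; a time-boxed maintenance window that grants one extra rule to one device and simply stops matching when it expires, so the broader access reverts by construction; and an evaluation pass over constructed session records that writes one audit line per session naming the policy that governed it and raises an alert for an unexpected host, an unapproved protocol, a session outside its window, or a volume more than five times the device type's baseline. The hostnames, device identifiers, users, baseline volumes and the five-times factor are assumptions for the example; the DLMS/COSEM and MQTT-over-TLS ports (4059 and 8883) are the IANA-registered defaults and should be checked against your own deployment.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Rule:
    proto: str  # "tcp" or "udp"
    dst: str    # exact FQDN or IP address; no wildcards
    port: int


# Baseline allow-list per device type. Hostnames are placeholders for this example;
# the DLMS/COSEM (4059) and MQTT-over-TLS (8883) ports are the IANA defaults.
BASELINE = {
    "rtu": (
        Rule("tcp", "scada-master-1.ot.example", 2404),   # IEC 60870-5-104
        Rule("tcp", "scada-master-1.ot.example", 20000),  # DNP3
    ),
    "meter": (Rule("tcp", "mdm.ot.example", 4059),),      # DLMS/COSEM to the MDM
    "gateway": (Rule("tcp", "mqtt.ot.example", 8883),),   # MQTT over TLS to the broker
}


@dataclass(frozen=True)
class Window:
    """A time-boxed exception for one device. Outside [start, end) it grants
    nothing, so the extra access reverts without anyone having to remove it."""
    window_id: str
    device_id: str
    rule: Rule
    start: datetime
    end: datetime


def governing_policy(session, windows):
    """Return the label of the policy that allows this session, or None to deny."""
    rule = Rule(session["proto"], session["dst"], session["port"])
    if rule in BASELINE.get(session["device_type"], ()):
        return "baseline:" + session["device_type"]
    for w in windows:
        if w.device_id == session["device_id"] and w.rule == rule and w.start <= session["ts"] < w.end:
            return "window:" + w.window_id
    return None


def classify_denial(session, windows):
    """Name the most specific reason a denied session should alert on."""
    rule = Rule(session["proto"], session["dst"], session["port"])
    if any(w.device_id == session["device_id"] and w.rule == rule for w in windows):
        return "WINDOW_EXPIRED"  # a window exists for exactly this rule, but not at this time
    if session["dst"] not in {r.dst for r in BASELINE.get(session["device_type"], ())}:
        return "UNEXPECTED_HOST"
    return "UNAPPROVED_PROTOCOL"  # known host, wrong port/protocol (e.g. plaintext MQTT)


def evaluate(sessions, windows, volume_baseline, volume_factor=5.0):
    """Return (audit, alerts). Each audit line records when, who, from which device,
    to what, and which policy governed it; alerts are (kind, device_id) pairs."""
    audit, alerts = [], []
    for s in sessions:
        policy = governing_policy(s, windows)
        audit.append((s["ts"].isoformat(), s["user"], s["device_id"],
                      f"{s['dst']}:{s['port']}/{s['proto']}", policy or "deny"))
        if policy is None:
            alerts.append((classify_denial(s, windows), s["device_id"]))
        elif s["bytes"] > volume_factor * volume_baseline.get(s["device_type"], float("inf")):
            alerts.append(("UNUSUAL_VOLUME", s["device_id"]))
    return audit, alerts


# Constructed sample data: assumed device IDs, users and volumes, not real logs.
T0 = datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc)
WINDOWS = [Window("MW-17", "rtu-0042", Rule("tcp", "fw-update.ot.example", 443),
                  start=T0, end=T0 + timedelta(hours=2))]
VOLUME_BASELINE = {"rtu": 200_000, "meter": 20_000, "gateway": 500_000}  # typical bytes per session


def sample_sessions():
    def s(minutes, device_id, device_type, user, proto, dst, port, nbytes):
        return {"ts": T0 + timedelta(minutes=minutes), "device_id": device_id, "device_type": device_type,
                "user": user, "proto": proto, "dst": dst, "port": port, "bytes": nbytes}
    return [
        s(5, "rtu-0042", "rtu", "svc:scada", "tcp", "scada-master-1.ot.example", 2404, 150_000),  # baseline
        s(30, "rtu-0042", "rtu", "tech.jdoe", "tcp", "fw-update.ot.example", 443, 900_000),       # inside MW-17
        s(150, "rtu-0042", "rtu", "tech.jdoe", "tcp", "fw-update.ot.example", 443, 50_000),       # MW-17 has closed
        s(40, "mtr-1187", "meter", "svc:mdm", "tcp", "mdm.ot.example", 4059, 15_000),             # baseline
        s(41, "mtr-1187", "meter", "svc:mdm", "tcp", "203.0.113.7", 4059, 15_000),                # unknown host
        s(42, "gw-0009", "gateway", "svc:mqtt", "tcp", "mqtt.ot.example", 1883, 10_000),          # plaintext MQTT
        s(43, "gw-0009", "gateway", "svc:mqtt", "tcp", "mqtt.ot.example", 8883, 4_000_000),       # 8x baseline
    ]


if __name__ == "__main__":
    audit, alerts = evaluate(sample_sessions(), WINDOWS, VOLUME_BASELINE)
    for line in audit:
        print("AUDIT", *line)
    for kind, device in alerts:
        print("ALERT", kind, device)
```

The audit tuple is the record an auditor asks for: timestamp, user, device, destination and the governing policy, with "deny" recorded rather than silently dropped. Note that the technician's second firmware-update session is denied purely because the clock has moved past the window's end; nobody had to revoke anything.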


Also align

SIEM and SOC runbooks so someone owns the alert and the response. Session-level connectivity logs only help if they flow into your detection and response pipeline.


Evidence to keep

Logs streamed to SIEM. Documented retention policy that meets your national transposition requirements. Mean time to respond (MTTR) metrics.


NIS2 incident reporting deadlines are tight: an early warning within 24 hours of becoming aware of a significant incident, an incident notification with an initial assessment of severity and impact within 72 hours, and a final report within one month of that notification. Session-level connectivity logs are what let you say in the first 24 hours which devices and which sessions were involved.


IXT approach: IXT CMP provides real-time event logging with timestamps, searchability, and SIM-level detail. When combined with Zero Trust connectivity, every session is logged with full context: identity, destination, policy applied, and duration.


4. Supply chain and provisioning


What to do at the connectivity layer

Factory-provision identity before the device ships. Bind the SIM or eUICC to the device and apply a baseline connectivity policy at the point of manufacture, not in the field.


Use eUICC and multi-IMSI for resilience and local profile requirements. Multi-profile capability lets you swap network profiles with guardrails and rollback if a primary network fails or if permanent roaming regulations force a local profile.


Ask your suppliers to support protocol and FQDN allow-lists, signed firmware, and per-session access for maintenance. If your vendor sends a technician to service a remote asset, that technician should get scoped, time-limited, auditable access, not a VPN tunnel to your entire OT network.


Also align

Supplier security clauses in contracts. A straightforward acceptance checklist at goods-in that verifies devices arrive with the correct identity binding and baseline policy.


Evidence to keep

Provisioning logs. Profile library documenting which profiles are deployed where. Vendor security attestations.


IXT approach: IXT supports factory provisioning with SIM identity binding from the start. eUICC and multi-IMSI technology provides profile flexibility across 600+ networks in 190+ countries, with centralised management through IXT CMP. Learn how eSIM simplifies supply chain security.


5. Incident response and continuity


What to do at the connectivity layer

Contain by default. A default-deny architecture limits lateral movement the moment an incident starts. If a device is compromised, it should not be able to reach anything beyond its pre-approved application endpoint.


Build the ability to revoke device or user identity quickly. In the middle of an incident, you need to isolate a compromised SIM or block a contractor session in seconds, not hours.


Implement health-based failover. Steer traffic to healthy networks based on latency, packet loss, and attach success. Trigger profile swaps during outages so critical assets stay connected.

Keep forensics-ready logs for the legal retention window defined by your national NIS2 transposition.
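An added example, not IXT's code and not a description of how its platform decides, of the health-based selection the checklist asks for: each network profile is scored on attach success, packet loss and latency; a profile that no longer attaches is abandoned immediately; a merely degraded one is abandoned only after a hold-down so a marginal network does not flap between profiles; and with no healthy alternative the device stays where it is. The thresholds, weights, hold-down and measurements are assumed values. Note what it deliberately does not do: it never swaps away from a healthy profile, because every swap is a reattach and a window in which the asset is unreachable.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class NetworkHealth:
    """Measured health of one network profile on a multi-IMSI / eUICC device."""
    name: str
    attach_success: float  # fraction of recent attach attempts that succeeded, 0..1
    packet_loss: float     # fraction of probe packets lost to the application endpoint, 0..1
    latency_ms: float      # median round-trip time to the application endpoint


# Assumed thresholds for this example; tune per application (IEC-104 polling
# tolerates far more latency than a protection scheme would).
MIN_ATTACH = 0.90
MAX_LOSS = 0.05
MAX_LATENCY_MS = 800.0


def is_healthy(h):
    return (h.attach_success >= MIN_ATTACH
            and h.packet_loss <= MAX_LOSS
            and h.latency_ms <= MAX_LATENCY_MS)


def score(h):
    """Higher is better. A network that does not attach reliably scores zero
    regardless of how fast it looks on the rare occasions it is up."""
    if h.attach_success < MIN_ATTACH:
        return 0.0
    return (0.5 * h.attach_success
            + 0.3 * (1.0 - min(h.packet_loss, 1.0))
            + 0.2 * max(0.0, 1.0 - h.latency_ms / MAX_LATENCY_MS))


def choose_network(current, candidates, now_s, last_switch_s, hold_down_s=600):
    """Return (network_name, reason) for the profile the device should use.

    - A healthy current network is never swapped: a swap costs a reattach.
    - A degraded current network (still attaching, but over the loss or latency
      threshold) is swapped only once the hold-down since the last swap has
      expired, so a marginal network does not flap between profiles.
    - A current network that no longer attaches is swapped immediately.
    - With no healthy candidate, stay put: the least-bad option is the one
      already attached, and a swap to a dead profile strands the device.
    """
    if current is not None and is_healthy(current):
        return current.name, "current healthy"
    cur_name = current.name if current is not None else None
    healthy = sorted((c for c in candidates if c.name != cur_name and is_healthy(c)),
                     key=score, reverse=True)
    if not healthy:
        return cur_name, "no healthy candidate"
    hard_failure = current is None or current.attach_success < MIN_ATTACH
    if not hard_failure and now_s - last_switch_s < hold_down_s:
        return cur_name, "degraded, hold-down active"
    return healthy[0].name, "failover"


def demo():
    """Constructed measurements (assumed values, not real operator data)."""
    primary = NetworkHealth("op-a", attach_success=0.99, packet_loss=0.12, latency_ms=320.0)  # lossy
    backup = NetworkHealth("op-b", attach_success=0.97, packet_loss=0.01, latency_ms=410.0)   # healthy
    poor = NetworkHealth("op-c", attach_success=0.60, packet_loss=0.00, latency_ms=150.0)     # rarely attaches
    return [
        choose_network(primary, [backup, poor], now_s=1000, last_switch_s=800),  # degraded, inside hold-down
        choose_network(primary, [backup, poor], now_s=2000, last_switch_s=800),  # hold-down expired
        choose_network(poor, [backup], now_s=900, last_switch_s=800),            # hard failure: no waiting
        choose_network(backup, [primary], now_s=5000, last_switch_s=2000),       # healthy: stay
        choose_network(primary, [poor], now_s=5000, last_switch_s=0),            # nothing better: stay
    ]


if __name__ == "__main__":
    for name, reason in demo():
        print(name, "-", reason)
```

Whatever makes the decision, the device side or the platform side, log the reason string alongside the swap: "failover" events over time are the failover drill evidence this section asks you to keep, and a burst of them on one site is itself worth an alert.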


Also align

Your wider incident response plan: roles, communication chains, legal hold procedures. Run tabletop exercises that include connectivity failure scenarios.


Evidence to keep

Results from revocation tests proving you can kill a SIM session within your target timeframe. Failover drill results. Incident timelines from exercises and real events.


IXT approach: IXT CMP enables instant SIM suspension and quick-action controls for incident containment. Multi-IMSI with health-based network switching provides automatic failover when primary networks degrade. Zero Trust architecture ensures default-deny from day one, limiting blast radius without requiring manual intervention during an incident.


Where to start

You do not need to solve everything at once. Most utility operators get the biggest compliance return from three early moves:


Bind identity to every device. If you cannot map a SIM to a device to an asset record today, start there. This underpins everything else on this checklist.


Move OT traffic off the public internet. Private APN connectivity is a practical first step that reduces your attack surface before you tackle full Zero Trust segmentation.


Enable session-level logging. If you cannot show an auditor who connected to what, when, and under which policy, nothing else matters.


IXT builds connectivity for exactly this scenario. A single SIM with global coverage, private networking through SecureNet, Zero Trust access control, and a management platform that gives you real-time visibility and audit-ready logs.


Download the Zero Trust utilities guide for reference architecture and detailed implementation steps. Or request a test SIM and pilot secure connectivity on 10 to 20 sites.



About IXT

IXT is a Full MVNO built for IoT. We deliver secure, global connectivity through a single SIM that works across 600+ networks in 190+ countries. Our SecureNet platform keeps IoT traffic off the public internet with private APNs, encrypted VPN tunnels, and direct cloud integrations. Our Connectivity Management Platform provides real-time visibility into every connected device. Built for European compliance requirements, designed for operations that need connectivity they do not have to worry about.


Ready to see how it works? Book a demo.