OT cyber resilience for UK manufacturers: what to do now & next

Executive summary

  • Regulation is tightening: NIS2 is exerting supply-chain pressure, the EU Cyber Resilience Act (CRA) applies from 11 December 2027, and the UK Cyber Security and Resilience Bill is expected to be published by end-2025 to bring UK NIS Regulations closer to NIS2.

  • The EU Data Act has begun to apply from 12 September 2025, shaping rights to data from connected products and related services—important for OEM/cloud portals and machine telemetry.

  • Even where not legally compelled, customers and EU sites will demand NIS2-style assurance; aligning OT to CAF and IEC 62443 (with ISO 27001/NIST CSF where relevant) is a credible path.

  • iconsys’ GUARD cyber security assessment packages this into a pragmatic, audit-ready OT programme that improves uptime, safety and lifecycle resilience.

Why this matters now

Cyber risk has moved from IT to the plant floor. UK manufacturers are seeing disruptive attacks that halt production and ripple through supply chains. This is a resilience issue about protecting uptime, safety and OEE, not just a tick-box exercise.

Regulation is catching up. While the UK is outside the EU, many UK manufacturers sell into the EU or operate EU subsidiaries. NIS2 widened scope and raised expectations across the bloc; Member States were due to transpose it by 17 October 2024, and even where local laws lag, EU customers are already pushing suppliers to prove equivalent controls.

In parallel, the EU Cyber Resilience Act (CRA) introduces cybersecurity requirements for “products with digital elements”—hardware, software and connected services. It entered into force in December 2024 and applies from 11 December 2027, which will influence your procurement specifications, supplier assurance and lifecycle plans.

At home, the UK Cyber Security and Resilience Bill is expected to be published by the end of 2025, with the aim of bringing UK NIS Regulations closer to NIS2. Directors should plan for tighter duties around OT risk management, incident reporting and supplier assurance, while monitoring the Bill’s passage.

Finally, the EU Data Act began applying from 12 September 2025. It governs access to and use of data generated by connected products and related services—think machines, sensors and vendor portals—so it has practical implications for contracts, data rights and switching providers.


What does good look like? (for Directors)

  • Stabilise losses first: robust backups, immutable logging and rehearsed recovery for OT and IT to contain blast radius.

  • Instrument before capex: establish asset and traffic visibility; risk-rank lines/cells; target spend where it protects throughput.

  • Design for skills scarcity: standardised HMI/recipes and maintenance workflows to reduce error and speed recovery.

  • Phased obsolescence: prioritise legacy PLCs, drives and HMIs; bake security into migrations.

  • Secure by design: segmentation, least privilege, MFA for remote/vendor access, and role-based access to engineering tools.

Where legislation is unsettled, evidence of alignment to recognised frameworks (NCSC CAF outcomes for governance, IEC 62443 for OT controls, plus ISO 27001/NIST CSF where applicable) helps satisfy auditor and customer requirements while improving uptime.


Regulatory compass: mapping obligations to action

  • NIS2 pressure via customers/EU sites: expect requests for OT risk assessments, quick-turn incident reporting, governance evidence and supplier due-diligence. Prepare evidence packs: asset inventories, risk registers, vulnerability handling, incident playbooks tied to named roles and rehearsed exercises.

  • CRA impact on procurement and engineering: introduce cyber clauses now (secure development, update commitments, SBOM, vulnerability disclosure, support lifetime). From Dec 2027, many digital products placed on the EU market must meet CRA requirements—plan CE-marking checks and supplier attestations.

  • UK Bill trajectory: anticipate stronger oversight and modernised UK NIS Regulations; align early to CAF so you can demonstrate due diligence regardless of final text.

  • Data & contracts: update manufacturing and service agreements to reflect EU Data Act data-sharing rights for connected products (including access, switching and use restrictions) and to account for evolving UK data requirements cited by Addleshaw Goddard.


Where iconsys adds the most value

iconsys’ Cyber Assessment (known as the GUARD Framework) is purpose-built for manufacturers. It is aligned to the NCSC Cyber Assessment Framework and mapped to ISA/IEC 62443, giving you one programme that meets regulatory expectations while improving OEE, uptime and safety.

We design around OT realities: legacy assets, vendor access, maintenance windows and safety interlocks.

What you get:

  • Evidence-ready baseline: live OT asset inventory (PLC/drive/HMI/SCADA), protocol discovery, trust-zone map, and exposure ranked by production criticality.
  • Segmentation plan: cell/area zoning, DMZ and remote-access patterns that reduce lateral movement without redesigning the whole plant.
  • Control hardening: credential hygiene for engineering workstations, application whitelisting, patch/update strategy for legacy controllers, and backup/restore drills for programs and recipes.
  • Governance kit: CAF-mapped risk register, RACI for cyber response, supplier assurance checklist, and an audit-ready evidence pack.

We also provide contractual clauses and buyer checklists for OT and connected products to reflect CRA-ready procurement language and EU Data Act expectations—so engineering, procurement and legal move in step.


Enablers you can deploy without stopping the plant

  • Visibility & detection: passive OT network monitoring to baseline “normal” and flag deviations; log collection into an industrial-aware SOC.

  • Identity & access: role-based access for engineers and vendors; MFA for remote access; just-in-time credentials for maintenance windows.

  • Network controls: pragmatic zoning/segmentation, secure jump-hosts, and application-layer filtering for critical cells.

  • Resilient recovery: offline and immutable backups for controllers and historian; rehearsal of restores on a test bench; clear RTO/RPO per line.

  • Lifecycle & obsolescence: plan controller migrations with security-ready templates; specify CRA-aware requirements for new equipment.


Data and assurance

Directors need consistent metrics:

  • Operational: unplanned downtime, mean time to recover, first-pass yield on secured lines.
  • Risk: number of high-risk legacy assets mitigated; % of remote access under MFA; % of zones with enforced segmentation.
  • Governance: CAF outcome scores, incident drill performance, supplier audit pass-rate.

iconsys provides a live dashboard tied to CAF outcomes and line performance so you can evidence progress to auditors and the Board.


Summary

In short, the next 24 months are about proving control as much as passing audits.

NIS2 pressure, the UK Cyber Security and Resilience Bill, the EU Data Act and the CRA applying from December 2027 will all raise expectations on how UK manufacturers govern OT risk, segment networks, manage suppliers and recover fast.

The most resilient plants will instrument first, contain blast radius, harden legacy assets and evidence CAF- and IEC 62443-aligned practice.

If you want a pragmatic start that protects uptime while satisfying auditors, begin with the iconsys GUARD cyber assessment and turn compliance into measurable resilience.