
Why Is Drinking Water Now Treated as NIS 2 “Critical Infrastructure”?

Ransomware, supplier breaches, misconfigured PLCs: the digital risks facing water utilities are no longer hypothetical. Under the European Union’s NIS 2 Directive, which Member States had to transpose by 17 October 2024, suppliers and distributors of drinking water are an Annex I (“high criticality”) sector: large suppliers rank as “essential entities” alongside hospitals, power stations, and telecoms, medium-sized ones as “important entities”, and Article 2 also pulls in smaller suppliers that are a sole provider or whose disruption could significantly affect public safety. This designation is not just legalese; it signals to boards, managers, and compliance teams that water is too important to tolerate digital fragility. You’re expected to deliver not only potable water but demonstrable, evidence-driven cyber resilience.

Behind every glass of clean drinking water is an unseen web of trust, risk, and responsibility.

What’s changed? Compliance used to mean a dozen IT checklists and a dusty disaster recovery plan. Today, it means showing, at any time, that your OT process control, customer data, and supplier links are secured, tested, and continuously improved; Article 21 of the Directive lists the risk-management measures every in-scope entity must take (European Commission, NIS2 Directive). This applies even if your utility serves a single rural region: regulators now expect risk registers, asset inventories, supplier tracking, and role-based accountability from every in-scope organisation touching the water supply (Bird & Bird). Once in scope, no utility is “too small to matter” in the eyes of NIS 2.

Recent research exposes the sector’s gap: just 37% of surveyed water utilities self-rate as ready for NIS 2, with most falling short on evidence traceability and live controls (European Water Association). Investors, insurers, and the public see rapid incident response and open reporting as baseline performance, not optional extras.

Visible progress earns trust; visible gaps attract audit.

Water utilities now confront a changed social contract: you’re not guarding technology for its own sake, but protecting public health in a digitised era. Inaction (missing logs, unsanctioned supplier access, delayed reporting) no longer passes as “being busy”.


What Legal and Technical Security Duties Now Apply to Water Utilities?

NIS 2 is as demanding operationally as it is legally. The days of checklist-driven “audit theatre” are over. Evidence must live in your systems, not be box-ticked once for an auditor: daily logs, role-based approvals, and improvement cycles that can be produced on request.

Real-world consequences hinge on controls that are both visible and verifiable.

Risk-Based, Sector-Specific Security Moves Centre Stage

Article 21 of the Directive sets the legal baseline, and ENISA, the EU’s cyber-security agency, sets out how to apply it:

  • Your risk assessment must encompass both IT (office systems, customer databases) and OT (field equipment, control systems). Cyber–physical boundaries have dissolved.
  • Supplier access is no longer hidden; every external touchpoint, from service engineers to cloud-managed sensors, falls under scrutiny.
  • Real-time or near real-time event logging is expected. Annual reviews or “paper audits” on their own leave fatal gaps (ENISA Guidelines).

What raises the stakes further: Article 20 makes management bodies responsible for approving the cyber-security risk-management measures, overseeing their implementation, and following cyber-security training themselves, and allows them to be held liable for infringements. Digital risk can no longer be delegated away (Norton Rose Fulbright).

The new compliance norm is “living documentation”: policies in use, evidence of role assignments, up-to-date asset and risk registers, and records of recent staff training (OneTrust/DataGuidance). If it’s not current, and if you can’t show a recent action linked to a real-world event, it may as well not exist.

Table – ISO 27001 Bridge: Expectation → Operationalisation → ISO Reference

The critical expectations for water utilities, mapped to specific controls:

Expectation | Operationalisation Example | ISO 27001 / Annex A Ref.
Asset inventory covers IT, OT, remote links | Live asset register covering workstations to remote field PLCs | A.5.9 / A.8.9
Ongoing risk assessment, not annual | Quarterly risk log updates, post-incident reviews | Cl. 6.1.2 / Cl. 8.2 / A.5.7
Timely incident response, with logs | 24-hour early warning, 72-hour notification, incident trail, regular debriefs | A.5.24–A.5.27
Business continuity proven | Documented, regularly tested BC/crisis plans | A.5.29 / A.5.30 / ISO 22301
Board oversight, defined responsibilities | Management review records, role matrix, evidence of check-ins | Cl. 5.3 / Cl. 9.3 / A.5.2 / A.5.4

These are not theoretical: regulators are now demanding these artefacts at short notice, and your operational readiness will be measured in real time.








How Do You Map, Classify, and Secure Critical Assets Under NIS 2?

If you don’t know the edges of your system, there can be no real security. NIS 2 mandates a living asset inventory that spans IT and OT: field cabinets, SCADA nodes, cloud services, even mobile devices used by field engineers. This catalogue isn’t just “for” compliance: it sits at the heart of your operational risk and improvement cycles (ENISA Asset Inventory Guidance).

It’s easy to miss a vulnerability you haven’t even recorded.

Visual Guide: Envisioning a Living Asset Map

Imagine a top-down view of your network: each server in the control room, every field PLC, remote VPN gateways, and each supplier’s temporary access channel tagged by criticality. You spot not only managed assets, but unapproved connections and “temporary” fixes that have become permanent backdoors.

Water utilities experience most breaches at the margins: forgotten wireless modems, field stations running an end-of-life OS, or supplier laptops left connected after routine maintenance. These orphaned devices nearly always evade traditional paper audits (Dragos Security).
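The reconciliation the paragraphs above describe, as an added example that is not part of the original page: an authoritative register (what you approved) is compared with what is actually seen on the wire (what you observed), and the gaps are the findings. The register, the MAC addresses, the zones and the dates are constructed for illustration; the end-of-life and ticket-expiry checks are the two “margin” cases the text calls out.

```python
"""Reconcile an authoritative asset register against what is actually seen on the network.

Constructed example: the register, the observed hosts and the dates below are invented
for illustration; they do not describe any real utility or product.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str                   # network zone the asset is approved to live in
    criticality: str            # "high" if it touches real-time control of quality or supply
    owner: str
    os_eol: Optional[date]      # vendor end-of-life date for the OS/firmware, if known
    ticket_end: Optional[date]  # supplier kit: last day its maintenance ticket allows it on site


@dataclass(frozen=True)
class Finding:
    kind: str
    mac: str
    detail: str


# Constructed register keyed by MAC address (hypothetical devices).
REGISTER: Dict[str, Asset] = {
    "00:1a:2b:00:00:01": Asset("plc-dosing-01", "ot-control", "high", "Ops", None, None),
    "00:1a:2b:00:00:02": Asset("hmi-ctrl-02", "ot-control", "high", "Ops", date(2020, 1, 14), None),
    "00:1a:2b:00:00:03": Asset("vendor-lt-acme", "ot-maint-dmz", "medium", "Acme Ltd", None, date(2025, 3, 2)),
    "00:1a:2b:00:00:04": Asset("scada-hist-01", "ot-control", "high", "Ops", None, None),
}

# Constructed observation, e.g. from a passive capture or switch MAC tables: (mac, ip, zone seen in).
OBSERVED: List[Tuple[str, str, str]] = [
    ("00:1a:2b:00:00:01", "10.20.1.11", "ot-control"),
    ("00:1a:2b:00:00:02", "10.20.1.12", "ot-control"),
    ("00:1a:2b:00:00:03", "10.20.1.40", "ot-control"),  # supplier laptop: wrong zone, ticket expired
    ("00:1a:2b:00:00:99", "10.20.1.77", "ot-control"),  # not in the register at all (a forgotten modem)
]

REVIEW_DATE = date(2025, 3, 10)


def reconcile(register: Dict[str, Asset],
              observed: List[Tuple[str, str, str]],
              today: date) -> List[Finding]:
    """Return the discrepancies between the register and what is on the wire."""
    findings: List[Finding] = []
    seen = set()
    for mac, ip, zone in observed:
        seen.add(mac)
        asset = register.get(mac)
        if asset is None:
            findings.append(Finding("unregistered", mac, f"{ip} seen in {zone}; no register entry"))
            continue
        if zone != asset.zone:
            findings.append(Finding("zone-mismatch", mac,
                                    f"{asset.name} approved for {asset.zone}, seen in {zone}"))
        if asset.os_eol is not None and asset.os_eol <= today:
            findings.append(Finding("eol-os", mac, f"{asset.name} OS end-of-life since {asset.os_eol}"))
        if asset.ticket_end is not None and asset.ticket_end < today:
            findings.append(Finding("supplier-overstay", mac,
                                    f"{asset.name} still connected; ticket ended {asset.ticket_end}"))
    # A high-criticality asset in the register but not on the network is also a finding:
    # either it is down, or the observation point does not cover it.
    for mac, asset in register.items():
        if mac not in seen and asset.criticality == "high":
            findings.append(Finding("missing", mac, f"{asset.name} not observed"))
    return findings


if __name__ == "__main__":
    for f in reconcile(REGISTER, OBSERVED, REVIEW_DATE):
        print(f"{f.kind:18} {f.mac}  {f.detail}")
```

Run it on a register export and a fresh observation and every finding is an evidence item for the register review: the `unregistered` and `supplier-overstay` kinds are exactly the orphaned devices a paper audit never sees.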

The boundary between in-house and supplier infrastructure is blurry; only mapped assets can be defended.

Controls by Criticality

If an asset touches real-time control of water quality or supply, expect the full suite: multi-factor authentication on every remote path, patch/maintenance logs, role-based privileged access, and encryption at rest where the platform supports it (SCADA Hacker).
Supplier assets inherit the same expectations. Over half of sector incidents arise from neglected third-party access (Water Security Journal). Evidence of privileged access reviews (who had access, when, and for how long) is fast becoming the single most scrutinised log.




Are Your Risk Assessments and Controls Fit for Water Utility Reality?

Risk management for the water sector must integrate cyber, operational, and environmental factors; one static “cyber register” leaves dangerous gaps. Floods, supply chain outages, chemical dosing malfunctions, and ransomware converge in ways old frameworks never anticipated (UK Government Guidance).

Visual: Integrating Risk Heatmaps

A living dashboard tracks the headwaters of risk: cyber events like malware on OT systems, environmental risks such as extreme weather, and operational threats from supplier outages. This lets you link every risk to a real, actionable control-with evidence backing up each decision.

In practice, auditors expect registers updated at least quarterly, and whenever a major event occurs. You must show that every risk is tied to at least one control and supporting evidence, traceable from trigger through to ongoing mitigation (McKinsey Water Sector Cyber).

Table – Traceability: Incident Trigger → Risk Update → Control/SoA Link → Evidence

Trigger (Example) | Risk Update | Control/SoA Link | Evidence Logged
OT ransomware detected | Add “malware disruption” risk | A.5.25 / A.8.7 | Incident report, risk log, RCA
Field device network alteration | Update “unauthorised access” risk | A.8.9 / A.8.22 | Change record, asset log
Supplier breach alert | Add “third-party risk” | A.5.20 / A.5.21 | Supplier SLA, notification log
Password sharing audit finding | Update “privileged credential risk” | A.5.17 / A.8.5 | Audit log, acknowledgement list
Missed water anomaly alert | Add “detection failure” risk | A.8.15 / A.8.16 | Incident record, config snapshot

Auditors want to see the real evidence chain. One missing link, or one risk updated “on paper” but not in the system, will quickly raise red flags.
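The chain in the table above can be checked mechanically. The following is an added example, not code from the page or from any product: it walks a small constructed risk register and reports each break in trigger → risk → control → evidence, including the “updated on paper” case (evidence dated before the event that raised the risk) and a control that the Statement of Applicability marks as not applicable. The risk identifiers, control choices, dates and the 90-day cadence are assumptions for illustration.

```python
"""Check that every risk is traceable: trigger -> risk -> applicable control -> dated evidence.

Constructed example: the register, SoA and dates are invented for illustration
and are not from any real utility.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Evidence:
    ref: str        # document or record identifier
    control: str    # Annex A control the record evidences
    dated: date


@dataclass
class Risk:
    risk_id: str
    title: str
    trigger: str
    trigger_date: date
    controls: List[str]
    evidence: List[Evidence] = field(default_factory=list)


# Constructed Statement of Applicability extract: control -> applicable in this ISMS?
SOA: Dict[str, bool] = {"A.5.21": True, "A.5.25": True, "A.8.7": True, "A.8.9": True, "A.8.22": False}

REGISTER: List[Risk] = [
    Risk("R-07", "Malware disruption of OT", "OT ransomware detected", date(2025, 1, 20),
         ["A.5.25", "A.8.7"],
         [Evidence("INC-2025-003", "A.5.25", date(2025, 1, 21)),
          Evidence("RCA-2025-003", "A.8.7", date(2025, 2, 3))]),
    Risk("R-12", "Unauthorised field device change", "Field device network alteration", date(2024, 11, 5),
         ["A.8.9", "A.8.22"],
         [Evidence("CHG-2024-118", "A.8.9", date(2024, 11, 6))]),
    Risk("R-15", "Third-party compromise", "Supplier breach alert", date(2025, 2, 14),
         ["A.5.21"],
         [Evidence("SUP-NOTIF-44", "A.5.21", date(2025, 2, 1))]),  # evidence older than the trigger
    Risk("R-19", "Detection failure", "Missed water anomaly alert", date(2025, 2, 28), [], []),
]

REVIEW_DATE = date(2025, 3, 10)


def validate(register: List[Risk], soa: Dict[str, bool], today: date,
             cadence_days: int = 90) -> List[Tuple[str, str]]:
    """Return (risk_id, problem) pairs for every break in the traceability chain."""
    findings: List[Tuple[str, str]] = []
    stale_before = today - timedelta(days=cadence_days)
    for risk in register:
        if not risk.controls:
            findings.append((risk.risk_id, "no-control"))
        for ctrl in risk.controls:
            if not soa.get(ctrl, False):
                findings.append((risk.risk_id, f"control-not-applicable:{ctrl}"))
            records = [e for e in risk.evidence if e.control == ctrl]
            if not records:
                findings.append((risk.risk_id, f"no-evidence:{ctrl}"))
                continue
            # "Updated on paper": the only evidence for the control predates the event that raised it.
            if all(e.dated < risk.trigger_date for e in records):
                findings.append((risk.risk_id, f"evidence-predates-trigger:{ctrl}"))
            # Nothing logged within the review cadence: the control may exist, but it is not being reviewed.
            if max(e.dated for e in records) < stale_before:
                findings.append((risk.risk_id, f"evidence-stale:{ctrl}"))
    return findings


if __name__ == "__main__":
    for risk_id, problem in validate(REGISTER, SOA, REVIEW_DATE):
        print(risk_id, problem)
```

Running the check as part of the quarterly review, rather than before the audit, is the point: an empty result is itself evidence that the register was reviewed on that date.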








What Are the Must-Have Incident Response and Continuity Controls?

Supplying water is a mission that tolerates zero ambiguity in incident reporting and response. Under NIS 2 (Article 23), a “significant incident” is one that has caused or can cause severe operational disruption or financial loss, or considerable damage to others; for a utility, that covers any event undermining supply, quality, or service continuity. You must send an early warning within 24 hours of becoming aware of it, a notification with an initial assessment of severity and impact within 72 hours, and a final report within one month (SC Magazine Europe).

Plans not tested in real time will fail when reality strikes.

Playbooks: Move from Policy to Action

Every water utility needs a response playbook for:

  • Ransomware and destructive malware
  • Field device lockdowns or OT system attacks
  • Supplier breaches impacting operational systems
  • Data integrity failures affecting water quality

For each scenario, your plan must document the team lead, reporting flow to authorities, preservation of digital evidence, and processes for learning and system improvement (Confidus Water Utilities Guide).
ISO 22301, the business continuity benchmark, is now requested by many auditors. Proven drills (logged exercises covering both IT and OT crises, not just tabletop scenarios) now count more than written plans (BSI ISO 22301).
Evidence is king: incident notifications, event logs, and post-incident reviews all form the compliance backbone (Waterscan).




How Do You Secure the Supply Chain and Third-Party Links Under NIS 2?

The digital perimeter of a water utility now extends far beyond your own systems. Vendors, contractors, and service providers all touch networked infrastructure, field equipment, or sensitive data-and every one is now within scope for NIS 2 (ENISA Supply Chain Recommendations).

Your procurement paperwork now acts as a control in its own right: auditors expect breach notice windows, audit rights, and cyber-specific obligations in every major supplier contract.

Modern contracts should require:

  • Prompt notification of cyber-security breaches (well inside 24 hours, so that you can still meet your own 24-hour early-warning deadline)
  • Audit rights for you and your regulators
  • Strong authentication for all supplier access
  • Logs for connected supplier endpoints
  • Supplier security compliance evidence

More than half of supply chain breaches come from unmanaged connectivity: VPNs, remote desktops, or insecure devices left online after a maintenance call (Water Security Journal).
Your incident response plan must explicitly include supplier-triggered events; contracts, logs, and collaboration workflows must prove that internal and external security controls align (CSO Online Supply Chain Controls; ContractWorks Cyber Clauses).
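The privileged access review called for in the Controls by Criticality section (who had access, when, and for how long) and the “device left online after a maintenance call” failure mode above are the same review run over the same data. The following is an added example, not code from the page or any product: it pairs start/end events from a constructed, hypothetical syslog-style VPN gateway log into sessions, checks each against the approved maintenance ticket window, and flags sessions with no ticket, sessions outside their window, and sessions still open at review time. Accounts, addresses, ticket numbers and the log layout are all assumptions.

```python
"""Review supplier remote-access sessions: who connected, to what, when, for how long, under which ticket.

Constructed example: the log lines, accounts, addresses and tickets are invented for
illustration; the log format is a hypothetical syslog-style layout, not any vendor's.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


def utc(stamp: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


# Constructed VPN gateway log (one session start/end per line).
VPN_LOG = """\
2025-03-01T08:55:12Z vpn-gw01 session=start user=acme-eng01 src=203.0.113.7 target=plc-dosing-01
2025-03-01T11:40:03Z vpn-gw01 session=end user=acme-eng01 src=203.0.113.7 target=plc-dosing-01
2025-03-03T22:15:44Z vpn-gw01 session=start user=acme-eng01 src=203.0.113.7 target=plc-dosing-01
2025-03-04T01:02:10Z vpn-gw01 session=end user=acme-eng01 src=203.0.113.7 target=plc-dosing-01
2025-03-06T09:10:00Z vpn-gw01 session=start user=hydro-svc src=198.51.100.22 target=hmi-ctrl-02
""".splitlines()

# Constructed approved maintenance windows: (user, target) -> [(ticket, window start, window end)].
TICKETS: Dict[Tuple[str, str], List[Tuple[str, datetime, datetime]]] = {
    ("acme-eng01", "plc-dosing-01"): [("MT-1042", utc("2025-03-01T08:00:00Z"), utc("2025-03-01T12:00:00Z"))],
}

REVIEW_TIME = utc("2025-03-07T00:00:00Z")

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ session=(?P<ev>start|end) user=(?P<user>\S+) src=(?P<src>\S+) target=(?P<target>\S+)$"
)


@dataclass
class SessionReview:
    user: str
    target: str
    src: str
    start: datetime
    end: Optional[datetime]   # None if the session was still open at review time
    duration: timedelta        # measured to the review time for open sessions
    issues: List[str] = field(default_factory=list)


def _assess(key, start, end, tickets, review_time) -> SessionReview:
    user, target, src = key
    effective_end = end if end is not None else review_time
    issues: List[str] = []
    windows = tickets.get((user, target), [])
    if not windows:
        issues.append("no-ticket")
    elif not any(w_start <= start and effective_end <= w_end for _, w_start, w_end in windows):
        issues.append("outside-window")
    if end is None:
        issues.append("still-open")
    return SessionReview(user, target, src, start, end, effective_end - start, issues)


def review_sessions(lines: List[str], tickets, review_time: datetime) -> List[SessionReview]:
    """Pair start/end events into sessions and check each against its maintenance ticket."""
    open_sessions: Dict[Tuple[str, str, str], datetime] = {}
    reviews: List[SessionReview] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real review should count these rather than drop them
        key = (m["user"], m["target"], m["src"])
        stamp = utc(m["ts"])
        if m["ev"] == "start":
            open_sessions[key] = stamp
        elif key in open_sessions:
            reviews.append(_assess(key, open_sessions.pop(key), stamp, tickets, review_time))
    # Anything without an end event is still connected: the "laptop left plugged in" case.
    for key, start in open_sessions.items():
        reviews.append(_assess(key, start, None, tickets, review_time))
    reviews.sort(key=lambda r: r.start)
    return reviews


def access_summary(reviews: List[SessionReview]) -> Dict[str, Tuple[int, int]]:
    """Per account: (number of sessions, total connected seconds); the 'who, when, how long' record."""
    summary: Dict[str, Tuple[int, int]] = {}
    for r in reviews:
        n, secs = summary.get(r.user, (0, 0))
        summary[r.user] = (n + 1, secs + int(r.duration.total_seconds()))
    return summary


if __name__ == "__main__":
    for r in review_sessions(VPN_LOG, TICKETS, REVIEW_TIME):
        print(r.user, r.target, r.start.isoformat(), str(r.duration), r.issues or "ok")
```

The open-session check is the one that matters most operationally: a session with no end event at review time is a live supplier path into the OT network, and the review output (account, target, start time, elapsed time) is exactly the artefact an auditor asks for.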








Can You Prove Your People, Training, and Security Culture Deliver Compliance?

One-time, box-ticked security training is no longer enough. Audit and regulator scrutiny zeroes in on “living” cyber awareness: documented, role-specific training, tracked by completion and regular assessment (CYBERWISER.eu Water Utilities Training).

Culture is proven by records, not intent.

Modern staff development for water utilities means:

  • Tailored modules for office, OT, and field roles
  • Automated completion and assessment tracking
  • Visible gap dashboards for management, accessible before audit day
  • HR–IT collaboration proofs: signed acknowledgements, assessment pass rates, scenario-based testing

An effective culture ensures staff connect the dots between a phishing test, an operational process, and water quality outcomes. Audit logs should tie successful prevention to specific training interventions, not generic “awareness modules” (Smart Water Magazine; Vakblad Civiele Techniek).




How Do You Prove and Improve Security Measures Over Time?

Resilience is not a static state; continuous improvement is now both a regulatory and operational expectation. Boards, IT, HR, and operational managers are all accountable for closing evidence gaps, addressing audit findings, and capturing lessons learned (ISC2).

Visual: KPI and Audit Dashboards in Action

Peer benchmarking, audit trail completeness, and control reviews are now standard. The utilities that pass audits fastest aren’t necessarily those with the most complex systems, but those who can tie every improvement or risk mitigation to a logged action and measured outcome (UK Water Industry Cyber-Security Forum).
Quarterly reviews, with KPIs on patch cadence, access reviews, incident closure timeframes, and training completion, anchor your improvement process (WaterWorld Audit Readiness).
Peer programmes lift all boats: utilities participating in benchmarking saw a 20% higher rate of passing initial NIS 2 audit reviews (Global Water Intelligence).
Control drift remains the most commonly cited sector risk (SecurityWeek Water Sector Control Drift). Tracked dashboards and regular management engagement are the most reliable remedies.

Collaboration multiplies resilience. Audit success is seldom solitary.




Move Beyond Compliance: Resilience Begins With ISMS.online Today

NIS 2 compliance is a journey, not a finish line. True resilience in water utility cyber-security arises not from paperwork, but from living systems, engaged staff, and continuous measurement.

ISMS.online supports you across this journey:

  • Out-of-the-box mapping from sector, NIS 2, and national requirements into everyday controls, evidence, and improvement cycles
  • Real-time dashboards displaying asset status, risk trends, training completion, supplier engagement, incident logs, and audit readiness
  • Integrated management of staff engagement, asset inventory, supplier control, and incident response, in one platform for the whole team
  • Rapid generation of audit and board reports, showing exactly where you stand and where to act next

(ISMS.online NIS 2 Solution)

Real resilience balances compliance, culture, and continuous action.

Utilities using ISMS.online consistently report:

  • 60+ hours saved per audit cycle
  • 25% faster incident response and closure
  • Board-ready compliance dashboards for investors, authorities, and peer benchmarks
  • Confidence that all team members, from the control room to the boardroom, engage with a living system, not a paperwork relic (SupplyChainDigital; WaterNews Compliance Stories)

Ready to move from compliance panic to operational resilience?
See how ISMS.online unites every part of your operation-team, board, and supply chain-in measurable, living security.



Frequently Asked Questions

Why is drinking water now considered critical infrastructure under NIS 2, and what makes cyber-security compliance uniquely difficult for this sector?

NIS 2 treats drinking water suppliers and distributors as an Annex I (“high criticality”) sector because threats to water supply directly endanger public health, safety, and social stability. Beyond the size thresholds, Article 2 also brings in small operators that are a sole provider or whose disruption could significantly affect public safety: operators that, until now, may have escaped regulatory focus. Water utilities must meet exacting legal standards: documented cyber risk management, continual operational resilience, and evidence-backed control of both IT and operational technology (OT). The sector faces a uniquely hazardous blend: OT systems, such as pumps and treatment controllers, often connect with older devices, remote field units, and vendor-supplied software, multiplying attack vectors.

A single weak password or forgotten remote login can let a digital attack cause physical harm: think contaminated supplies or system outages. The survey cited above found only 37% of utilities felt prepared for NIS 2, underscoring sector-wide readiness gaps. National regulators (like Germany’s BSI or France’s ANSSI) now audit water suppliers at every scale, with powers to demand evidence, impose fines, or hold executives accountable. As one water manager put it, “Cyber events make compliance a matter of survival, not mere bureaucracy.”

What does this mean for small suppliers?

Even a small operator can be squarely in scope: if your systems could influence supply or public safety, NIS 2 applies, and national authorities will enforce it.

What’s the most common technical gap?

Asset mapping: legacy PLCs, field devices, and vendor endpoints often escape IT oversight, leaving blind spots in compliance and security posture.


What new legal duties and board-level responsibilities do water utilities face under NIS 2?

Water utilities now have three core legal obligations: (1) ongoing, risk-proportionate cyber and operational resilience; (2) prompt incident detection, response, and regulatory notification; (3) continuous business continuity planning, with living documentation always ready for audit. Crucially, proportionality does not mean minimal action-controls must be explicitly tied to identified business/service risks, with justification and review. ENISA and sectoral guidance demand live evidence that OT systems (e.g., pumps, dosing equipment) receive the same scrutiny as IT. Particularly, secure remote access, supply chain asset onboarding, and real-time logging are expected.

NIS 2 raises the bar for board accountability: management bodies are named in Article 20, bearing direct legal responsibility for approving and overseeing the risk-management measures; gaps can result in personal and financial sanctions. Passive or “annual” documentation is now non-compliant; living logs, continuous engagement, and up-to-date evidence are required.

Boards can no longer wait for end-of-year reports; auditors and regulators expect oversight that’s active, real-time, and provable.

Which obligations trip organisations up most?

Failures in mapping controls to actual risk, outdated incident plans, missing evidence for process reviews, and limited executive involvement.

Has the bar for executive responsibility changed?

Dramatically: lack of ongoing engagement or absent documentation can result in fines or public sanction directed at specific individuals.


How should water utilities structure, update, and prove their asset inventories in line with NIS 2?

A NIS 2-compliant asset inventory must be dynamic, encompassing every IT device, OT endpoint, cloud platform, and all supply-chain-linked infrastructure. ENISA guidance expects each asset (from central SCADA servers down to remote PLCs and sensors) to be classified by its service criticality, process dependency, and external connectivity. Legacy devices, supplier-managed equipment, or remote credentials must be included; exclusion of any device constitutes a compliance and operational risk.

Quarterly updates are the practical minimum, with immediate refresh triggered after incidents, infrastructure changes, or new supplier integrations. Auditors routinely cross-reference asset inventories with procurement and maintenance records; any omission is a red flag. Systematic internal audits, particularly after near misses, are essential for operational and compliance assurance.

Comprehensive, living inventories aren’t paperwork; they’re your most effective control against invisible, growing risk.

How often must the asset register be reviewed?

Quarterly as a working standard, and always after major change, incidents, or integration of new devices/suppliers.

Why does supply chain mapping matter so much?

Over 60% of water sector cyberattacks trace back to unmanaged vendor devices or third-party connections; every asset with operational access must be visible and catalogued.


What distinguishes robust, NIS 2-aligned risk assessment and scenario analysis in the water sector?

Effective risk management in water utilities now requires an all-hazards approach, integrating cyber-security, physical threats, and environmental risk into a unified, frequently updated matrix. Threats must be scored by their technical severity, health impacts, business disruption potential, and reputational risk. ENISA and national water guidance encourage risk models that blend frontline, OT, and board perspectives, ensuring shared understanding and action.

Static, annual risk models will not satisfy auditors; quarterly review is the common expectation, with urgent updates after any incident or material change. Auditors expect clarity: every major risk must be mapped to named controls, with rationale, review history, and evidence logged. Unjustified mitigations or “gaps” between risk and control are a primary cause of failed audits.

Passing isn’t about documenting risk; it’s about showing how every real risk is continuously managed with a live, defensible control map.

Where do audit failures most often originate?

Exposed legacy OT assets, incomplete supplier vetting, and lack of behavioural testing for physical security or resilience scenarios.

What evidence is now routinely checked?

Logs showing risk identification, linked controls, rationale, review cycles, and evidence that actions have been taken and re-tested.


What sets incident response and continuity planning apart in high-performing water utilities under NIS 2?

Leaders in the sector can issue an early warning on any major operational/cyber incident within 24 hours, follow it with an assessed notification inside 72 hours, and deliver the final cause/remediation report within a month. Living incident registers, not static reports, log ransomware, OT sabotage, data integrity events, and vendor breaches in real time. ISO 22301 business continuity standards are the benchmark; regular live and table-top exercises (with vendors and authorities) are expected. A named incident contact, with a deputy, must be available and ready for both audits and live events.

Modern readiness means all plans specify dual, coordinated internal/vendor responsibilities. Active evidence, like exercise logs, incident documentation, and board review minutes, is required in audits. Lack of supplier participation in scenarios or missing role clarity is a new compliance trap.

Success is measured not just in plans, but in visible, rehearsed coordination; gaps are penalised regardless of whether an actual outage occurs.

Why is coordinated supplier response mandatory?

A delayed or absent vendor response, regardless of outcome, can trigger regulatory censure; NIS 2 treats both internal and vendor failures as compliance risks.

What documents do auditors most often request?

Up-to-date incident logs, exercise schedules, contact directories, and logs/minutes showing executive engagement.


How does NIS 2 transform supply chain and vendor security for the water sector?

NIS 2 mandates that water utilities include every device, connection, or service tied to a supplier in regular asset and risk reviews. You must log vendor assets, formalise breach notification timelines, and require audit rights and defined cyber controls in every contract; SLAs on their own are no longer sufficient. Both your own and your vendors’ incident protocols must generate auditable, time-stamped evidence.

The most common audit failings now stem from missing vendor infrastructure in asset maps, untracked shadow IT, and outdated access logs. High-performing utilities refresh vendor inventories quarterly, tie incident/response records to named assets, and maintain dual-path logs for every incident.

Your supply chain is now your compliance perimeter. Omission is risk; live mapping is non-negotiable.

What’s new in vendor incident evidence requirements?

You must now log both your response and your supplier’s, complete with timelines and resolution actions; gaps on either side threaten compliance.

Which reports carry the most audit weight?

Live asset/vendor inventories, incident and vendor action logs, signed contracts linking security obligations, and mapped controls updated in real time.


What training, role, and cultural requirements are new for water utilities under NIS 2?

NIS 2 expects regular (in practice, annual) role-specific cyber training for staff, contractors, and executives; Article 20 explicitly requires members of the management body to follow training and encourages entities to offer similar training to employees on a regular basis. Records of attendance, comprehension, and policy sign-off are the audit-ready evidence. Training isn’t just participation; it must prove understanding, often via assessment. HR and Security must jointly manage training content, ownership, and evidence logs; fragmented or siloed approaches yield audit failure. High performers leverage dashboards to track sign-off, monitor for gaps, and prioritise scenario-driven training aligned to real incidents and emerging threats. Field staff respond best to credible, event-based learning with tangible consequences.

Culture is proven not by intent, but by signed rosters and role alignment; resilience grows when every team member can act in a real incident.

How is training effectiveness measured?

Documentation must confirm that all staff are current and have completed assessed learning, especially those in critical operational roles.

Why is shared HR/Security accountability key?

Joint stewardship closes coverage gaps and delivers credible, gap-free evidence when the auditor or regulator asks.


How can water utilities prove and sustain continuous NIS 2 compliance and cyber resilience?

Passing an audit now means proving ongoing improvement with “living” metrics: quarterly patch closures, privilege reviews, incident drills, and up-to-date evidence dashboards. Leaders hold quarterly board reviews of compliance status and adapt quickly to lessons learned both internally and from sector alliances. Real-time audit readiness is vital; unannounced audits, document requests, and evidence sampling are routine.

Sustained resilience falters most from “drift”: compliance eroding after the spotlight fades. Fixes include scheduled self-checks, benchmarking with sector peers, and active leadership oversight.

Compliance is no longer static; resilience is hard-earned daily, with KPIs and evidence to match.

How is improvement operationalised and proved?

By holding regular internal reviews, benchmarking metrics to peers, and logging remediation or improvement actions formally.

Are real-time audits a growing reality?

Yes; regulators expect living, evidence-rich systems that react to threats and regulatory changes, not annual fire-drill documentation.


ISO 27001 / Annex A Bridge Table: Expectation to Operationalisation

Below, regulatory and operational actions for NIS 2 are linked to ISO 27001 references:

Expectation | Operationalisation | ISO 27001 / Annex A Reference
Live risk assessment | Quarterly, all asset types, multidimensional | Cl. 6.1.2, Cl. 8.2, A.5.7
Dynamic asset & supply chain map | Updated inventory incl. vendor endpoints | A.5.9, A.5.21
Rapid incident reporting (24 h early warning / 72 h notification) | Detailed log/trail, dual team–vendor record | A.5.24–A.5.27
Regular, role-specific training | Progress tracked, assessed, signed off | A.6.3, A.5.2, A.6.2
Board accountability | Quarterly board review, KPIs, oversight logs | Cl. 5.1, Cl. 9.3, A.5.4, A.5.36

Traceability Table: Trigger to Evidence

Trigger | Risk Update | Control / SoA | Evidence Logged
Vendor breach notification | Supply chain risk raised | A.5.21, A.5.22 | Incident report, vendor audit scan
New field device deployed | Asset scope expands | A.5.9, A.5.12 | Register, config log
Business continuity exercise | Updated plans rehearsed | A.5.29, A.5.30 | Drill record, logs
New/revised policy | Requirement applied, signed | A.5.1, A.6.3 | Staff sign-off, policy log


How does ISMS.online accelerate and support NIS 2 resilience for water utilities?

ISMS.online dramatically simplifies and accelerates compliance: pre-configured controls, automated evidence logs, dynamic asset registers, and board-ready dashboards. Onboarding is faster by up to 40%, and the daily work of audit prep, supply chain assurance, and staff training is unified in one platform. Practitioners routinely report 60+ hours saved per audit cycle, and no contractors or devices are left untracked. Supply chain risk is tamed: vendor logs and action records are mapped and evidenced, not managed in disconnected emails or spreadsheets. Across Europe, ISMS.online customers report zero missed notifications, 25% quicker incident remediation, and stronger executive engagement.

ISMS.online turns legal requirements into action, delivering daily resilience, never just compliance. That’s how sector leaders earn regulatory trust and safeguard public health.



Mark Sharron

Mark Sharron leads Search & Generative AI Strategy at ISMS.online. His focus is communicating how ISO 27001, ISO 42001 and SOC 2 work in practice: tying risk to controls, policies and evidence with audit-ready traceability. Mark partners with product and customer teams so this logic is embedded in workflows and web content, helping organisations understand and prove security, privacy and AI governance with confidence.
