Protecting critical infrastructure against cyberattacks is now a blend of engineering, governance, and proof. Incidents that touch energy, water, transport, healthcare, or digital public services are not fixed with antivirus alone: the impact is societal and economic, and attackers routinely combine stolen credentials, ransomware, and supply-chain leverage.

For teams already juggling sector regulation, customer audits, and expectations shaped by NIS2, the useful question is not whether an event will happen, but whether you can detect it, contain it, and demonstrate what you did and when. Below is an operational frame without fluff: what to prioritise first and how it maps to a credible ISMS.

Name what is “critical” in practice (and for whom)

Without inventory and ownership, everything looks urgent and nothing is. Start from essential functions: which service, if it fails, causes immediate harm or knocks down dependent systems.

Three decisions usually clarify scope:

  • Dependencies: which systems, applications, and networks enable that function, including interfaces with third parties.
  • OT versus IT: where office systems end and operational technology begins; many breaches exploit VPN credentials or poorly gated remote access.
  • Data and reputation: if personal data or regulatory notification is in play, the incident touches GDPR as well as continuity; treat it as more than a network ticket.

Treat this inventory as living: when vendors, integrations, or automation change, refresh the risk map at the same cadence.

Governance with evidence: policies that actually run

Cybersecurity for critical infrastructure is not a glossy policy deck. It is roles, approvals, and reviews with a record.

What usually signals maturity:

  • A risk or security committee that decides exceptions (ports, emergency access, cloud integrations) with traceability.
  • Periodic tests: incident tabletops, selective restoration, backup isolation away from a compromised domain.
  • Simple metrics: indicative mean time to detect and mean time to respond (MTTD/MTTR), share of assets patched inside the agreed window, MFA coverage on sensitive accounts.

Without a habit of evidence, auditors and supervisors do not buy narratives; they buy coherent records that match what your manuals claim.

Architecture: segmentation, identity, and exposed surface

For essential services, segmentation is not fashion: it shrinks blast radius when a workstation or a PLC is compromised. Pair network segmentation with strong identity controls (MFA, time-bound privileged accounts, vendor access reviews).

Also monitor external exposure: unknown published services, open RDP, cloud shares without lifecycle limits, or APIs without rate limits. A quarterly surface inventory pays off on the first shadow-IT sweep.

Where ISO/IEC 27001 is your corporate baseline, the ISMS already supplies roles, risk treatment, and continuous improvement; the trick is to write controls in plant and operations language, not only headquarters prose.

Supply chain and operators: measured trust

Recent incidents remind us that a poorly governed trusted third party is an entry point. Clear contracts, access reviews, software bill of materials (SBOM) expectations, and coordinated change windows reduce surprises.

For organisations within the scope of EU network and services regulation, the thread tying incident management, cooperation with authorities, and vendor requirements is already part of the NIS2 package; ENISA’s guidance helps align criteria with agency expectations.

Incident response and continuity: less heroics, more script

A useful plan names who decides, what shuts down first, how evidence is preserved, and what is communicated to customers or regulators without improvising mid-crisis.

Patterns we see in strong programmes:

  • A crisis team with backups for each role and 24/7 contacts where required.
  • Staged containment: stop lateral movement before cutting services that could affect physical safety.
  • Communications: pre-approved templates with legal and leadership sign-off; consistency across technical, regulatory, and reputational lines.
  • A mandatory post-incident review: lessons with owners, not just a PDF on a shelf.

The NIS2 directive text stresses cooperation and early notification when incidents have material impact; preparing channels and thresholds up front cuts friction when time is short.

What Privalex offers (and how it fits critical infrastructure)

PrivaLex is a consultancy focused on certifications, regulatory compliance, and data protection—not a generic law firm or an agency shop. We help executives, CISOs, and compliance owners translate law and market expectations into measurable controls and sustainable audits.

In regulated sectors we typically run the programmes that intersect with critical assets: NIS2, DORA where finance applies, ENS for public sector contexts, ISO 27001 / ISO 27701 for ISMS and operational privacy, SOC 2-style reporting when contracts demand it, and AI Act / ISO 42001 when automated systems sit in sensitive processes. Team training and initial gap assessments belong to the same story so that policies do not float above the operation.

If you want to close the loop with evidence and priorities, start with a free risk assessment and, when you are ready to align scope and timing, book a strategic session with the team.

Frequently asked questions

An ISO 27001-based ISMS is an excellent foundation for organising risks and evidence, but sector and country add further layers: sector-specific regulation, supervisory requirements and, in many cases, stricter expectations around OT isolation, continuity and third-party management than the standard’s minimum. For sectors under NIS2 or ENS, ISO 27001 covers a large part of the journey but does not replace those frameworks.

Not always. The NIS2 Directive works with sector categories and thresholds; the specific application depends on national transposition and designation criteria. The conservative reading is: if you operate in essential or highly interconnected sectors, verify with specialist advice whether you fall within scope. In Spain, transposition is still under parliamentary procedure — INCIBE-CERT and CCN-CERT already operate as reference CSIRTs.

Technically it can be the same event; what changes is the impact, scope and the supervisor’s criteria. Under NIS2, an incident with significant impact on service delivery triggers the obligation of an early warning within 24 hours and a formal notification within 72 hours. That is why it is important to define internal thresholds aligned with the applicable regulation and the communication channel with the authority before the clock starts running.

At a minimum whenever the architecture, a vendor with sensitive access or a relevant threat model changes (for example, a newly documented attack vector in your sector). Many teams link this to the ISMS review cycle or the annual risk analysis. ENISA guidance for essential sectors recommends treating the inventory as a live document, not a static one.

In the dependency map, with their own patching and maintenance rules that respect physical safety and continuity. The key is to document OT–IT interfaces and compensating controls when you cannot apply the same patching cycle as in the office environment. Reference frameworks such as IEC 62443 provide the specific security levels for industrial automation environments that complement what ISO 27001 covers at the organisational level.
