Passing an OT Audit: What auditors really want to see in your production

16. June 2026

The auditor is coming – and you don’t know where to start

Imagine: an audit is announced for the coming month. NIS2 compliance is being assessed. Your IT manager signals confidence: IT is well positioned. Then the follow-up question comes: "What about your OT systems? PLCs, HMIs, robots?"

Short silence.

This is exactly where the real challenge begins for many manufacturing companies. While IT security has been implemented in a structured manner for years, OT security – i.e. the protection of production systems – often remains incomplete.

This is currently changing fundamentally.


What NIS2 requires from manufacturing companies

NIS2 is an EU directive that each member state transposes into national law; the implementation law has been in force since October 6, 2025. It affects, among others, companies with at least 50 employees or more than 10 million euros in annual revenue, across a total of 18 sectors, including the manufacturing industry.

The central requirements include:

  • Backup and recovery: A documented and regularly tested backup concept for all critical systems is mandatory.
  • Change management: Changes to production systems must be traceably documented.
  • Recovery tests: Backups must be regularly tested for their restorability.
  • Integrity checks: Backups must be checked for completeness and correctness at fixed intervals.
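The integrity-check and recovery-test requirements above are stated only as obligations. The following added example (written for this page, not code from eguide4DATA) shows what a verifiable check looks like in practice: a manifest with per-file SHA-256 hashes is written when a backup is taken, and a later verification run reports missing, modified and unrecorded files as one timestamped JSON line, which is the kind of log evidence an auditor asks for. The directory layout, the asset name PLC-01 and the file contents are constructed for illustration.

```python
"""Backup integrity manifest and verification for OT asset backups.

Constructed example (not eguide4DATA code): the backup directory layout,
asset names and file contents below are assumptions for illustration.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large PLC/HMI images are not loaded into RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _relative_files(backup_dir: Path) -> dict:
    """Map POSIX-style relative paths to absolute paths for every file in the backup."""
    return {p.relative_to(backup_dir).as_posix(): p
            for p in sorted(backup_dir.rglob("*")) if p.is_file()}


def build_manifest(backup_dir: Path, asset: str) -> dict:
    """Record what a backup contained at creation time: per-file hash and size plus a UTC timestamp."""
    return {
        "asset": asset,
        "created_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "files": {rel: {"sha256": sha256_file(p), "size": p.stat().st_size}
                  for rel, p in _relative_files(backup_dir).items()},
    }


def verify_manifest(backup_dir: Path, manifest: dict) -> dict:
    """Integrity check: every recorded file must exist with its recorded hash (correctness),
    and no unrecorded file may appear (completeness of the record)."""
    present = _relative_files(backup_dir)
    missing, modified = [], []
    for rel, meta in manifest["files"].items():
        if rel not in present:
            missing.append(rel)
        elif sha256_file(present[rel]) != meta["sha256"]:
            modified.append(rel)
    extra = sorted(set(present) - set(manifest["files"]))
    return {
        "asset": manifest["asset"],
        "checked_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "missing": missing,
        "modified": modified,
        "extra": extra,
        "ok": not (missing or modified or extra),
    }


def audit_log_line(result: dict) -> str:
    """One JSON line per check: the timestamped evidence an auditor asks for."""
    return json.dumps(result, sort_keys=True)


def demo() -> dict:
    """Run the check on a constructed backup, then on a tampered copy of it."""
    root = Path(tempfile.mkdtemp(prefix="ot-backup-"))
    try:
        backup = root / "plc01"
        backup.mkdir()
        (backup / "program.xml").write_bytes(b"<project name='line3_press'/>")  # constructed
        (backup / "hmi_config.bin").write_bytes(bytes(range(64)))              # constructed
        manifest = build_manifest(backup, asset="PLC-01")  # hypothetical asset name
        clean = verify_manifest(backup, manifest)

        # Simulate silent corruption, loss and an unrecorded file on the backup share.
        (backup / "program.xml").write_bytes(b"<project name='line3_press' modified='1'/>")
        (backup / "hmi_config.bin").unlink()
        (backup / "notes.txt").write_bytes(b"left behind by a technician")  # constructed
        tampered = verify_manifest(backup, manifest)
        return {"clean": clean, "tampered": tampered,
                "log": [audit_log_line(clean), audit_log_line(tampered)]}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for line in demo()["log"]:
        print(line)
```

The manifest itself should be stored separately from the backup (or signed), otherwise an attacker or a faulty process that can alter the backup can alter the record as well; a hash mismatch in the verification log is then the restore test's first signal that the copy on the share is not what was taken from the controller.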

The 5 most common deficiencies in OT audits

In practice, the same weaknesses appear again and again:

Deficiency 1: Incomplete inventory list of OT assets

Auditors start with the question: “Which systems do you operate?” An outdated Excel list is not a reliable basis.

Deficiency 2: Missing recovery tests

Existing backups alone are not sufficient. The decisive factor is proof of regular restore tests.

Deficiency 3: Changes without documentation

Adjustments to PLCs or other systems are often made in day-to-day operation without being logged. In an audit, this is assessed critically.

Deficiency 4: IT backup without OT coverage

While IT systems are usually backed up, corresponding concepts for OT components such as controllers, HMIs or robots are missing.

Deficiency 5: Unclear responsibilities

If it is not clearly defined who is responsible for OT data backup, this is considered a structural deficiency.


What auditors specifically want to see

Good preparation means having relevant evidence structured and available:

Auditor's question                Required evidence
Are backups created regularly?    Automatically generated backup logs with timestamps
Are backups tested?               Documented restore tests with date and result
Are changes traceable?            Version history with user, timestamp and comment
Who is responsible?               Documented responsibilities

With eguide4DATA, this evidence is not compiled manually but is generated automatically during ongoing operation. Backup logs, version histories and change logs are available at any time.

Experience eguide4DATA in action without obligation

In a personal demo, we show you how eguide4DATA secures your OT infrastructure - tailored to your production environment and requirements.

FAQ: Audit

Who conducts an OT security audit?

Depending on the industry and context, audits are carried out by BSI-accredited auditors, certification bodies (e.g. ISO 27001, IEC 62443), industry associations or internal audits. In the context of NIS2, regulatory inspections are also possible.

Can the preparation be carried out internally, or is external support necessary?

In principle, both are possible. With eguide4DATA, the technical basis is available internally. For organizational and legal aspects, additional external advice is recommended for more complex structures.
