Why most articles about IEC 62443 are the problem
Enter “IEC 62443” into a search engine. What you get: standard texts, consulting services with five‑figure budgets, and articles full of acronyms that assume you are a standards expert.
What production managers actually need: a clear answer to the question “What do I need to do now?”
That is the purpose of this article.
What IEC 62443 actually is
IEC 62443 is an international family of standards for cybersecurity in industrial automation and control systems (IACS). It was specifically developed for the challenges of the OT world—environments where availability takes priority over confidentiality and where systems cannot simply be taken offline for a reboot.
The standard consists of multiple parts that cover different aspects: from security policies and system architecture to concrete requirements for individual components.
To get started, you do not need to understand all parts. What matters: the core principles.
The core principles relevant to you
Principle 1: Zones and Conduits
IEC 62443 recommends dividing OT networks into security zones. Less critical areas are separated from highly critical areas. Transitions between zones are controlled.
In practice, this means: Not every device in the plant needs to be accessible from the same network segment. PLCs and critical control systems should be in a separate segment.
Principle 2: Security Levels
IEC 62443 defines security levels (SL 1–4), which indicate which types of attackers a system should be protected against. Most manufacturing companies should initially aim for SL 1 or SL 2—this corresponds to protection against unintentional errors (SL 1) and against deliberate attacks without special resources (SL 2).
Principle 3: Data Backup and Recovery
IEC 62443 makes backup and recovery an explicit security element. Backups must be created regularly, checked for integrity, and tested for restorability. Sounds familiar? It is—because NIS2 has the same requirements, and IEC 62443 is considered a reference standard for implementation.
Principle 4: Change Management
Every change to a critical OT system must be documented, approved, and traceable. Unauthorized changes must be detected and logged.
The mapping: NIS2 ↔ IEC 62443 ↔ eguide4DATA
| Requirement | NIS2 | IEC 62443 | eguide4DATA |
|---|---|---|---|
| Regular backups | Art. 21 (2) c | SL 1: Backup processes (62443-2-1) | Automatic backups of all OT systems |
| Integrity verification | Art. 21 (2) c | SL 2: Verification processes (62443-3-3) | Automatic comparison of target vs. actual state |
| Recovery testing | Art. 21 (2) c | SL 2: Recovery tests (62443-2-1) | Restore documentation with timestamp |
| Change log | Art. 21 (2) e | SL 2: Change management (62443-2-1) | Versioning with user, time, comment |
| Asset inventory | Art. 21 (2) a | SL 1: Inventory (62443-2-1) | Central asset management of all OT systems |
The first concrete step: The OT inventory
Before you can talk about security zones, security levels, or compliance, you need a complete list of all OT assets.
That sounds trivial. It isn’t.
In practice, many production environments contain systems that have not been inventoried for years. Old controllers that somehow still run. Remote accesses that were set up once and never disabled. Systems that were supposed to be replaced but are still in operation.
The OT inventory is the starting point for everything else. eguide4DATA starts exactly here—with the automated detection of all known OT systems and their current states.
See eguide4DATA in action—no obligation?
In a personal demo, we show you how eguide4DATA secures your OT infrastructure—tailored to your machinery and your requirements.
FAQ: IEC 62443 & OT Security
Do I need formal IEC 62443 certification?
Certification according to IEC 62443 is voluntary – unless your industry or a client explicitly requires it. NIS2 refers to IEC 62443 as a reference standard but does not mandate formal certification.
What is the difference between NIS2 and IEC 62443?
NIS2 is an EU directive that defines legal requirements. IEC 62443 is a technical standard that explains how to implement these requirements in OT practice. Both complement each other.
Can eguide4DATA cover full IEC 62443 compliance?
eguide4DATA addresses security-relevant areas such as backup, versioning, change management, and inventory. Full IEC 62443 compliance also requires network architecture, access management, and additional measures.
Which parts of IEC 62443 are most relevant for SMEs?
For manufacturing companies without a specialized security department, IEC 62443-2-1 (security management) and IEC 62443-3-3 (system requirements) are the most practical entry points.



