NIS2 Annex.I.6: Water and Wastewater Sector Cybersecurity Requirements
What This Control Requires
Annex I identifies drinking water supply and distribution (suppliers and distributors of water intended for human consumption as defined in Directive (EU) 2020/2184) and waste water collection, disposal and treatment (undertakings collecting, disposing of, or treating urban waste water, domestic waste water or industrial waste water).
In Plain Language
Safe drinking water is something people take for granted - until a cyber attack tampers with chemical dosing at a treatment plant or shuts down distribution to a city. That is why NIS2 classifies the water sector, covering both drinking water and wastewater, as highly critical.
Water utilities depend heavily on SCADA and industrial control systems for treatment processes, distribution management, and quality monitoring. These systems control operations like chemical dosing, pressure management, and biological treatment. An attacker who manipulates these parameters can create real public health and environmental hazards.
The practical challenge in this sector is that many water utilities are smaller municipal entities with tight IT budgets and limited cybersecurity staff. NIS2 does not make exceptions for resource constraints - all in-scope entities must implement appropriate measures. Smaller utilities need to get creative with shared services, managed security providers, or sector support programmes to close the gap.
How to Implement
Focus first on the operational technology that controls water treatment and distribution. Segment IT and OT networks properly, paying particular attention to SCADA systems managing chemical dosing, distribution pressure and flow controls, water quality monitoring, and remote telemetry units (RTUs) at distributed sites.
Deploy monitoring built for water sector OT environments. Detect anomalous changes to treatment parameters - unexpected shifts in chemical dosing rates, pH levels, or chlorine concentrations could signal tampering. Flag unusual patterns in distribution network operations.
Lock down remote access to distributed infrastructure. Water utilities typically have hundreds of remote sites (pumping stations, reservoirs, treatment works) connected over wide-area networks. Use encrypted VPN connections, enforce MFA for all remote access, and log every remote session.
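As an added example (not code from the original page or from AuditFront), the following Python sketches the treatment-parameter monitoring and remote-session correlation the two paragraphs above call for: it parses constructed setpoint-change log lines, flags values outside a process envelope or changed in an oversized step, checks the writing host against an allow-list, and marks changes made while a VPN session was open on that host. Parameter names, envelope values, host names and the log format are all assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime

# Operating envelope (min, max) and maximum single-step change per parameter.
# Constructed illustrative values; a utility takes these from its process engineers.
ENVELOPES = {
    "chlorine_dose_mg_l": (0.5, 2.0, 0.3),
    "ph_setpoint": (6.5, 8.5, 0.5),
}
# Hosts permitted to write setpoints (constructed names).
ALLOWED_WRITERS = {"eng-ws-01", "hmi-plant-a"}

@dataclass
class Change:
    ts: datetime
    host: str
    param: str
    old: float
    new: float

def parse(line: str) -> Change:
    """Parse one constructed change-log line: '<iso-ts> host=.. param=.. old=.. new=..'."""
    ts, *kv = line.split()
    f = dict(p.split("=", 1) for p in kv)
    return Change(datetime.fromisoformat(ts), f["host"], f["param"], float(f["old"]), float(f["new"]))

def assess(c: Change, sessions: list[tuple[str, datetime, datetime]]) -> list[str]:
    """Return the reasons a change needs review; an empty list means it is within policy."""
    reasons = []
    lo, hi, max_step = ENVELOPES[c.param]
    if not lo <= c.new <= hi:
        reasons.append(f"{c.param}={c.new} outside envelope [{lo}, {hi}]")
    if abs(c.new - c.old) > max_step:
        reasons.append(f"step {abs(c.new - c.old):.2f} exceeds max step {max_step}")
    if c.host not in ALLOWED_WRITERS:
        reasons.append(f"write from unexpected host {c.host}")
    # Correlate with the remote-session log so setpoint writes made over VPN get a human look.
    if any(h == c.host and s <= c.ts <= e for h, s, e in sessions):
        reasons.append(f"change made during remote session on {c.host}")
    return reasons

def review(log: str, sessions: list[tuple[str, datetime, datetime]]) -> list[list[str]]:
    """Assess every non-empty line of a change log; one reason list per line, in order."""
    return [assess(parse(l), sessions) for l in log.splitlines() if l.strip()]

# Constructed sample data: three setpoint changes and one VPN session on the engineering workstation.
LOG = """\
2024-05-01T09:00:00 host=hmi-plant-a param=chlorine_dose_mg_l old=1.2 new=1.3
2024-05-01T02:14:00 host=eng-ws-01 param=chlorine_dose_mg_l old=1.3 new=4.0
2024-05-01T02:20:00 host=contractor-lt param=ph_setpoint old=7.2 new=7.1
"""
SESSIONS = [("eng-ws-01", datetime(2024, 5, 1, 2, 0), datetime(2024, 5, 1, 3, 0))]
```

Running `review(LOG, SESSIONS)` leaves the daytime HMI adjustment unflagged, attaches three reasons to the night-time chlorine jump made over VPN, and one reason to the write from the unlisted contractor laptop.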
Write incident response procedures tailored to water sector scenarios. Cover how to verify water quality when SCADA integrity is in doubt, isolation steps for potentially compromised treatment processes, communication with public health authorities and consumers, manual operation fallbacks during cyber incidents, and coordination with environmental regulators for wastewater events.
Treat physical security as a cybersecurity concern. Many water assets sit in remote, minimally staffed locations where physical access to equipment can enable cyber attacks just as easily as a network intrusion. Run combined physical-cyber security assessments.
If your utility has limited internal resources, explore shared cybersecurity services. Sector-specific managed security providers, shared SOC arrangements with neighbouring utilities, and government-provided cybersecurity support can help smaller organisations reach an adequate security level without building everything in-house.
Meet sector-specific obligations under the Drinking Water Directive (EU) 2020/2184, particularly its requirements for digital system security and risk assessment.
Evidence Your Auditor Will Request
- OT network architecture for water treatment and distribution systems
- Water sector-specific incident response procedures
- Remote access security configuration and monitoring records
- Physical-cyber security assessment of distributed infrastructure
- Compliance with Drinking Water Directive risk assessment requirements
Common Mistakes
- SCADA systems accessible from corporate networks or the internet without adequate controls
- Remote sites connected via unencrypted or poorly secured telemetry links
- No monitoring of treatment parameter changes for potential cyber manipulation
- Inadequate physical security of remote water infrastructure
- Limited cybersecurity staff and budget leading to fundamental gaps in coverage
Frequently Asked Questions
Are small municipal water utilities in scope?
How can resource-constrained water utilities achieve compliance?