Definition

ISA/IEC 62443

An international standards series for securing Industrial Automation and Control Systems. Widely adopted in manufacturing and critical infrastructure as the framework for OT security program design.

What is ISA/IEC 62443?

ISA/IEC 62443 is a series of international standards developed by the International Society of Automation (ISA) and adopted by the International Electrotechnical Commission (IEC) as the authoritative framework for securing Industrial Automation and Control Systems (IACS). The standards address security across the full IACS ecosystem: product development (for vendors), system integration (for integrators), and operational security management (for asset owners).

The standard is organized around a maturity-based approach using Security Levels (SL 1–4) that define increasing degrees of protection against increasingly sophisticated threats. SL 1 addresses protection against casual or unintentional violations; SL 4 addresses protection against state-sponsored attacks using sophisticated, extended resources. Organizations assess their current security level and target security level for each zone within their environment.

ISA/IEC 62443 is distinct from IT-focused frameworks in its explicit recognition of OT operational constraints. It defines requirements that can be met through compensating controls when direct implementation is impractical — acknowledging that patching, authentication, and encryption requirements cannot always be met by legacy industrial devices. This makes it the most operationally realistic framework for organizations with significant OT environments.

Key Facts

  • ISA/IEC 62443 is the most widely adopted ICS security standard globally, used in manufacturing, energy, water, and process industries
  • The standard covers vendors, integrators, and asset owners — creating requirements across the full OT supply chain
  • ISA/IEC 62443 is referenced in CISA guidance, DOE cybersecurity guidelines, and EU NIS2 directive implementation
  • Security Level 2 (SL 2), protection against intentional violation, is the target for most operational OT environments

How ORDR Addresses ISA/IEC 62443

ORDR maps its asset inventory, vulnerability assessment, and policy management capabilities directly to ISA/IEC 62443 requirements, supporting compliance reporting for asset owners and system integrators. ORDR's zone and conduit modeling aligns with the ISA/IEC 62443 network architecture requirements, and its policy automation capabilities help achieve the access control and monitoring requirements across security levels.
