NIS2, cyber insurance, and the new OT compliance landscape for building operators


Jan 25, 2026


TL;DR

  • For years, building security was optional. Facility managers knew their systems were connected, but there was no regulatory or commercial pressure to secure them. That is changing rapidly. 

  • NIS2 expands cybersecurity regulation to sectors that operate connected buildings and the service providers that support them. Cyber insurers now require evidence of OT security controls. Enterprise tenants increasingly demand proof of building security as part of due diligence. 

  • Building operators must now demonstrate OT visibility, monitoring, vulnerability management, reporting, and incident response capability. 

  • For MSPs, this creates a major opportunity. Compliance pressure turns OT security from a discretionary project into a mandatory requirement, and positions MSPs as trusted compliance and risk partners. 

The shift from optional security to mandatory compliance 

For years, building security was a nice-to-have. Facility managers knew their systems were connected, but the pressure to do something about it was abstract. No regulation required it. Insurance did not ask about it. Tenants did not mention it. That is changing. Fast.  

For MSPs advising building operators, understanding the landscape is essential.  

Why was building OT security historically ignored? 

For decades, building systems lived in a grey zone. 

  • They were connected 

  • They were remotely accessible 

  • They controlled critical physical processes 

But no regulation required cybersecurity controls. Insurance did not ask about them. Tenants did not demand evidence.

Security was treated as a technical concern rather than a governance issue. That era is over. 

What has changed? 

Three forces are converging to make OT security mandatory rather than optional: 

The new compliance environment 

  • Regulatory enforcement 

  • Cyber insurance underwriting pressure 

  • Tenant security due diligence 

Together, they are turning OT security into a board-level risk.

For building operators, this is no longer about best practice; it is about meeting obligations.

NIS2 and building operators 

What is NIS2? 

The Network and Information Security Directive 2 (NIS2) is the European Union’s updated cybersecurity regulation framework. 

It came into force in October 2024 and dramatically expands: 

  • The number of organisations in scope 

  • The accountability of senior leadership 

  • The penalties for non-compliance 

NIS2 moves cybersecurity from an IT issue to a corporate governance obligation. 

Why does NIS2 apply to building operators? 

NIS2 explicitly covers essential and important entities, including sectors such as: 

  • Energy 

  • Healthcare 

  • Transport 

  • Waste management 

  • Manufacturing 

  • Food production 

  • Digital infrastructure 

  • Public administration 

All of these sectors operate in connected buildings, so the building itself becomes part of their compliance surface. 

When do building operators fall into scope? 

Building operators may fall into scope in several ways: 

Direct sector inclusion 

If the operator itself provides services in an essential or important sector. 

Supply chain inclusion 

If the operator provides building services to organisations that are in scope. 

Hospitals, energy companies, government facilities, and critical infrastructure all rely on building management providers. Under NIS2, service providers become part of the regulated ecosystem. 

What are the penalties? 

NIS2 introduces real enforcement: 

  • Fines up to €10 million or 2% of global turnover 

  • Personal liability for senior management 

  • Mandatory incident reporting 

  • Regulatory audits 

For European building operators, OT security is now a compliance requirement. 

Cyber insurance is changing 

Why insurers now care about OT security 

Cyber insurers have absorbed billions in ransomware losses. 

They have responded by tightening underwriting and demanding evidence of real security controls. 

The old model (firewalls and antivirus) is no longer sufficient. 

What are insurers now asking? 

Modern cyber insurance applications increasingly include: 

OT security questions 

  • Is there network segmentation between IT and OT systems? 

  • Are building management systems monitored? 

  • Are connected devices inventoried and assessed for vulnerabilities? 

  • Does incident response include OT systems? 

  • Is there visibility into industrial protocols? 

These are no longer theoretical questions. They directly affect policy terms. 

What happens if operators cannot answer? 

Building operators that fail underwriting face: 

  • Higher premiums 

  • Coverage exclusions 

  • Reduced limits 

  • Denied policies 

Some insurers now explicitly exclude losses caused by unmonitored OT systems. 

If a building management system is encrypted by ransomware and no monitoring was in place, the claim may be rejected.

Cyber insurance has become a compliance test. 

Tenant due diligence is raising the bar 

Why tenants now assess building security 

Enterprise tenants operate under their own regulatory and insurance obligations. 

They must assess the security posture of their suppliers, partners, and landlords. 

The building itself is now considered part of their operational risk. 

What tenants are asking 

Large tenants increasingly ask building operators: 

Security governance questions 

  • What monitoring covers building systems? 

  • How are building networks segmented from tenant networks? 

  • What incident response procedures exist for building system compromise? 

  • Can you provide vulnerability management evidence? 

  • How is access to building systems controlled?

These questions influence leasing decisions. 

Security is becoming a commercial differentiator. 

The compliance frameworks shaping OT security 

Which frameworks apply to building OT environments? 

Several frameworks now guide OT security for regulated environments. 

IEC 62443 

The international standard for industrial automation and control system security. 

What it provides 

  • Architecture guidance for secure OT networks 

  • Secure system design principles 

  • Operational security processes 

  • Vendor security requirements 

IEC 62443 is increasingly referenced by regulators and insurers as the OT security benchmark. 

NIST Cybersecurity Framework 

The NIST CSF now includes OT-specific guidance. 

Why it matters 

  • Risk-based security approach 

  • Mapped to regulatory requirements 

  • Well understood by auditors and insurers 

  • Supports portfolio-wide risk management 

ISO 27001 

The information security management standard. 

Why OT is now included 

Recent updates acknowledge that OT environments are part of organisational information systems. 

Organisations with ISO 27001 certification increasingly need to extend scope to include building systems. 

Cyber Essentials (UK) 

The UK government baseline security scheme. 

While still IT-focused, its principles increasingly apply to connected buildings, and future updates are expected to include OT. 

What building operators now need 

To satisfy regulators, insurers, and tenants, building operators must demonstrate five core capabilities. 

  1. Visibility 

Know what is connected. 

Required controls 

  • Full device inventory 

  • Identification of building controllers and systems 

  • Protocol awareness (BACnet, Modbus, OPC-UA, KNX, LonWorks) 

  • Asset ownership and responsibility mapping 

You cannot secure what you cannot see. 

  2. Monitoring

Watch building systems continuously. 

Required controls 

  • Network traffic analysis 

  • Protocol-aware anomaly detection 

  • Detection of unusual commands 

  • Monitoring of remote access 

  • Alerting on suspicious behaviour 

Insurers now expect 24/7 OT monitoring.

  3. Vulnerability management

Find weaknesses before attackers do. 

Required controls 

  • Vulnerability discovery for OT devices 

  • Risk-based prioritisation 

  • Remediation tracking 

  • Compensating controls for legacy systems 

OT vulnerabilities persist for years if unmanaged. 

  4. Reporting

Produce compliance evidence. 

Required outputs 

  • Asset inventories 

  • Monitoring coverage reports 

  • Vulnerability assessment reports 

  • Control mapping to frameworks 

  • Incident response documentation 

Auditors, insurers, and tenants all expect proof. 

  5. Response capability

Be prepared for OT incidents. 

Required controls 

  • OT-inclusive incident response plan 

  • Escalation procedures 

  • Communications playbooks 

  • Technical response capability 

  • Regulatory reporting readiness 

OT incidents now trigger regulatory scrutiny. 

The MSP opportunity 

For MSPs, the compliance pressure on building operators creates opportunity.  

MSPs who can deliver OT security with compliance-ready reporting become valuable partners. You are not selling security for its own sake. You are helping clients meet obligations they cannot avoid.  

Why compliance pressure creates demand 

Building operators are not cybersecurity experts. 

They need partners who can translate regulation into operational controls and turn frameworks into real-world security. 

This is where MSPs become strategic partners.

How the conversation changes 

Old conversation
“You should probably think about building security.” 

New conversation
“Here is how we help you meet your NIS2 obligations and keep your insurance.” 

Compliance turns security into a business requirement. 

Why OT compliance is a growth market for MSPs 

Market dynamics 

  • Regulatory enforcement is increasing 

  • Insurance underwriting is tightening 

  • Tenant scrutiny is rising 

  • OT attack frequency is growing 

  • Building systems are increasingly connected 

Security spending follows compliance. 

How enhanced.io supports OT compliance 

At enhanced.io, our platform is built for compliance-driven security. 

Framework-aligned reporting 

We provide reporting mapped to:

  • NIS2 

  • IEC 62443 

  • NIST CSF 

  • ISO 27001 

  • Cyber Essentials 

Our reports produce evidence that auditors and insurers accept. 

Continuous OT monitoring 

We deliver:

  • 24/7 monitoring of building systems 

  • Protocol-aware anomaly detection 

  • Network behaviour analysis 

  • Remote access monitoring 

This satisfies modern insurance requirements for OT visibility. 

Vulnerability management 

We provide:

  • Continuous vulnerability discovery 

  • Risk-based prioritisation 

  • Remediation tracking 

  • Executive reporting 

This demonstrates active risk management. 

Fractional security director 

We provide expert leadership for:

  • Regulatory conversations 

  • Insurance underwriting discussions 

  • Tenant due diligence 

  • Board-level reporting 

Someone who can explain your client’s security posture in business language. 

MSP-first delivery 

We give MSPs compliance capability without requiring you to become a compliance consultancy. 

You provide the relationship. We provide the platform, with audit-ready reporting. 

What this means for MSPs 

OT security is becoming non-negotiable 

Compliance is turning OT security into a contractual requirement. MSPs that ignore OT will increasingly lose deals.

Competitive advantages: 

  • Differentiation from endpoint-only competitors 

  • Higher-value security conversations 

  • Stronger client retention 

  • Regulatory relevance 

  • Insurance-aligned security services 

OT compliance becomes a growth engine. 

Getting started with OT compliance services 

Why most MSPs hesitate 

Common barriers

  • OT feels unfamiliar 

  • Industrial protocols are complex 

  • Compliance frameworks seem intimidating 

  • Hiring OT specialists is expensive 

  • Tooling appears fragmented 

How MSPs can enter the market quickly 

You do not need to build this capability internally. 

The enhanced.io partnership model: 

  • Platform with OT integrations 

  • Built-in protocol support 

  • Compliance-aligned reporting 

  • SOC with OT expertise 

  • Fractional security leadership 

All of this means you can reduce the timeline to capability from months to weeks. 

Key takeaways 

Compliance is changing building security 

  • NIS2 expands regulation into building environments 

  • Insurers require OT security evidence 

  • Tenants conduct security due diligence 

  • OT security is now mandatory 

Building operators need real controls

  • Visibility of all connected systems 

  • Continuous monitoring 

  • Vulnerability management 

  • Compliance reporting 

  • Incident response capability 

MSPs are becoming compliance partners 

  • Security conversations shift to regulatory outcomes 

  • OT compliance creates recurring revenue

  • Differentiation in a crowded MSP market 

  • Long-term strategic client relationships 

What should MSPs do next? 

OT compliance is becoming unavoidable. 

Take action

  • Identify clients with connected building systems 

  • Understand which are in scope for NIS2 

  • Review cyber insurance requirements 

  • Assess OT visibility gaps 

  • Build a compliance-ready service 

Want to help your building operator clients meet their compliance obligations? 

Contact us to discuss a compliance-focused OT assessment and learn how enhanced.io enables MSPs - including Onsite Technologies - to deliver OT security aligned with NIS2, cyber insurance requirements, and modern compliance frameworks. 

Or read our complete guide to OT security for MSPs to understand how compliance-driven security fits into your service portfolio and growth strategy. 

Listen to the podcast:

OT Security for MSPs

FAQ

Can any endpoint protection tools work on building management systems?

No. BMS controllers run real-time operating systems (RTOS) or embedded firmware that cannot support security agents. Even lightweight EDR agents require resources and OS capabilities that building controllers do not have.

What about agentless EDR solutions?

How do I explain to clients that their EDR does not protect building systems?

Is passive monitoring as effective as EDR for detecting threats?

What protocols does enhanced.io monitor for building automation?

Do I need to become an expert in industrial protocols to offer BMS security?

Will passive monitoring impact building operations?
