- COMPLIANCE · OT REGULATIONS
Regulations covered by MON5.
One OT-native platform, one source of truth for audits, requirements and remediation. Maps the evidence required by NIS2, IEC 62443, CRA, NIST CSF, ISO 27001 / 27019, DORA and ISO 22301 - with nothing to re-install.
WHY MON5
One platform. Many audits.
OT security requirements don't live in silos: NIS2 asks for asset inventory, IEC 62443 asks for zone and conduit segmentation, CRA asks for vulnerability handling, ISO 27001 asks for documented technical controls. MON5 produces the technical evidence - asset inventory, network topology, anomaly detection, CVE/EPSS correlation - once, and you reuse it across frameworks. For each regulation, we say what we cover directly and where complementary work is required.
Which MON5 feature for which regulation.
One platform, technical evidence reusable across eight frameworks. Filled = MON5 covers directly. Empty = requires complementary work on governance, process or documentation.
| Regulation | Asset Inventory | Network Topology | CVE + EPSS | Anomaly Detection | Audit Reporting |
|---|---|---|---|---|---|
| NIS2 | ✓ | ✓ | ✓ | ✓ | ✓ |
| IEC 62443 | ✓ | ✓ | ✓ | ✓ | ✓ |
| CRA | ✓ | — | ✓ | — | ✓ |
| NIST CSF 2.0 | ✓ | ✓ | ✓ | ✓ | ✓ |
| ISO/IEC 27001 | ✓ | ✓ | ✓ | ✓ | ✓ |
| ISO/IEC 27019 | ✓ | ✓ | ✓ | ✓ | ✓ |
| DORA | ✓ | ✓ | — | ✓ | ✓ |
| ISO 22301 | ✓ | ✓ | — | ✓ | — |
NIS2
NIS2 Directive (EU 2022/2555)
Mandates essential and important entities (energy, manufacturing, food, transport, healthcare, digital infrastructure...) to adopt cyber risk management, governance, incident reporting and operational continuity measures. Transposed in Italy by Legislative Decree 138/2024, effective since 16/10/2024.
- 01Asset inventory and risk management (art. 21)
- 02Technical measures: encryption, access control, segmentation, MFA
- 03Incident detection and notification within 24h / 72h / 1 month
- 04Business continuity, backup, crisis management
- 05Supply chain and OT/ICS vendor security
MON5 continuously produces the technical evidence NIS2 requires on the OT network and assets: non-invasive passive discovery, up-to-date inventory, communication map, anomaly detection and CVE/EPSS correlation. The ready-made NIS2 reporting (from ESSENTIAL up) accelerates audit preparation and incident notification.
- →Continuous OT asset discovery and inventory
- →Network topology and detection of anomalous communications
- →Real-time detection + CVE/EPSS vulnerability correlation
- →Exportable NIS2 report, reusable as audit evidence
- →Event tracking to support 24/72h notification
IEC 62443
IEC 62443 - Industrial Automation and Control Systems Security
Reference standard for cybersecurity of industrial automation and control systems (IACS). Defines zones, conduits, security levels (SL 1-4) and requirements for asset owners, system integrators and component suppliers. Applicable to manufacturing, energy, oil & gas, water, building automation.
- 01Zone and conduit segmentation (62443-3-2)
- 02Foundational Requirements (FR1-FR7): identification, use control, data integrity, confidentiality, restricted flow, timely response, resource availability
- 03Risk assessment and Security Level Target definition
- 04Documented patch and vulnerability management
- 05Continuous monitoring of OT network integrity
MON5 is OT-native: it recognises industrial protocols (Modbus, S7, EtherNet/IP, OPC UA, IEC 61850, DNP3 and more), identifies real zones and conduits from observed traffic, and provides technical evidence on FR1-FR7. From PROTECT up, CVE/EPSS correlation and advanced anomaly detection support higher SL-T on critical assets.
- →Native OT / ICS protocol recognition
- →Zone and conduit map based on real traffic
- →Documentable technical evidence for FR1-FR7
- →Patch management informed by CVE + EPSS scoring
- →IEC 62443 reporting (advanced in the ADVANCED tier)
CRA
Cyber Resilience Act (EU Reg. 2024/2847)
EU regulation that imposes cybersecurity requirements on manufacturers, importers and distributors of products with digital elements placed on the European market. Full effect from 11/12/2027. Directly applies to OEMs, system integrators and OT/IoT component vendors.
- 01Security by design across the full product lifecycle
- 02Vulnerability handling and coordinated disclosure
- 03Software component management, including SBOM
- 04Notification of actively exploited vulnerabilities within 24h
- 05Security updates throughout the declared support period
For industrial asset owners, MON5 provides visibility on CRA-relevant products installed on plant: firmware, versions, known vulnerabilities, network exposure. It lets you verify that suppliers honour their vulnerability handling obligations and manage the software/firmware inventory required by supply chain requirements.
- →Firmware and version inventory for OT/IoT devices
- →CVE correlation on installed components
- →EPSS scoring to prioritise patching
- →Evidence on network exposure of CRA-relevant products
- →Audit trail to verify supplier responsiveness
NIST CSF 2.0
NIST Cybersecurity Framework 2.0
Voluntary NIST framework adopted globally as a common language to describe cybersecurity maturity and capabilities. Version 2.0 (2024) introduces the GOVERN function and extends coverage to all organisations - not only US critical infrastructure.
- 01GOVERN: governance, risk strategy, roles and responsibilities
- 02IDENTIFY: asset management, business environment, risk assessment
- 03PROTECT: access control, data security, protective technology
- 04DETECT: anomalies, continuous monitoring, detection processes
- 05RESPOND + RECOVER: planning, communications, mitigation, recovery
MON5 directly covers the IDENTIFY (asset management, communications, vulnerability identification) and DETECT (anomaly detection, continuous monitoring) functions on the OT perimeter. The evidence produced supports GOVERN (management reporting) and RESPOND (event correlation, EPSS-driven prioritisation).
- →ID.AM - Asset Management on the OT network
- →ID.RA - Risk Assessment based on CVE + EPSS
- →DE.CM - Continuous monitoring of industrial traffic
- →DE.AE - Real-time anomaly detection
- →Dashboards and reports supporting GOVERN and RESPOND
ISO/IEC 27001
ISO/IEC 27001:2022 - Information Security Management Systems
Certifiable standard for information security management. Together with Annex A:2022 (93 controls organised in 4 themes: organisational, people, physical, technological), it is the benchmark most often required in tenders, enterprise contracts and supply chains.
- 01Definition of the Statement of Applicability (SoA) and scope
- 02Documented risk assessment and risk treatment plan
- 03Implementation of applicable Annex A controls
- 04Internal audit, management review and continuous improvement
- 05Technical controls: A.8 (Technological), including A.8.7 malware protection, A.8.8 vulnerability management, A.8.16 monitoring activities
MON5 provides objective technical evidence for many Annex A:2022 controls applied to the OT perimeter - usually the least covered area in IT-focused ISMS. Continuous monitoring (A.8.16), vulnerability management (A.8.8), asset inventory (A.5.9) and network management (A.8.20-A.8.23) are automatically documented.
- →A.5.9 Inventory of information and associated assets
- →A.8.8 Management of technical vulnerabilities (CVE + EPSS)
- →A.8.16 Monitoring activities on the OT network
- →A.8.20-23 Network security and segregation (zones/conduits)
- →Exportable reports as evidence for certification audits
ISO/IEC 27019
ISO/IEC 27019:2017 - Energy utility industry
Extension of ISO/IEC 27002 specific to the energy utility industry: generation, transmission, distribution, storage. Defines additional controls for process control systems and the Process Control Domain (PCD) that manages the energy infrastructure.
- 01Extension of the ISMS to the Process Control Domain (PCD)
- 02Segregation between corporate IT, process IT and control systems
- 03Hardening and monitoring of SCADA / DMS / EMS systems
- 04Lifecycle management of legacy assets with operational constraints
- 05Resilience and continuity of critical energy processes
For energy utilities and operators in the sector, MON5 passively observes SCADA/DMS/EMS traffic, recognises sector-specific protocols (IEC 61850, DNP3, IEC 60870-5-104), identifies missing segregation between PCD and corporate IT and monitors legacy assets without requiring invasive installations on PLCs/RTUs.
- →Energy protocol recognition (IEC 61850, DNP3, IEC 60870-5-104)
- →PCD / IT / OT segregation map
- →Asset inventory on RTU, PLC, IED, gateway
- →Anomaly detection compatible with operational constraints on legacy systems
- →Evidence for ENE-specific controls of the extended Annex A
DORA
Digital Operational Resilience Act (EU Reg. 2022/2554)
EU regulation applicable from 17/01/2025 to financial entities (banks, insurance, payment, crypto, fund management) and their critical ICT suppliers. Also affects OT operators providing services to these entities or running data centres / technology infrastructure supporting them.
- 01Integrated and documented ICT risk management framework
- 02Incident reporting to competent authorities
- 03Digital operational resilience testing (including threat-led penetration testing)
- 04Third-party ICT risk management (TPRM)
- 05Information sharing on cyber threat intelligence
For financial entities with technology infrastructure and data centres, and for ICT suppliers operating across mixed IT/OT environments, MON5 provides continuous network monitoring, asset inventory and anomaly detection - feeding the ICT risk management framework and the incident reporting required by DORA.
- →Continuous monitoring for ICT risk management
- →Asset inventory for TPRM on supplied systems
- →Event detection supporting incident reporting
- →Technical evidence for resilience testing
- →Audit trail reusable for supervisory authorities
ISO 22301
ISO 22301:2019 - Business Continuity Management Systems
Certifiable standard for Business Continuity Management. Often required alongside ISO 27001 and explicitly cited by NIS2 (art. 21) and DORA for the operational continuity part. Relevant for any organisation whose service interruption would cause material impact.
- 01Business Impact Analysis (BIA) on critical processes
- 02Definition of RTO and RPO for each service
- 03Documented continuity strategies and plans
- 04Periodic exercises and testing of plans
- 05Monitoring of technological dependencies
OT continuity depends on the health of the industrial network. MON5 continuously monitors communications between critical assets, detects degradations before they become plant outages, and provides the BIA with an objective picture of real technological dependencies - not just declared ones.
- →Dependency map between critical OT assets
- →Early detection of degradations and anomalies
- →BIA evidence based on real traffic
- →Reusable history for RCA after events
- →Support for monitoring technological SLAs
Quick answers.
Let's figure out what you really need.
Show us the OT perimeter and the regulations you need to cover: we will tell you what MON5 documents directly, where complementary work is needed, and which tier to start from - no hard selling.