IEC 62443 has rapidly shifted from a voluntary best-practice framework to a foundational regulatory requirement for industrial and critical infrastructure operators globally, driven by converging legislation and escalating OT cyber threats.
New Standard Update: ISA-TR62443-2-2
The most recent update to the ISA/IEC 62443 series is ISA-TR62443-2-2-2025, published in December 2025. This technical report provides actionable guidance for developing, validating, operating, and maintaining a comprehensive Security Protection Scheme (SPS) that safeguards Industrial Automation and Control Systems (IACS) throughout their operational lifecycle. ISA99 Co-Chair Eric Cosman noted: "ISA-TR62443-2-2 gives asset owners and operators a risk-based approach for day-to-day security actions — bringing together technical controls, process maturity, and clear accountability."
Prior to that, ANSI/ISA-62443-2-1-2024 was published in January 2025, addressing organization-wide cybersecurity program management with a restructured maturity model (ML0–ML4) for evaluating requirements. This 2024 update replaces the 2010 version and introduces implementation-independent requirements, giving asset owners flexibility to tailor programs to their risk profile.
IEC 62443 Elevated to "Horizontal Standard"
A landmark institutional development: the IEC has formally designated ISA/IEC 62443 as a Horizontal Standard. This status means the standard applies broadly across all IEC technical committees and product families — not just one vertical sector — significantly expanding its authority and reach across global industrial markets.
NIS2 and EU CRA: IEC 62443 as the Compliance Backbone
The EU's NIS2 Directive mandates cybersecurity controls for critical sectors across 27 member states, and IEC 62443 has emerged as the primary technical vehicle for compliance. As of March 2026, practitioners are actively mapping Article 21 of NIS2 (10 mandatory security measures) directly to IEC 62443 sub-standards:
Risk analysis → IEC 62443-3-2 (Zones & Conduits, Target Security Levels)
Supply chain security → IEC 62443-4-1 (Secure Product Development) and 4-2 (Component Technical Requirements)
Security program management → IEC 62443-2-1 (CSMS requirements)
Simultaneously, the EU Cyber Resilience Act (CRA) is creating new product-level cybersecurity obligations, with IEC 62443-4-1 certification now accepted as evidence of CRA conformity. Companies like Advantech and Kalmar have recently achieved IEC 62443-4-1 certification specifically citing CRA alignment.
New ISASecure ACSSA Program Rollout
The new ISASecure Automation and Control System Security Assurance (ACSSA) program for operating industrial sites is rolling out in 2026. This extends ISASecure certification beyond products to encompass entire operating sites, making IEC 62443 compliance an enterprise-wide operational obligation rather than a product-level checkbox.
Industry Certifications and Product Developments (March 2026)
Several major players have recently achieved or announced IEC 62443 compliance milestones:
SINTRONES debuted IEC 62443-4-1 certified Edge AI solutions at Embedded World 2026 (March 2026), targeting industrial automation, transportation, and defense applications
AppGate launched an OT-focused Zero Trust Network Access (ZTNA) product on March 22–23, 2026, explicitly aligned with IEC 62443 for critical infrastructure operators
Advantech and MediaTek (with Bureau Veritas) completed IEC 62443-4-2 certification for ARM-based industrial systems, including EVSE controllers and industrial automation systems
2026 OT Risk Assessment Priorities Under IEC 62443
Published guidance from March 22, 2026 identifies the top IEC 62443-driven actions asset owners must complete this year:
Critical Infrastructure Threat Context
A January 2026 survey of 100+ energy OT sites revealed unpatched devices, flat networks, and hidden assets — with critical vulnerabilities detected within minutes of assessment. This threat landscape reinforces why IEC 62443, alongside NIST CSF and ISO 27001, is increasingly mandated in energy, manufacturing, water, and transportation sectors. The standard's defense-in-depth architecture — requiring network-level detection, zone segmentation, and conduit control — directly addresses these findings.
Four Practical Layers Framework (March 2026)
A March 11, 2026 article from the ISA Global Cybersecurity Alliance (Automation.com) frames ISA/IEC 62443 across four practical implementation layers — governance/policy, risk assessment, technical controls, and supply chain management — giving OT security teams a structured entry point regardless of organizational maturity.
In summary, as of March 24, 2026, IEC 62443 has transitioned from a technical guideline to a legally backed, globally enforced cybersecurity framework for OT environments, with active regulatory pressure from NIS2, the EU CRA, and national transpositions driving urgent adoption across critical industries.
About the Author
Nay Linn Aung is a Senior Automation & Robotics Engineer (M.S. Computer Science — Data Science & AI) specializing in the convergence of OT and IT.