IEC 62443 vs NIST: How the Two Frameworks Compare and When to Use Each

This guide compares IEC 62443 and the NIST Cybersecurity Framework: their key differences, how they overlap, and which framework applies to UK and US industrial organisations.

This page is part of the IEC 62443 compliance hub.

IEC 62443 and the NIST Cybersecurity Framework are the two most widely referenced cyber security frameworks in industrial and critical infrastructure contexts. Organisations operating across UK and US markets, or supplying into both, frequently encounter both frameworks and need to understand how they relate to each other, where they overlap and where they diverge.

This guide explains the key differences between IEC 62443 and NIST, how they are used in practice, and how ProtoCrawler supports the technical testing requirements that both frameworks drive in operational technology environments.

IEC 62443 and NIST at a Glance

Both IEC 62443 and the NIST Cybersecurity Framework address cyber security risk management, but they do so from different starting points, with different scopes and different levels of technical prescription.

IEC 62443 is an OT-specific standard. It is built for industrial automation and control system environments and addresses the full supply chain from component vendors through system integrators to asset owners. It is technically prescriptive, defining specific security requirements at the component and system level and requiring empirical testing evidence to support compliance claims.

The NIST Cybersecurity Framework is a general-purpose risk management framework applicable across all sectors and organisation types. It is outcomes-focused rather than technically prescriptive, organising cyber security activities into a small set of core functions (five in the original framework, six in version 2.0) and leaving the specific controls and methods to the organisation’s own risk-based judgement.

The practical difference is significant. IEC 62443 tells you what your industrial protocol stack must be able to withstand and requires proof. NIST tells you to govern, identify, protect, detect, respond and recover, and lets you decide how.


What Is the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework was developed by the US National Institute of Standards and Technology and first published in 2014, with version 2.0 released in 2024. It was originally created to help US critical infrastructure organisations manage cyber security risk but has since been adopted globally across a wide range of sectors and organisation sizes.

The framework organises cyber security activities into six core functions in version 2.0: Govern, Identify, Protect, Detect, Respond and Recover. Each function contains categories and subcategories that describe specific outcomes, with informative references pointing to other standards and frameworks that can be used to achieve those outcomes.

NIST CSF is voluntary in the US for most sectors, though it is referenced in federal procurement requirements and has been adopted as a de facto standard by many regulated industries. It is flexible by design and is intended to be adapted to the specific risk context of each organisation rather than applied uniformly.

NIST also publishes SP 800-82, a guide to industrial control system security that is more technically specific than the CSF and directly relevant to OT environments. SP 800-82 references IEC 62443 extensively and treats it as the primary technical standard for IACS security.


What Is IEC 62443?

IEC 62443 is the international standard series for securing industrial automation and control systems. It is developed jointly by the International Society of Automation and the International Electrotechnical Commission and applies globally across all industry sectors that use operational technology.

Unlike NIST CSF, IEC 62443 is technically prescriptive. It defines specific security requirements at the system level in IEC 62443-3-3 and at the component level in IEC 62443-4-2. It requires that those requirements be met at a stated security level and that compliance be demonstrated through structured testing evidence rather than self-assessed against outcomes.

IEC 62443 also addresses the supply chain explicitly, placing different but complementary obligations on asset owners, system integrators and product vendors. This supply chain dimension is one of the key features that distinguishes it from NIST CSF, which addresses the organisation as a whole rather than differentiating between roles within an industrial supply chain.

For a full explanation of how IEC 62443 is structured and what each part covers, see the IEC 62443 framework guide.


Key Differences Between IEC 62443 and NIST

The differences between IEC 62443 and NIST CSF are substantial and matter practically when deciding which framework to prioritise or how to use them together.

Scope. IEC 62443 is OT-specific. It is designed for industrial automation and control system environments and its requirements reflect the specific characteristics of those environments, including legacy protocols, long device lifecycles, safety-critical availability requirements and the supply chain structure of the industrial sector. NIST CSF is sector-agnostic and applies equally to IT and OT environments, which means it lacks the OT-specific technical depth that IEC 62443 provides.

Prescriptiveness. IEC 62443 defines specific technical requirements and requires evidence of compliance. NIST CSF defines outcomes and leaves the specific controls and methods to the organisation. For organisations that need to demonstrate compliance to an auditor or certification body, IEC 62443 provides a clearer and more defensible evidence framework.

Supply chain coverage. IEC 62443 explicitly addresses the obligations of product vendors, system integrators and asset owners as distinct roles with different responsibilities. NIST CSF addresses the organisation as a whole and does not differentiate between supply chain roles in the same way.

Testing requirements. IEC 62443 places explicit testing obligations on product vendors through IEC 62443-4-1 Practice 6 and requires empirical evidence of protocol robustness at the component and system level. NIST CSF references testing as a protective activity but does not define specific testing obligations or evidence requirements.

Geographic prevalence. IEC 62443 is the dominant framework for OT cyber security in the UK, Europe and globally. NIST CSF is the dominant framework in the US federal and critical infrastructure context, though it is used globally and increasingly in UK organisations with US operations or customers.


Where IEC 62443 and NIST Overlap

Despite their differences, IEC 62443 and NIST CSF address many of the same underlying security concerns and are broadly complementary rather than competing.

Both frameworks address risk assessment as a foundational activity. IEC 62443-3-2 and the NIST CSF Identify function both require organisations to understand their assets, threats and vulnerabilities before determining what controls are needed.

Both frameworks address access control, authentication, network segmentation and incident response. The specific requirements differ in technical detail and prescription but the security outcomes they drive are aligned.

NIST SP 800-82 treats IEC 62443 as the primary technical reference for ICS security, effectively positioning the two frameworks as complementary layers. NIST CSF provides the governance and risk management structure. IEC 62443 provides the OT-specific technical requirements and testing obligations that give that structure practical substance in industrial environments.

Organisations that are already aligned with NIST CSF will find that IEC 62443 adds technical depth and supply chain specificity rather than contradicting or duplicating what they have already done.


Which Framework Applies in the UK?

In the UK, IEC 62443 is the primary framework for OT cyber security. It aligns directly with the NCSC Cyber Assessment Framework, which applies to operators of essential services under the Network and Information Systems Regulations. UK regulators and auditors in energy, water, transport and critical manufacturing consistently reference IEC 62443 as the technical standard for demonstrating proportionate OT cyber security risk management.

NIST CSF is less commonly referenced in UK regulatory contexts but is used by UK organisations with significant US operations, US customers or US supply chain relationships. Some UK organisations use NIST CSF as their overarching governance framework and IEC 62443 as the OT-specific technical layer beneath it.

For UK organisations that need to demonstrate compliance to UK regulators or certification bodies, IEC 62443 is the framework that carries the most weight. For a detailed guide to how IEC 62443 applies in the UK regulatory context, see the IEC 62443 UK compliance guide.


Which Framework Applies in the US?

In the US, NIST CSF is the dominant governance framework for critical infrastructure cyber security and is referenced extensively in federal procurement requirements and sector-specific regulations. However, IEC 62443 has significant and growing relevance in the US OT context.

CISA references IEC 62443 as a recommended framework for ICS security. NERC CIP requirements for bulk electric system operators overlap substantially with IEC 62443-3-3 system security requirements. ISASecure certification, the primary IEC 62443 product certification scheme, is operated by a US organisation and widely recognised in US procurement.

For product vendors selling into US critical infrastructure markets, IEC 62443-4-2 component certification is increasingly a procurement requirement alongside or instead of NIST alignment. US asset owners and system integrators in regulated sectors are applying IEC 62443 technical requirements even where NIST CSF provides the overarching governance structure.

The practical position for organisations operating in both markets is that NIST CSF and IEC 62443 are used together. NIST CSF provides the governance framework. IEC 62443 provides the OT-specific technical requirements and testing evidence.


Using IEC 62443 and NIST Together

For organisations that need to satisfy both frameworks, the good news is that work done for IEC 62443 compliance contributes directly to NIST CSF alignment and vice versa. They are not competing programmes requiring separate investment.

The risk assessment process under IEC 62443-3-2 satisfies the asset identification and risk assessment requirements of the NIST CSF Identify function. The security controls defined in IEC 62443-3-3 and IEC 62443-4-2 address the Protect function outcomes. The monitoring and incident response requirements in IEC 62443 address the Detect and Respond functions.

The most efficient approach for organisations operating across UK and US markets is to use IEC 62443 as the technical foundation and map NIST CSF outcomes to the IEC 62443 requirements that address them. This produces a single compliance programme that satisfies both frameworks rather than two parallel programmes with significant duplication.

The testing evidence generated through an IEC 62443 compliance programme, including structured protocol fuzz testing records, scored findings and audit-ready reports, provides the empirical substance that NIST CSF alignment requires but does not itself define.


How Testing Requirements Compare

The testing requirements of IEC 62443 and NIST CSF differ significantly in specificity and obligation.

IEC 62443 places explicit, defined testing obligations on product vendors through IEC 62443-4-1 Practice 6. It requires security requirements testing, threat mitigation testing, vulnerability testing including fuzzing, and penetration testing at higher security levels. It requires that testing evidence be documented, traceable to specific requirements and repeated when products change.

NIST CSF references security testing within the Protect and Identify functions but does not define specific testing methods, evidence requirements or repetition obligations. Organisations demonstrating NIST CSF alignment decide for themselves what testing is sufficient based on their risk assessment.

In practice, organisations using both frameworks apply IEC 62443 testing requirements as the technical standard and rely on those outputs to satisfy NIST CSF testing expectations. The structured protocol fuzz testing evidence that IEC 62443 compliance requires is more than sufficient to demonstrate the testing activities that NIST CSF alignment implies.
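The two practices described above, mapping NIST CSF outcomes onto the IEC 62443 requirements that address them and keeping testing evidence traceable to specific requirements and repeated when products change, can be checked mechanically. The following Python script is an added illustration, not ProtoCrawler's code or an artefact of either standard. The requirement identifiers are the ones named on this page; the clause-to-CSF-function crosswalk, the `Evidence` record layout, the version strings and the record IDs are assumptions constructed for the example. It classifies each required clause as covered, stale (evidence exists only for an older product version, so the test must be repeated), failed or missing, then rolls the result up to NIST CSF functions.

```python
"""Traceability check for IEC 62443 testing evidence with a NIST CSF roll-up.

Added example. The crosswalk below follows this page's description of how the
frameworks align (3-2 risk assessment -> Identify; 3-3 / 4-2 controls and 4-1
testing -> Protect). It is an assumption for illustration, not an official mapping.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed crosswalk: which NIST CSF function each IEC 62443 requirement evidences.
CLAUSE_TO_CSF = {
    "IEC 62443-3-2 risk assessment": "Identify",
    "IEC 62443-4-1 SVV-3": "Protect",
    "IEC 62443-4-2 CR 3.5": "Protect",
    "IEC 62443-4-2 CR 7.1": "Protect",
    "IEC 62443-3-3 SR 7.1": "Protect",
    "IEC 62443-3-3 SR 7.2": "Protect",
}


@dataclass(frozen=True)
class Evidence:
    clause: str            # IEC 62443 requirement the record is traceable to
    product_version: str   # product version the test was actually run against
    passed: bool           # outcome of that test run
    record_id: str         # report or fuzz-run identifier (constructed)


def parse_version(v: str) -> tuple:
    """Numeric version tuple so that 2.10.0 sorts after 2.9.1."""
    return tuple(int(part) for part in v.split("."))


def check_traceability(required, evidence, current_version):
    """Return a status per required clause: covered, stale, failed or missing."""
    current = parse_version(current_version)
    status = {}
    for clause in required:
        records = [e for e in evidence if e.clause == clause]
        if not records:
            status[clause] = "missing"
            continue
        at_current = [e for e in records if parse_version(e.product_version) == current]
        if not at_current:
            # Only older-version evidence on file: the product changed, re-test.
            status[clause] = "stale"
        elif any(e.passed for e in at_current):
            status[clause] = "covered"
        else:
            status[clause] = "failed"
    return status


def csf_coverage(status):
    """A CSF function counts as covered only when every clause mapped to it is."""
    by_function = defaultdict(list)
    for clause, s in status.items():
        by_function[CLAUSE_TO_CSF.get(clause, "Unmapped")].append(s)
    return {fn: "covered" if all(s == "covered" for s in ss) else "gap"
            for fn, ss in by_function.items()}


def gap_actions(status, current_version):
    """Human-readable follow-up list for anything that is not covered."""
    actions = []
    for clause, s in status.items():
        if s == "stale":
            actions.append(f"{clause}: re-run tests against version {current_version}")
        elif s == "failed":
            actions.append(f"{clause}: remediate and re-test")
        elif s == "missing":
            actions.append(f"{clause}: no evidence on file")
    return actions


# Constructed sample data: one product release with a partial evidence set.
CURRENT_VERSION = "2.1.0"
SAMPLE_EVIDENCE = [
    Evidence("IEC 62443-3-2 risk assessment", "2.1.0", True, "RA-0007"),
    Evidence("IEC 62443-4-1 SVV-3", "2.1.0", True, "FUZZ-0142"),
    Evidence("IEC 62443-4-2 CR 3.5", "2.1.0", True, "FUZZ-0142"),
    Evidence("IEC 62443-4-2 CR 7.1", "2.0.3", True, "FUZZ-0098"),   # pre-dates the release
    Evidence("IEC 62443-3-3 SR 7.1", "2.1.0", False, "FUZZ-0143"),  # failed on this release
    # IEC 62443-3-3 SR 7.2 has no record at all.
]

if __name__ == "__main__":
    st = check_traceability(list(CLAUSE_TO_CSF), SAMPLE_EVIDENCE, CURRENT_VERSION)
    for clause, s in st.items():
        print(f"{clause:32} {s}")
    print("NIST CSF roll-up:", csf_coverage(st))
    for line in gap_actions(st, CURRENT_VERSION):
        print(" -", line)
```

The roll-up is deliberately strict: a single stale or failed clause leaves its CSF function at "gap", which is the behaviour an assessor expects when evidence must be repeated after a product change. Extending the crosswalk to Detect and Respond would follow the same pattern once the monitoring and incident response clauses in use are added to `CLAUSE_TO_CSF`.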

For a detailed guide to what IEC 62443 compliance testing involves, see the IEC 62443 compliance testing guide.


How ProtoCrawler Supports Both Frameworks

ProtoCrawler generates the protocol security testing evidence that IEC 62443 compliance requires and that NIST CSF alignment implies.

For IEC 62443, ProtoCrawler addresses the SVV-3 vulnerability testing requirement in IEC 62443-4-1 Practice 6 directly, generates component-level compliance evidence for CR 3.5 and CR 7.1 in IEC 62443-4-2, and produces system-level evidence for SR 7.1 and SR 7.2 in IEC 62443-3-3. Its structured, audit-ready reports map findings directly to the IEC 62443 clause requirements that certification bodies and regulatory assessors look for.

For NIST CSF, ProtoCrawler provides the empirical testing evidence that gives NIST CSF Protect function alignment practical substance in OT environments. The scored findings, coverage traceability and remediation records it produces satisfy the testing evidence expectations that NIST CSF alignment implies without defining.

For organisations operating across UK and US markets, ProtoCrawler’s outputs serve both compliance programmes simultaneously. The same testing evidence that supports an IEC 62443 certification assessment also demonstrates the security testing activities that NIST CSF and NIST SP 800-82 alignment requires.

For the full list of industrial protocols supported, see the protocol models page. For the complete set of IEC 62443 guides, explore the IEC 62443 compliance hub.


Ready to build protocol testing evidence that satisfies both IEC 62443 and NIST requirements? Book a demo to see how ProtoCrawler supports compliance across both frameworks.
