The OTVerdict Defensibility Model™
A five-stage defensibility spectrum describing how clearly an organisation can evidence operational security controls under regulatory or insurer scrutiny.
Assessments evaluate evidence sufficiency against expectations reflected in frameworks such as NIS2, CAF, and industrial cyber insurance reviews.
Reactive
Controls informal or undocumented.
Basic
Controls claimed but with limited supporting evidence.
Documented
Controls defined with partial validation.
Evidence-Backed
Controls supported by structured and reviewable evidence.
Defensible
Evidence sufficient to support regulatory or insurer scrutiny.
Detailed control domains, assessment criteria, and evidence requirements are outlined in the Assessment Framework.
Built for Industrial Operators Under Regulatory Pressure
For industrial sites facing regulatory, insurer, and board-level scrutiny.
Designed for
OT site managers and CISOs at NIS2 essential and important entities
Sites subject to NIS2 (EU 2022/2555) or the UK Cyber Security and Resilience Bill
Teams requiring OT-specific evidence readiness and a documented defensibility position
Industrial operators who need to demonstrate reasonable steps to a regulator, insurer, or board
Not suitable for
Organisations seeking a certification badge or formal compliance certificate
Pure IT environments with no operational technology in scope
Organisations requiring automated checklist scoring without expert review
Pressure Drivers
NIS2 (EU 2022/2555) — personal liability for senior management under Article 20, fines up to €10M or 2% of global turnover
UK Cyber Security and Resilience Bill — equivalent technical requirements for UK-regulated entities
Cyber insurer requirements — policies increasingly require demonstrable OT security controls
Board accountability — directors require documented evidence that reasonable steps were taken
Industry Sectors
What OTVerdict Is Not
A NIS2 certification or compliance guarantee
An automated SaaS checklist with no expert review behind it
An IT security framework applied to OT environments
Penetration testing or technical vulnerability scanning
Implementation or remediation of controls
What OTVerdict Is
Independent expert assessment by an OT practitioner — not an algorithm
247-question framework across 15 OT control domains
Dual mapping to NIS2 Articles and ENISA Technical Implementation Guidance (EU 2024/2690)
Every gap documented with a prioritised remediation recommendation
Annual Revalidation available for ongoing regulatory assurance
What You Receive
Branded PDF defensibility report — executive-ready
RAG compliance score across all 15 OT control domains
Gap analysis mapped to NIS2 Articles and ENISA EU 2024/2690
Prioritised remediation recommendations for every gap identified
Defensibility statement for regulators, insurers, and boards
Covers NIS2 and the UK Cyber Security and Resilience Bill
Typical Timeline
Week 1: Scoping call — scope, tier, and fee confirmed
Week 1–2: Engagement confirmed, 50% invoiced upfront
Week 2–4: Evidence questionnaire issued and completed
Week 4–6: Independent expert review of submitted evidence
Week 6–8: Report delivered within 10 working days of complete submission
Optional: Annual Revalidation available for ongoing assurance
OTVerdict translates your existing controls and documentation into a structured, defensible position. This is not an automated output. It is a scored, expert-reviewed, and evidenced record of your cybersecurity position — structured for regulatory presentation, insurer submission, or board reporting. OTVerdict does not implement controls, perform penetration testing, or certify compliance.
Purpose-built for OT environments.
The assessment portal guides each engagement from evidence submission through to scored defensibility report. Structured by control domain. Built for operational technology, not adapted from IT.
Frequently Asked Questions
Scope, deliverables, renewals, and what happens after the report.