Aligning EU Cybersecurity Regulations with ICS Security Standards: A Systematic Literature Review
2025 (English). Independent thesis, Advanced level (degree of Master (Two Years)), 20 credits / 30 HE credits
Student thesis
Abstract [en]
Industrial Control Systems (ICS) form the backbone of critical infrastructure but face increasing cybersecurity risks as connectivity expands. To address these challenges, the European Union has introduced new legislation, including the Cyber Resilience Act (CRA), the NIS2 Directive, and the Machinery Regulation, which establish mandatory cybersecurity obligations. At the same time, technical standards such as IEC 62443 and ISO/IEC 27001 continue to provide structured frameworks for securing industrial systems.

The aim of this thesis is to analyse how the EU’s emerging cybersecurity regulations relate to existing ICS security standards and to identify regulatory requirements that are not yet addressed by them. The study was conducted as a Systematic Literature Review (SLR), covering the period 2015–2025, drawing on four major academic databases together with grey literature, including EU legislative texts and industry guidelines. The findings show broad alignment between regulations and standards in areas such as lifecycle security, secure development, and incident reporting. However, gaps remain concerning post-market surveillance, vulnerability disclosure, and long-term update obligations, which are not comprehensively covered by current standards. These results highlight the need for closer harmonization to ensure that secure-by-design principles can be effectively implemented in ICS environments. The thesis contributes by clarifying the relationship between regulations and standards and by providing practical insights for industry and policymakers.
Place, publisher, year, edition, pages
2025, p. 47
Keywords [en]
Industrial Control Systems (ICS), Cyber Resilience Act (CRA), Machinery Regulation, IEC 62443, Security-by-Design
National Category
Computer Sciences
Identifiers
URN: urn:nbn:se:his:diva-25899
OAI: oai:DiVA.org:his-25899
DiVA, id: diva2:2004003
Subject / course
Informationsteknologi (Information Technology)
Educational program
Privacy, Information and Cyber Security - Master's Programme 120 ECTS
Supervisors
Examiners
2025-10-06, 2025-10-06, 2025-10-06
Bibliographically approved