1. Why OPC UA migration cost is the real conversation blocker
Most industrial organisations already understand why they need to migrate from OPC Classic to OPC UA. The security argument, DCOM vulnerabilities, the KB5004442 patch that broke OPC Classic connections, the mandates coming from NIS2 in Europe and NERC CIP in North America, is well established. The operational argument such as cloud connectivity, IIoT integration, analytics, digital twins, is equally clear.
What blocks the conversation is cost. Specifically, the assumption that OPC UA migration means a full infrastructure replacement programme: new PLCs, new SCADA systems, new historians, new integrations, engineering weeks, testing cycles, and downtime windows that are difficult to schedule and expensive to execute in live production environments.
That assumption is wrong – or at least, it is not the only option. And the cost difference between a full replacement and a wrapper-based migration is large enough to change how the business case looks entirely.
This article breaks down the actual cost components of OPC UA migration, shows where each approach saves or spends, and gives you the framework to build a credible business case for a wrapper-first migration strategy.
2. The five cost categories in a full OPC UA migration
When finance or procurement teams cost a full OPC UA migration, replacing OPC Classic infrastructure with native OPC UA equivalents, five distinct cost categories appear. Understanding these categories is essential because the wrapper approach directly eliminates or dramatically reduces most of them.
Cost category 1: Hardware procurement
Full migration often requires hardware changes. PLCs and RTUs that do not have native OPC UA firmware, which describes a significant portion of the installed base at industrial facilities built before 2015, require either firmware upgrades (where available) or hardware replacement. DCS controllers, edge gateways, and communication modules may need replacement. In a facility with dozens of control nodes, hardware procurement alone can run to six or seven figures.
Cost category 2: Engineering and integration
Every OPC Classic server that is replaced with a native OPC UA server requires configuration of the new server’s address space, defining the node hierarchy, data types, access permissions, and security policy. Every client application that was connected to the OPC Classic server must be reconfigured to connect to the new OPC UA endpoint. Custom OPC Classic integrations such as data pipelines, historian connections, reporting tools, must be rebuilt or adapted.
In large facilities, this engineering work is measured in weeks or months. At typical OT integration engineering rates, $150–$250 per hour in North America and Western Europe, the cost accumulates quickly.
Cost category 3: Testing and validation
Industrial systems cannot simply be switched over without validation. Every replaced component must be tested in a non-production environment first, then validated in production with a parallel run alongside the legacy system, then signed off before decommissioning the legacy path. For safety-instrumented systems or process-critical loops, validation requirements are even more stringent – IEC 61511 (functional safety) or GAMP 5 (pharmaceutical) validation protocols add structure and time to every change.
Testing and validation in a brownfield industrial environment is rarely less than 20–30% of the total project engineering budget.
Cost category 4: Operational downtime
Even a well-planned migration requires maintenance windows – periods during which systems are offline or operating in degraded mode while components are replaced and tested. In continuous manufacturing, refinery operations, or power generation, every hour of unplanned or semi-planned downtime carries a calculable cost. For a typical continuous chemical plant, unplanned downtime costs $20,000–$100,000 per hour depending on capacity and product margins. Even a planned, partial maintenance window has an opportunity cost.
Cost category 5: Security remediation during transition
During a phased full-replacement migration, the facility operates in a mixed state: some systems on OPC Classic, some on OPC UA, with bridging connections between them that may themselves introduce temporary security gaps. Managing the security posture of a hybrid environment during active migration requires additional monitoring, network segmentation work, and potentially temporary security tooling – all of which add to project cost.
3. How the wrapper approach addresses each cost category
The OPC UA Wrapper is a software bridge that connects existing OPC Classic DA, HDA, and AE servers to OPC UA clients, without touching the servers, the PLCs they read from, or any existing OPC Classic client applications. Here is what that means for each cost category.
Hardware procurement: eliminated
The OPC UA Wrapper runs as a Windows service on existing infrastructure – the same Windows host that runs the OPC Classic server, or a separate Windows host on the same network segment. No new PLCs, no new RTUs, no new communication hardware. Hardware procurement cost in a wrapper-based migration is effectively zero for the initial deployment.
Engineering and integration: reduced by 70–85%
Instead of reconfiguring every OPC Classic server and every connected client, the Wrapper automatically maps the existing OPC Classic address space – the tag hierarchy, item IDs, data types – to an OPC UA node structure. New OPC UA clients connect to the Wrapper’s OPC UA endpoint. The engineering work reduces to: installing the Wrapper, reviewing the automatically generated address space, configuring OPC UA security (certificates and security policy), and connecting new OPC UA clients to the Wrapper endpoint.
For an experienced OT integration engineer, this takes hours, not weeks.
Testing and validation: substantially reduced
Because neither the OPC Classic server nor any existing client is modified, the scope of validation is limited to the Wrapper itself and the new OPC UA clients connecting to it. Existing OPC Classic connections continue operating identically throughout, they provide the reference baseline for validation. Testing that the Wrapper is correctly bridging data from OPC Classic to OPC UA is straightforward: compare OPC UA client readings against simultaneous OPC Classic client readings from the same data source.
Operational downtime: near-zero
Deploying the OPC UA Wrapper requires no process downtime. The Wrapper service starts alongside existing infrastructure, it does not interrupt, restart, or modify the OPC Classic servers it connects to. Existing OPC Classic clients remain connected and operational throughout. The only activity that could cause a brief interruption is the initial Wrapper service start, which is a software operation on the Wrapper host, not on the process control system.
Security during transition: immediately improved
Unlike full replacement, where a mixed OPC Classic / OPC UA environment exists for months or years with the security risks of both, the Wrapper approach improves security from day one. All new OPC UA client connections operate with AES-256 encryption and X.509 certificate authentication from the moment the Wrapper is deployed. DCOM, and its associated vulnerabilities, is contained to the local machine or a tightly controlled local segment. The security posture improves at the point of deployment, not at the end of the migration programme.
4. The hidden costs of staying on OPC Classic
The business case for OPC UA migration cost needs to account for both sides of the ledger: the cost of migrating, and the cost of not migrating. The ongoing costs of staying on OPC Classic are frequently underestimated in planning discussions.
- Legacy specialist dependency. OPC Classic administration requires engineers who understand DCOM configuration, Windows security policy as it applies to COM/DCOM, and the specific quirks of older OPC server software. This expertise is becoming scarcer and more expensive as the OPC Classic installed base ages and the engineer population that built it approaches retirement. Dependency on a small number of legacy-specialist staff is an operational risk with a real cost when those staff are unavailable.
- Windows lifecycle management. OPC Classic servers run on Windows. As Windows versions reach end-of-support, operators face a choice: run unsupported operating systems (security risk and compliance gap) or upgrade the Windows version and risk breaking DCOM connectivity that was tuned for a specific Windows version. The KB5004442 patch issue, where a security update broke OPC Classic connections, is the most visible recent example of this structural problem. Each Windows lifecycle event is an engineering project.
- Custom integration technical debt. Every integration between an OPC Classic system and a modern application, cloud platforms, analytics tools, MES systems, built using custom OPC Classic connectors accumulates technical debt. These connectors are non-standard, require bespoke maintenance, and break whenever either end of the integration is updated. The cost of maintaining a portfolio of custom OPC Classic integrations compounds over time.
- Compliance penalty exposure. For operators subject to NIS2 (EU), NERC CIP (North America), or sector-specific security standards, running unencrypted DCOM-based communications creates a measurable compliance gap. The financial exposure from a NIS2 violation, up to €10 million or 2% of global annual turnover for essential entities, dwarfs the cost of any OPC UA migration approach. Even where penalties are not imminent, the cost of a cybersecurity incident enabled by unencrypted OT communications is a calculable risk that belongs in any TCO comparison.
- Blocked modernisation projects. Every IIoT integration, cloud analytics project, or digital twin initiative that requires OPC UA connectivity hits a hard stop at OPC Classic boundaries. The cost of these blocked or delayed projects, in lost productivity, delayed ROI, and competitive disadvantage, is real even when it does not appear as a line item in the OPC Classic maintenance budget.
5. Total cost of ownership: full replacement vs wrapper approach
The table below compares the two approaches across the five cost categories and the hidden ongoing costs, using relative cost indices where absolute figures depend on facility size and complexity.
| Cost category | Full replacement | Wrapper-based migration |
|---|---|---|
| Hardware procurement | High: new PLCs, RTUs, gateways where no OPC UA firmware available | None: runs on existing Windows hosts |
| Engineering and integration | High: reconfigure every server and every client | Low: automatic address space mapping; configure Wrapper and new UA clients only |
| Testing and validation | High: every replaced component requires full validation cycle | Low: validate Wrapper and new UA clients only; legacy system provides baseline reference |
| Operational downtime | Medium to high: maintenance windows required for every replaced component | Near zero: Wrapper deploys without interrupting existing systems |
| Security during transition | Risk period during hybrid state (months to years) | Security improved from day one; DCOM contained immediately |
| Ongoing legacy maintenance | Eliminated (after full replacement) | Low: OPC Classic servers continue as-is; DCOM contained to local segment |
| Windows lifecycle exposure | Eliminated (after full replacement) | Reduced: DCOM exposure isolated; OPC UA side is platform-independent |
| Custom integration debt | High cost to rebuild all integrations in OPC UA | Eliminated for new integrations: all new clients use OPC UA |
| Time to security improvement | Long: security improves only as components are replaced | Immediate: all new connections secured from day one |
| Total migration project cost | High | 60–80% lower for equivalent connectivity outcomes |
6. Building the business case: what to put in front of finance
When presenting OPC UA migration cost to finance or senior management, the most effective structure frames the Wrapper approach not as a compromise but as a capital-efficient way to achieve the same security and connectivity outcomes at a fraction of the cost and risk.
Frame the status quo as a cost centre. The hidden costs in Section 4 – legacy specialist dependency, Windows lifecycle management, custom integration debt, compliance exposure – belong in the TCO baseline. The migration cost is not compared against zero; it is compared against the ongoing cost of the current state.
Quantify the compliance exposure. For EU operators subject to NIS2, the maximum penalty for essential entities is €10 million or 2% of global annual turnover, whichever is higher. For North American energy operators under NERC CIP, penalties per violation per day can reach $1 million. These numbers do not need to be presented as inevitable, they need to be presented as the risk that migration removes. Any finance team can calculate expected value from probability × impact.
Present the Wrapper as phase one, not the end state. The Wrapper approach is not an alternative to full OPC UA migration, it is the first phase of it. Hardware and OPC Classic servers are replaced progressively as they reach end-of-life, with the Wrapper managing the transition period. This framing makes the budget ask smaller (phase one only) while showing a credible long-term roadmap.
Highlight the speed-to-value advantage. A full replacement programme takes months of planning before a single line of security improvement is visible. The Wrapper can be deployed and securing new connections in hours. This time-to-value difference is meaningful for management reporting, audit responses, and compliance evidence.
Use the operational data you have. If your facility has records of DCOM-related incidents – KB5004442 connectivity failures, firewall exceptions that were opened for OPC Classic, manual processes that exist because OPC Classic cannot reach cloud systems – these are real costs that belong in the business case. Concrete facility-specific data is more persuasive than industry averages.
7. OPC UA migration cost by industry
Manufacturing (EU – NIS2 scope). Medium and large EU manufacturers classified as essential or important entities under NIS2 face a compliance timeline that makes delayed migration increasingly expensive. The engineering cost of a wrapper-based deployment across a typical manufacturing plant, covering real-time DA, historical HDA, and alarm AE bridging, is significantly lower than a new SCADA or historian procurement project, and delivers immediate compliance progress that can be reported in the NIS2 risk management documentation.
Oil and gas (North America and Middle East). Upstream and midstream operators in North America and the Gulf region typically have large installed bases of OPC Classic servers at well sites, compressor stations, and pipeline facilities – often in geographically distributed environments where on-site engineering visits are expensive. The Wrapper’s ability to deploy remotely and bridge OPC Classic to OPC UA without on-site work reduces the field engineering cost component, which is frequently the largest single cost in distributed OT upgrade projects.
Energy and utilities (North America – NERC CIP). For bulk electric system operators, the compliance cost of DCOM-exposed OPC Classic connections, Electronic Security Perimeter documentation gaps, annual audit findings, potential CIP violation exposure, is a direct input to the migration business case. Replacing DCOM connections with Wrapper-mediated OPC UA connections simplifies the Electronic Security Perimeter boundary, reduces the scope of annual CIP audits, and eliminates a recurring audit finding.
Pharmaceuticals (US – FDA 21 CFR Part 11; EU – Annex 11). Validation cost is the dominant cost driver in pharmaceutical OT projects. Because the Wrapper does not modify existing OPC Classic servers or any validated process control systems, the validation scope for a Wrapper deployment is narrower than for any approach that touches the validated systems themselves. This is a significant cost advantage in environments where full revalidation of a modified system can cost more than the migration itself.
Frequently asked questions
Is the OPC UA Wrapper a one-time cost or ongoing?
The OPC UA Wrapper is licensed software. Like all enterprise software, it carries a licence cost and typically an annual maintenance and support fee that covers updates and technical support. This ongoing cost is small relative to the engineering cost savings from avoiding full replacement, and significantly smaller than the ongoing cost of maintaining custom OPC Classic integrations or the compliance exposure of unencrypted DCOM communications.
Does using the Wrapper mean I never have to fully migrate to OPC UA?
No. The Wrapper is the recommended first phase of an OPC UA migration, not a permanent alternative to it. OPC Classic servers should still be replaced with native OPC UA servers as they reach end-of-life or as budget and maintenance cycles allow. The Wrapper manages the transition period, allowing migration to proceed at a pace that is operationally and financially sustainable rather than requiring a disruptive, all-at-once programme. Once all OPC Classic servers have been replaced, the Wrapper layer can be decommissioned.
Can the Wrapper help reduce the cost of NERC CIP compliance?
Yes, directly. DCOM's dynamic port requirements make Electronic Security Perimeter documentation under NERC CIP complex and difficult to audit cleanly. Replacing DCOM-exposed OPC Classic connections with Wrapper-mediated OPC UA connections reduces the perimeter to a single, defined port and simplifies the conduit documentation. This reduces the annual audit scope and eliminates a common audit finding - both of which have direct cost implications for NERC CIP-obligated utilities.
How do I calculate the ROI of an OPC UA Wrapper deployment?
The ROI calculation has three components. On the cost side: Wrapper licence and implementation engineering. On the savings side: avoided hardware replacement, avoided custom integration engineering, avoided validation costs, and reduced compliance exposure. On the value side: new OPC UA connections that enable cloud analytics, IIoT integration, and digital twin projects that were previously blocked by OPC Classic boundaries. Most organisations find the payback period for a Wrapper deployment is under 12 months when the hidden costs of staying on OPC Classic are properly accounted for.
What is the difference between OPC UA migration cost and OPC UA total cost of ownership?
Migration cost is the one-time or phased investment required to transition from OPC Classic to OPC UA. Total cost of ownership (TCO) includes migration cost plus the ongoing operational costs of the resulting architecture - maintenance, licensing, support, and integration costs over the system's lifetime. The Wrapper approach improves both: it reduces migration cost significantly and it improves TCO by standardising on OPC UA for all new integrations (eliminating custom connector maintenance) and by enabling cloud and IIoT connections that increase operational value.
Related reading: OPC UA Migration cluster
- OPC UA Migration: The Complete Guide: Full migration strategy, approaches and phased roadmap
- OPC Classic to OPC UA: Bridge Legacy Systems Without Replacing Infrastructure: How the Wrapper and Proxy work technically
- OPC Classic Security Risks and the OPC UA Wrapper: The security case and DCOM vulnerability detail
- How to Configure OPC UA Wrapper Address Space: Step-by-step implementation guide
- OPC UA Security: The Complete Guide : The security model you are migrating toward
- OPC UA Wrapper product page: Download and licensing
