
NIS2 compliance and cyber security: experts from secunet and the cyberintelligence.institute share insights


IoT Use Case Podcast 172 – secunet + cyberintelligence.institute

How secure is your company in practice?
In episode 172 of the IoT Use Case Podcast, host Ing. Madeleine Mickeleit talks with Prof. Dr. Dennis-Kenji Kipker, Research Director at the Cyber Intelligence Institute, Frank Sauber, Global Head of Sales at secunet, and Marlitt Stolz, Head of Management Systems at secunet, about the NIS2 directive and its impact on businesses. They discuss how companies can strengthen their cybersecurity to meet growing threats and new regulatory requirements. A must-listen episode for anyone wanting to understand how to stay on top of things and protect their organization in an increasingly connected world.

Podcast episode summary

This episode covers the NIS2 directive and its effects on businesses, particularly in the industrial sector and digitally connected supply chains. Host Ing. Madeleine Mickeleit speaks with Prof. Dr. Dennis-Kenji Kipker, Frank Sauber, and Marlitt Stolz about challenges and solutions for improving cybersecurity.

The experts explain how companies can implement NIS2 in practice – from initial assessments and risk management to measures such as penetration testing. A clear accountability structure is also crucial, especially in complex organizations with multiple locations.

The episode also provides valuable insights into the necessary collaboration between companies and partners to ensure information security across the supply chain. If you want to know how to protect your business against the risks of a digital future while ensuring compliance, tune in – this episode offers hands-on recommendations for implementing cybersecurity in your company.

Podcast interview

The growing cybersecurity threat in industry is a major issue for many of you – especially when it comes to data access within customer infrastructures, as well as implementing security requirements in supplier relationships and other highly networked projects. This trend has significantly intensified over the past two years.
These risks have long been a topic on this podcast, but today we want to take a step back: What developments have we seen – and more importantly, what lies ahead for you?
A key focus is the NIS2 directive. This new EU regulation is currently causing uncertainty for many businesses. Why do these requirements exist? What’s in the so-called “10-plus-1” catalog? And which measures are actually necessary – especially from an operational perspective?
We’re discussing these questions today with Prof. Dr. Dennis-Kenji Kipker. He is the Research Director at the cyberintelligence.institute and is known for his appearances on German public broadcaster ZDF and his work with the VDE Association for Electrical, Electronic & Information Technologies. He has spoken at numerous international conferences.
He’s active in international standardization committees and has contributed to studies on the implementation of the NIS2 directive at the EU level. Particularly exciting: today he’ll share insights into how other European countries are approaching the issue.
As always, we’ll also take a look at practical aspects: What specific requirements apply to you, your supply chains, and your contractors? What is considered to be state of the art? And how should the associated costs be assessed – are we really talking six-figure sums?
Joining the conversation are Frank Sauber, Global Head of Sales and Business Enablement, Division Industry at secunet, and Marlitt Stolz, Head of Management Systems and Audit – also at secunet.
You’ll find all the details as always at iotusecase.com and in the show notes.
So let’s jump right in.

A warm welcome to Frank, Marlitt, and Dennis!
Dennis, how are you? Where are you right now?

Dennis-Kenji

I’m currently in Cologne. We’re in the middle of a lecture week – which means I’m traveling across Germany from one cybersecurity talk to the next. The timing couldn’t be better, because just yesterday I gave a talk here in Cologne on cybersecurity compliance and governance, including for the executive board of a publicly listed company. These topics are definitely reaching leadership and decision-makers.

Very nice – sounds like a little roadshow across Germany.
Marlitt, where are you joining us from?

Marlitt

Hi from my side as well! After spending two days at the NIS2 Congress in Frankfurt, I’m back in Hamburg and currently not far from the Alster. I’m excited for this podcast and bringing along some practical insights from the congress.

Great, I’m curious to hear more. Greetings to Cologne and Frankfurt! And Frank, where are you?

Frank

I’m in Munich – just the classic day at the office. I was on the road this week for sales meetings, of course, but now I’m back in the office and looking forward to our conversation.

Perfect. Then let’s dive right into the topic.
Dennis, I’d like to start with you. I already gave a short intro about you, but something I’d personally like to hear more about: At your institute, you have four interdisciplinary research areas, and you’re a recognized expert in your field.
Could you give us an overview of how IoT or IIoT plays a role at your institute?
And also: who is actually affected by the NIS2 directive – and what exactly is the EU trying to achieve with it? Let’s kick off the discussion there.

Dennis-Kenji

Absolutely. Absolutely. At our institute, the core mission is to build digital resilience through European innovation.
We have four departments, one of which is called Global Network & Intelligence. It takes a holistic view of cyber resilience – not only in Germany but also in the broader European and international context. For example, we look at what legal requirements exist in other countries and where we can learn from one another. That’s especially important in this field.
The second department, Research & Innovation, focuses on how we can drive innovation in the field of cyber resilience – meaning transformation projects that go beyond basic research and actually help people in practical ways.
Our third department is the more traditional Cybersecurity & Resilience. NIS2 plays a central role there, of course. For example, we’re currently working on an initiative funded by the Federal Ministry for Economic Affairs, aiming to provide concrete guidance for NIS2 – essentially developing “controls” to implement the requirements across industries and sectors.
And perhaps most importantly, our fourth department is Education & Qualification. This is often summarized under the term “awareness,” but it’s really about how we can make cybersecurity tangible and relevant for people. NIS2 explicitly requires this – both operational staff and especially management must have the necessary qualifications.

The EU introduced the NIS2 Directive because cyberattacks have become a real threat – not just to the economy, but also to industry. And it no longer only affects traditional IT companies, but many different sectors. Can you explain who is actually affected and what exactly the EU aims to achieve with this directive?

Dennis-Kenji

The NIS2 Directive essentially builds on the original NIS1 Directive. Back then, the focus was on regulating so-called essential services – in other words, services equivalent to what we in Germany refer to as critical infrastructure. These are sectors essential to the functioning of our society: energy supply, transportation, banking, financial market infrastructures, healthcare, and so on.
Over the past decade, digitalization has accelerated rapidly. Everything is becoming increasingly interconnected – and with that, more vulnerable to attacks. As you mentioned in the introduction, cybercrime has grown significantly in importance. Attacks have become more sophisticated. “Cybercrime as a Service” is now a profitable business model, often operated from abroad, and it poses a serious threat to Western Europe as well.
At this point, it became clear: cybersecurity is no longer just an issue for critical infrastructure operators – it concerns the entire economy. It’s about protecting digital business operations.
Any company that has undergone digital transformation – for example, through digital supply chains or cloud services like Software as a Service – is potentially affected.
The EU has made it clear with NIS2: cybersecurity compliance must become a general business requirement.
One of the reasons is that, until now, too little has been done at the executive level. Cyberattacks, especially ransomware, are no longer rare exceptions. We see reports about them every day – not just in industry publications, but also in major national news outlets like Der Spiegel, Die Zeit, or Welt, often with live updates similar to breaking news coverage. Many people now react with: “Again? Not surprised anymore.”
That’s why the directive’s clear goal is to protect digital economic activity.
This includes manufacturing companies, mechanical and plant engineering, the chemical industry, and basically any kind of manufacturer – for example, in plastics processing.
When you add up all these additional businesses, especially SMEs from newly covered sectors, we’re talking about approximately 30,000 to 40,000 companies in Germany alone that will need to implement a cybersecurity compliance management system in the future.

Yes, absolutely. You also just mentioned digital supply chains and new digital offerings – that’s a huge topic.
A good example from our network would be ALD Vacuum Technologies. They manufacture metallurgical systems – classic mechanical engineering from Hanau – and have about 500 to 1,000 employees.
So that would be exactly the kind of company that will fall under NIS2 in the future due to their digital services for customers, right?

Dennis-Kenji

Yes, those are classic examples of companies that previously weren’t really on the radar for such regulations.

Okay. But larger companies too – I had an earlier episode with secunet and CLAAS, for example. CLAAS is also a machinery manufacturer, but they have more than 10,000 employees. So this applies to both large corporations and small to mid-sized businesses, right?

Frank

Correct.

Great. So what are the typical obligations companies will have under NIS2? What will businesses have to do that they maybe haven’t had to do before – what’s new with NIS2?

Marlitt

Good question. First of all, companies need to determine whether they’re actually affected – that’s step one. In Germany, we’re currently talking about the national implementation law. It hasn’t been finalized yet, so there’s still some uncertainty. I don’t want to go into legal details here, but the law is definitely coming – and there’s already a draft version. Companies can and should start aligning with that now. So, if a company – like the ones you just mentioned – has determined that it’s within scope, the first step is an assessment: What cybersecurity measures do we already have in place? And I want to emphasize something important here – I don’t want to discourage anyone – every company is already doing something for information security. I’m absolutely convinced of that. Even basic things like using passwords to log in or having an access badge system are already contributing to cybersecurity. If you then look at the implementation law and consider what specifically needs to be done – and the EU directive already outlines this – the core requirement is risk management, specifically information security-related risk management. And that’s really key. You need to ask: what “assets” do I have in the company? “Assets” is originally an English term, but it’s been adopted into German usage. It simply means: what valuable things exist in your organization? This can range from something like the Coca-Cola formula locked in a safe, to complex circuit diagrams, machinery, or engineering designs. Everything you do builds on knowing what you’re trying to protect.

Exactly. Now if we look at our audience – many of them come from manufacturing – they’re primarily focused on IIoT and internal digitalization projects. One example from our network is the use of ultra-wideband technology to locate devices and assets on the production floor. Or, as mentioned earlier, ALD Vacuum Technologies – a machinery manufacturer. We also have Rolls-Royce in our network, where it’s about machines and equipment deployed in the field at customer sites. The data is used both to provide digital services to customers and to support internal networking. Could you give us a practical example of what a cybersecurity measure might look like in one of these cases, in line with the upcoming national implementation law?

Marlitt

Yes, in fact, every company has some form of production or core business – and NIS2 doesn’t make any distinction there. In the case of a machinery manufacturer, for example, engineering designs are core assets. What companies need to do now is assess their individual situation:
What threats do I face? How likely are they to occur? And have I already implemented sufficient measures? That’s the first step. Many companies already have a good sense of this – especially production managers usually know quite well what risks they’re exposed to. As a result, the measures required can vary significantly. For example, if your production site is located next to a river that frequently floods, you need to assess the risk: is this location still suitable? Even environmental risks like that fall under the scope of information security.
Beyond that, the national implementation law – just like the directive itself – also defines additional areas that must be taken into account. One example is information security in supplier management. The goal is to identify which suppliers have a critical impact on your core business and key assets. And then: what measures do I potentially need to pass on to my suppliers to ensure they implement them? In other words, becoming aware of the criticality of your suppliers and checking whether they have sufficient information security measures in place.
There are also very practical topics involved, such as secure software development or, in a production context, the entire network architecture and security design. How is my network structured? At the NIS2 Congress, this came up a lot. People said things like: “Everything is in one hall, all connected to the same network, even multiple halls are linked – old and new systems running together.” That clearly introduces risks that need to be assessed. And in cases like that, it’s very likely that additional protective measures will be required.

[14:01] Challenges, potentials and status quo – This is what the use case looks like in practice

What are the typical issues or challenges companies are currently facing? Both in the lead-up to the congress and in your day-to-day work at secunet with clients and partners. Are they the ones you just mentioned, or are there other pressing concerns?

Marlitt

Some of it is definitely what I just described – the implementation of specific information security measures. That includes, for example, how to handle legacy and new systems in production environments or processes around secure software development. And let’s be honest: IT professionals and developers often aren’t particularly fond of documentation. These are very practical issues for which NIS2 specifies concrete requirements. These are topics that should be addressed based on best practices or specific standards.
But what is being expressed to me much more frequently at the moment is a level above that. In many mechanical engineering companies we work with, there are historically grown structures – different subsidiaries, multiple sites, often developed individually over decades. And that’s exactly where the challenge lies: simply figuring out who is actually responsible for information security. There are often very different internal dynamics and political interests – for example, between the managers of different plants. This is currently one of the biggest hurdles: The need is recognized, but a coherent strategy for information security is often missing, especially in complex organizations with multiple locations.

Yes, exciting. Yes, really interesting. Frank, how did it come about that secunet is now increasingly working with such partners? You both represent secunet, one of Germany’s leading providers of high-security IT solutions. We’ve already done one or two episodes together on highly connected production systems and critical infrastructure – I’ll link to those in the show notes as well. But how exactly did this collaboration come about? I would be interested to hear more about that.

Frank

It actually started with two leading questions, and Marlitt touched on them earlier. One is the technical question, “Am I affected?” And the other is the mindset – especially at the management level.
I really appreciated that Dennis mentioned earlier how the topic is slowly making its way into executive leadership. But what we still often experience in sales, especially in SMEs: Our contacts in IT actually know exactly what needs to be done. They tell us: “I know what we should be doing, but I don’t have the budget, I don’t have the people. And now NIS2 is being added on top of everything.”
Very often we hear: “How am I supposed to explain to the board that this is important?” And that’s the key issue: the mindset. As Marlitt said earlier: if I have multiple sites, information security only works when leadership understands that data sovereignty and trust in data are fundamental prerequisites for digital transformation – and that this also impacts the supply chain.
Because if my supplier experiences a cyber attack, I may not receive any goods. This means that I have to take a closer look, not only at the company itself, but also along the supply chain.
Once that’s understood, the next question becomes: “Am I affected?” And that’s not a question you should only ask in the context of upcoming legislation, but from the perspective: “I need to protect my business.” And this is exactly where we still see a major gap in understanding – one that urgently needs to be closed. The goal is to get this topic into the minds of decision-makers.
So, how did the collaboration with Dennis come about? That’s exactly the mission of the cyberintelligence.institute – to bridge the gap between regulation, legislation, and real-world relevance.
And part of that is addressing the management level – to create that moment of insight.
As we’ve already said: the risks vary from one company to another. But you have to engage with them. You have to ask: “What is my specific risk?” And once you start doing that, you naturally arrive at processes – which already brings you quite close to what the legislation is asking for.
And that’s how this collaboration came to life: With the goal of supporting companies not only technically, but also strategically – and at the management level.

Okay, very nice. So, if you’re listening now, I’d be interested to know how you implement this in your company. Feel free to write in the comments if you are already working on this or have a plan on how to approach the topic. I’d be very curious to hear.
And maybe, Frank, let’s go back to the keyword “convincing the board.” In the end, it always comes down to investing in technology and security — which also means investing time resources. What do you see as convincing arguments to win over the board? Can that be translated into a business case?

Frank

That really depends, because companies are very different, the risks vary widely, and the dependencies differ a lot as well. For example, if I’m a company that supplies critical infrastructure, then my prerequisites are completely different just because of my customer base. Working with Marlitt and her team, it is perfectly possible to calculate a business case for individual customers. But to say something like “you have to do this and you’ll save ten percent” — of course that doesn’t work in general.

Marlitt

Maybe just to add from my side: There is no stable core business anymore without information security. So in that sense, it’s actually a pretty simple calculation. If you look at the revenue and profit a company generates, it’s clear: without information security, that won’t be possible anymore in the future.

Yes, and do you have specific figures? I’d be interested in what implementing such a catalogue of measures under the NIS2 regulation costs. I know, of course, that’s hard to quantify and always depends on the use case and the company — but do you still have a rough estimate?

Marlitt

Well, first of all, you need someone to take care of it. This means that the first step takes time. That’s absolutely essential. And it doesn’t just take time from the person responsible. I’m not saying it has to be a full-time role — that really depends on the company. But you definitely need someone with enough capacity to deal with information security within the organization. That’s the first cost factor you’ll face.
And if someone has never dealt with it before, it’s hard to implement alone. Either training measures are needed, or consulting services have to be brought in. And the topics must also be implemented in a holistic way.
I always like to give a somewhat vivid example, especially in the context of production halls. In Germany, we’re very polite and like to hold the door open for one another, even on the factory premises. So it can happen that someone gains access to a production hall simply because someone politely held the door open for them. Of course, that goes against the principles of information security. Because access to production halls or data centers should only be granted to authorized individuals. A concrete measure in this case would be installing a turnstile, as already exists in many companies.
That means: implementing information security requires a combination of organizational-process-related and structural measures. This includes, for example, a clearly defined process for onboarding and setting access rights. At the same time, structural measures such as the installation of a turnstile may also be necessary if the risk analysis identifies such a need.
As you can tell, I’m being very vague about the costs. Because the first step is really to create time and space for employees so that they can deal with the implementation. And then it’s about providing the necessary tools. That’s where we at secunet are, of course, happy to help.

Okay, yes, that was a very illustrative example. But do you still have some best practices for how companies can better estimate or make more transparent the costs and benefits of cybersecurity in the context of the NIS2 directive? Are there any insights from your projects?

Marlitt

Well, unfortunately, information security still has a pretty bad reputation in some areas — it’s often seen purely as a cost driver. That’s why we’re currently trying to approach it differently. No more long policy documents or extensive guidelines, but instead short, concise handouts. That helps companies work more efficiently and brings structure to their processes.
That’s more or less our approach. What I want to say is: information security doesn’t have to be complicated. It can actually help companies get more organized in certain areas, because it automatically brings more sustainability into the organization. And if we’re being honest, we hear this from many companies: a lot of employees are close to retirement. So a generational shift is coming anyway, and that means companies also need to think about how to secure knowledge and structures in the long term.
Information security is a good starting point for finally creating certain types of documentation, tailored to the specific needs of the company.

[23:45] Solutions, offerings and services – A look at the technologies used

Dennis, how do you see it from the perspective of the institute, or personally? Many companies are already working with experts like secunet, some have internal resources, others maybe not yet. How do you assess the situation — also in terms of outsourcing and responsibility? Are companies already capable of implementing this? Or what else do you think is needed in terms of organization to make this work?

Dennis-Kenji

Yes, as Marlitt already mentioned: companies are of course in very different positions. We have organizations that have already been subject to KRITIS regulation for ten years and thus have relevant experience. There are already industry-specific security standards — known as B3S — along with strict reporting and documentation obligations. Then there are companies that have already implemented information security measures even though they weren’t legally required to. And finally, there’s the large majority of companies for whom information security is a relatively new topic — something they may have heard about, but haven’t actively addressed yet.
For these companies, it’s now about allocating appropriate budgets — budgets that reflect the actual risks. One thing that often gets overlooked: there’s the so-called “10-plus-1” catalog, which is also mentioned in the current §30 draft of the NIS2 implementation law. It lists minimum cybersecurity requirements. This catalog is often seen as a kind of “basic document”, along the lines of: you simply have to take a few additional measures now, plus one or plus n.
But what many don’t realize is: these measures must be tailored to the company’s individual risk profile. There’s no one-size-fits-all solution, no silver bullet for cybersecurity. Companies need to design their measures proportionately, and to do that, they first need to assess their risks.
This involves questions like: What’s the extent of my organization’s risk exposure? A defense contractor will obviously have very different requirements than a furniture manufacturer. How large is the company? How likely is a security incident? How severe could the impact be — socially, economically, or in terms of supply security? Are there technical standards and cost estimates already available?
Management has to ask itself these questions: How critical is my organization? Is it particularly exposed in public? How reliant am I on interconnected IT systems? Do I have digital supply chains that I need to include in my risk assessment? All of these points are explicitly addressed by NIS2. Have there already been cyber incidents in the past, or is it likely that there will be in the future — for example, because I operate in particularly exposed sectors?
And maybe the most important question: What could potential attackers achieve if they successfully compromised my company? Everything depends on that.
What we’re still seeing, to some extent, is that company leadership says: “Yes, there are fines, but it probably won’t be that bad. The BSI doesn’t have the capacity to audit 30,000 to 40,000 companies in Germany.” In other words: where there is no plaintiff, there is no judge.
But what’s often overlooked is that these obligations don’t exist in isolation — they impact the entire supply chain. They’re often passed on contractually, from one partner to the next. And in the event of a security incident — especially one that affects OT, halts production, prevents contract fulfillment, stops deliveries, or blocks incoming goods — the result is economic damage.
At that point, a contractual partner might say: “I’m claiming damages.” And then the legal question arises: What level of due diligence should you, as a company, have applied to your IT and OT infrastructure? If it then turns out that a company would have fallen under NIS2, but has largely ignored the requirements, the path to corresponding claims for damages is not far away.
That’s exactly what I try to make clear to management: it’s not just about fines or the idea that the BSI will suddenly show up in 2025. It’s about the fact that cybersecurity is relevant to your daily operations — and to your customer relationships. That message needs to be made clear, and awareness needs to be raised.

Okay, so what’s needed is essentially a mindset change — especially at the management level. And I’ll also include the link to those “10 plus 1” measures in the show notes. I think many people may already be familiar with it, but I’ll just include it again. Maybe to wrap up, let’s take a look at implementation. Many companies are just now getting started and want to begin the journey. So here’s a question for you, Marlitt — and also for Frank — from secunet: How exactly do I implement this? And what does collaboration with you look like? Could you walk us through an example project — even if you can’t name the client — to show how you go about it? What do you offer, and how do you support companies in implementation?

Marlitt

Yes, so it’s really important to me to emphasize that companies shouldn’t feel overwhelmed. A lot of them are now facing the NIS2 implementation law and thinking, “What am I supposed to do? Do I need to have all of this done by tomorrow?” But the most important thing — the absolute foundation — is having a plan. Think about: What measures do I need to implement? How do I want to do that? And even if an incident happens six months from now, the crucial thing is that this plan exists — that you can prove you’ve already started working on the implementation. Just like Dennis said earlier: if an incident occurs, it comes down to fines, and you need to show that you’ve engaged with the implementation requirements.
So how do we start? This may sound trivial, but it starts with an initial assessment. That can be based on different topics or best-practice standards. Right now, we recommend doing an assessment loosely based on ISO 27001 — I’d call it “light.” It’s really focused on the areas specifically required by NIS2. I won’t go into this in detail now, but there is a corresponding standard and also recommendations from the BSI that can be used as a guide.
At secunet, we’re already running several NIS2 projects, and we’ve found that these assessments no longer need to be conducted on-site through long interviews. Instead, we often use self-assessment questionnaires — especially since many of these companies have complex structures: one plant here, another there, maybe a subsidiary or sister company as well.

With these self-assessment forms, we get a good initial sense of the company’s information security maturity level. We look at eleven topic areas, which are structured and covered very compactly — about two to three pages per area. That gives a solid basis for evaluating current maturity.

And you also look at what your suppliers are actually doing. That should be part of it too, right?

Marlitt

That’s actually the next step. First, you examine how the current supplier management process works. Is there even a complete list of all suppliers? In many companies, something like that doesn’t exist yet — and that’s okay for now. That’s the case in many organizations at the moment. There’s often a very non-transparent supplier landscape because departments place orders independently or use different systems.
That would then be a concrete implementation step: if you discover there’s no clear process and information security isn’t contractually required, then that’s exactly where you need to start. Because you also need to buy information security — meaning, you need to require your suppliers to implement appropriate measures.
If you realize that hasn’t been happening so far, we at secunet have a very helpful handout that outlines exactly what such a process should look like. Then we look together: does this fit the company’s existing structures? And we develop the process jointly. There are one or two templates for implementation — for example, a supplier register where you list and assess relevant partners. All kept very compact, because implementation is of course a complex topic — I don’t want to gloss over that. That’s why it’s all the more important that the guidance and support are clear, easy to understand, and well-structured.

Are there things like minimum measures where you’d say: You should definitely start with this — it’s absolutely essential? Are there pitfalls you see that can be avoided? What measures are truly necessary, and what typical mistakes should companies steer clear of?

Marlitt

There are definitely measures that can significantly reduce the attack surface — that is, reduce risks substantially and contribute meaningfully to information security.
I always recommend a bottom-up approach and, without a doubt, a penetration test. Just to take a practical look at the network and systems: Are there any immediate vulnerabilities or entry points? This isn’t explicitly required by the NIS2 directive, so I don’t want to overemphasize it here, but in practice it’s simply a very sensible step.
If you really want to be compliant with NIS2, risk management is absolutely essential. It runs through the entire legislation. It’s crucial to take this seriously.
What I find difficult, honestly, is to isolate individual measures, because every topic is important and brings different facets. One thing that must not be missing is employee awareness training. It starts with very simple things, like not plugging a USB stick you found in a restroom into your company PC. These awareness issues are a huge gateway for attackers and therefore a central part of any security strategy.

Dennis, you’re often at conferences and talk to many companies. Are there things you’d say: Watch out — absolutely avoid this? Do you have something to share there?

Dennis-Kenji

Yes, there are definitely some classic mistakes we need to talk about. And what many companies are still lacking are basic principles of information security. I’m not even talking about a mature ISMS with established processes — it’s often the absolute basics that are missing.
The USB stick example is, of course, a textbook case. Ideally, it even says “Private Photos” on it — and that’s exactly why someone plugs it in. But it’s also about very fundamental things like backups. You need to create regular backups in the first place, but they must not remain in the active network or somewhere in the cloud, where they get encrypted along with everything else in an emergency. There’s also often a lack of understanding about why software and operating systems need to be patched regularly. It’s not just done out of routine — it’s because vulnerabilities have been identified that need to be closed.
I was just discussing this with participants at an event yesterday. Awareness has become a bit of a buzzword, but it’s still a highly relevant issue. Many cyberattacks only succeed because that very awareness is lacking — both at work and in private life.
A recent example: the fake DHL campaigns. People get SMS messages, click on fake websites, enter their credit card details — and just like that, cybercriminals are financing their next sports car or luxury shopping spree. And these aren’t new tactics. These DHL phishing campaigns have been around for over a decade — they’ve just been continually refined because they’re so profitable.
What’s still lacking is a basic understanding of information security — and that’s exactly what we’re working on at the cyberintelligence.institute. With our campaigns, we hope to raise awareness a bit more — right where it’s needed.

Frank

And I believe it starts at the top. If the management’s first reflex is to call a lawyer to clarify what this law is — instead of asking what the actual risk is — then that’s already the wrong starting point. This isn’t a one-time measure that gives you peace of mind for two years. It will be a permanent part of business operations — and remain so.

Yes, absolutely. Especially in the IoT space, projects are evolving extremely quickly. We see so many exciting use cases in our network — for example, accessing data in customer infrastructures. Even there, of course, it’s clearly regulated which data is accessible and how. But the projects keep developing, constantly. That’s exactly why it’s an ongoing issue — particularly in the IoT sector. It’s always about checking: Who has access to which data? When? How? And in these highly complex, connected systems, it’s becoming increasingly important to continuously deal with such questions.

Marlitt

Yes, and also to keep an eye on the threat landscape. Every time something changes in the production environment, you should ask: Is my risk assessment still up to date? That’s why it’s so important to work closely with manufacturers or your own development team — to ensure that the level of information security remains high over time.

Exactly. When, for example, product development rolls out a new feature that suddenly provides access to data sources you didn’t previously have, then that needs to be considered right from the start. That’s where it begins — and sometimes it really does come full circle back to a USB stick.

Marlitt

Yes, absolutely! We’re currently supporting projects where new technologies have been introduced — like a brand-new point-of-sale system, super modern, everything seemed perfect. But in the end, it had to be completely dismantled because the communication connection wasn’t secure and couldn’t be adjusted appropriately. There are plenty of examples like that. That’s why: information security needs to be considered from the very beginning — in every project, in every area of the company. In the long run, that’s the most cost-effective way. Because if you retrofit it later, it’s usually much more expensive.

Yes, very true. I can only encourage you all: Keep engaging with this topic. I’ll include a few helpful links in the show notes, and Marlitt, Frank, Dennis — I’d also like to link your LinkedIn profiles. Feel free to connect, share best practices on how you’re tackling information security in your companies, and just start the conversation.

[39:16] Transferability, scaling and next steps – Here’s how you can use this use case

Projects are constantly evolving, and now suddenly the topic of AI is everywhere. AI algorithms are increasingly being integrated into data platforms. Especially in mechanical engineering, this is currently a hot topic that’s featured at many trade fairs. It often also comes down to questions around monetization. But what I’d like to know is: From your perspective, what else is coming in the future — for us and for companies?

Marlitt

Well, attacks will definitely change — they’ll become more complex and more sophisticated. Sure, companies are using AI to optimize production or develop new products. But at the same time, attackers are also using artificial intelligence for their own purposes.
Companies must therefore prepare for much more targeted attacks in the future — from the internet, from all over the world, and with entirely new facets. That’s something I clearly see coming. But Dennis, I’m sure you have an interesting take on this as well.

Dennis-Kenji

Yes, as you said, Marlitt, AI has definitely changed not just the threat landscape, but also the cybersecurity industry itself — and not just since the rise of large language models. Automated anomaly detection in computer networks using AI has been in use for years. I actually co-authored a book back in 2019 that covered exactly these kinds of technologies.
What’s new, though, is that cyber attackers are also increasingly using AI — for example, to optimize their attacks, improve efficiency, and deliberately acquire information that wasn’t previously available to them.
Another future topic I see is quantum computing. I’m following it closely — also from a cybersecurity perspective. For instance, the NSA is already storing data that it currently can’t decrypt, because it’s protected by today’s encryption standards.
Things are also happening here in Germany: the German Cyber Agency recently published a call for tenders for the development of the first mobile quantum computers. We’ll see how feasible that really is, but progress is clearly being made.
And not without reason: The U.S. National Institute of Standards and Technology already published the first three finalized post-quantum encryption standards in mid-August of last year. That clearly shows: We’re facing profound changes in information security over the next few years. I’m convinced the next five years will be critical in this field.

That definitely warrants a follow-up episode on this topic! I think there’s still so much more to discuss. But thank you already for your exciting insights into the future. And maybe just a final thought from my side: you can clearly see that this is not just a classic regulatory topic — it’s also about mindset changes, especially at the executive level, about clarifying responsibilities, and ultimately about technical implementation.
That looks different in every company. All the better that there are experts for exactly this. So once again, I can only encourage you: keep engaging with this topic, reach out to Dennis, Marlitt, or Frank, connect, ask questions.
From my side, all that’s left to say is: Thank you for being here today! It’s been truly insightful, and I’d like to give you the last word.

Marlitt

Yes, definitely: Don’t let yourselves get overwhelmed — that’s really important to me. Take it step by step. Every single step toward information security is important and the right one. Don’t be discouraged by the regulatory side — I really want to stress that. Information security is so, so important — for its own sake, for your business. And sometimes minimal measures are enough to fend off attacks.

Frank

I’d say: Tackle it, don’t wait – just do it. Get started. Don’t count on the German NIS2 implementation law perhaps only coming at the end of the year, giving you ‘a bit more time.’ The hacker couldn’t care less about that. So: get started.

Dennis-Kenji

Yes, I’d say: we should also think about cybersecurity from a positive perspective. If I’m resilient as a company, then I’m also innovative — because I’m establishing new best practices. And: cybersecurity is increasingly becoming a selling point. If I can prove I’m compliant, I can differentiate myself from other companies or providers who haven’t yet implemented that compliance in these uncertain times. That’s why I can only repeat Frank’s message: Start now — don’t wait. Because honestly, if you’re only starting now, you’re already late.

Marlitt

Let’s not be so negative here – we want to motivate, after all!

But that’s a nice concluding thought for today. With that, thank you all very much, and I wish you a great rest of the week. Take care – see you soon!

Ing. Madeleine Mickeleit

Host & General Manager
IoT Use Case Podcast