
NIS2 gap analysis strengthens IT security for a machinery manufacturer

Solution example: secunet NIS-2 gap analysis
4 minutes reading time

An internationally operating machinery manufacturer has prepared for the implementation of the new NIS2 Directive requirements. To this end, the organization conducted an NIS2 gap analysis. During implementation, the globally active production company collaborated with secunet Security Networks AG. The company provides its clients with solutions, products, and services in the field of IT security and also offers sustainable information security consulting.

The challenge: Digital industry and rising risks

Large parts of the industry have transitioned to digital processes. Modern machines are connected to backend systems, analyze operational and field data, and receive updates. They also communicate with each other and with machines from other manufacturers. This interconnectivity increases the attack surface for unauthorized access and manipulation. The European Commission therefore requires the EU Member States to take measures to strengthen cybersecurity through the Network and Information Security Directive 2 (NIS2 Directive).

What the NIS2 Directive requires from companies

Based on the NIS2 Directive, each EU Member State is obliged to enact corresponding national legislation. The directive defines parameters to determine whether companies and organizations are subject to its requirements.

To assess whether an organization falls within the scope of the national NIS2 implementation law, two criteria in particular must be taken into account: the industry or sector (field of activity) and the company size (number of employees, annual turnover, and annual balance sheet total).

To support organizations in assessing their relevance under the German NIS2 implementation law, the Federal Office for Information Security (BSI) provides a dedicated assessment procedure.

A central element required by both the NIS2 Directive and the national implementation laws is the establishment of an information security risk management system. This forms the foundation of information security and enables organizations to evaluate individually whether the measures taken are appropriate to continuously enhance their information security level.

The German NIS2 implementation law defines binding areas and measures that affected companies must implement. These include, in particular, technical and organizational cybersecurity measures that meet the current state of the art. This involves securing and maintaining IT infrastructure and industrial systems, as well as measures related to personnel security and effective management of service providers. In addition, security policies must be established, maintained, and consistently followed. Another key requirement is the obligation to report significant security incidents to the competent authorities within 24 hours of becoming aware of them.

The new regulations also significantly increase the responsibility of executive management, which is liable for violations in accordance with the company’s legal form. Furthermore, organizations face substantial fines of up to 10 million euros or alternatively two percent of their global annual turnover. These stricter requirements create significant pressure for companies to promptly adapt and strengthen their IT security measures and processes.

Implementation: How the project was carried out

The organization conducted the relevance assessment independently. The first project step was a kickoff meeting to coordinate the specific approach and raise awareness among all participants about the topic. Subsequently, gap analyses were prepared for each site in the form of self-assessments. For this purpose, secunet created questionnaires and made them available for completion. Depending on the consolidated results of the questionnaires, additional interview sessions were conducted. Complex subject areas were also examined in greater detail during these interviews. In addition, reviews of selected policy and guideline documents were carried out. The overall results were presented in a final presentation, which included the current status, identified findings, a potential treatment plan, and the maturity levels of various subject areas along with corresponding prioritization. The assessment was based on the following twelve subject areas. These also form the foundation for the subsequent implementation phase, which began after the completion of the analysis.
