
NIS2 for Techies: What the directive actually means

Tags: NIS2, Security, Compliance

What is NIS2?

The NIS2 directive (Network and Information Security Directive 2) is the successor to the 2016 NIS directive and came into effect in January 2023. Companies in certain sectors must implement appropriate measures by October 2024.

Affected sectors include energy, transport, healthcare, digital infrastructure, public administration, food and waste management; within these sectors, any organization with more than 50 employees or 10 million euros in annual revenue falls under the directive.

What does NIS2 technically require in practice?

Many articles remain vague. I'll try to be more specific:

1. Risk Management

NIS2 requires a documented process for identifying and evaluating risks. For IT teams, this means:

  • Inventory of all critical systems
  • Risk classification (What happens if system X fails?)
  • Documented procedure for risk decisions

2. Incident Response

Companies must report security incidents to authorities within 24 hours and submit a preliminary report within 72 hours.

Technically, this means:

  • Monitoring and alerting for security-relevant events
  • Defined escalation path
  • Documented incident response plan
  • Log aggregation (syslog, SIEM) for traceability
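As an added example that is not part of the article, the following Python script turns the monitoring and reporting points above into something runnable: it scans constructed syslog-style lines for a successful login that follows repeated failures, records the detection time, and derives the 24-hour and 72-hour reporting deadlines the article names. The detection rule, the log format and the report names are assumptions for illustration, not requirements taken from the directive.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (ISO-timestamp syslog style), not captured from a real host.
SAMPLE_LOG = """\
2024-10-17T08:00:01Z web01 sshd[1201]: Failed password for root from 203.0.113.7 port 51422 ssh2
2024-10-17T08:00:03Z web01 sshd[1201]: Failed password for root from 203.0.113.7 port 51423 ssh2
2024-10-17T08:00:05Z web01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51424 ssh2
2024-10-17T08:00:09Z web01 sshd[1201]: Accepted password for root from 203.0.113.7 port 51425 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) \S+: (?P<msg>.*)$")
FAIL_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")
OK_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")

# Reporting clock as the article states it, counted from detection: 24 h and 72 h.
DEADLINES = {"initial_report": timedelta(hours=24), "preliminary_report": timedelta(hours=72)}

def parse(line):
    """Split one log line into timestamp, host and message; None if it does not parse."""
    if not (m := LINE_RE.match(line)):
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))  # aware UTC datetime
    return ev

def detect(lines, fail_threshold=3):
    """Flag a source that logs in successfully after at least fail_threshold failed attempts."""
    failures = defaultdict(int)
    incidents = []
    for ev in filter(None, map(parse, lines)):
        if f := FAIL_RE.search(ev["msg"]):
            failures[(ev["host"], f["src"])] += 1
        elif a := OK_RE.search(ev["msg"]):
            key = (ev["host"], a["src"])
            if failures[key] >= fail_threshold:
                incidents.append({"host": ev["host"], "src": a["src"], "user": a["user"],
                                  "detected_at": ev["ts"], "failures_before": failures[key]})
    return incidents

def reporting_deadlines(detected_at):
    """Absolute due time for each report, keyed by report name."""
    return {name: detected_at + delta for name, delta in DEADLINES.items()}

def overdue_reports(incident, now, submitted=()):
    """Names of reports whose deadline has passed with no submission recorded in `submitted`."""
    return [name for name, due in reporting_deadlines(incident["detected_at"]).items()
            if now > due and name not in submitted]
```

Feeding `overdue_reports` the current time and the set of reports already filed gives the escalation path a concrete check that can be logged alongside the incident record.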

3. Patch Management

Security-relevant updates must be applied promptly. No exact time window is defined, but "promptly" is evaluated in audits. Structured patch management with Ansible or similar tools is the foundation here.

4. Access Control and Authentication

  • Role-Based Access Control (RBAC)
  • Principle of Least Privilege
  • Multi-Factor Authentication for critical systems
  • Documented user and permissions management

5. Network Security

  • Network segmentation: production environments separated from development/testing
  • Firewall rules documented and regularly reviewed
  • Encryption of sensitive communication (TLS, VPN)

6. Supply Chain Security

NIS2 also addresses suppliers: Who has access to your systems? Are third-party providers adequately vetted? This is an often-underestimated point.

Practical Recommendations

Start with a gap analysis. Before investing in measures, understand where you stand. A structured analysis against a benchmark (e.g., CIS Controls) helps to estimate the effort realistically.

Prioritize by risk. Not everything has to be perfect right away. Harden, document, and monitor critical systems first.

Automate what can be automated. Patch management, configuration management, compliance checks: all of this can be automated, making it repeatable and auditable.

Document your progress. In audits, not only the current state is important, but also the demonstrable process.

Conclusion

NIS2 is not purely a legal matter: there are concrete technical requirements that must be implemented in the infrastructure. Many points are good hygiene that you should have anyway. The difference is the obligation to document and the defined reporting process for incidents.

For questions regarding NIS2 compliance in your infrastructure – contact me.
