Implementing NIS2: Gap Analysis and Prioritized Actions Before Year-End
6. November 2025
Current Status 2025 – What Companies Have Already Achieved
Although national implementation of the NIS2 Directive is still underway, many companies are already acting in accordance with the new requirements. Responsibilities and reporting channels have been defined, risk analyses are established, and SOC structures have been expanded. The development of operational control mechanisms for incident response and cyber risk management is visibly progressing.
According to Bitkom (CISO Report 2025), 64% of affected companies have implemented formal cyber risk management, and over 70% have defined incident response processes. Progress is evident, yet operational practices reveal significant differences in depth, integration level, and system coverage.
NIS2 Compliance Reality Check: Technical Deficiencies and Operational Gaps
Despite these advances, critical implementation gaps remain. Audits and technical assessments show that many companies fulfill key requirements only partially or in a purely formal manner:
- SIEM infrastructures exist but are not fully integrated. OT assets and external service providers are often not actively monitored.
- Identity & Access Management (IAM) is frequently incomplete – privileged access often lacks MFA, and shadow IT bypasses central controls.
- Patch management and vulnerability scanning are still mostly manual or infrequent – especially concerning third-party applications or IoT components.
- Supply chain security is addressed organizationally but lacks technical enforcement via monitoring, certification, or penetration testing.
- Business continuity plans exist, but failover tests and recovery time and recovery point objectives (RTO/RPO) are rarely validated in practice.
Final Sprint for NIS2: Prioritized Actions by Year-End
In the remaining months, the focus is on controllable, auditable mechanisms:
- Network segmentation and fine-grained access policies
Zero Trust principles, microsegmentation, and software-defined network zones reduce lateral movement. Remote access, especially in OT environments, should be secured via ZTNA.
- Automated vulnerability and patch management
Regular scans, risk-based prioritization, automated rollouts, and asset categorization by criticality improve protection of the attack surface and audit readiness.
- MFA and privileged access security
Privileged accounts need consistent MFA policies, session monitoring, and just-in-time access. OT environments must receive the same level of protection.
- Technical supply chain security
SBOM-based transparency, API gateway policies, dependency scanning, and Zero Trust access for vendors ensure practical control of third-party risks.
- Operationalizing incident response
SOAR-driven playbooks, red team simulations, recovery drills, and KPIs (MTTD/MTTR) boost responsiveness and audit validity.
The focus is clearly shifting toward reproducible technical control mechanisms.
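The gaps listed in the reality check above (unmonitored OT assets, privileged accounts without MFA, stale patches) and the MTTD/MTTR KPIs from the action list can be checked with a small script over exported inventory data. The following is an added example, not part of the original article or CONVOTIS tooling; the inventory, account and incident records are constructed sample data, and the patch SLA and KPI targets are assumed values.

```python
"""Gap-analysis checks over constructed NIS2-style inventory data (example only)."""
from datetime import datetime
from statistics import mean

# Constructed sample records: one IT server, one OT controller outside SIEM
# coverage, one vendor-owned IoT device with a long-overdue patch.
ASSETS = [
    {"name": "erp-app01", "zone": "IT", "siem_monitored": True, "days_since_patch": 12},
    {"name": "plc-line3", "zone": "OT", "siem_monitored": False, "days_since_patch": 400},
    {"name": "hvac-iot", "zone": "IoT", "siem_monitored": False, "days_since_patch": 95},
]
ACCOUNTS = [
    {"user": "admin-db", "privileged": True, "mfa": False},
    {"user": "svc-backup", "privileged": True, "mfa": True},
    {"user": "jdoe", "privileged": False, "mfa": False},
]
# (id, occurred, detected, resolved) timestamps, constructed.
INCIDENTS = [
    ("INC-1", "2025-10-01T08:00:00", "2025-10-01T09:30:00", "2025-10-01T15:00:00"),
    ("INC-2", "2025-10-05T22:00:00", "2025-10-06T10:00:00", "2025-10-07T12:00:00"),
]
PATCH_SLA_DAYS = 30            # assumed patch SLA
TARGET_MTTD_H, TARGET_MTTR_H = 4.0, 24.0   # assumed KPI targets in hours


def unmonitored_assets(assets=ASSETS):
    """Assets with no SIEM coverage; OT and IoT zones are the usual blind spots."""
    return [a["name"] for a in assets if not a["siem_monitored"]]


def privileged_without_mfa(accounts=ACCOUNTS):
    """Privileged identities that bypass the MFA policy."""
    return [a["user"] for a in accounts if a["privileged"] and not a["mfa"]]


def stale_patches(assets=ASSETS, sla=PATCH_SLA_DAYS):
    """Assets whose last patch is older than the SLA, with the age in days."""
    return {a["name"]: a["days_since_patch"] for a in assets if a["days_since_patch"] > sla}


def _hours(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def response_kpis(incidents=INCIDENTS):
    """MTTD (occurred->detected) and MTTR (occurred->resolved) in hours, against targets."""
    mttd = mean(_hours(occ, det) for _, occ, det, _ in incidents)
    mttr = mean(_hours(occ, res) for _, occ, _, res in incidents)
    return {"mttd_h": round(mttd, 2), "mttr_h": round(mttr, 2),
            "mttd_ok": mttd <= TARGET_MTTD_H, "mttr_ok": mttr <= TARGET_MTTR_H}
```

Each function returns the finding list an auditor would ask for; in the sample data the MTTR target is met but detection takes too long, which is exactly the kind of KPI evidence the reporting obligations expect.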
NIS2 in Critical Sectors: Architecture Patterns That Work
Cross-sector patterns show that technical consistency and traceability define maturity levels. Implementation examples from critical sectors highlight proven architectural strategies. The key takeaway: security controls must be technically embedded, not just added as a compliance afterthought.
- Finance & Tax:
Identity-first controls, consolidated SIEM pipelines across core banking and cloud workloads, privileged session monitoring, and automated response processes with defined MTTD/MTTR targets.
- Energy & Utilities:
OT telemetry integrated into the SOC, SCADA segmentation, ZTNA for remote access, and compensating controls for unpatchable components. Failover testing ensures service continuity.
- Healthcare & Life Sciences:
Full asset visibility in clinical networks, hardened medical devices, controlled identity chains for patient data, and validated recovery processes in hybrid models.
- Manufacturing:
IIoT integrated into vulnerability management, segregated production networks, automated anomaly detection, and predefined containment paths to avoid downtime.
Across sectors, NIS2 succeeds when security logic is integrated into infrastructure and operational processes.
Technical Architecture for NIS2: Modularity, Automation, Control
A stable, modular IT architecture is essential for implementing NIS2 effectively. Companies that rely on API-first strategies, containerization, and composable architectures can integrate security controls flexibly, rapidly, and without legacy constraints.
Automation is also becoming increasingly important. RPA-based incident detection, automated ticketing systems, and AI-driven anomaly detection not only enhance efficiency but also ensure auditability – a key requirement for reporting obligations.
Operationalizing NIS2: Embedding Security into IT Operations
In the months ahead, the focus will shift from initial implementation to stable operational routines. However, viewing NIS2 as a one-time obligation is short-sighted – the goal is permanent technical integration into day-to-day operations.
CONVOTIS helps companies embed security mechanisms structurally into their architecture, deployment, and monitoring – so that compliance is not just met, but truly lived.