
NIS-2 & CAN

A technical classification
February 4, 2026
---

NIS-2 and the Limits of Traditional Network Security: A Technical Classification


Since December 6, 2025, the NIS-2 Implementation Act applies in Germany. For around 30,000 companies, a fundamental question arises: Do the existing security architectures meet the new legal requirements – or is action needed?


The Regulatory Starting Point


The NIS-2 Implementation Act significantly expands the circle of regulated companies. It now affects not only traditional critical infrastructure operators but also companies in the manufacturing sector, IT service providers, and numerous other industries. The threshold is set at 50 employees or 10 million euros in annual revenue.

The principal novelty is the personal liability of management. Section 38 of the BSIG obliges managing directors and board members to "approve and monitor" risk management measures. A waiver of claims for breach of this duty is expressly invalid.

The penalty frameworks differentiate by company category: Up to 7 million euros or 1.4% of global annual revenue for "important entities," up to 10 million euros or 2% for "particularly important entities."


Where Traditional Architectures Reach Their Limits


The Perimeter Problem


Most companies rely on a combination of perimeter firewalls, VLANs, and VPN access. This architecture follows the "Castle-and-Moat" principle: a strong protective wall on the outside, trust on the inside.

This model has a systematic blind spot: East-West traffic. Communication within the network remains largely uncontrolled. An attacker who has breached the perimeter – for example, through phishing or compromised credentials – can move laterally through the network.

The numbers are sobering: Over 70% of successful cyberattacks utilize lateral movement. 96% of this behavior does not trigger an alert in SIEM systems. The average time to complete compromise is 48 minutes.


VLANs: Segmentation without control


VLANs segment networks at Layer 2 but do not control communication within a segment. They require manual ACL configuration – with all the associated sources of error. Studies show that 70-80% of all firewall rules in large companies are outdated or redundant.

NIST SP 800-207 puts it succinctly: "Perimeter-based network security has proven inadequate, as attackers can move laterally unhindered after breaching the perimeter."


VPNs: Once authenticated, everything is open


VPNs authenticate users upon connection and then grant broad network access. Compromised VPN access – whether through stolen credentials or a VPN zero-day – means access to the entire network.

The NIS-2 requirement for "continuous authentication" (§30 para. 2 no. 10) is diametrically opposed to this model.


What §30 BSIG specifically requires


The law defines ten mandatory measures for risk management. Three of these are particularly difficult to demonstrate with traditional architectures:

Access control and access management (No. 9): Control is required not only at the network entry point but across all communication relationships. Service accounts make up over 70% of network identities, but only 2.6% of the granted permissions are actually used.

Continuous authentication (No. 10): The law explicitly requires "solutions for multi-factor authentication or continuous authentication." One-time authentication at the perimeter does not meet this requirement.

Supply chain security (No. 4): This also concerns the security providers themselves. US-based SASE solutions are subject to the CLOUD Act. US authorities can enforce data disclosure – regardless of the server location, without prior notification. The use of US cloud services is not permitted for classified information.


The BSI IT Basic Protection as a guideline


The BSI has created a detailed catalog of requirements with the IT Basic Protection. Three components are central to network security:

NET.1.1 Network Architecture and Design requires "network separation into security zones" with a whitelisting principle. Traditional VLANs formally meet this requirement but fail in the dynamic reality of modern IT environments.

ORP.4 Identity and Access Management requires the "principle of least privilege" and, in cases of increased protection needs, "multi-factor authentication with cryptographic certificates."

CON.1 Cryptographic Concept requires the "selection of appropriate cryptographic methods considering BSI TR-02102." The recommendation to migrate to post-quantum cryptography by 2030 should be taken into account for long-term architectural decisions.


Sector-specific requirements


Manufacturing industry


IT/OT convergence presents manufacturing companies with particular challenges. OT systems have lifecycles of 15-20 years, and many run on legacy operating systems without native security features. The priority is availability – production downtime incurs immediate costs.

IEC 62443 defines the zones-and-conduits concept. Security Level 2 requires "protection against intentional violation with simple means," SL-3 "with advanced means and IACS specialized knowledge."

Solutions that protect legacy OT systems through "virtual patching" – that is, protective measures in front of the device rather than on the device – address both requirements: compliance without interfering with sensitive production systems.


Energy sector


Energy suppliers are "operators of critical facilities" and are additionally subject to the IT security catalog of BNetzA as well as the EU Network Code on Cybersecurity. Certification according to ISO 27001 and ISO 27019 is mandatory.

§31 BSIG additionally requires "systems for attack detection" – a requirement that goes beyond the standard NIS-2 measures. The reporting obligations are stricter: 24 hours for the initial report, a contact point available around the clock.

The use of US SASE providers must be critically assessed for KRITIS operators. The Scientific Service of the Bundestag confirms that US authorities can compel US companies to release data – regardless of the server location.


Technical solution approaches


The alternative to the perimeter model is identity-based segmentation. Instead of defining network boundaries, each asset is given a cryptographic identity. Communication occurs only between explicitly authorized identities.

This approach systematically addresses the NIS-2 requirements:

  • Risk analysis: Automated asset inventory through cryptographic identities
  • Access control: Technical enforcement of the least privilege principle
  • Continuous authentication: Each connection is authenticated individually
  • Cryptography: End-to-end encryption of all traffic
  • Supply chain security: Installation in the customer environment, no third-country transfer

The BSI position paper on Zero Trust 2023 recommends "gradual integration while maintaining existing security measures." The approach does not immediately replace everything but complements and strengthens existing investments.
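One way to implement the identity-based allow-list described above, as an added example that is not code from the original post or from any product it names: each asset is identified by the fingerprint of its certificate, every connection is decided individually against an explicit allow-list with default deny (so a peer in the same zone gains nothing from zone membership alone), rules that are granted but never exercised are flagged for review, and all permitted relationships can be exported for the audit questions at the end of the post. Asset names, certificate bytes, zones and ports are constructed sample values.

```python
import hashlib
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, str, int]  # (source asset, destination asset, TCP port)

def fingerprint(cert_der: bytes) -> str:
    """Identity of an asset = SHA-256 over its certificate (DER bytes)."""
    return hashlib.sha256(cert_der).hexdigest()

# Constructed sample inventory: asset name -> (security zone, certificate bytes).
# A real deployment would use the X.509 certificate issued to each asset.
INVENTORY = {
    "erp-app": ("office",     b"CERT-erp-app-2026"),
    "erp-db":  ("office",     b"CERT-erp-db-2026"),
    "hmi-01":  ("production", b"CERT-hmi-01-2026"),
    "plc-07":  ("production", b"CERT-plc-07-2026"),
}
REGISTRY: Dict[str, str] = {fingerprint(c): n for n, (_, c) in INVENTORY.items()}

# Explicit allow-list of communication relationships; everything else is denied.
POLICY: Set[Rule] = {
    ("erp-app", "erp-db", 5432),  # application -> database
    ("hmi-01",  "plc-07", 502),   # HMI -> PLC (Modbus/TCP)
    ("erp-app", "plc-07", 502),   # granted long ago, never used (stale rule)
}

def authorize(src_fp: str, dst_fp: str, port: int) -> Tuple[bool, str]:
    """Decide one connection: both peers must present a registered certificate
    identity, and the (src, dst, port) relationship must be explicitly listed.
    Sharing a zone or VLAN with the destination grants nothing by itself."""
    src, dst = REGISTRY.get(src_fp), REGISTRY.get(dst_fp)
    if src is None or dst is None:
        return False, "unauthenticated peer"
    if (src, dst, port) not in POLICY:
        return False, f"no rule {src}->{dst}:{port}"
    return True, f"allowed {src}->{dst}:{port}"

def unused_rules(observed: List[Rule]) -> Set[Rule]:
    """Rules granted but never seen in the flow log: candidates for removal."""
    return POLICY - set(observed)

def export_relationships() -> List[str]:
    """Audit export: every permitted relationship with its zones, sorted."""
    return sorted(f"{s} ({INVENTORY[s][0]}) -> {d} ({INVENTORY[d][0]}):{p}"
                  for s, d, p in POLICY)
```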


The question of sovereignty


When selecting security solutions, one aspect deserves special attention: the jurisdiction of the provider.

US-based providers are subject to the CLOUD Act. This specifically means:

  • Access to data regardless of server location
  • No prior notification to the customer
  • Applicable even in contradiction to local law

The Schrems II ruling by the CJEU declared Privacy Shield invalid. The successor framework DPF is based on an executive order and can be revoked at any time.

For companies with increased protection needs – especially in the critical infrastructure environment – the question of data sovereignty is therefore not academic, but operationally relevant.


Criterion             US-based solution    EU-sovereign solution
CLOUD Act             applicable           not applicable
Key control           at the provider      at the customer
VS-NfD suitability    no                   possible
Schrems II risk       present              not present


Questions for audit preparation


The NIS-2 oversight will require evidence. The following questions should be answered by each organization:

  1. Segmentation: Can you prove each security zone with owner, review date, and change log?
  2. Lateral movement: How do you technically prevent a compromised system from communicating with other systems?
  3. Authentication: Is each connection authenticated individually, or just the network entry?
  4. Encryption: Is your East-West traffic encrypted, or just the perimeter traffic?
  5. Supply chain: Is your security provider subject to the US CLOUD Act?
  6. Documentation: Can you export and audit all communication relationships?


Conclusion


The NIS-2 Implementation Act marks a paradigm shift in German cybersecurity regulation. The requirements for continuous authentication, documented segmentation, and supply chain security go beyond what traditional perimeter architectures can provide.

The decision for a specific security architecture is no longer just a technical question. It has regulatory, liability, and – in the case of US providers – geopolitical dimensions.

Companies that want to meet the NIS-2 requirements and maintain their digital sovereignty should systematically assess their existing architecture against the legal requirements. The questions from the audit section provide a starting point for this.




This post is based on a technical analysis of the NIS-2 requirements and their implementation in different security architectures. For an individual assessment of your compliance situation, we recommend consulting with your legal and security advisors.
