With the mandatory implementation of the NIS 2 Directive, the topic of cybersecurity has finally made its way into the boardrooms. Article 20 of the European directive clearly stipulates that management bodies are responsible for implementing the prescribed security measures. On the one hand, this raises awareness in key areas, but it also carries the risk that cybersecurity will be reduced to a mere compliance issue—which would also expose the core of the problem: a certificate on the wall alone has never stopped a hacker!
Processes, technology, people! In our view, comprehensive security can only be achieved through the effective interplay of these three factors. However, in our daily consulting and penetration testing projects, we are increasingly finding that companies tend to focus heavily on processes—or policies—while often neglecting the technical and human aspects.
Policy and the Shop Floor: Lost in Translation, or: A Classic from OT
To comply with national legal requirements (e.g., NISG 2026 in Austria) and avoid severe penalties, it is, of course, necessary to thoroughly understand the NIS 2 topics. However, such regulations should not become an end in themselves, but rather be seen as another opportunity to strengthen one’s own cyber resilience and ensure future readiness. A look at reality, however, often paints a different picture.
Let’s take a look at a classic scenario from the OT world: our example company has, commendably, recently implemented a brand-new secure network concept to achieve NIS2 compliance. This concept addresses topics such as “network zoning,” “microsegmentation,” and “zero trust,” along with additional monitoring and logging capabilities. What sounds logical and straightforward on paper, however, presents the OT engineer with nearly insurmountable challenges: a historically evolved infrastructure with decades-old controllers, legacy protocols, and operating systems—whose security updates may soon be discontinued—simply does not fit into this new concept. The engineer now faces the challenge of translating a state-of-the-art IT security concept to systems that, on the one hand, were never built for this purpose and, on the other hand, prioritize availability above all else. If the specific cybersecurity integration expertise is lacking and every intervention carries the risk of bringing production to a standstill, there is a high risk that the painstakingly developed and expensively purchased policy will degenerate into a useless piece of paper, and the plant will remain unprotected.
Is the attack vector human or technological?
According to the ENISA Threat Landscape report (October 2025), more than 60% of all cyberattacks begin with phishing or social engineering! This means that the most common attack vector is the human being themselves. One might therefore think that raising awareness is far more important than implementing technical measures. Our clear answer to this argument is: YES AND NO. While the initial attack is often triggered by human “mistakes,” the uncontrolled spread within the network clearly occurs on a technical basis. So if an employee clicks on a well-crafted phishing email and thereby unintentionally hands over their password to the attacker, that’s annoying. However, a stolen password alone does not normally cripple an industrial plant. That only happens when the technical infrastructure offers no resistance.
Dragos’ OT Cybersecurity Year in Review Report confirms this annually and highlights the following pattern: attackers obtain (e.g., through phishing) the VPN access credentials of external maintenance service providers and can then move unimpeded through insecure interfaces between IT and OT networks. In doing so, they do not circumvent abstract governance structures; they simply exploit the fact that the network segmentation required on paper was never fully configured on the decades-old systems from our example. Clicking on the phishing email was the trigger; the lack of technical measures was the actual cause of the damage.
What are we trying to say? Traditional cybersecurity awareness training is an essential tool for building an initial, effective line of defense against cyberattacks at the employee level. However, this line of defense can be breached, particularly due to the increasing sophistication of covert attacks in this area. We must therefore assume that such cyberattacks will occur and will be successful. However, such compromises only escalate into major security incidents when established policies cannot be translated into actionable measures.
The Paradigm Shift: From Awareness Training to True Cyber Resilience
Article 21 of the NIS2 Directive explicitly requires “state-of-the-art” risk management measures. To comply with this requirement, the interplay between the three key factors mentioned above must be strengthened. Management establishes guidelines based on the directives (processes), technology provides the necessary tools, and the human factor—the decisive element—orchestrates all of this into a functioning cybersecurity system.
At a time when the threat posed by cyberattacks is constantly growing, there is a need for well-trained professionals with specialized technical skills and knowledge in the areas of cloud computing, OT security, and secure coding. However, according to the annual (ISC)² Cybersecurity Workforce Study, the industry faces a severe shortage of such professionals.
We must therefore focus on providing skilled professionals with a solid education that empowers them technically. An empowered OT engineer, for example, knows how to set up “zones and conduits” in a brownfield network, how to properly configure firewalls, and how to best implement incident response for their systems. In software development, the focus should ideally be on “secure design” rather than reactive bug fixes. Developers know how to create threat models even before the first line of code is written, how to securely manage secrets, validate inputs, and integrate automated security tests directly into the CI/CD pipeline.
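The gap between the zoning concept on paper and the rule base actually loaded on the IT/OT boundary is something an empowered OT engineer can check mechanically. The following script is an added example written for this article, not code from the author or from Limes Academy: it parses a small, constructed firewall rule base and audits it against a hypothetical “zones and conduits” policy (IT and vendor VPN ranges may reach the OT zone only through a conduit, legacy OT protocols stay inside the OT zone, and the rule base ends with an explicit deny). All addresses, zone names, port lists and rule lines are constructed for illustration.

```python
"""Audit a constructed firewall rule base against an IT/OT zoning policy.

Added example, not from the original article. It checks whether the zones and
conduits a written security concept prescribes are actually enforced in the
rule base, i.e. the paper-versus-plant gap the article describes.
Every zone range, port number and rule line below is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical zone map; real plants derive this from their network inventory.
ZONES = {
    "IT":      ipaddress.ip_network("10.10.0.0/16"),
    "CONDUIT": ipaddress.ip_network("10.15.0.0/24"),   # jump hosts between IT and OT
    "OT":      ipaddress.ip_network("10.20.0.0/16"),   # controllers, HMIs, engineering stations
    "VPN":     ipaddress.ip_network("10.99.0.0/24"),   # external maintenance providers
}
ANY = ipaddress.ip_network("0.0.0.0/0")

# Legacy OT protocols that must only be reachable from inside the OT zone (constructed list).
OT_ONLY_PORTS = {102: "S7comm", 502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}


@dataclass
class Rule:
    line: int
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]             # None means any destination port


def parse_rule(line_no: int, text: str) -> Rule:
    """Parse one rule in the constructed format: '<action> <proto> <src> <dst> <port|any>'."""
    action, proto, src, dst, port = text.split()
    return Rule(line_no, action, proto, ipaddress.ip_network(src),
                ipaddress.ip_network(dst), None if port == "any" else int(port))


def load_rules(text: str) -> list:
    """Turn a multi-line rule base into Rule objects, numbering non-empty lines from 1."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return [parse_rule(i, ln) for i, ln in enumerate(lines, start=1)]


def zone_of(net: ipaddress.IPv4Network) -> str:
    """Name the zone an address range belongs to; 'ANY' for 0.0.0.0/0, 'OTHER' if unmapped."""
    if net == ANY:
        return "ANY"
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "OTHER"


def audit(rules: list) -> list:
    """Return one finding per policy violation; an empty list means the rule base matches the concept."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        s, d = zone_of(r.src), zone_of(r.dst)
        into_ot = d in ("OT", "ANY")            # a permit to 0.0.0.0/0 also reaches OT
        if into_ot and s in ("IT", "VPN", "ANY"):
            findings.append(f"line {r.line}: {s} -> OT permitted directly, bypassing the conduit")
        if into_ot and s != "OT" and r.port in OT_ONLY_PORTS:
            findings.append(f"line {r.line}: {OT_ONLY_PORTS[r.port]} (port {r.port}) exposed to {s}")
        if into_ot and s != "OT" and r.port is None:
            findings.append(f"line {r.line}: any-port permit into OT from {s}")
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and last.src == ANY and last.dst == ANY):
        findings.append("rule base does not end with an explicit 'deny any any'")
    return findings


# Constructed rule base: one compliant conduit rule, two typical "paper only" gaps.
RULE_BASE = """
permit tcp 10.15.0.0/24 10.20.0.0/16 3389
permit tcp 10.10.0.0/16 10.20.0.0/16 502
permit any 10.99.0.0/24 10.20.1.0/24 any
permit tcp 10.20.0.0/16 10.20.0.0/16 102
deny any 0.0.0.0/0 0.0.0.0/0 any
"""

if __name__ == "__main__":
    for finding in audit(load_rules(RULE_BASE)):
        print(finding)
```

Run against the constructed rule base, the script accepts the jump-host rule (line 1) and the OT-internal S7 rule (line 4) but flags the direct IT-to-OT Modbus permit and the any-port vendor VPN permit, which is exactly the kind of “segmentation required on paper but never configured” gap that turns a phished credential into a plant outage. In practice the rule input would come from an export of the boundary firewall, and the zone map from the plant’s asset inventory.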
Conclusion
If we succeed in taking the necessary steps toward robust training and professional development, security will no longer be viewed as a burdensome obligation. It will establish itself as an integral part of the engineering discipline, thereby closing the loop and translating strategic objectives into effective and sustainable security through guidelines. Companies that want to sustainably translate their NIS2 strategy from paper into practice invest in precisely this interface. They bring people on board and equip them with the tools for implementation. When these teams are empowered to create secure architectures, design error-free code, and develop and operate products securely, then policies, technical measures, and human expertise mesh seamlessly.
The Author
Kerstin Reisinger is an experienced IT/OT security expert. As a long-time project manager on complex OT security projects, she supports industrial companies and energy providers with her extensive technical expertise. As Head of Limes Academy and a trainer, she enjoys sharing her project experience, spicing it up with real-life stories and anecdotes from the field.