With NIS-2, cybersecurity requirements are becoming stricter for approximately 30,000 companies in Germany. At the same time, there is a significant implementation gap: As the IT trade magazine Security Insider reported in the article “Run auf BSI-Registrierungsportal”, only about 38.5 percent of the affected companies had registered with the BSI by March 6, 2026 – the deadline for mandatory registration. This figure is particularly noteworthy because NIS-2 does not define any fundamentally new requirements. Rather, existing recommendations and standards are now becoming regulatory obligations and thus subject to verification.
NIS-2: Requirements that companies must meet
The NIS-2 Directive deliberately does not specify any particular technologies. It is based on the “state of the art” and defines capabilities that organizations must demonstrate.
Essentially, three key requirements can be identified:
• Early detection of security incidents
• Continuous monitoring of IT systems
• Structured response to incidents
Standards such as ISO 27001 or the “BSI Grundschutz” have emphasized the importance of continuous monitoring, structured incident management, and clearly defined security processes for years.
The three key requirements of NIS-2 are closely interlinked. Without continuous monitoring, incidents cannot be detected early on. And without clear processes, the response in an emergency will remain inadequate. This makes it clear: NIS-2 does not require specific tools, but rather the ability to reliably detect, assess, and handle security incidents.
The real challenge: implementation, not technology
But this is precisely where companies face a difficult challenge: embedding these requirements effectively within their organizational structure and translating them into functional processes. One example is the mandatory reporting of IT security incidents: Companies subject to NIS-2 must not only detect incidents but also assess them within defined timeframes and report them to the relevant authorities. Without clear processes, defined responsibilities, and a functioning incident response system, this is virtually impossible to implement in practice. The shortage of skilled workers, limited internal resources, and a lack of expertise in IT security present companies with major hurdles.
Precisely because these challenges are often not adequately addressed in practice, NIS-2 specifically holds senior management accountable for cybersecurity and makes them liable for any failures. Given the threat landscape, this is a logical step toward giving IT security the business-critical priority it deserves.
When cyberattacks become existential threats
Cybercrime is a multi-billion-dollar industry, and every company is a potential target. An example from last year illustrates the potential consequences of an attack: Fasana, a long-established napkin manufacturer, was forced to file for bankruptcy following a ransomware attack. But other companies are also failing to recover from severe cyberattacks, as reported in the Security Insider article “Cyberattacken treiben deutsche Unternehmen in den Ruin”. This also makes clear that it could have happened to any other organization. This is exactly where NIS-2 comes in: The directive aims to ensure that companies are able to detect attacks early, assess them, and respond effectively before the situation becomes business-critical.
How a SOC Supports NIS-2 Implementation
This is where a Security Operations Center (SOC) becomes relevant, particularly in its managed form. It specifically addresses the gap between requirements and implementation.
A managed SOC translates the abstract requirements of NIS-2 into concrete operational capabilities:
• 24/7 monitoring of security-related events
• Analysis and prioritization by specialized teams of analysts
• Detection of attack patterns based on defined use cases
• Structured incident handling with clear processes and escalation paths
The key added value lies in operational feasibility: companies do not have to attempt to build the aforementioned capabilities within an internally operated SOC, but instead can leverage the existing expertise and infrastructure of experienced service providers. For small and medium-sized businesses in particular, setting up and operating a SOC in-house is not cost-effective, as 24/7 operations require approximately eight specialized staff members who must first be recruited or properly trained. Support from external experts helps alleviate the burden on internal IT teams. Of course, a trusting partnership is the foundation of this. Responsibilities must be defined, relevant data sources integrated, and processes coordinated. Without this foundation, even a SOC cannot be effective.
It is important to note that a Managed SOC is not a regulatory requirement. In practice, however, it is often the most efficient way to reliably meet the required capabilities.
Managed SOC as part of the NIS-2 strategy
A SOC or Managed SOC is central to operational security, but it can only be one component of a comprehensive security strategy.
The following are also required for the sustainable implementation of NIS-2:
• A functioning information security management system (ISMS)
• Systematic risk management
• Business continuity management (BCM)
• Awareness-raising and training for employees and management
Even the best technology only realizes its full value when combined with human input. All employees also play a crucial role in IT security. Through training, they learn how they can contribute to greater security. Employee training sessions cover topics such as social engineering and phishing, whereas management-level training primarily focuses on expanding knowledge of risk management and emergency procedures.
Conclusion: From Regulatory Obligation to Operational Resilience
NIS-2 establishes a binding framework for cybersecurity. In practice, however, it is clear that the greatest challenge lies not in the technology itself, but in operational implementation—with responsibilities and seamless processes being key factors here. This is also reflected in the relatively low registration rate at the time of publication. It shows that many companies are still in the early stages when it comes to translating regulatory requirements into robust processes.
A Managed SOC helps ensure compliance with NIS-2. However, security is not achieved by implementing individual solutions, but through the interaction of various security measures in day-to-day operations. NIS-2 defines the minimum standard. Whether companies achieve true resilience beyond this is demonstrated by the consistent operational implementation of their IT security strategy, which consists of various building blocks. And then, when an attack occurs, it is nipped in the bud thanks to 24/7 monitoring by security experts.