While many organisations focus their NIS2 compliance efforts on organisational measures, one critical area is consistently underestimated: the network infrastructure. Yet it is precisely this that forms the technical foundation for implementing security and achieving compliance.

Why Networks Are Central to NIS2

NIS2 requires, among other things: risk management measures, access controls, incident detection, and system hardening. None of these are achievable without clean network architecture. An unsegmented or historically grown network makes compliance effectively impossible.

Key Requirements for Network Infrastructure

1. Network Segmentation

Flat networks are one of the greatest risks. What is required:

  • Separation of production, office and management networks
  • Isolation of critical systems
  • Clear communication rules between segments

Without segmentation, any compromise automatically becomes a full-network incident. A structured network security assessment reveals where segmentation gaps actually exist in practice.


2. Access Control and Least Privilege

NIS2 requires controlled access. At network level, this means:

  • Restrictive firewall rules
  • No any-to-any communication
  • Access only to necessary systems

In practice, many organisations fail precisely here: firewall rules have grown over years, documentation is sparse, and nobody knows why certain ports are still open.
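As an added illustration (not part of the original article), the following Python script audits a small firewall ruleset for exactly the defects named in requirements 1 and 2: any-to-any rules, rules that open all ports, flows between zones the segmentation policy does not permit, and rules nobody has documented. The zone ranges, the permitted-flow table and the sample rules are all constructed for this example; a real audit would load them from the firewall export and the network documentation.

```python
import ipaddress
from dataclasses import dataclass

# Constructed security zones and permitted cross-zone flows (source, destination).
ZONES = {
    "office": ipaddress.ip_network("10.10.0.0/16"),
    "production": ipaddress.ip_network("10.20.0.0/16"),
    "management": ipaddress.ip_network("10.30.0.0/24"),
}
ALLOWED_FLOWS = {("management", "office"), ("management", "production")}

@dataclass
class Rule:
    rule_id: str
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    port: str     # destination port, or "any"
    action: str   # "allow" or "deny"
    comment: str  # justification; empty means nobody documented why the rule exists

def zone_of(cidr: str) -> str:
    """Map a CIDR to its zone; "any" passes through, unlisted ranges are "unknown"."""
    if cidr == "any":
        return "any"
    net = ipaddress.ip_network(cidr, strict=False)
    return next((name for name, zone in ZONES.items() if net.subnet_of(zone)), "unknown")

def audit(rules: list[Rule]) -> list[tuple[str, str]]:
    """Return (rule_id, finding) pairs for allow rules breaching the requirements above."""
    findings = []
    for r in (r for r in rules if r.action == "allow"):
        src_zone, dst_zone = zone_of(r.src), zone_of(r.dst)
        if r.src == "any" and r.dst == "any":
            findings.append((r.rule_id, "any-to-any rule"))
        elif (src_zone != dst_zone and "any" not in (src_zone, dst_zone)
                and (src_zone, dst_zone) not in ALLOWED_FLOWS):
            findings.append((r.rule_id, f"segmentation violation: {src_zone} -> {dst_zone}"))
        if r.port == "any":
            findings.append((r.rule_id, "all ports open"))
        if not r.comment.strip():
            findings.append((r.rule_id, "undocumented rule"))
    return findings

SAMPLE_RULES = [  # constructed ruleset: r1 and r4 are clean, r2 and r3 show typical growth problems
    Rule("r1", "10.30.0.0/24", "10.20.0.0/16", "22", "allow", "Admin SSH to production"),
    Rule("r2", "10.10.0.0/16", "10.20.5.0/24", "any", "allow", ""),
    Rule("r3", "any", "any", "any", "allow", "temporary - added 2019"),
    Rule("r4", "10.10.0.0/16", "10.10.200.0/24", "445", "allow", "Office file server"),
    Rule("r5", "any", "any", "any", "deny", "default deny"),
]
```

Running audit(SAMPLE_RULES) flags r2 three times (office to production is not a permitted flow, all ports, no justification) and r3 twice (any-to-any, all ports), while the documented, zone-conformant rules r1 and r4 and the default deny pass.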


3. Monitoring and Logging

Networks must become visible. Minimum requirements:

  • Centralised log collection (firewalls, switches, VPN)
  • Anomaly detection
  • Traceable connections

Without logging, an incident cannot be reconstructed or proven, and compliance cannot be demonstrated. NIS2 demands not just protection, but also traceability in the event of an incident.


4. Secure Remote Access (VPN)

Remote access is a critical attack vector. Requirements:

  • Strong authentication (e.g. MFA)
  • Clean network separation for VPN users
  • No direct integration into the internal network

Many VPN implementations grant users blanket access to the entire internal network upon successful authentication — directly contradicting the least-privilege principle.


5. Documentation and Traceability

An often underestimated point: NIS2 requires not just security, but provability. Specifically needed:

  • Current network diagrams
  • Documented data flows
  • Clearly defined security zones

Missing or outdated documentation is an immediate audit finding — regardless of whether the infrastructure itself is technically sound.

Typical Weaknesses in Practice

Real-world environments consistently show the same patterns:

  • Grown networks without structure — developed over years without consistent planning
  • Unclear firewall rules — nobody knows what applies to what any more
  • Missing segmentation — production systems in the same segment as office PCs
  • No centralised visibility — logs exist in silos or not at all

These problems prevent compliance — regardless of tooling, budgets or organisational measures. They can only be resolved through structured architecture redesign, not policy documents.

Conclusion

NIS2 is not purely a governance issue. Implementation is decided in the network infrastructure: architecture, segmentation, access control. Organisations that are not properly set up here will not meet the requirements — regardless of policies or documentation.

Next Step: Structured Network Security Assessment

If it is unclear whether your infrastructure meets NIS2 requirements, a structured network security assessment is the most effective starting point. It provides clarity on:

  • Real risks and attack vectors
  • Architecture problems and segmentation gaps
  • Concrete compliance gaps against NIS2