The NIS2 Directive significantly raises the bar for cybersecurity and operational resilience across the EU. For many organizations, the challenge is not understanding what NIS2 requires, but how to translate regulatory obligations into concrete processes, systems, and responsibilities. In our last blog post we proposed a basic process for establishing NIS2 compliance. Now we are looking at a basic set of infrastructure components that are fundamental when operating in a regulated sector.
At the core of the proposed architecture lies an Information Security Management System (ISMS) aligned with international standards such as ISO/IEC 27001.
An ISMS provides:
Clear responsibilities and governance
Structured risk management
Transparent and repeatable processes
This foundation directly supports NIS2’s requirements for accountability, risk management, and continuous improvement.
On top of the ISMS sits the Security Information and Event Management (SIEM) layer.
As the central security control hub, a SIEM:
Collects security events from firewalls, servers, endpoints, and cloud services
Correlates data in real time
Detects suspicious patterns early
This enables faster detection, response, and reporting — all essential under NIS2.
Our hypothetical architecture is completed by three essential technical pillars:
1. Vulnerability Management
NIS2 compliance is not static. Continuous vulnerability scanning, combined with automated patching and updates, reduces the attack surface and demonstrates ongoing risk management.
2. Identity & Access Management (IAM) and MFA
Clear role definitions, access controls, and rapid adjustment to staffing changes are critical. Multi-Factor Authentication (MFA) significantly reduces the risk of credential-based attacks — a common root cause of major incidents.
3. Encryption
NIS2 requires cryptographic protections wherever technically feasible. End-to-end encryption for data at rest and in transit protects sensitive information and reduces both security and regulatory risk.
Please note that this list is by no means exhaustive and always depends on the individual situation of a company in a specific industry. We are only showing a basic setup here.
One of the most impactful changes introduced by NIS2 is the strong focus on supply chain and third-party security. IT service providers act as intermediaries between vendors and customers, which makes them high-value targets for attackers. Organizations must assess supplier risks, define security requirements in contracts, document shared responsibility models, and ensure that incident notification obligations are clearly defined across the supply chain.
Companies that work with Swisscom Trust Services on electronic signature and identification issues benefit from the fact that the company is certified as a qualified trust service provider in both the EU and Switzerland. This means that Swisscom is committed to complying with the highest security standards.
Do you want to dive deeper into the NIS2 regulation? Download our latest whitepaper to get an overview of the implementation in European countries and to carry out a self-assessment of your NIS2 readiness.