
From Compliance to Resilience – Key Lessons from the NIS-2 Congress 2025


The NIS-2 Congress in Frankfurt brought together industry leaders, cybersecurity experts, and compliance experts to discuss one of today’s most critical regulatory challenges – effectively implementing the new NIS-2 directive. However, the event made it clear that the goal is not just about achieving compliance, but building resilient, adaptable cybersecurity frameworks capable of withstanding evolving threats and supporting long-term business goals.
With the EU’s NIS-2 regulation set to significantly expand the scope and depth of cybersecurity requirements for a wide range of organizations, the congress provided a critical platform for sharing insights, strategies, and best practices. It highlighted that while compliance is essential, true resilience requires a proactive, forward-looking approach that integrates technology, governance, and a strong security culture. Here are four key topics that dominated the discussions:
- Compliance and Regulatory Requirements under NIS-2
The NIS2 Directive establishes a new benchmark for cybersecurity and operational resilience, expanding significantly on the original NIS framework. It introduces more stringent requirements across several critical areas, including legal compliance, executive accountability, supply chain security, and incident reporting. Organizations will be expected to adopt comprehensive risk management practices, define roles and responsibilities with precision, and elevate cybersecurity to a board-level concern.
Discussions emphasized the need for proactive governance to minimize risk exposure and reinforce organizational responsibility for security posture. In an era of global uncertainty, aligning strategically with European-based solution providers was also highlighted as a key factor in ensuring digital sovereignty and long-term resilience.
- Information Security and Risk Management Practices
Participants underscored the vital importance of implementing comprehensive cybersecurity management systems (such as SMS and GRC), along with integrating crisis response and business continuity management (BCM) to navigate a rapidly changing threat landscape. Key topics included awareness training, cyber insurance, and human risk management—highlighting the crucial role of the human factor in cybersecurity.
Experts emphasized that effective risk management must extend beyond technical controls. It should include regular audits, realistic incident simulations, and a strong emphasis on fostering a risk-aware organizational culture. While the NIS2 Directive provides essential guidance, it was widely agreed that the most critical component remains people: according to the Human Risk Score, 95% of data breaches occurred due to human mistakes. It is therefore important to ensure that security and risk considerations are embedded in everyday decision-making at all levels of the organization.
- Advanced Cybersecurity Technologies Enhancing Compliance
Discussions at the congress also focused on the transformative role of cutting-edge technologies. Zero Trust Network Access (ZTNA), OT security, AI-driven threat detection, and advanced email security were identified as essential elements for building robust cyber defenses and staying compliant with the evolving regulatory landscape.
ZTNA, in particular, was highlighted not just as a technical framework, but as a strategic approach requiring continuous verification of users and devices, facilitating secure access to applications across diverse environments, including on-premises, cloud, and SaaS. In his session on ZTNA, our CPO Stefan Keller focused on how to implement the various requirements in a phased and practical manner, ensuring that the effort goes beyond a token attempt, covering everything from third-party access to universal ZTNA. The emphasis was clearly on feasibility, scalability, and achieving a balance between security and performance.
Reflecting on the discussions, it became clear that regulatory frameworks like NIS2, ISA/IEC 62443, and similar standards are not just theoretical guidelines, but real-world challenges that demand practical, phased approaches. Topics like third-party access and universal ZTNA received significant attention, emphasizing the need for scalability, security, and performance without compromising operational efficiency. The lively panel discussions also reinforced the idea that Zero Trust, while powerful, comes with its own set of hurdles – from technical complexities to the cultural shift required within organizations.
- Email Security for KRITIS Organizations
For critical infrastructure (KRITIS) operators, email remains one of the most common attack vectors, making robust email security a top priority. Discussions highlighted the need for comprehensive protection against phishing, business email compromise (BEC), and targeted attacks. This includes advanced threat detection, real-time analysis, and integrated incident response capabilities. Given the sensitive nature of communications within KRITIS sectors, ensuring the confidentiality, integrity, and availability of email systems is essential to maintaining operational resilience.
Looking Ahead: From Compliance to Resilience
As organizations operating in Europe prepare to align with NIS-2, the consensus at the congress was clear – regulatory compliance is just one piece of the puzzle. True cybersecurity resilience demands a holistic approach that integrates robust technology, strong governance, and a proactive security culture. With its deep expertise in Zero Trust and SASE, Open Systems continues to support organizations on this journey, helping them close the gap between compliance requirements and real-world security challenges.
Ready to take your cybersecurity strategy to the next level? Contact us or meet us next time at the NIS-2 Congress in Germany.