
Protect What Matters: Cybersecurity in Critical Infrastructures

29/10/2024

Summer Semester 2024 / RISE

EXECUTIVE SUMMARY

The project’s main focus is NIS 2, a new EU directive that comes into effect in October 2024 and defines more stringent cybersecurity standards that certain companies in pre-defined sectors must adhere to. The directive defines 18 sectors as “critical industries” and categorises them as “essential” and “important”. During this project, the student consultant team aimed to understand the implications of NIS 2 and how RISE can support affected companies in the Austrian and German markets, simultaneously expanding the company’s products and services.

Goal

The project’s main goals were twofold:

  1. Understanding how affected companies struggle with NIS 2 implementation

  2. Defining how RISE can support these struggling companies


In order to achieve these goals, our project was divided into two phases. Phase one focused on understanding what the new directive means, how it is received by the different industries and different cybersecurity experts, and finally which companies are affected in the Austrian and German markets. Phase two was then about understanding the struggles of these affected companies, analysing which existing products/services provide support with NIS 2 and which (IT/cybersecurity) firms offer such support. Finally, the existing gaps in the market that RISE could fill were analysed.

Methodology

Our project utilized multiple tools, which differed between phases one and two of our research. In phase one, our research was split into primary and secondary research. Our primary research was made up of interviews with experts. Our secondary research was focused on a weighted scoring matrix. The components of this matrix were web-scraping to build a database of NIS 2-affected companies, an industry potential calculation, and the results of our expert interviews. Online forums on the topic of NIS 2 were also analysed for additional insights. The matrix results and online forum findings were then used to select industries that we would focus on in our next research phase. Phase two consisted of a larger number of interviews with experts and affected companies in the selected critical industries, as well as a competitor analysis, the creation of a competitor map and a comparison of RISE’s portfolio with existing products/services on the market to generate specific recommendations. Throughout the research process, several AI tools were used.

Results

The results of this study can again be divided into the results of phase one and phase two of our research. The results of the different phases build on each other. The findings of phase one were that the energy, transportation, and manufacturing & processing sectors struggle the most with the implementation of NIS 2 measures. Moreover, our forum analysis indicated that there was a lack of understanding regarding NIS 2 at a managerial level in most companies, due to the directive’s vagueness. Interview insights highlighted struggles with old OT and IT infrastructure and emphasized that smaller and medium-sized companies struggle most with implementation, especially because of their limited resources and influence on supply chain security.

Phase two interviews were then conducted exclusively with companies from these three struggling industries. The findings of these interviews confirmed our phase one findings. Specifically, our interview partners also placed great emphasis on their struggles with supply chain management, as well as on uncertainty surrounding NIS 2, based on its vagueness. Interviewed companies also stated that they often lack the resources to implement NIS 2 measures. Our competitor analysis revealed that RISE’s key competitors in providing NIS 2 support are the larger IT providers T-Systems, Secunet, and Rohde & Schwarz, and the smaller IT providers Axians, Telent, Proact, and Genua. The least addressed service areas are multi-factor authentication & secured communication, cryptography & encryption, and supply chain security. Our project team’s final and specific product and service recommendations for RISE are to provide education services, to expand consulting services with SOCs (Security Operation Centres), and to tailor TISAX, a supplier risk assessment framework used in the automotive industry, to fit NIS 2.

Cooperation Partner

Contact Person

Student Team

  • Gulbagh Sing Bains

  • Juan-Nikolas Engel

  • Isabel Engelbrecht

  • Katrin Linda Hagedorn

  • Katharina Lentsch

  • Kate Esther Udvardi

Project Manager

  • Melina Mazzucato, M.Sc., M.Sc.

  • Caroline Fabian, M.Sc., M.Sc.
