
Pharma NIS2 Readiness

Robust business processes through effective digitalization

NIS2 (the EU’s second Network and Information Security Directive) raises the baseline for cybersecurity and operational resilience across large parts of the economy.

In Germany, the implementing law entered into force on December 6, 2025, and the BSI portal for registration and reporting has been live since January 6, 2026. The first weeks are defined by a small set of time-critical obligations: determine whether your organization is in scope, assign accountable owners and governance, register via the BSI portal, ensure incident reporting capability (including decision-making and communications), and implement and document risk management measures under management accountability. Registration must be completed within the transitional window that ends on March 6, 2026. Reporting duties are explicitly time-critical (early warning followed by a full notification within defined hours/days), which makes operational readiness and clear responsibilities non-negotiable.


Manfred Hörter

Head of IT/OT Compliance & Resilience

Recent data from Bitkom Research (2026) shows that 73% of German companies consider the country insufficiently prepared for hybrid attacks, and 74% see geopolitical tensions as increasing the likelihood of such threats.

Against this backdrop, the broader threat environment cannot be ignored. For pharmaceutical companies, this shifts resilience from an IT topic to a strategic governance issue.

Figure: Bitkom Research (2026). Base: all surveyed companies (n=604); percentages are for "Fully agree" and "Somewhat agree". Source: Bitkom Research 2026.

Scope: almost everyone is affected

The BSI distinguishes between operators of critical infrastructures (KRITIS) and entities classified as particularly important and important under the German NIS2 implementation (mirroring the NIS2 logic of essential vs. important entities). For pharma, chemicals, and MedTech, the practical implication is decisive, and NIS2 readiness becomes a regulatory and strategic imperative: compared to the former KRITIS-only world, scope expands significantly through lower thresholds and a broader sector set, and the line between “directly regulated” and “indirectly compelled” becomes thin.

By the time registration and reporting obligations bite, the working assumption for these value chains should be that almost everyone is affected – either directly (KRITIS, particularly important entity, important entity) or indirectly as a supplier, contract manufacturer, or service provider that must be demonstrably integrated into a regulated customer’s security and continuity regime. In practice, regulated customers will flow down requirements into supplier management, contracts, evidence expectations, and escalation paths. This means that even organizations that consider themselves “out of scope” can face NIS2-equivalent expectations through customer and partner obligations.


Robust digitalized operations

Pharmaceutical companies digitalize to reduce process risk and improve quality and delivery reliability. This creates a three-part model:

  1. Compliance (GxP including EU GMP Annex 11, US FDA Part 11, GAMP 5, qualification/validation)
  2. Resilience (NIS2/KRITIS, cybersecurity and business continuity, aligned for example with ISO 27001/22301 and the BSI 200-x standards)
  3. Manufacturing Operations (process optimization and IT/OT orchestration, Quality by Design, Review and Release by Exception).
Figure: Pharma NIS2 Readiness (Copyright msg industry advisors ag)

Regulatory frameworks (EU GMP Annex 11, NIS2, ISO 27001/22301) demand robust business process execution. The guiding principle is simple: digitalization without resilience exposes companies to operational and compliance risks. Resilience is the enabler that makes digitalization sustainable.

Harmonized, not multiplied

NIS2 meets organizations where many ingredients already exist, but are often not consistently connected: quality management, risk and compliance processes, validation logic for critical systems, and established governance bodies. If NIS2 requirements are placed alongside these, additional roles, documentation, and decision pathways emerge that are hard to govern, expensive to maintain, and difficult to justify in audits.

A robust approach therefore harmonizes management systems instead of creating a parallel track. Overlapping requirements should be integrated into one coherent control and evidence model across quality, risk, resilience, and supplier management. This is particularly relevant in regulated manufacturing, where control already exists but is not always aligned across IT, Quality, and Operations, and is often spread over a combination of management systems. The goal is a single, auditable set of responsibilities, processes, and evidence that supports both compliance and day-to-day delivery.

Globally run, locally regulated

Practical complexity starts when a new legal framework must be integrated into existing structures, into both the technical operating model and the business operating model. This goes beyond generic implementation playbooks because NIS2 applies locally, while organizations typically operate globally or regionally. If this integration is not designed up front, even well-structured regulatory routines will not work reliably in day-to-day operations.

A common pattern captures the challenge: central procurement sits in the US and selects suppliers, while deliveries go to Germany and the EU. Those suppliers must be assessed and contractually embedded in line with German and European requirements, even though selection and steering sit outside the EU. This often exposes gaps that are organizational rather than technical: missing owners, unclear responsibilities, and no end-to-end process across procurement, supplier management, and the business functions.

NIS2 readiness therefore becomes a question of international orchestration:

  • How do you ensure that procurement outside the EU applies EU-driven criteria consistently?
  • Which suppliers are critical because they deliver into the EU?
  • What additional agreements, escalation paths, and evidence are required?

Without a deliberate model, for example consciously defining what is local, regional, or central by default, organizations risk building an uncontrolled set of parallel processes and artifacts, weakening both compliance and operational performance.

Business continuity makes NIS2 measurable

NIS2 is ultimately about keeping services and critical processes available and recoverable under disruption, not only preventing incidents. This is where business continuity becomes the operational proof point: it turns policies and controls into a capability that can be demonstrated, exercised, and improved.

Figure: NIS2 readiness as a competitive differentiator (reference: BSI Standard 200-4 "Business Continuity Management")

The link to NIS2 is direct. NIS2-driven reporting timelines require organizations to rapidly assess impact, determine scope, coordinate stakeholders, and communicate accurately under pressure. That is not achievable without a practiced crisis setup, clear escalation and decision-making, and an operating model that can sustain critical processes while recovery is executed.

In regulated manufacturing, the driver is obvious. GxP-relevant systems are increasingly networked beyond internal boundaries (remote access for maintenance, cloud, IoT, “Pharma 4.0”), expanding the threat landscape, and ransomware incidents have repeatedly shown that companies can be temporarily unable to produce and deliver.

Effective crisis management must therefore go beyond incident response. It requires predefined decision rights, clear escalation logic across IT, OT, Quality and Operations, and the ability to operate in a validated environment under pressure. What differentiates organizations in practice is whether they can switch into a controlled emergency mode, run recovery in parallel, and return to standard operations in a governed way, rather than experiencing prolonged, uncoordinated restart phases. Supplier dependencies are part of the same equation: if key services and partners are not integrated into continuity and incident processes, NIS2 compliance remains paperwork rather than operational readiness.

Turning NIS2 into a value driver

NIS2 delivers value when it is set up as an integrated resilience and governance initiative.

  • Determine applicability based on critical processes and dependencies, including suppliers delivering into the EU.
  • Harmonize management systems instead of building additional structures, aligning Quality, Risk and Compliance, business continuity, and NIS2 with shared artifacts and clear accountability.
  • Define a Target Operating Model that bridges global organization and local obligations, including roles, responsibilities, decision pathways, and supplier governance across US, Germany, and EU realities.
  • Anchor business continuity as an operating principle, documented and tested, implemented in a way that resilience accelerates digitalization rather than slowing it down.
  • Hybrid threats are not primarily an IT problem – they are a stress test for leadership, governance and operational resilience.

Author

Would you like to learn more about this topic or discuss individual challenges?
Our contacts are available for a personal consultation.


Manfred Hörter

Head of IT/OT Compliance & Resilience


Daniel Fathmann

Senior Manager Business Transformation