Case Study: Achieving NIS2 Readiness in 6 Months — A Utility Company Shows How It’s Done
TL;DR
A utility company with 900 employees achieved NIS2 readiness in 6 months – with a limited budget and without external consulting firms. The key: consistent use of existing frameworks (ISO 27001, BSI IT-Grundschutz) as a basis and focusing on actual gaps rather than complete rebuilding.
Initial Situation
The utility company supplies a major city with electricity, gas, water, and district heating. As a KRITIS operator it already ran an ISMS certified to ISO 27001. The NIS2 gap analysis nevertheless revealed significant gaps:
- Reporting processes not aligned with 24h/72h deadlines
- Supply-chain security not formalized
- Management training not documented
- OT security only rudimentarily integrated into the ISMS
The 6-Month Plan
Month 1-2: Reporting Process
- Incident classification with thresholds for “significant incidents”
- Automated escalation via ticket system when thresholds are exceeded
- Reporting templates for the early warning (within 24h of becoming aware) and the incident notification (within 72h)
- 24/7 on-call duty with clear escalation path
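The reporting process above hinges on two mechanical steps: deciding whether an incident is "significant" and starting the 24h/72h clocks from the moment the operator becomes aware. The following is an added example, not the utility company's own tooling. The thresholds (10,000 affected customers, 60 minutes of outage), the `Incident` fields and the ticket payload shape are assumptions; a real operator derives its thresholds from the NIS2 definition of a significant incident and from sector guidance, and the payload would be sent to whatever ticket system is in use.

```python
"""Significance check and NIS2 reporting-deadline computation.

Added example, not code from the article or the utility company. All
thresholds and field names below are hypothetical assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical significance thresholds (assumed values, not from the article).
THRESHOLDS = {
    "affected_customers": 10_000,  # customers without supply
    "outage_minutes": 60,          # duration of a supply/service interruption
}

# NIS2 reporting clocks, counted from the time the operator becomes aware.
EARLY_WARNING = timedelta(hours=24)
INCIDENT_NOTIFICATION = timedelta(hours=72)


@dataclass(frozen=True)
class Incident:
    ticket_id: str
    aware_at: datetime            # moment of awareness; starts both clocks
    affected_customers: int = 0
    outage_minutes: int = 0
    ot_impact: bool = False       # control systems (OT) affected
    personal_data_breach: bool = False


def significance_reasons(inc: Incident) -> list[str]:
    """Return every threshold the incident crosses; empty means not significant."""
    reasons = []
    if inc.affected_customers >= THRESHOLDS["affected_customers"]:
        reasons.append(f"{inc.affected_customers} customers affected "
                       f"(threshold {THRESHOLDS['affected_customers']})")
    if inc.outage_minutes >= THRESHOLDS["outage_minutes"]:
        reasons.append(f"{inc.outage_minutes} min outage "
                       f"(threshold {THRESHOLDS['outage_minutes']})")
    if inc.ot_impact:
        reasons.append("OT / control system impact")
    if inc.personal_data_breach:
        reasons.append("personal data compromised")
    return reasons


def is_significant(inc: Incident) -> bool:
    return bool(significance_reasons(inc))


def reporting_deadlines(aware_at: datetime) -> dict[str, datetime]:
    """24h early warning and 72h incident notification, from awareness.

    Naive datetimes are rejected: a missing timezone silently shifts a
    deadline by hours, which is exactly the error a regulator will not accept.
    """
    if aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware")
    return {
        "early_warning": aware_at + EARLY_WARNING,
        "incident_notification": aware_at + INCIDENT_NOTIFICATION,
    }


def escalate(inc: Incident, now: Optional[datetime] = None) -> Optional[dict]:
    """Build the escalation ticket payload, or None if no escalation is due."""
    reasons = significance_reasons(inc)
    if not reasons:
        return None
    now = now or datetime.now(timezone.utc)
    deadlines = reporting_deadlines(inc.aware_at)
    remaining = deadlines["early_warning"] - now
    return {
        "ticket": inc.ticket_id,
        "priority": "P1",             # assumed highest priority in the ticket system
        "page_on_call": True,         # wakes the 24/7 on-call duty
        "reasons": reasons,
        "early_warning_due": deadlines["early_warning"].isoformat(),
        "incident_notification_due": deadlines["incident_notification"].isoformat(),
        "early_warning_overdue": remaining < timedelta(0),
        "hours_to_early_warning": round(remaining.total_seconds() / 3600, 1),
    }


# Constructed sample incidents (not real events).
SAMPLE_AWARE = datetime(2025, 3, 1, 8, 0, tzinfo=timezone.utc)
MINOR = Incident("INC-1", SAMPLE_AWARE, affected_customers=120, outage_minutes=15)
MAJOR = Incident("INC-2", SAMPLE_AWARE, affected_customers=25_000,
                 outage_minutes=240, ot_impact=True)

if __name__ == "__main__":
    for inc in (MINOR, MAJOR):
        print(inc.ticket_id, "significant:", is_significant(inc))
        print("  escalation:", escalate(inc, now=SAMPLE_AWARE + timedelta(hours=20)))
```

The point of keeping `aware_at` separate from detection or ticket-creation time is that the NIS2 clocks run from awareness; logging that timestamp explicitly at classification time is what makes a 24h early warning defensible afterwards.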
Month 2-3: Supply-Chain Security
- Inventory of all 127 IT service providers and software suppliers
- Risk assessment in 3 stages (critical, important, standard)
- Security clauses for new contracts (standard template created)
- Quarterly review of top 20 suppliers
Month 3-4: Management and Governance
- One-day workshop with management on NIS2 obligations
- Quarterly security reporting to management formalized
- Formal approval of security strategy by management
- D&O insurance checked for NIS2 coverage
Month 4-5: OT Security Integration
- OT asset inventory integrated into ISMS
- Network monitoring for OT segments introduced
- Separate emergency plans for IT and OT incidents
- Cross-training: IT team learns OT basics and vice versa
Month 5-6: Testing and Documentation
- Tabletop exercise with ransomware scenario (including reporting process)
- Documentation review for audit readiness
- Internal audit of NIS2 measures
Budget
Total costs: approx. 95,000 EUR
- Personnel costs (internal): 60,000 EUR (1.5 FTE over 6 months)
- OT monitoring solution: 25,000 EUR
- Management training (external): 5,000 EUR
- Miscellaneous (templates, legal advice): 5,000 EUR
Key Facts
Industry: Energy supply / utility company (KRITIS)
Starting Point: ISO 27001 certified
NIS2 Readiness Achieved in 6 Months
Total Budget: 95,000 EUR (without external consultants)
Highest Effort: Supply-chain inventory (127 suppliers)
Fact: The BSI (Federal Office for Information Security) counts over 1,500 utility companies and municipal suppliers in Germany, the majority of which fall under the KRITIS regulation.
Fact: According to ENISA, municipal infrastructures were the third most frequent target of attacks in the EU in 2024 – after the healthcare and financial sectors.
Frequently Asked Questions
Can NIS2 readiness be achieved without external consultants?
Yes, if a solid foundation exists (e.g., ISO 27001). The key lies in a structured gap analysis and focusing on actual gaps rather than complete rebuilding.
Which NIS2 requirement causes the most effort?
Experience shows that supply-chain security does: inventorying all IT service providers and software suppliers, risk assessment, and contractual safeguards are time-consuming but essential.
What special challenges do utility companies face in NIS2 implementation?
Utility companies typically run heterogeneous IT and OT landscapes with long-established structures, and many of their systems predate modern security standards. Tight IT budgets and the shortage of skilled staff in municipal operations make NIS2 implementation particularly demanding.
Header Image Source: Pexels / Robert So