
Preventing cyberattacks: EU-wide standards for security


The risk of cyberattacks remains very high. Jakob Munzert provides an overview of how companies can safely and effectively counter the growing threats and new legal requirements (such as NIS2) in 2025.

According to a study by the digital trade association Bitkom, 70% of Germans consider the risk of cyberattacks to be high and believe that the country is poorly prepared. In addition, 61% fear a cyberwar, while 64% consider Germany to be inadequately equipped to deal with one. Of the 30 cybersecurity measures planned in the National Security Strategy, only two have been implemented so far. Bitkom president Dr. Ralf Wintergerst warns of a growing threat in which the boundaries between cybercrime and hybrid warfare are becoming blurred. He calls for digital security to be strengthened, especially in government agencies, critical infrastructure, and businesses. The results of the study were presented at the Munich Cyber Security Conference (MCSC) in February 2025.

What is the NIS2 Directive?

The EU NIS2 Directive sets uniform minimum cybersecurity standards for operators of critical infrastructure in Europe. Its implementation into German law was slated for completion by October 2024. However, due to the early federal elections, insiders say this will likely be delayed until at least fall 2025.

Over 30,000 companies in Germany are affected, including operators of critical facilities, large and federal institutions, along with some special cases. In addition to the existing KRITIS sectors, large parts of the economy are now also included in the regulation. The directive requires companies to implement comprehensive security measures, including risk management, incident reporting, technical protective measures, and overarching cybersecurity governance. Operators of critical facilities must provide evidence of compliance with security requirements every three years, while other institutions are subject to documentation requirements and random checks by authorities. Government oversight is strengthened by expanded registration, verification, and reporting requirements, with various authorities such as the BSI, BBK, and BNetzA playing a role.

In addition, sector-specific laws such as the Telecommunications Act (TKG) and the Energy Industry Act (EnWG) will be amended to meet the requirements of the NIS2 Directive. Special regulations apply to financial companies under the Digital Operational Resilience Act (DORA). Sanction regulations will also be tightened, with fines ranging from €100,000 to €20 million, some of which will be linked to a company's global revenue.

Supply chains under pressure

In addition, the Supply Chain Due Diligence Act increases the pressure to ensure information security throughout the entire supply chain. Companies must not only minimize internal risks, but also adapt contractual arrangements with suppliers to ensure compliance with the new security standards. Violations can result in substantial fines and reputational damage.

Implementing information security takes time

Reaching the goal of efficiently establishing information security within a company requires time and careful planning. The business needs not only to comply with laws and standards, but also to adapt them to its specific requirements. For security measures to be effective in the long term, they must become part of the corporate culture. Depending on the size of the company and the complexity of its IT infrastructure, it can take over a year to fully establish an information security management system (ISMS).

The most effective way to implement the requirements of the NIS2 Directive is to introduce an ISMS in accordance with ISO 27001. This internationally recognized standard provides a structured framework for the systematic protection of information.

In addition, companies should integrate components of a business continuity management system (BCMS) to ensure that operations are not impacted in the event of security incidents.  

In Germany, companies also need to pay special attention to the reporting requirements of the Federal Office for Information Security (BSI). They must register there and are obliged to report relevant incidents within a specified time frame. The combination of a certified ISMS, a functioning BCMS, and compliance with legal reporting requirements enables companies to meet the requirements of the NIS2 Directive efficiently and in a legally compliant manner.   

SAP S/4HANA in the focus of information security 

Information security plays a central role in the development of new SAP S/4HANA systems, as these often manage business-critical processes and sensitive data. Companies should implement technical security measures even before the first test migration. An important step in this process is penetration testing (colloquially known as pentesting), which identifies vulnerabilities at an early stage. These tests should be carried out not only before commissioning, but also regularly throughout the entire life cycle of the system in order to detect and remedy new threats at an early stage.

Recommended measures:

  • Protective mechanisms of the SAP Message Server 
  • Review of security-related system parameters 
  • Securing the SAP Internet Communication Manager (ICM) 
  • Security of the SAP Web Dispatcher 
  • Encryption of data and communication  
  • Protection and integrity of the transport system 
  • Security of the SAP Gateway 
  • Securing interfaces (e.g. RFC, web services) 
  • Security of authentication and login procedures 
  • User and authorization concept 
  • Logging and monitoring 
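As an added example (not code from the page or from the author's company), a small Python checker for the "security-related system parameters" item in the list above: it parses an SAP instance profile in its "param = value" format and reports every deviation from a hardening baseline covering the Gateway, authentication, encryption and logging settings. The profile excerpt and the threshold values are constructed for illustration; substitute the baseline your organisation actually follows.

```python
# Constructed excerpt of an SAP instance profile ("param = value" lines); not from a real system.
SAMPLE_PROFILE = """\
login/min_password_lng = 6
login/fails_to_user_lock = 99
gw/acl_mode = 0
gw/sec_info = $(DIR_DATA)/secinfo
rsau/enable = 0
snc/enable = 0
"""

# Illustrative baseline for the areas listed above (Gateway, authentication, encryption,
# logging). Threshold values are assumptions; use the hardening baseline you actually follow.
BASELINE = {
    "login/min_password_lng": ("min", 8),      # minimum password length
    "login/fails_to_user_lock": ("max", 5),    # lock user after N failed logons
    "gw/acl_mode": ("eq", 1),                  # Gateway ACL checks enforced
    "rsau/enable": ("eq", 1),                  # Security Audit Log switched on
    "snc/enable": ("eq", 1),                   # SNC for DIAG/RFC traffic
    "gw/sec_info": ("set", "any value"),       # secinfo ACL file configured
    "gw/reg_info": ("set", "any value"),       # reginfo ACL file configured
}

def parse_profile(text):
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params

def check_profile(text, baseline=BASELINE):
    """Return (parameter, actual value, expectation) for every baseline deviation."""
    params = parse_profile(text)
    findings = []
    for name, (rule, expected) in baseline.items():
        actual = params.get(name)
        if rule == "set":
            ok = bool(actual)
        elif actual is None or not actual.isdigit():   # missing or non-numeric value
            ok = False
        else:
            value = int(actual)
            ok = {"min": value >= expected, "max": value <= expected, "eq": value == expected}[rule]
        if not ok:
            findings.append((name, actual, f"{rule} {expected}"))
    return findings

if __name__ == "__main__":
    for name, actual, expectation in check_profile(SAMPLE_PROFILE):
        print(f"{name}: found {actual!r}, expected {expectation}")
```

Run against the constructed sample it flags six deviations; against a real system, export the active profile and feed it in unchanged.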

The SAP system environment must be fully integrated into the information security management system in order to meet the requirements of the NIS2 Directive. This includes a comprehensive risk assessment that analyzes threats and vulnerabilities across the entire system environment and defines countermeasures.

It is also crucial to ensure security at the application level. This is achieved through the targeted configuration of log settings in SAP S/4HANA, which enable complete, gap-free logging of security-related events. Continuous evaluation of the log data helps to detect unusual activity at an early stage and to resolve security incidents quickly. This ensures comprehensive protection of SAP systems that meets both legal requirements and corporate security objectives.

Information security as an integral part of corporate culture

Companies must view information security not only as a technical issue, but also as an integral part of their corporate culture. Establishing a robust information security management system (ISMS) is essential in order to meet increasing threats and legal requirements, such as the NIS2 Directive. This requires time and continuous adjustments, as security measures must be incorporated into all aspects of business operations.

Conduct regular penetration tests

An effective way to achieve this is to establish an ISMS in accordance with ISO 27001, supplemented by components of a business continuity management system (BCMS) and the regular performance of penetration tests. Companies should integrate their SAP system landscape into the ISMS and conduct a comprehensive risk assessment to identify security gaps at an early stage. It is also crucial to strengthen security at the application level, for example by correctly configuring logging and evaluating the log data regularly.

The SAP pentesting packages

By establishing information security as a long-term priority and systematically implementing security standards, companies can not only meet legal requirements but also protect themselves against growing digital threats.

1. Initial pentest package

  • Project duration: 4 PT (person-days)
  • Test level: SAP application level
  • Advantages: 
    • Basic security check (“health check”)
    • Uncomplicated introduction
    • Reporting and assistance in closing vulnerabilities     

Suitable for: Companies that want an initial security assessment of their SAP applications.

2. Standard pentest package

  • Project duration: 6 PT
  • Test level: SAP application level, database
  • Advantages:
    • Detailed review of critical SAP components
    • Identification of vulnerabilities at the application and database level
    • Protection of sensitive and critical data

Suitable for: Companies with more complex SAP environments that require testing beyond the application level. 

3. Complete pentest package 

  • Project duration: 10 PT
  • Test level: SAP application level, database, operating system, network
  • Advantages:
    • Holistic security assessment of the SAP system
    • Analysis of vulnerabilities at all relevant levels
    • Comprehensive protection through in-depth testing of infrastructure and applications

Suitable for: companies with high security requirements that want to achieve complete protection for their SAP environment.

Cost estimate: SAP pentesting

Service                                                                   Days
SAP pentesting for one SAP system (SID) – Package S                          4
  (each additional system 3 PT)
SAP pentesting for one SAP system (SID) – Package M                          6
  (each additional system + database 5 PT)
SAP pentesting for one SAP system (SID) – Package L                         10
  (The number given is a guideline and may vary depending on the number of servers)
