GAP-analysis and needed actions to reach compliance to NIS2 directive in a global industrial manufacturing company

Abstract

This master’s thesis investigates the cybersecurity requirements and needed actions for achieving compliance with the NIS2 directive in a large industrial manufacturing company. The research obeys to the Design Science Research (DSR) methodology, which enables the creation of practical solutions through iterative processes. The primary goal of this thesis is to evaluate the current state of cybersecurity in the organization, identify critical security gaps, and propose actionable measures to close these gaps. The research process combines a literature review that establishes the theoretical framework with qualitative data gathered from interviews with key stakeholders. The interviews provide insights into the organization's cybersecurity challenges and opportunities. Quantitative data was collected with the ISF Information Security Healthcheck tool, which supported the analysis and prioritization of the identified gaps. Five critical security functions have been identified as the key areas needing improvement: asset management, information security risk management, business continuity, supply chain security, and security governance. The suggested solution is then assessed through interviews with experts from the target organisation, and further major initiatives are recommended based on the evaluation. Finally, this thesis provides a practical, clear framework for the company for meeting the NIS2 directive's critical requirements. Suggestions for future research are made based on the research findings and the feedback from the interviews after the identified solution has been evaluated.

Keywords: Information security, NIS2 directive, Cybersecurity, Manufacturing Industry, Compliance