Simplifying NIS2 Compliance for a Pharmaceutical Company

A mid-sized European pharmaceutical company with a turnover of €10 million was growing rapidly but faced new regulatory pressures as it expanded its operations into multiple EU countries. With the introduction of NIS2, the company's management realised that cyber security had moved from a back-office concern to a strategic business risk.

The Challenge

The company was no stranger to IT security: it held ISO 27001 certification and had security measures such as firewalls, endpoint protection, encryption and MFA in place, along with the relevant policies and procedures. But as its Board prepared to engage larger institutional investors, the governance and reporting standards imposed by NIS2 became a pressing concern. Management, however, was frustrated by the vague guidance around the new directive, particularly where it concerned the operational technology (OT) systems used in the pharmaceutical industry and how to align those with the company's existing IT protocols.

Despite being an experienced technologist, the CTO found the conversation around NIS2 compliance daunting. Like many, he struggled to break the new directive down for the board and to implement changes without overwhelming his team or disrupting operations.

Key Symptoms

  • Disconnection between IT and Operational Technology (OT): The company’s IT team was separate from the OT team responsible for factory operations, making it difficult to align cybersecurity practices across the board.

  • Lack of a Centralized Risk Management Approach: The CTO did not have a unified method for assessing cyber risks across the company and conveying that to leadership.

  • Leadership and Investor Pressure: The board and investors increasingly requested assurance that the company complied with the latest regulations, including NIS2. However, the CTO lacked the tools to communicate progress.

  • Risk Identification Gaps: Although the organisation was already ISO 27001 certified, it still lacked a systematic approach to identifying risks and building a mitigation plan.

  • No Structured Project Management: The organisation initially had no structured project management approach for delivering its cyber security strategy.

Our Approach

When we partnered with the company, we understood that jumping into the technical specifics of NIS2 wouldn't help the CTO or the board. Instead, we focused on translating complex regulatory requirements into business terms that everyone could grasp, from the CTO to the CEO.

1. Detailed Assessment

The company first completed our NIS2 readiness assessment, which identified the gaps that would need to be closed for NIS2 compliance. Having completed this, the company concluded it needed support to close them and engaged Deverg to help.

We began with a comprehensive assessment to map the company’s existing ISMS measures against the NIS2 requirements. This included:

  • Assessing the complete environment against NIS2 controls

  • Conducting a detailed risk assessment using a NIST Cybersecurity Framework approach

  • Understanding the critical functions, infrastructure and application data flows between systems to identify potential risks

The findings and identified gaps were presented and discussed, focusing on the high-risk areas critical for NIS2 compliance without overwhelming the team with every technical detail.

This helped the board to understand where the company was vulnerable to cyber risk and what needed to be done to mitigate such risks.

Some specifics of what was identified during our detailed assessment included:

  • The organisation was failing to meet business continuity planning (BCP) requirements for its critical services and infrastructure

  • The organisation didn't have a structured incident management process in place

  • The organisation did not perform a security impact analysis before onboarding any third-party supplier

  • The organisation didn't have a regular information security training schedule or governance in place

2. Develop a Strategic Compliance Roadmap

We combined the ISO 27001 and NIS2 frameworks and developed achievable short- and long-term goals:

  • Implementation of IT security controls and a management governance programme

  • Governance and reporting: governance of security projects and regular reporting to management

  • Incident management process: an incident management policy and process were developed so the company would have a framework for responding to cyber-attacks and managing a crisis

  • Implementation of security tools and technologies

  • Business continuity and DR: a detailed plan for business continuity and disaster recovery was developed

The presented roadmap, aligned with business objectives and goals, helped the CTO visualise the path forward and provided clarity to the board, shifting their perspective from seeing cyber security as a technical headache to viewing it as a business continuity priority.

3. Engagement with the External Consultant

We worked closely with the CTO and his team to implement the roadmap. By phasing in the changes, we ensured the company could continue normal operations without overwhelming its IT or OT departments. Some key steps were:

  • Implemented a SIEM solution, MFA and an encryption methodology

  • Developed the incident response plan and ran a mock drill to confirm that the plan worked

  • Tested DR capabilities for the critical services identified as in scope

  • Put the detailed incident response plan into operation, including communication with regulatory bodies

Results

  • Improved Investor Confidence: The transparent, phased approach to NIS2 compliance reassured the board and institutional investors. With regular updates and reports, the CTO was able to demonstrate that the company was not only meeting regulatory demands but also improving its overall security posture.

  • Reduced Operational Risks: By centralising cyber security oversight across IT and OT systems, the company significantly reduced its exposure to risks and was able to mitigate potential disruptions in production.

  • Efficient Use of Resources: Instead of hiring a sizeable external team, the CTO's existing IT staff managed most of the changes, guided by our tailored roadmap. This kept costs down and empowered the in-house team to handle future compliance updates.

  • Streamlined Reporting and Governance: The company's leadership now had a clear governance framework that made reporting to regulators and investors straightforward. The CTO's team no longer needed to scramble to gather data when asked for compliance updates.

  • 100% compliance level met

  • Structured reporting to management

  • Clearly defined roles and responsibilities

  • A strengthened ISMS environment

  • Transparent communication and reporting plan

Takeaway

For the CTO, the biggest win was clarity. NIS2 compliance no longer felt like an overwhelming technical challenge. By breaking it down into a strategic initiative that supported both business continuity and growth, the company could meet regulatory requirements and become more resilient in the face of future threats.

This case study demonstrates that while NIS2 can seem intimidating, a structured, business-focused approach makes implementation smoother and more manageable. The Deverg team offers technical expertise and strategic support to help CTOs meet compliance goals without derailing their core operations.
