NIS2 for Research Institutions and Universities

TL;DR
  • Research institutions are listed in NIS2 Annex I as a dedicated sector, provided their research results are of significant economic importance. Affected institutions qualify as essential entities.
  • The greatest challenge is the balancing act between openness (academic freedom, international collaboration, open networks) and security (protecting intellectual property, export control, classified information protection).
  • Research institutions are high-value targets for state-sponsored attackers (APT groups) who seek to steal intellectual property, research data, and dual-use technologies.
  • Third-party funded projects with industry partners or the defense sector bring their own compliance requirements that must be integrated into the ISMS.
  • A non-university research institute with 200 employees can achieve NIS2 compliance within 12 months, provided it respects the research culture and positions security as an enabler rather than an obstacle.

Why Research Institutions Fall Under NIS2

Research and development are the engine of economic innovation and technological sovereignty. When research results are stolen, manipulated, or destroyed, companies lose their competitive advantage, nations lose strategic capabilities, and years of invested work are lost. European legislation has recognized that research institutions are systematically targeted and therefore require dedicated protection.

NIS2 lists research institutions in Annex I as a sector of high criticality, albeit with an important qualification: covered are research institutions "insofar as their research results are of significant economic importance or relevance to national security." This wording does not include every research institution, but it captures a broad spectrum:

  • Non-university research organizations: Fraunhofer institutes, Max Planck institutes, Helmholtz centers, Leibniz institutes, DLR, and other organizations conducting application-oriented or strategically relevant research
  • Universities with significant third-party funded research: Technical universities and universities of applied sciences conducting industry-funded research, defense research, or EU research projects in key technologies
  • Private research institutes: Industry-oriented research organizations performing development work on behalf of companies
  • Federal agencies and departmental research: BAM, BfR, PTB, RKI, and other federal institutions with a research mandate

The thresholds (50 employees or 10 million euros in revenue/budget) are exceeded by most larger research institutions. A typical Fraunhofer institute has 200 to 500 employees and an annual budget of 20 to 80 million euros. Large Helmholtz centers employ several thousand staff.

Delineation is more difficult for universities. A university as a whole typically has thousands of employees and hundreds of millions of euros in budget, thus exceeding the thresholds. But do the research results of a philosophy faculty fall under "significant economic importance"? The precise delineation will need to be clarified through national implementation and BSI practice. What is clear: universities with engineering or natural science research in key technologies (AI, quantum computing, biotechnology, materials science, defense technology) are covered.

The Unique Threat Landscape: Research as a High-Value Target

Research institutions differ from most other NIS2 sectors in one fundamental aspect: they are preferred targets of state-sponsored attacker groups (Advanced Persistent Threats, APTs). The motivation of these attackers is not financial gain through ransomware but the theft of intellectual property, technological know-how, and strategic information.

State-Sponsored Attackers and Industrial Espionage

Multiple state intelligence services conduct systematic cyber espionage against European research institutions. The targets vary by actor:

  • Technology theft: Research results in key technologies (semiconductors, AI, quantum technology, biotechnology) are stolen to accelerate domestic research programs
  • Dual-use technologies: Research with both civilian and military applications is particularly attractive. Materials science, drone technology, cryptography, and cybersecurity research fall into this category
  • Pharmaceutical research: Since the COVID-19 pandemic, vaccine development, drug research, and clinical trial data have come under increased focus

The Federal Office for the Protection of the Constitution regularly warns of these threats. Cyberattacks on German universities have increased significantly in recent years: the University of Giessen (2019), the University of Duisburg-Essen (2022), and the Karlsruhe University of Applied Sciences (2023) are just a few examples. Not all of these attacks are state-sponsored (ransomware is more common), but the strategically motivated attacks are particularly difficult to detect and counter.

The Dilemma: Openness vs. Security

Research thrives on openness. Scientists publish their results, collaborate internationally, invite visiting researchers, and share data across institutional boundaries. Networks at universities and research institutions are traditionally designed to be open because academic freedom and collaboration are considered the highest values.

This principle stands in fundamental tension with IT security:

  • Open networks: University networks must be accessible to students, visiting researchers, and conference participants. At the same time, sensitive research data must be protected.
  • BYOD (Bring Your Own Device): Scientists use personal laptops, tablets, and smartphones for their research. An MDM mandate is perceived as an infringement on academic freedom.
  • International collaboration: Research data is shared with partners around the world, including countries known for conducting cyber espionage.
  • Decentralized structures: Departments, institutes, and research groups traditionally have a high degree of autonomy, including in IT matters. Central IT directives are perceived as restrictions.

NIS2 requires actively managing this tension — not by replacing openness with isolation, but by designing security measures that protect research without impeding it.

Industry-Specific Requirements

Intellectual Property: The Most Valuable Asset

The most valuable asset of a research institution is not its IT infrastructure but its intellectual property: research data, algorithms, prototypes, patent applications, publication drafts, and know-how stored in the minds of scientists as well as on servers, in databases, and on laptops.

The NIS2 risk analysis must systematically capture this intellectual property:

  • Which research projects contain confidential or strategically relevant results?
  • Where is this data stored? (Institute servers, cloud services, personal laptops, external collaboration platforms)
  • Who has access? (Researchers, students, visiting researchers, collaboration partners)
  • What classification do the data have? (Public, internal, confidential, secret)

Many research institutions have had no systematic data classification to date. Research data is stored on local hard drives, sent by email, and transported on USB sticks. NIS2 requires these practices to be replaced by controlled processes — without paralyzing research operations.

Third-Party Funded Projects: Compliance as a Contractual Obligation

Third-party funded projects bring their own compliance requirements that go beyond NIS2:

EU research programs (Horizon Europe): The EU requires compliance with data security requirements in Horizon Europe projects, particularly when projects are classified as "EU Classified Information." This applies to projects in defense, space, and internal security.

Industry projects: When a research institute conducts research on behalf of an industrial company, the company has an interest in the confidentiality of the results. Non-disclosure agreements (NDAs) are standard, but the technical implementation (encrypted storage, access control, secure collaboration) requires IT security measures.

Defense research: Projects with a defense dimension may be subject to the security clearance oversight of the Federal Ministry for Economic Affairs. This means personnel security vetting, shielded rooms (security zones), and specific IT requirements that go far beyond NIS2.

Export control: Research results in the dual-use domain are subject to the EU Dual-Use Regulation. The uncontrolled transfer of such data abroad can be a criminal offense. IT security measures must ensure that export-controlled data does not flow out in an uncontrolled manner.

The ISMS of a research institution must be capable of mapping these project-specific requirements without developing a separate security concept for each project. A tiered protection model that translates the requirements of different project types into defined protection classes is the right approach.

High-Performance Computing and Research Data Management

Many research institutions operate high-performance computing clusters (HPC) on which computationally intensive simulations, machine learning, and data analyses run. These systems are indispensable for research and pose special security requirements:

  • Shared infrastructure: HPC clusters are used by many users from different projects with different protection needs. Tenant separation must ensure that users of project A cannot access data from project B.
  • Performance vs. security: Security measures (encryption, access control, monitoring) must not significantly impair computing performance.
  • Data storage: Research data can reach enormous volumes (terabytes to petabytes). Backups, encryption, and access control must still perform adequately at these volumes.

Network Architecture: Segmentation Despite Openness

The network architecture of a research institution must bridge the gap between openness and security. This is achieved through consistent segmentation into zones with different protection needs:

| Zone | Usage | Protection Need | Access |
|---|---|---|---|
| Campus network | General internet use, email, web | Standard | All employees, students, guests |
| Research network (Standard) | Research projects without special confidentiality | Elevated | Employees with authorization |
| Research network (Confidential) | Industry projects, patent-relevant research, dual-use | High | Project members only, controlled access |
| HPC cluster | Computationally intensive research | Elevated to High (project-dependent) | Authorized users via SSH key |
| Laboratory networks | IoT devices, measurement instruments, experimental setups | Elevated | Laboratory personnel |
| Administrative network | ERP, human resources, finance | High | Administrative staff |
| DMZ | Web servers, collaboration platforms, VPN gateway | Standard | Controlled access from outside |
| Security zone | Classified projects | Very high | Security-vetted personnel, physically isolated |

The campus network remains open, but sensitive areas are protected by firewalls and access controls. Scientists can move freely on the campus network, but access to the confidential research network requires authentication and a project-specific authorization.

NIS2 Measures for Research Institutions

Risk Analysis: Project-Based Rather Than Blanket

The risk analysis of a research institution must be conducted on a project basis because the protection need varies from project to project. A basic research project in mathematics has a different protection need than an industry project for developing a new semiconductor material.

Recommended approach: Define three to four protection classes and assign each research project to a protection class — in ISMS Lite, this project-based protection class assignment can be directly linked to the respective assets and risk assessments. The assignment is based on criteria such as confidentiality agreements, export control relevance, patent potential, and client.

| Protection Class | Criteria | Measures |
|---|---|---|
| Open | Basic research, no confidentiality | Standard campus network, institute-owned data storage |
| Internal | Research with publication embargo, internal data | Standard research network, access control |
| Confidential | Industry projects, patents, dual-use | Confidential research network, encrypted storage, restricted access |
| Strictly confidential | Classified information, defense research, highly sensitive industry projects | Security zone, physical isolation, personnel security vetting |

Access Control: Role-Based and Project-Specific

The access management concept must reflect the decentralized structure of research institutions. Scientists change projects, visiting researchers come and go, and doctoral students work on multiple projects simultaneously.

Recommended approach:

  • Institute staff: Basic access to the campus network and institute-owned data storage. Access to project-specific areas is granted per project.
  • Visiting researchers: Temporary access, time-limited, restricted to the specific project. Onboarding process with security briefing.
  • Students/research assistants: Restricted access, no access to confidential projects without explicit approval from the project leader.
  • Administrators: Privileged access with MFA and audit logging. Separation of duties between IT operations and research data access.

Incident Response: Academic Peculiarities

The incident response plan of a research institution must account for several peculiarities:

  • Academic freedom: Measures that restrict research operations (network isolation, account lockout) must be weighed and proportionate. A blanket shutdown of the entire network for a localized incident would be disproportionate.
  • Securing research data: Research data collected over years is often irreplaceable. The incident response plan must prioritize the preservation of research data.
  • Notification to funding bodies: In industry projects, a security incident that compromises the confidentiality of research data can trigger a notification obligation to the client (in addition to the BSI notification under NIS2).
  • Coordination with DFN-CERT: Universities and research institutions connected via the German Research Network (DFN) can leverage the incident response expertise of DFN-CERT.

Practical Example: Research Institute with 200 Employees

Starting position:

The Institute for Applied Materials Research (fictitious example, modeled on a typical Fraunhofer or Leibniz institute) is based in Baden-Wuerttemberg. 200 employees (of which 120 scientists, 30 technical staff, 50 administration), annual budget 32 million euros, of which 22 million euros in third-party funding. The institute researches high-performance materials, coating technologies, and additive manufacturing (3D printing). Its clients are automotive manufacturers, aerospace companies, and defense companies.

The IT infrastructure:

  • HPC cluster: 200 compute nodes, 2 petabytes of data storage, for materials simulations and machine learning models
  • Laboratory networks: 3 laboratories with a total of 45 networked measurement instruments (electron microscopes, spectrometers, 3D scanners, testing machines)
  • Server infrastructure: 12 physical servers (VMware cluster, file server, Active Directory, GitLab, backup)
  • Workstations: 170 PCs and laptops (scientists, technicians, administration)
  • Cloud services: Microsoft 365, Confluence (knowledge management), Zoom (video conferencing), AWS (for on-demand ML training)
  • Collaboration platforms: Nextcloud (on-premise) for data exchange with external partners
  • ERP system: SAP (for finance and third-party funding management)
  • Campus network: Open Wi-Fi for employees, students, and guests, separate VLANs

The IT department comprises 8 staff: one IT manager, 4 system administrators, one HPC administrator, one security engineer, and one help desk employee. The institute has an IT security officer who fills the role part-time (20 percent of his working hours). No formal ISMS exists, but basic security measures (firewall, endpoint protection, backup) are implemented. Network segmentation is rudimentary: VLANs exist, but firewall rules are permissive.

Special situation: The institute is conducting three classified projects (clients from the defense sector). A physically isolated security zone with dedicated workstations exists for these projects, but the separation from the rest of the IT infrastructure is not cleanly documented.

Phase 1: Inventory and Regulatory Classification (Months 1-2)

Applicability analysis: The institute falls under NIS2 with 200 employees and a 32 million euro budget. Research on high-performance materials and coating technologies for aerospace and the defense sector is of significant economic importance and national relevance. Classification: essential entity.

Regulatory inventory: In addition to NIS2, the institute is subject to the following regulations: classified information oversight by the Federal Ministry for Economic Affairs (for defense projects), EU Dual-Use Regulation (export control for certain research results), DSGVO (GDPR) (employee data, clinical study data if applicable), Horizon Europe requirements (for EU research projects).

Strengthen CISO role: The existing IT security officer's time allocation is increased from 20 to 50 percent. The security engineer in the IT department provides operational support.

Create asset inventory and project inventory:

| Category | Count | Most Critical Asset |
|---|---|---|
| HPC cluster | 200 nodes, 2 PB storage | ML models for materials optimization (industry contracts) |
| Laboratory instruments (networked) | 45 | Electron microscope (measurement data for patent-relevant coatings) |
| Servers | 12 | GitLab (contains source code of all research projects) |
| Workstations | 170 | Scientist laptops (research data stored locally) |
| Cloud services | 4 | AWS (ML training with confidential datasets) |
| Security zone | 5 workstations | Defense projects (classified) |

Project inventory (protection classes):

| Protection Class | Number of Projects | Examples |
|---|---|---|
| Open | 12 | EU basic research, DFG projects |
| Internal | 18 | Ongoing dissertations, institute's own exploratory research |
| Confidential | 8 | Industry projects (automotive manufacturers, aerospace) |
| Strictly confidential | 3 | Defense projects (classified) |

Key finding: 23 of 120 scientists store research data on local hard drives of their laptops, without encryption and without backup. 7 laptops with confidential industry project data are regularly taken on international business trips. The Nextcloud instance for external data exchange has no access logs and no data classification.

Phase 2: Risk Analysis (Months 3-4)

| Risk | Impact on Research | Impact on Compliance | Rating |
|---|---|---|---|
| APT attack on research data | Loss of intellectual property, partners' competitive advantage lost | NIS2 reporting obligation, NDA violation toward industry partners | Critical |
| Ransomware on HPC cluster | Research operations halted, simulation data lost | NIS2 reporting obligation, project delays | Critical |
| Laptop theft during business trip | Confidential research data leaked | GDPR reporting obligation, NIS2 reporting obligation, NDA violation | High |
| Nextcloud compromise | Unauthorized access to shared research data | NIS2 reporting obligation, loss of partner trust | High |
| Unauthorized access to GitLab | Source code of all projects leaked | Massive loss of intellectual property | Critical |
| Export control violation through data leak | Criminal offense, loss of export control license | Criminal consequences | High |
| Visiting researcher as insider threat | Targeted data theft by state-sponsored actor | Espionage case, reputational damage | High |

Identified as particularly critical: The lack of laptop encryption and uncontrolled data storage on local hard drives. A laptop theft at an international conference can lead to the loss of confidential research data.

Phase 3: Technical Measures (Months 5-8)

Laptop encryption and backup (Month 5, highest priority):

  • All 170 workstations (PCs and laptops) receive full-disk encryption (BitLocker)
  • Research data may not be stored exclusively locally. An institute-wide research data repository is established to which scientists synchronize their project data. Local copies are permitted, but the repository is the authoritative system
  • Laptops taken on business trips additionally receive pre-boot authentication

Network segmentation (Months 5-7):

The existing VLAN concept is extended with restrictive firewall rules:

  • Campus network: General internet access, no connection to internal research networks
  • Standard research network: For open and internal projects. Access via 802.1X authentication
  • Confidential research network: For confidential industry projects. Access only with MFA and project-specific authorization. No direct internet access, external data exchange only via the hardened Nextcloud
  • HPC zone: Access via SSH key and MFA. Tenant separation on the cluster via job scheduler and filesystem ACLs
  • Laboratory networks: Dedicated segments per laboratory. Measurement instruments communicate only with defined data collection systems
  • Security zone: Physically isolated, remains unchanged (already set up per classified information requirements)

Harden GitLab (Month 6):

  • MFA for all GitLab users
  • Access audit: Who accessed which repository when?
  • Externally accessible repositories are reviewed: Are any confidential projects inadvertently publicly accessible?
  • IP-based access restriction for repositories of confidential projects

Harden Nextcloud (Months 6-7):

  • Enable and regularly evaluate access logs
  • Implement data classification: Each shared folder receives a protection class
  • Automatic detection and alerting on unusual download behavior (large data volumes, many files in a short time)
  • External shares: Time-limited, password-protected, with audit log

Secure cloud usage (Months 7-8):

  • AWS usage: Encryption of all data at rest and in transit. Review IAM policies. No confidential data without explicit CISO approval
  • Microsoft 365: Conditional Access Policies, DLP rules for confidential research data

Institute-wide MFA (Month 8):

MFA for all access points: VPN, cloud services, GitLab, Nextcloud, HPC cluster, administrator accounts. For the campus network, 802.1X with certificates is introduced.

Phase 4: Organizational Measures (Months 8-10)

Training program:

  • All employees: 45-minute module on cyber hygiene and research data protection. Content: Recognizing phishing, handling confidential data, secure business travel, export control
  • Scientists: in-depth training on secure data storage, data classification, handling visiting researchers and international collaborations
  • Project leaders: responsibility for classifying their projects into protection classes, compliance with project-specific security requirements
  • IT team: incident response, APT detection, forensics fundamentals
  • Institute management: NIS2 obligations, personal liability, export control, classified information protection

Onboarding process for visiting researchers:

  • Security briefing before granting access (30 minutes, with signature)
  • Access only to the campus network and the specific project area
  • No administrator rights, no access to other projects
  • Time-limited access, automatic deactivation upon departure
  • For visiting researchers from security-relevant countries of origin: additional coordination with the classified information officer

Supplier assessment:

| Supplier | Special Requirements |
|---|---|
| DFN (German Research Network) | Network security, DDoS protection, DFN-CERT integration |
| AWS | Data localization (EU region), encryption, compliance certifications |
| Microsoft (M365) | Conditional Access, DLP, data localization |
| HPC hardware supplier | Supply chain integrity, firmware security |
| Laboratory instrument manufacturer | Network security, firmware updates, remote maintenance |
| External IT service provider | NIS2 clauses, response times |

Business continuity plan:

| System | RTO | Emergency Procedure |
|---|---|---|
| HPC cluster | 24 hours | Continue research without HPC temporarily (analysis, documentation), AWS as fallback (only for open/internal projects) |
| GitLab | 8 hours | Local Git copies on scientist laptops as backup |
| Nextcloud | 12 hours | Temporarily no external data exchange, resume via email (encrypted) |
| ERP (SAP) | 24 hours | Manual processing of urgent financial transactions |
| Laboratory instruments | Device-dependent | Store measurements locally, later transfer |

Tabletop exercise: Scenario: An APT attack is discovered. A visiting researcher has systematically exfiltrated data from confidential industry projects over a three-month period. Nextcloud access logs show unusual download patterns. Result: The visiting researcher's access is immediately revoked. Affected industry partners are notified within 24 hours. The BSI is notified. The domestic intelligence service is engaged. Improvement potential: Automatic detection of unusual download patterns could have uncovered the incident three months earlier. The corresponding anomaly detection is prioritized for implementation.
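As an added example covering the Nextcloud hardening step (detecting unusual download behavior) and the exfiltration scenario in the tabletop exercise above, two detectors run over constructed audit-log lines. This is not Nextcloud's own code; the JSON field names are an assumed, simplified schema, not Nextcloud's actual audit-log format, and the thresholds are placeholders to tune against your own baseline.

```python
"""Download-anomaly detection over a file-sharing audit log.

Added example, not Nextcloud's own code. The log schema below is a
constructed, simplified JSON-lines format (user, time, action, path, bytes),
not Nextcloud's real audit-log schema: map the field names to your source.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import median


def _rec(user, when, path, size):
    return json.dumps({"user": user, "time": when, "action": "download",
                       "path": path, "bytes": size})


# Constructed sample: a staff member, a visitor with a quiet week of two files a day,
# then a late-evening bulk pull of a confidential project's data folder.
_START = datetime(2025, 2, 24)
SAMPLE_LOG = "\n".join(
    [_rec("anna", "2025-03-03T09:00:00", "/Projects/coatings/report.pdf", 2_000_000),
     '{"user": "anna", "time": "2025-03-03T09:05:00", "action": "share", "path": "/x", "bytes": 0}',
     "garbled line that must not crash the parser"]
    + [_rec("li", (_START + timedelta(days=d, hours=10 + k)).isoformat(),
            f"/Projects/coatings/notes{d}{k}.txt", 40_000_000)
       for d in range(7) for k in range(2)]
    + [_rec("li", f"2025-03-03T22:{i:02d}:00", f"/Projects/coatings/data/run{i:03d}.h5",
            40_000_000) for i in range(30)]
)


def parse_events(text):
    """Return [(user, time, path, bytes)] for download actions, sorted by time; skip bad lines."""
    events = []
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("action") != "download":
            continue
        events.append((rec["user"], datetime.fromisoformat(rec["time"]),
                       rec["path"], int(rec["bytes"])))
    return sorted(events, key=lambda e: e[1])


def detect_bursts(events, window=timedelta(minutes=15), max_files=10, max_bytes=1_000_000_000):
    """Sliding window per user: many files or much data in a short time.

    Emits at most one alert per user per window length so a single bulk
    pull does not flood the SOC with one alert per file."""
    recent = defaultdict(deque)   # user -> (time, bytes) pairs inside the window
    total = defaultdict(int)      # user -> bytes currently inside the window
    muted_until = {}              # user -> earliest time of the next alert
    alerts = []
    for user, t, _path, size in events:
        q = recent[user]
        q.append((t, size))
        total[user] += size
        while q and t - q[0][0] > window:
            total[user] -= q.popleft()[1]
        over = len(q) > max_files or total[user] > max_bytes
        if over and t >= muted_until.get(user, t):
            alerts.append({"user": user, "at": t, "files": len(q), "bytes": total[user]})
            muted_until[user] = t + window
    return alerts


def detect_volume_drift(events, min_days=5, factor=5.0):
    """Flag a day whose volume exceeds factor x the median of the user's earlier days.

    Catches a pull spread over a whole day that never trips the burst thresholds.
    A steady low rate kept up for months needs a peer-group comparison instead."""
    daily = defaultdict(lambda: defaultdict(int))   # user -> day -> bytes
    for user, t, _path, size in events:
        daily[user][t.date()] += size
    alerts = []
    for user, days in daily.items():
        history = []
        for day in sorted(days):
            if len(history) >= min_days and days[day] > factor * median(history):
                alerts.append({"user": user, "day": day, "bytes": days[day],
                               "baseline": median(history)})
            history.append(days[day])
    return alerts


def run_demo():
    """Run both detectors over the constructed sample log."""
    events = parse_events(SAMPLE_LOG)
    return detect_bursts(events), detect_volume_drift(events)
```

In the sample, the visitor's evening pull trips the burst detector after eleven files in fifteen minutes and the drift detector on the same day, while the staff member's single report download and the visitor's quiet week produce no alerts.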

Phase 5: Audit and Continuous Improvement (Months 10-12)

Internal audit:

Findings:

  1. 5 of 45 laboratory instruments are connected to the standard research network even though they are located in laboratories where confidential projects are conducted. Corrective action: Move laboratory instruments to the confidential research network.
  2. The protection class assignment of research projects is unclear for 4 of 41 projects. Corrective action: Require project leaders to complete and document the classification.
  3. The security zone for defense projects is physically isolated, but documentation of the separation from the rest of IT is incomplete. Corrective action: Complete network documentation, conduct penetration test of the isolation.

BSI registration: The institute registers with the BSI as an essential entity in the research sector.

Management review: Institute management approves the residual risk catalog, the budget for the following year (focus: anomaly detection for data exfiltration, expansion of the research data repository), and the training plan. Institute management confirms the protection class system and requires all project leaders to classify their projects.

Budget Overview

| Item | One-time (Year 1) | Annual (from Year 2) |
|---|---|---|
| External consulting (ISMS setup) | 30,000-45,000 EUR | 10,000-15,000 EUR |
| Network segmentation and firewall expansion | 20,000-30,000 EUR | 3,000-5,000 EUR |
| Laptop encryption and MDM | 8,000-12,000 EUR | 3,000-5,000 EUR |
| Research data repository (storage) | 15,000-25,000 EUR | 5,000-8,000 EUR |
| Anomaly detection (Nextcloud, GitLab, network) | 12,000-20,000 EUR | 5,000-8,000 EUR |
| MFA and access control (802.1X) | 8,000-12,000 EUR | 2,000-3,000 EUR |
| Training | 6,000-10,000 EUR | 4,000-6,000 EUR |
| CISO allocation increase (internal, 30% more) | 18,000-22,000 EUR | 18,000-22,000 EUR |
| Total | 117,000-176,000 EUR | 50,000-72,000 EUR |

Not included are costs for the classified information area, which are funded from the defense project budget, and HPC-specific security measures, which come from the HPC operations budget. Tool costs can be reduced: ISMS Lite covers all ISMS modules for 500 euros per year, without per-seat licenses or hidden costs.

What You Should Do Now

If you manage a research institution or university and need to implement NIS2, the following first steps make sense:

  1. Create a project inventory and data classification. Which projects exist, what protection do they need, and where is the data stored? Without this inventory, you can neither conduct a meaningful risk analysis nor implement targeted protective measures.

  2. Introduce laptop encryption immediately. This is the measure with the best cost-benefit ratio. Every unencrypted laptop containing research data is a risk that can be eliminated with minimal effort using BitLocker or FileVault.

  3. Network segmentation by protection need. The open campus network can remain, but confidential research data must not reside in the same segment. Segmentation by protection classes enables openness where it is needed and security where it is required.

  4. Formalize the visiting researcher onboarding process. Visiting researchers are a security risk that can be significantly reduced through a structured onboarding process. Security briefing, limited access, and automatic deactivation upon departure are the fundamental elements.

Research institutions face the challenge of reconciling security and openness. This is not a contradiction but requires a well-thought-out concept. An ISMS that respects the research culture and positions security measures as protection of intellectual property will be accepted by scientists. An ISMS that makes security appear as bureaucracy and restriction will face resistance. The key lies in communication: security protects the results of years of research work and is therefore in the interest of every individual scientist.

NIS2 Compliance for Research Institutions

ISMS Lite covers all NIS2 requirements for research institutions and universities. Risk management, measure tracking, and audit trail for organizations with open networks and confidential research data. Self-hosted, deployed in 5 minutes.
