From regulation to action - NIS2 in the ERP ecosystem
The Network and Information Security Directive 2 (NIS2) is an EU directive that establishes common cyber security requirements across the member states. It replaces the 2016 NIS Directive, expands the set of regulated entities and introduces stricter requirements for risk management, incident reporting and management-body accountability.
NIS2 raises the bar on cyber security management, risk management and reporting throughout the European Union.
Find out how Lukardi and the Pathlock platform - which includes Application Access Governance (AAG), Continuous Controls Monitoring (CCM) and Cybersecurity Application Controls (CAC) for SAP - can help you meet the requirements of the NIS2 Directive by implementing preventive, detective and reactive controls directly in business-critical applications.
Why do ERP systems matter in the context of NIS2?
They support key business processes.
They store sensitive commercial, operational and personal data.
Privileged access carries a high risk of fraud, data leakage and downtime.
Changes to applications can introduce vulnerabilities that undermine regulatory compliance.
Collecting and analyzing ERP technical data (telemetry) is key to detecting threats quickly and meeting the reporting deadlines.
Key responsibilities and requirements for risk management (NIS2)
- Approval of cyber security measures by the Board of Directors.
- Regular training for decision-makers.
- Supervision and responsibility for implementation in business and IT areas.
- Identity and Access Management.
- Secure configuration, network segmentation, zero-trust practices.
- Vulnerability and patch management, secure software development and change management.
- Threat detection, response and business continuity planning (runbooks, backups).
- Supply chain risk management and participation in coordinated vulnerability disclosure.
- Early warning within 24 hours of becoming aware of a significant incident.
- Incident notification within 72 hours, with an initial assessment of severity and impact and indicators of compromise (where available).
- Final report within 1 month; progress reports for ongoing incidents.
- Targeted audits, security scans, requests for evidence, binding instructions from regulators.
- Administrative penalties for violations of Articles 21 and 23: up to €10 million or 2% of global annual turnover (whichever is higher) for Essential entities, and up to €7 million or 1.4% of global annual turnover for Important entities.
Tools - how Pathlock and Lukardi support NIS2 implementation
Cybersecurity Application Controls (CAC) for SAP
This area addresses the implementation of preventive and detection controls in the SAP environment to support NIS2 compliance.
Key modules:
- Threat detection and response: more than 1,500 detection signatures (predefined patterns of potentially malicious or fraudulent activity) built on more than 70 SAP log sources; continuous monitoring and automatic alerting.
- Vulnerability management: more than 4,000 configuration checks, automated scanning and patch prioritization to harden the system.
- Code scanning: continuous ABAP code analysis with more than 150 checks, in development and production environments.
- Transport control: continuous checking and automatic blocking of risky transport requests, so that vulnerable changes do not reach production.
- Dynamic access control (ABAC for SAP): data masking, test data anonymization and policy-based controls that prevent unauthorized data exports and restrict transactions based on context.
Automatic response mechanisms (SOAR) in CAC
This capability automates the response to critical events in the system.
- Trigger automatic countermeasures (e.g., blocking a risky transport) when a high-risk pattern is detected.
- Upload enriched threat events to the SIEM system to facilitate event prioritization and the escalation process.
- Apply policy-based restrictions in real time using ABAC to reduce the scale of the threat during an active incident.
- Generate audit-ready reports that document detections, actions taken and status - supporting NIS2 compliant reporting: 24h / 72h / 1 month.
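To make the detect-enrich-forward chain concrete, here is an added example written for this article; it is not Pathlock's detection engine and does not use its signatures. Two signature-style rules run over a handful of constructed audit events (field names, users, terminals, client numbers, thresholds and signature IDs are all invented for illustration): a correlation rule that flags a burst of failed logons followed by a successful logon from a different terminal, and a single-event rule that flags debugger "replace" activity in a client treated as production. Each match is enriched with evidence and a recommended action and serialized as one JSON line, the shape a SIEM collector would ingest.

```python
"""Signature-style detection over constructed SAP-like audit events, with each
match enriched into a SIEM-ready record.

Added example for this article; it is not Pathlock's detection engine. The
event format, user names, terminals, client numbers, thresholds and signature
IDs are all constructed for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed events, loosely modelled on Security Audit Log fields
# (timestamp, client, user, event type, terminal). Not real log data.
EVENTS: List[Dict[str, str]] = [
    {"ts": "2025-03-10T08:00:05", "client": "100", "user": "DDIC", "event": "LOGON_FAILED", "terminal": "WS-4471"},
    {"ts": "2025-03-10T08:00:21", "client": "100", "user": "DDIC", "event": "LOGON_FAILED", "terminal": "WS-4471"},
    {"ts": "2025-03-10T08:00:40", "client": "100", "user": "DDIC", "event": "LOGON_FAILED", "terminal": "WS-4471"},
    {"ts": "2025-03-10T08:02:13", "client": "100", "user": "DDIC", "event": "LOGON_OK", "terminal": "WS-9902"},
    {"ts": "2025-03-10T08:05:00", "client": "100", "user": "JDOE", "event": "LOGON_FAILED", "terminal": "WS-1200"},
    {"ts": "2025-03-10T08:05:30", "client": "100", "user": "JDOE", "event": "LOGON_OK", "terminal": "WS-1200"},
    {"ts": "2025-03-10T09:15:00", "client": "100", "user": "ABAPDEV1", "event": "DEBUG_REPLACE", "terminal": "WS-3310"},
    {"ts": "2025-03-10T09:16:00", "client": "200", "user": "ABAPDEV1", "event": "DEBUG_REPLACE", "terminal": "WS-3310"},
]

PRODUCTION_CLIENTS = {"100"}   # assumption: client 100 is production
FAILED_THRESHOLD = 3           # assumption: tuning value for the example
WINDOW = timedelta(minutes=5)


def _ts(event: Dict[str, str]) -> datetime:
    return datetime.fromisoformat(event["ts"])


def sig_failed_logons_then_success(events: List[Dict[str, str]]) -> List[dict]:
    """SIG-LOGON-01: at least FAILED_THRESHOLD failed logons for one user within
    WINDOW, followed by a successful logon from a terminal that did not produce
    the failures. A success from the same terminal is treated as a typo and is
    not alerted, so the rule stays quiet on ordinary password fumbles."""
    alerts = []
    by_user: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["event"] != "LOGON_OK":
                continue
            since = _ts(e) - WINDOW
            fails = [f for f in evs[:i] if f["event"] == "LOGON_FAILED" and _ts(f) >= since]
            fail_terminals = sorted({f["terminal"] for f in fails})
            if len(fails) >= FAILED_THRESHOLD and e["terminal"] not in fail_terminals:
                alerts.append({
                    "signature": "SIG-LOGON-01",
                    "severity": "high",
                    "user": user,
                    "client": e["client"],
                    "evidence": {
                        "failed_logons": len(fails),
                        "failed_from": fail_terminals,
                        "success_from": e["terminal"],
                        "window": [since.isoformat(), e["ts"]],
                    },
                    "recommended_action": "lock user, confirm terminal owner, escalate",
                })
    return alerts


def sig_debug_replace_in_production(events: List[Dict[str, str]]) -> List[dict]:
    """SIG-DEBUG-01: debugger 'replace' activity in a production client lets a
    developer alter program flow and data at runtime; each occurrence is critical."""
    return [{
        "signature": "SIG-DEBUG-01",
        "severity": "critical",
        "user": e["user"],
        "client": e["client"],
        "evidence": {"terminal": e["terminal"], "at": e["ts"]},
        "recommended_action": "revoke debug authorization, review changed data",
    } for e in events if e["event"] == "DEBUG_REPLACE" and e["client"] in PRODUCTION_CLIENTS]


SIGNATURES = [sig_failed_logons_then_success, sig_debug_replace_in_production]


def run_signatures(events: List[Dict[str, str]]) -> List[dict]:
    """Evaluate every signature and return the enriched alerts."""
    alerts = []
    for sig in SIGNATURES:
        alerts.extend(sig(events))
    return alerts


def to_siem(alert: dict) -> str:
    """One JSON line per alert, the shape most SIEM collectors accept."""
    return json.dumps(alert, sort_keys=True)


if __name__ == "__main__":
    for a in run_signatures(EVENTS):
        print(to_siem(a))
```

Run as-is, the DDIC burst (three failures from WS-4471, then success from WS-9902) and the client-100 debug event each produce one enriched alert; JDOE's single failure and the client-200 debug event do not. The evidence block is what makes the alert useful downstream: the 72-hour notification asks for indicators of compromise, and terminal names, counts and time windows are exactly that.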
Application Access Governance (AAG)
Access management - this module helps the company control who has access to what in ERP systems (e.g. SAP, Oracle).
Its main functionalities:
- It checks whether someone holds too many authorizations - for example, the ability to approve invoices and to create suppliers at the same time (a combination that enables fraud).
- Mapping permission conflicts between systems (cross-system SoD) - e.g., in S/4 ERP creating a supplier, and in Ariba creating an order and initiating a purchase.
- It simulates "what if" scenarios - such as what would happen if a particular employee is given new rights.
- Automatically removes accounts that are no longer needed - for example, when an employee leaves.
- Manages temporary access (firefighter) - e.g., gives access only for the duration of an emergency, and then takes it away.
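The two AAG capabilities that are easiest to misunderstand are the cross-system SoD check and the "what if" simulation, so here is an added example that implements both in plain Python. It is not Pathlock's AAG rule engine; the systems, roles, permissions, user names and rule IDs are constructed, and permissions are written as "<system>:<activity>" so that one rule can span S/4 and Ariba exactly as in the case above.

```python
"""Cross-system segregation-of-duties (SoD) check with a "what-if" simulation.

Added example for this article; it is not Pathlock's AAG rule engine. The
systems, roles, permissions, users and rule IDs are constructed, and
permissions are written as "<system>:<activity>" so that one rule can span
two systems, as in the S/4 + Ariba case above.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# Constructed role catalogue: role name -> permissions it grants.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "S4_AP_CLERK": frozenset({"S4:post_invoice", "S4:display_vendor"}),
    "S4_VENDOR_MASTER": frozenset({"S4:create_vendor", "S4:change_vendor"}),
    "S4_AP_APPROVER": frozenset({"S4:approve_invoice"}),
    "ARIBA_BUYER": frozenset({"ARIBA:create_po", "ARIBA:submit_requisition"}),
    "ARIBA_VIEWER": frozenset({"ARIBA:display_po"}),
}


@dataclass(frozen=True)
class SodRule:
    rule_id: str
    left: str      # first conflicting activity
    right: str     # second conflicting activity
    risk: str      # what an identity holding both could do


# Constructed rule set. SOD-002 is the cross-system case.
SOD_RULES: List[SodRule] = [
    SodRule("SOD-001", "S4:create_vendor", "S4:approve_invoice",
            "create a fictitious vendor and approve payments to it"),
    SodRule("SOD-002", "S4:create_vendor", "ARIBA:create_po",
            "create a vendor in S/4 and raise purchase orders to it in Ariba"),
    SodRule("SOD-003", "S4:post_invoice", "S4:approve_invoice",
            "post and approve the same invoice"),
]


@dataclass(frozen=True)
class Violation:
    user: str
    rule: SodRule
    via_roles: Tuple[str, ...]   # roles that grant the conflicting pair


def effective_permissions(roles: Iterable[str]) -> Set[str]:
    """Union of everything the user's roles grant (unknown roles grant nothing)."""
    perms: Set[str] = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return perms


def roles_granting(roles: Iterable[str], permission: str) -> Tuple[str, ...]:
    return tuple(sorted(r for r in roles if permission in ROLE_PERMISSIONS.get(r, frozenset())))


def check_user(user: str, roles: Iterable[str]) -> List[Violation]:
    """Evaluate every SoD rule against the user's effective permissions."""
    roles = set(roles)
    perms = effective_permissions(roles)
    found = []
    for rule in SOD_RULES:
        if rule.left in perms and rule.right in perms:
            via = roles_granting(roles, rule.left) + roles_granting(roles, rule.right)
            found.append(Violation(user, rule, via))
    return found


def what_if(user: str, current_roles: Iterable[str], proposed_roles: Iterable[str]) -> List[Violation]:
    """Simulate a grant: return only the violations the new roles would introduce,
    so an approver sees the delta rather than conflicts the user already carries."""
    before = {v.rule.rule_id for v in check_user(user, current_roles)}
    after = check_user(user, set(current_roles) | set(proposed_roles))
    return [v for v in after if v.rule.rule_id not in before]


# Constructed assignments to run the check against.
USER_ROLES: Dict[str, Set[str]] = {
    "jkowalski": {"S4_AP_CLERK", "S4_AP_APPROVER"},
    "anowak": {"S4_VENDOR_MASTER", "ARIBA_BUYER"},
    "mwisniewska": {"ARIBA_VIEWER"},
}


def report(assignments: Dict[str, Set[str]] = USER_ROLES) -> Dict[str, List[str]]:
    """User -> list of violated rule IDs (empty list means clean)."""
    return {u: [v.rule.rule_id for v in check_user(u, r)] for u, r in assignments.items()}


if __name__ == "__main__":
    for user, rule_ids in report().items():
        print(user, rule_ids or "clean")
    for v in what_if("mwisniewska", USER_ROLES["mwisniewska"], {"S4_VENDOR_MASTER", "ARIBA_BUYER"}):
        print("proposed grant would introduce", v.rule.rule_id, "via", v.via_roles, ":", v.rule.risk)
```

Two design points carry over to any real implementation. First, rules are evaluated on effective permissions rather than on role names, because the same conflict can be assembled from different role combinations and from roles in different systems. Second, the what-if result is a delta: it reports only the conflicts the proposed grant would introduce, which is what an approver needs to decide on a request without being buried in the user's pre-existing exceptions.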
Continuous Controls Monitoring (CCM)
Continuous audit monitoring. This module monitors whether all security rules are being followed and helps you prepare for audits.
What does the CCM do?
- Gathers evidence that the company is using appropriate safeguards.
- It shows which problems are the most financially dangerous - for example, which mistakes can cost the most.
- Creates reports and charts to facilitate audit preparation and compliance with various regulations (e.g. NIS2, ISO, SOX).
Example scenarios for using Pathlock tools against NIS2
| Platform | NIS2 scope | Example of Pathlock application |
| --- | --- | --- |
| SAP S/4HANA / ECC | Article 21 (hardening), Article 23 (reporting) | CAC automatically blocks risky transports and sends enriched alerts to the SIEM. ABAC restricts access to sensitive transactions during an incident. |
| Oracle ERP (Cloud/EBS) | Article 21 (access control) | AAG prevents SoD conflicts between the "Commitments" and "Purchasing" modules; JIT access allows emergency operations without leaving permanent administrative privileges. |
| Microsoft Dynamics 365 (F&SCM) | Article 21 (configuration monitoring), Article 32 (supervisory evidence) | CCM monitors critical configuration changes and estimates potential financial losses; "one-click" reports provide complete evidence sets for audits. |
| Workday | Article 20 (governance) | Periodic certification of access to HR and payroll roles; automatic removal of orphaned accounts as evidence of management oversight. |
| Salesforce | Article 21 (access to data) | Policy-compliant provisioning for integration users; cross-application SoD rules prevent combinations that enable mass export and abuse of regulated data. |
Recommendations and next steps - how to implement NIS2 with Pathlock and Lukardi
Stage 1
Management should be involved from the beginning of the project in ensuring NIS2 compliance. At the outset, those responsible for security in the ERP area (e.g. SAP, Ariba, Oracle) are to be appointed.
Stage 2
Next comes the introduction of a set of controls aligned with NIS2 Articles 21-23. The CCM module is useful here: it collects evidence of compliance across systems and prioritizes it on the basis of risk analysis.
Stage 3
To ensure that the principle of least-privilege-access (i.e., minimum access as a standard) is met, one can use the AAG tool, whose main features are control over SoD (Separation of Duties) rules, temporary access (JIT), or implementation of quarterly access reviews.
Stage 4
The technical layer of SAP security covers both configuration hardening and monitoring. This layer is delivered by the CAC module for SAP: continuous threat detection, automatic transport blocking, ABAC policies, and vulnerability management linked to change windows.
Stage 5
The next step is to prepare incident reporting scenarios, for example through integration with a SIEM, so that the data for reports is collected automatically. Remember the Article 23 clock: an early warning within 24 hours of becoming aware of a significant incident, an incident notification with an initial assessment within 72 hours, and a final report within one month.
Stage 6
Round off the preparation of your environments for the NIS2 requirements with established best practices. Frameworks and certifications from ISACA (COBIT, CISM, CRISC) or ISC2 (CISSP) help you manage risk, operate controls and respond to incidents.
Why is the implementation of the NIS2 Directive important for business?
Minimizing the risk of cyber attacks
NIS2 enforces the implementation of security standards that reduce vulnerability to ransomware attacks, phishing or data leaks - protecting business continuity.
Compliance with the law and avoidance of penalties
The directive imposes legal obligations. Failure to implement can result in heavy financial and reputational penalties.
Building partner confidence
Meeting NIS2 requirements shows that the organization takes security seriously, which increases credibility in the eyes of contractors and the market.
Increase in business resilience
Implementing NIS2 is not just about compliance - it's an investment in process stability and continuity, which protects against costly downtime and losses.
Questions and answers
1. Why is the NIS2 Directive important for companies in Poland?
NIS2 aims to raise the level of cyber security across the EU. In Poland, this means an obligation to implement procedures and technologies that protect against cyber attacks, which is crucial given the growing number of incidents and threats to critical infrastructure.
2. Since when has NIS2 been in effect in Poland?
The directive entered into force in the EU in January 2023, and member states had to transpose it by October 17, 2024. In Poland, the requirements are being implemented through an amendment to the Act on the National Cybersecurity System, which is expected to take effect in 2025.
3. Who is covered by NIS2?
NIS2 primarily covers companies in essential sectors (energy, transport, health, banking, digital infrastructure) and important sectors (postal services, waste management, food production, ICT service providers). Size criterion: at least 50 employees or annual turnover above EUR 10 million.
4. What are the main obligations under NIS2?
Among the main obligations under the NIS2 Directive are:
- IT risk management
- Incident response procedures
- Ensuring business continuity
- Risk assessment in the supply chain
- MFA, encryption, access control
- Security audits and tests
- Training for employees
5. What is the incident reporting process?
- 24h - early warning
- 72h - incident notification with an initial assessment
- 1 month - final report with analysis and corrective actions
6. What are the penalties for non-compliance with NIS2?
- Essential entities: up to €10 million or 2% of global annual turnover
- Important entities: up to €7 million or 1.4% of global annual turnover
In Poland, an additional fine of up to PLN 100 million is foreseen for serious violations.
7. Does NIS2 apply to small businesses?
Generally no: NIS2 normally covers medium and large enterprises. The exception is providers of certain services that are covered regardless of size (e.g., DNS service providers, cloud).
8. how to prepare a company for NIS2?
- Security audit
- Cyber security policies and procedures
- Employee training
- Incident reporting mechanisms
- Risk assessment in the supply chain
9. How does NIS2 interact with GDPR (RODO) and DORA?
NIS2 requirements must be applied consistently with GDPR (data protection) and DORA (operational resilience in the financial sector). Companies must avoid conflicts between these regulations.
10. Why implement NIS2 now?
Early deployment reduces the risk of cyber attacks, avoids penalties and builds a competitive advantage through better security.
Your needs, our support. Let's talk!