NIS-2 Network Components: Run Cisco Meraki Compliantly
NIS-2 network components under §30 BSIG: hardening checklist for Cisco Meraki, supply chain duties and a 90-day plan to compliance.
29,000 companies in Germany fall under NIS-2. [Source to be inserted] Each operates switches, routers and firewalls. Each device is subject to documentation, hardening and audit duties under §30 BSIG. Cisco Meraki is widespread in German mid-market and KRITIS environments. In its factory-default state, the platform does not meet the NIS-2 requirements. This article shows what has to be added concretely, which gaps remain and how the transition is organised in 90 days.
NIS-2 Network Components: What §30 BSIG Actually Requires
§30 BSIG requires technical and organisational measures according to the state of the art for all network and information systems. The provision is drafted as a catch-all. Every component that transports, terminates or filters traffic falls under it. That covers switches, routers, firewalls, access points, SD-WAN gateways and their management plane. The Federal Ministry of the Interior documents the BSIG implementation duties in the ongoing interdepartmental coordination.
Compliance means four verifiable building blocks. First: documented risk analysis per asset class. Second: patch management with defined response time, typically 48 hours for critical CVEs [Source to be inserted]. Third: segmented networks with Layer 3 separation between functional areas. Fourth: logging with 12-month retention outside the monitored system itself. [Source to be inserted]
The NIS-2 Directive in Article 21 explicitly requires supply chain security and assessment of direct suppliers. Translated, that means: vendor audits, SBOM requirements and EU data residency for management clouds belong in the contract. The marketing brochure is not the right place for it.
Non-compliance carries sanctions. Fines reach up to €10 million or 2% of global turnover. [NIS-2 Directive Art. 34, link to be inserted] On top of that, personal board liability applies under §38 BSIG. To place this operationally, start with the NIS-2 compliance overview.
Cisco Meraki in the NIS-2 Context: Strengths and Gaps
The Meraki Dashboard is ISO 27001 and FedRAMP certified. EU data centres are available in Germany (Frankfurt) and the Netherlands (Amsterdam). The data region is configurable organisation-wide per tenant. For NIS-2 obligated entities in the EU, the EU region is mandatory.
Automatic firmware management is the operational strength of the platform. Security patches can be scheduled by maintenance window and roll out without manual intervention. This covers the §30 requirement for timely patching technically. The organisational duty to document the patch status per device remains with the operator.
The first gap: default configurations are not NIS-2 compliant. MFA is not enforced, local admin accounts exist in parallel to SAML login, API tokens do not rotate automatically. The second gap: cloud management dependency. If the organisation loses the Dashboard connection, devices continue with the last state, but configuration changes are impossible. A documented contingency plan including local backup configurations is mandatory.
Third gap: logging. MX firewalls deliver IDS/IPS and Advanced Malware Protection (AMP), but Meraki's own log retention is insufficient for 12 months. Syslog export to an external SIEM (Splunk, Elastic, Sentinel) is a precondition. Fourth gap: Meraki MV cameras are often classified as physical security systems, but technically they are network components with their own IP interface. They are subject to the same hardening and logging duties as an access point.
Concrete Hardening Checklist for Meraki Deployments
The following measures are mandatory in a NIS-2 obligated Meraki environment, not optional.
Identity and access. Enforce MFA for all Dashboard accounts. Deactivate local admin accounts. Couple SAML SSO with the identity provider (Entra ID, Okta, Keycloak). Enable just-in-time provisioning via SCIM so that departing personnel have their access revoked automatically.
API security. Set organisation-wide API keys to 90-day rotation. [Source or BSI Grundschutz reference to be inserted] Mirror every API access via the audit log to Splunk or Elastic. Strictly separate read-only keys for monitoring from write keys for configuration changes.
Segmentation. Keep VLANs for OT, IT, guests, IoT and security systems strictly separated. Between segments, enforce Layer 3 firewall rules with an explicit default deny. Never route OT traffic into the office VLAN. Security systems (cameras, access control, patrol robots) receive their own segment.
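One way to check a rule set against the segmentation requirements just listed, as an added example that is not Meraki's code and not from the original article: the rule objects use the field names of the Dashboard API L3 firewall rule schema (policy, protocol, srcCidr, srcPort, destCidr, destPort, syslogEnabled, comment), while the segment subnets, the two rule sets and the decision to permit a narrow IT-to-OT historian flow are constructed assumptions for this illustration.

```python
"""Audit a Meraki MX Layer 3 outbound firewall rule set against the
segmentation requirements: an explicit deny any/any as the last rule, no
allow rule that carries OT traffic into the office (IT) segment, no blanket
allow, and syslog enabled on every deny rule so blocked cross-segment
traffic reaches the SIEM.

Added example, not Meraki's code. Rule field names follow the Dashboard API
L3 firewall rule schema; subnets and rule sets below are constructed.
"""
import ipaddress

# Constructed segment plan (assumption: one /16 per VLAN as in the checklist).
SEGMENTS = {
    "OT": ipaddress.ip_network("10.10.0.0/16"),
    "IT": ipaddress.ip_network("10.20.0.0/16"),
    "GUEST": ipaddress.ip_network("10.30.0.0/16"),
    "IOT": ipaddress.ip_network("10.40.0.0/16"),
    "SECURITY": ipaddress.ip_network("10.50.0.0/16"),
}


def _is_any(field):
    return field.strip().lower() == "any"


def _networks(field):
    """Expand a Meraki CIDR field ('Any' or comma-separated CIDRs) into networks."""
    if _is_any(field):
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [ipaddress.ip_network(c.strip()) for c in field.split(",")]


def _touches(field, segment):
    """True if any network named in the field overlaps the given segment."""
    return any(net.overlaps(segment) for net in _networks(field))


def audit_l3_rules(rules):
    """Return a list of findings; an empty list means the rule set passes."""
    findings = []
    if not rules:
        return ["rule set is empty: only the platform default rule applies"]
    last = rules[-1]
    if not (last["policy"] == "deny" and _is_any(last["srcCidr"])
            and _is_any(last["destCidr"]) and _is_any(last["protocol"])):
        findings.append("last rule is not an explicit deny any/any")
    for i, rule in enumerate(rules, start=1):
        label = f"rule {i} ('{rule.get('comment', '')}')"
        if rule["policy"] == "deny":
            # Denied cross-segment traffic is exactly what the SIEM must see.
            if not rule.get("syslogEnabled", False):
                findings.append(f"{label} drops traffic without syslog")
            continue
        if _is_any(rule["srcCidr"]) and _is_any(rule["destCidr"]):
            findings.append(f"{label} is a blanket allow any/any")
        if _touches(rule["srcCidr"], SEGMENTS["OT"]) and _touches(rule["destCidr"], SEGMENTS["IT"]):
            findings.append(f"{label} allows OT -> IT traffic")
    return findings


# Constructed 'before' rule set: OT reaches an ERP host, then everything is allowed.
WEAK_RULES = [
    {"comment": "OT to ERP", "policy": "allow", "protocol": "tcp", "srcCidr": "10.10.0.0/16",
     "srcPort": "Any", "destCidr": "10.20.5.10/32", "destPort": "443", "syslogEnabled": False},
    {"comment": "Permit everything else", "policy": "allow", "protocol": "any", "srcCidr": "Any",
     "srcPort": "Any", "destCidr": "Any", "destPort": "Any", "syslogEnabled": False},
]

# Constructed hardened rule set: narrow, logged allows and an explicit logged default deny.
HARDENED_RULES = [
    {"comment": "IT to OT historian, HTTPS only", "policy": "allow", "protocol": "tcp",
     "srcCidr": "10.20.0.0/16", "srcPort": "Any", "destCidr": "10.10.8.20/32", "destPort": "443",
     "syslogEnabled": True},
    {"comment": "Security segment to SIEM collector", "policy": "allow", "protocol": "tcp",
     "srcCidr": "10.50.0.0/16", "srcPort": "Any", "destCidr": "10.20.9.5/32", "destPort": "6514",
     "syslogEnabled": True},
    {"comment": "Default deny", "policy": "deny", "protocol": "any", "srcCidr": "Any",
     "srcPort": "Any", "destCidr": "Any", "destPort": "Any", "syslogEnabled": True},
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit_l3_rules(rules) or ["no findings"])
```

Run against a live export, the same function can be pointed at the rule list returned for each MX network; the weak set above yields four findings (missing default deny, two OT-to-IT allows, one blanket allow), the hardened set yields none.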
Cryptography. Site-to-site VPN exclusively with AES-256-GCM and IKEv2. Disable legacy algorithms (3DES, MD5, SHA-1). Pre-shared keys with at least 32 characters and 12-month rotation. Where available: certificate-based authentication instead of PSK.
Logging. Activate syslog export to external SIEM. At minimum severity level Informational for firewall events, Notice for switch events. Archive logs outside the Meraki cloud, since the platform's own retention is not sufficient for §30 BSIG.
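What the exported syslog stream looks like once it reaches the SIEM, and the correlation that turns it into the escalation events the incident response section relies on, as an added example that is not Meraki's code and not a real capture: the line layout (epoch, device name, event category, key=value pairs, a trailing "pattern: allow|deny" on flow records) follows the style Meraki MX devices emit to syslog, while the sample lines, the segment subnets and the two-attempt probe threshold are constructed assumptions for this illustration.

```python
"""Parse a Meraki MX syslog export and apply the correlation a SIEM would run
on it: repeated denied cross-segment flows from one host, priority 1 IDS
alerts and site-to-site VPN loss become findings for the escalation path.

Added example, not Meraki's code. The log lines, subnets and the probe
threshold are constructed for this illustration.
"""
import ipaddress
import re
from datetime import datetime, timezone

# Constructed segment plan (assumption: one /16 per VLAN).
SEGMENTS = {
    "OT": ipaddress.ip_network("10.10.0.0/16"),
    "IT": ipaddress.ip_network("10.20.0.0/16"),
    "GUEST": ipaddress.ip_network("10.30.0.0/16"),
    "IOT": ipaddress.ip_network("10.40.0.0/16"),
    "SECURITY": ipaddress.ip_network("10.50.0.0/16"),
}

# Constructed sample lines in the Meraki MX syslog style; not a real capture.
SAMPLE_LOG = """\
1700000001.100 MX-FRA-01 flows src=10.10.3.25 dst=10.20.5.10 mac=AA:BB:CC:00:11:22 protocol=tcp sport=51234 dport=445 pattern: deny all
1700000002.200 MX-FRA-01 flows src=10.10.3.25 dst=10.20.5.11 mac=AA:BB:CC:00:11:22 protocol=tcp sport=51235 dport=3389 pattern: deny all
1700000003.300 MX-FRA-01 flows src=10.20.7.8 dst=8.8.8.8 mac=AA:BB:CC:00:33:44 protocol=udp sport=55719 dport=53 pattern: allow all
1700000004.400 MX-FRA-01 ids-alerts signature=1:28423:1 priority=1 timestamp=1700000004.400 dhost=AA:BB:CC:00:33:44 direction=ingress protocol=tcp/ip src=203.0.113.9:80 dst=10.20.7.8:50220
1700000005.500 MX-FRA-01 events type=vpn_connectivity_change vpn_type='site-to-site' peer_contact='198.51.100.7:500' connectivity='false'
"""

LINE_RE = re.compile(r"^(?P<epoch>\d+\.\d+)\s+(?P<device>\S+)\s+(?P<kind>\S+)\s*(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=('[^']*'|\S+)")


def parse_line(line):
    """Turn one syslog line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": datetime.fromtimestamp(float(m["epoch"]), tz=timezone.utc).isoformat(),
        "device": m["device"],
        "kind": m["kind"],
    }
    rest = m["rest"]
    if "pattern:" in rest:  # flow records end with 'pattern: allow|deny ...'
        rest, _, action = rest.partition("pattern:")
        rec["action"] = action.split()[0]
    for key, value in KV_RE.findall(rest):
        rec[key] = value.strip("'")
    return rec


def segment_of(addr):
    """Map an IPv4 address (optionally 'ip:port') to its segment name."""
    ip = ipaddress.ip_address(addr.split(":")[0])
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "EXTERNAL"


def triage(log_text, probe_threshold=2):
    """Return the findings that would go to the joint IT/perimeter escalation path."""
    findings = []
    denied = {}  # (source host, (source segment, destination segment)) -> destination ports
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "flows" and rec.get("action") == "deny":
            pair = (segment_of(rec["src"]), segment_of(rec["dst"]))
            if pair[0] != pair[1]:
                denied.setdefault((rec["src"], pair), []).append(rec["dport"])
        elif rec["kind"] == "ids-alerts" and rec.get("priority") == "1":
            findings.append(f"{rec['ts']} {rec['device']}: priority 1 IDS alert {rec['signature']} "
                            f"{rec['src']} -> {rec['dst']} ({segment_of(rec['dst'])} segment)")
        elif (rec["kind"] == "events" and rec.get("type") == "vpn_connectivity_change"
              and rec.get("connectivity") == "false"):
            findings.append(f"{rec['ts']} {rec['device']}: site-to-site VPN to {rec['peer_contact']} lost")
    for (src, (src_seg, dst_seg)), ports in denied.items():
        if len(ports) >= probe_threshold:
            joined = ", ".join(ports)
            findings.append(f"{src} ({src_seg}) attempted {dst_seg} on ports {joined}; "
                            f"blocked, treat as lateral movement attempt")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The single allowed DNS flow produces nothing; the two denied OT-to-IT attempts from one host are collapsed into one finding, which is the event that should open the same ticket as a perimeter alarm.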
Asset register. Document device locations, serial numbers, MAC addresses, firmware versions and last patch dates. §30 BSIG requires a complete asset inventory. A weekly JSON extraction via the Meraki API into a CMDB is the minimum standard.
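The weekly extraction described above, turned into the register format and completeness check an auditor expects, as an added example that is not Meraki's code and not from the original article: the record shape (serial, mac, model, productType, firmware, name, address, networkId) follows the organization devices endpoint of the Dashboard API, but all values are constructed; the lastPatched field is not part of that endpoint and stands in, as an assumption, for the date the operator records from the firmware upgrade history, and the 90-day staleness threshold is likewise an assumption.

```python
"""Build the asset register from a Meraki organization device export and flag
entries that would fail the audit completeness check: missing location or
name, unknown firmware, no patch date, or a patch date older than a threshold.

Added example, not Meraki's code. Device records are constructed; 'lastPatched'
and the 90-day threshold are assumptions, not fields of the devices endpoint.
"""
import csv
import io
from datetime import date

REPORT_DATE = date(2025, 4, 1)  # constructed reporting date for the illustration

# Constructed sample in the shape of a devices export; serials, MACs and
# locations are invented.
SAMPLE_DEVICES = [
    {"serial": "Q2XX-AAAA-0001", "mac": "e0:55:3d:00:00:01", "model": "MX85", "productType": "appliance",
     "firmware": "wired-18-107", "name": "MX-FRA-01", "address": "Werk 1, Rack A3, Frankfurt",
     "networkId": "N_1", "lastPatched": "2025-03-02"},
    {"serial": "Q2XX-AAAA-0002", "mac": "e0:55:3d:00:00:02", "model": "MS225-48", "productType": "switch",
     "firmware": "switch-15-21", "name": "SW-FRA-CORE", "address": "Werk 1, Rack A3, Frankfurt",
     "networkId": "N_1", "lastPatched": "2024-09-14"},
    {"serial": "Q2XX-AAAA-0003", "mac": "e0:55:3d:00:00:03", "model": "MR44", "productType": "wireless",
     "firmware": "wireless-30-6", "name": "", "address": "", "networkId": "N_1", "lastPatched": None},
    {"serial": "Q2XX-AAAA-0004", "mac": "e0:55:3d:00:00:04", "model": "MV72", "productType": "camera",
     "firmware": "camera-5-2", "name": "CAM-FENCE-N", "address": "Werk 1, Zaun Nord",
     "networkId": "N_1", "lastPatched": "2025-01-20"},
]

COLUMNS = ["serial", "mac", "model", "productType", "firmware", "name",
           "location", "lastPatched", "findings"]


def build_register(devices, today, max_patch_age_days=90):
    """Return one register row per device; the findings column is empty when complete."""
    rows = []
    for dev in devices:
        findings = []
        if not dev.get("address"):
            findings.append("no physical location")
        if not dev.get("name"):
            findings.append("no device name")
        if not dev.get("firmware"):
            findings.append("firmware unknown")
        patched = dev.get("lastPatched")
        if patched is None:
            findings.append("no patch date recorded")
        else:
            age = (today - date.fromisoformat(patched)).days
            if age > max_patch_age_days:
                findings.append(f"last patch {age} days ago")
        rows.append({
            "serial": dev["serial"], "mac": dev["mac"], "model": dev["model"],
            "productType": dev["productType"], "firmware": dev.get("firmware", ""),
            "name": dev.get("name", ""), "location": dev.get("address", ""),
            "lastPatched": patched or "", "findings": "; ".join(findings),
        })
    return rows


def to_csv(rows):
    """Serialise the register as CSV text, the format auditors accept instead of PDF."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def incomplete_serials(rows):
    """Serials that need remediation before the register counts as complete."""
    return [row["serial"] for row in rows if row["findings"]]


if __name__ == "__main__":
    register = build_register(SAMPLE_DEVICES, REPORT_DATE)
    print(to_csv(register))
    print("incomplete:", incomplete_serials(register))
```

Cameras are deliberately in the same register as switches and access points, matching the point above that an MV camera is a network component with the same documentation duty; the register also keeps the MAC addresses, which are what the SIEM correlation later joins on.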
Supply Chain Security: Cisco as Vendor Under NIS-2
NIS-2 Article 21 paragraph 2(d) requires assessment of the security practices of direct suppliers. The manufacturer of a critical network component is always a direct supplier in the sense of the directive. The assessment is subject to documentation and audit.
Cisco publishes PSIRT advisories and operates a formal CVE disclosure process. This satisfies the transparency requirement documentarily. What is missing is the contractual safeguard. The following clauses belong in the framework contract or SLA: notification duty on security incidents within 24 hours, provision of an SBOM for every major release. Added to this: an EOL roadmap with at least 5 years lead time [Source to be inserted] and defined response times for critical patches.
The Cisco Trust Portal delivers audit-ready certification evidence (ISO 27001, SOC 2, FedRAMP, Common Criteria). This evidence belongs in the company's own compliance dossier, with versioning and expiry date. For KRITIS deployment under KritisV, the BSI trustworthiness declaration under §9b BSIG for critical components must also be checked. The KritisV defines thresholds and sectors that operate NIS-2 obligated network components.
The operational consequence: supplier assessment is not a one-off procurement step, but an annual review process. The KRITIS-Dachgesetz checklist lists the parallel duties for physical components.
Integration With Physical Perimeter Protection
NIS-2 covers network and physical security as an integrated scope. Separate compliance silos between IT and plant security are no longer permissible. The BBK coordinates the cross-sectoral implementation on exactly this logic.
Concretely: Quarero patrol robots QR-2 and QR-3 use Meraki MR access points for the WLAN backhaul connection, with LTE fallback on AP failure. Robot telemetry runs over a dedicated VLAN with Layer 7 firewall rules, isolated from the office and OT networks. The data streams: live video to the VMS, sensor heartbeat to the control centre, event logs to the SIEM.
Meraki MV cameras and the LiDAR data of the QR-3 with LiDAR and drone detection are correlated in the same SIEM. Double detection (camera motion plus LiDAR object) reduces false alarms by 60 to 80% compared to single-sensor setups. [Source to be inserted] Operationally, that means: patrol control room and Network Operations Center work on the same event pipeline.
The documented incident response process covers both domains. A network anomaly (lateral movement in the OT VLAN) and a perimeter breach (LiDAR detection at the fence) trigger the same escalation path. Tabletop exercises test both scenarios quarterly. A pure IT exercise does not satisfy the NIS-2 requirement. For practical implementation see perimeter protection in industrial parks.
Board Liability for Non-Compliant Network Components
§38 BSIG codifies personal liability of management for implementation and oversight of the risk measures. The provision is sharply worded. Delegation to IT leadership does not relieve the board of this liability. The board must approve the risk management system, review it in a documented manner and complete training itself.
The liability is insurable only if documented duty of care is proven. That includes supplier assessment, audit trails and training records. D&O insurers check these documents before cover is granted. In a damage event, the same review takes place again. If proof is missing, cover falls away. Companies under BaFin supervision are additionally subject to MaRisk AT 7.2 with stricter documentation duties on IT governance.
Operationally decisive is the reversal of the burden of proof. On an incident, the board must actively prove compliance. The authority does not prove the breach; management proves the duty of care. Whoever cannot present a current audit report and training history has lost, and the proceeding is then already decided. Details on the liability question are in board liability under NIS-2.
Audit Preparation: What Auditors Demand of Meraki Setups
Auditors demand six artefacts in Meraki environments. This applies to BSI examinations, commissioned auditors and statutory auditors in the annual financial audit. Whoever keeps these ready survives the audit without follow-ups.
Complete asset list. MAC address, serial number, physical location, firmware version and last patch date per device. Format: CSV or CMDB export, no PDF.
Configuration exports. JSON via Meraki API with timestamp, archived at least quarterly in a write-protected repository. Version diff on every change documented.
MFA evidence. Screenshots or API export proving MFA activation for 100% of Dashboard accounts. No exception account. Service accounts run via API keys with a separate rotation audit.
Penetration test reports. Renewed annually, focus on cloud management plane and API endpoints. External provider with OSCP or CREST certification.
Incident response playbook. Named roles, escalation chain, Recovery Time Objective (RTO) under 4 hours for critical network segments. [Source to be inserted] Last test no older than 12 months.
Training records. Administrators and management under §38 paragraph 3 BSIG. Content, attendee list, examination result, repetition interval.
If one of these artefacts is missing, the audit result is "material finding". With two missing, overall compliance is denied.
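The MFA evidence artefact above, and the identity-and-access rule from the hardening checklist that it proves (MFA on every account, departed personnel revoked), expressed as a check over an admins export, as an added example that is not Meraki's code and not from the original article: the record shape (email, name, orgAccess, authenticationMethod, accountStatus, twoFactorAuthEnabled, hasApiKey, lastActive) follows the organization admins endpoint of the Dashboard API, while the accounts, the 90-day inactivity threshold and the "svc-" naming convention for service accounts are constructed assumptions for this illustration.

```python
"""Produce the MFA evidence artefact from a Meraki organization admins export:
coverage percentage, the exception list an auditor would ask about, and a
single audit-ready verdict.

Added example, not Meraki's code. Accounts, the inactivity threshold and the
'svc-' service-account convention are constructed assumptions.
"""
from datetime import datetime, timezone

REPORT_TIME = datetime(2025, 4, 1, tzinfo=timezone.utc)  # constructed reporting time

# Constructed sample in the shape of an admins export (dashboard accounts,
# i.e. the local accounts the checklist says to deactivate or secure with MFA).
SAMPLE_ADMINS = [
    {"id": "1", "name": "Anna Admin", "email": "anna@example.com", "authenticationMethod": "Email",
     "orgAccess": "full", "accountStatus": "ok", "twoFactorAuthEnabled": True, "hasApiKey": True,
     "lastActive": "2025-03-30T08:12:00Z"},
    {"id": "2", "name": "Legacy Local", "email": "netadmin@example.com", "authenticationMethod": "Email",
     "orgAccess": "full", "accountStatus": "ok", "twoFactorAuthEnabled": False, "hasApiKey": False,
     "lastActive": "2024-11-02T10:00:00Z"},
    {"id": "3", "name": "svc-monitoring", "email": "svc-monitoring@example.com",
     "authenticationMethod": "Email", "orgAccess": "read-only", "accountStatus": "ok",
     "twoFactorAuthEnabled": True, "hasApiKey": True, "lastActive": "2025-03-31T00:00:00Z"},
    {"id": "4", "name": "Former Contractor", "email": "ext@contractor.example",
     "authenticationMethod": "Email", "orgAccess": "full", "accountStatus": "ok",
     "twoFactorAuthEnabled": True, "hasApiKey": True, "lastActive": "2024-12-15T09:30:00Z"},
]


def mfa_evidence(admins, now=REPORT_TIME, stale_days=90):
    """Return coverage figures and the exception list for the MFA evidence artefact."""
    report = {"total": len(admins), "mfa_enabled": 0, "exceptions": []}
    for adm in admins:
        who = adm["email"]
        if adm["twoFactorAuthEnabled"]:
            report["mfa_enabled"] += 1
        else:
            report["exceptions"].append(f"{who}: MFA disabled ({adm['orgAccess']} access)")
        # Accounts nobody has used for a long time are the SCIM de-provisioning gap.
        last = datetime.fromisoformat(adm["lastActive"].replace("Z", "+00:00"))
        idle = (now - last).days
        if idle > stale_days:
            report["exceptions"].append(f"{who}: inactive for {idle} days, revoke or justify")
        # Monitoring keys must be read-only; write keys belong to named change owners.
        if adm["hasApiKey"] and adm["orgAccess"] != "read-only" and adm["name"].startswith("svc-"):
            report["exceptions"].append(f"{who}: service account holds a write-capable API key")
    total = report["total"]
    report["coverage_pct"] = round(100.0 * report["mfa_enabled"] / total, 1) if total else 0.0
    report["audit_ready"] = report["coverage_pct"] == 100.0 and not report["exceptions"]
    return report


if __name__ == "__main__":
    result = mfa_evidence(SAMPLE_ADMINS)
    print(f"MFA coverage: {result['coverage_pct']}% ({result['mfa_enabled']}/{result['total']})")
    for line in result["exceptions"]:
        print(" -", line)
    print("audit ready:", result["audit_ready"])
```

The verdict is deliberately binary: the artefact only counts when coverage is 100% and the exception list is empty, which mirrors the "no exception account" wording above. The same export, archived with a timestamp next to the configuration JSON, is the evidence an auditor can re-run rather than a screenshot they have to trust.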
Next Steps: 90-Day Plan to NIS-2 Compliance
The following schedule is achievable in mid-market environments with 200 to 2,000 Meraki devices. Precondition: a dedicated project lead and a board mandate.
Day 1 to 14: inventory. Extract asset inventory via Meraki API. Audit the organisation: how many admin accounts, how many API keys, which data region, which licence class per device. Enforce MFA and SAML SSO. Deactivate local accounts or secure them with MFA.
Day 15 to 45: technical hardening. Put VLAN segmentation into production. Implement Layer 3 firewall rules with default deny. SIEM integration via syslog in production. Renegotiate supplier contracts with Cisco and distributors: 24-hour notification, SBOM, EOL roadmap.
Day 46 to 75: organisational maturity. Write the incident response playbook and test it in a tabletop exercise. Management participates, not just IT. Complete training for administrators and the board, including examination and certificate.
Day 76 to 90: auditing. Commission an external audit. Close residual measures from the audit report. Finalise the compliance dossier with all six artefacts from the previous section.
In parallel to the network layer, physical perimeter protection must be reviewed. NIS-2 and KRITIS-Dachgesetz demand an integrated view. Whoever buys in guard services compares the cost base via the guard service TCO comparison. Whoever switches to autonomous patrol checks the Robotics-as-a-Service model, since CapEx acquisition is rarely budget-suitable in 2025.
The operational compliance check starts with a structured self-assessment. The entry point is the NIS-2 compliance overview. Templates for asset register, supplier assessment and incident response playbook are filed there and can be transferred directly into a Meraki environment.