In a recent article, Stephane Lacrampe explained why MBSE is Becoming Essential for Modern Cybersecurity, especially for designing secure and resilient systems.
Building on this perspective, this article explores how MBSE can support cybersecurity efforts in the context of the NIS2 directive.
NIS2, a major shift in cybersecurity regulation
With the NIS2 Directive, the European Union has significantly raised the bar for cybersecurity across critical and strategic sectors.
Adopted as Directive (EU) 2022/2555, NIS2 introduces a unified framework to ensure a high level of cybersecurity across the EU, extending its scope to 18 critical sectors, including energy, transport, healthcare, and digital infrastructure.
Compared to its predecessor, NIS2 brings stricter requirements. It imposes risk management measures, incident reporting obligations, and stronger governance responsibilities, including accountability at the executive level.
The directive also reflects a fundamental shift. Cybersecurity is no longer limited to IT systems. It now explicitly includes operational technologies and complex cyber-physical systems, where digital components interact with the physical world and where cyber incidents can lead to real-world consequences.
For organizations, this means one thing. Compliance is no longer just about implementing controls. It requires a deep understanding of systems, their dependencies, and their risks.
NIS2 challenges traditional engineering and compliance approaches
While NIS2 defines clear objectives, its implementation raises significant challenges.
Organizations must deal with increasing system complexity. Modern cyber-physical systems combine software, hardware, networks, sensors, and external dependencies, often across organizational boundaries. Understanding how vulnerabilities propagate across such systems is far from trivial.
At the same time, NIS2 promotes a risk-based approach that requires continuous assessment. Identifying critical assets, evaluating risks, and adapting mitigation measures cannot rely on static documentation alone.
Another key dimension lies in supply chain security and interdependencies. Organizations are expected to assess not only their own systems, but also those of their partners and suppliers.
In addition, strict incident reporting timelines impose new operational constraints. Organizations are required to issue an early warning within 24 hours, followed by more detailed notifications. These reports are not sent to a centralized European body, but to national competent authorities or CSIRTs designated by each Member State. This decentralized model requires organizations to align with country-specific implementation frameworks while maintaining consistent internal processes. It also implies having strong visibility into systems and their behavior to detect, qualify, and report incidents within tight deadlines.
Finally, compliance requires a high level of traceability and governance. Organizations must be able to demonstrate how risks are identified, how decisions are made, and how security measures are implemented throughout the lifecycle.
In practice, many organizations still rely on fragmented tools and document-based approaches. These make it difficult to maintain consistency, ensure traceability, and adapt to evolving threats.
The need for a system-level and continuous cybersecurity approach
To address NIS2 effectively, organizations need to move beyond siloed practices and adopt both a system-level and an enterprise-level continuous cybersecurity strategy, especially in the context of cyber-physical systems.
At the system level, such an approach relies on a global understanding of systems and their interactions. In cyber-physical systems, risks often emerge at the intersection between digital and physical components, which makes a holistic perspective essential. This is where Model-Based Systems Engineering plays a key role, by structuring the way systems are designed, analyzed, and validated.
However, NIS2 compliance does not rely solely on how systems are engineered. It also requires a broader, organization-wide perspective, as achieving compliance depends on the ability to provide a holistic view of the organization, its governance, its processes, its information systems, and its technologies. This enterprise-level approach complements MBSE by ensuring that cybersecurity is not only embedded in system design, but also consistently governed and aligned across the entire organization.
This dual perspective also implies continuous risk assessment. Systems and organizations evolve over time, and so do threats. Security cannot be treated as a one-off exercise, whether at the system level or at the enterprise level.
Collaboration between stakeholders is another key factor. Cybersecurity in cyber-physical systems involves system engineers, software teams, hardware specialists, security experts, enterprise architects, and operational actors. Aligning their perspectives is critical to ensure coherent decisions from strategy to implementation.
Traceability across the lifecycle is equally important. From requirements to architecture, and from risks to mitigation measures, organizations must be able to demonstrate consistency and control, both within the system itself and across the broader enterprise landscape.
These needs closely align with the principles of Model-Based Systems Engineering, while being reinforced by a Continuous Enterprise Architecture approach that ensures alignment between strategy, governance, and operational reality.
To better understand how enterprise architecture specifically supports NIS2 compliance at the organizational level, you can refer to the dedicated article by Jean-Luc Merelli on Continuous Enterprise Architecture. In the remainder of this article, the focus will be on how MBSE contributes to addressing these challenges at the system level.
How MBSE supports NIS2 compliance
Model-Based Systems Engineering (MBSE) provides a structured way to address the complexity and traceability challenges introduced by NIS2, especially in the context of cyber-physical systems.
By relying on system models rather than fragmented documentation, MBSE offers a shared and consistent view of the system. Architecture, components, interfaces, and data flows are explicitly represented, including the interactions between physical and digital elements. This makes it easier to identify critical assets and potential attack surfaces.
This shared model also improves collaboration. Engineers, cybersecurity experts, and decision-makers can work on a common representation, which facilitates communication and alignment across disciplines.
When a vulnerability is identified, the model becomes a powerful tool for impact analysis. It enables teams to quickly understand which components are affected, how risks may propagate through both digital and physical layers, and which mitigation actions should be prioritized.
Traceability is another major contribution. Security requirements can be linked directly to system elements, identified risks, implemented controls, and verification activities. This provides a structured and auditable way to demonstrate compliance with NIS2 requirements.
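The impact analysis and traceability links described in the two paragraphs above can be shown on a small system model. This Python example is added here for illustration and is not taken from the original article or from any MBSE tool; the component names, flows, requirement ids, and verification ids are constructed.

```python
from collections import deque

# Constructed sample model (hypothetical names): component -> layer
COMPONENTS = {
    "vpn_gateway": "digital", "scada_server": "digital", "historian": "digital",
    "plc_pump": "digital", "pump_motor": "physical", "billing_db": "digital",
}
# Directed interfaces / data flows: source -> components that depend on it
FLOWS = {
    "vpn_gateway": ["scada_server"],
    "scada_server": ["plc_pump", "historian"],
    "plc_pump": ["pump_motor"],
}
# Traceability links: requirement -> system element, control, verification
REQUIREMENTS = [
    {"id": "SEC-1", "element": "vpn_gateway", "control": "MFA", "verification": "TEST-01"},
    {"id": "SEC-2", "element": "plc_pump", "control": "signed logic", "verification": None},
    {"id": "SEC-3", "element": "pump_motor", "control": None, "verification": None},
    {"id": "SEC-4", "element": "billing_db", "control": "encryption", "verification": "TEST-04"},
]

def impact(start):
    """Breadth-first walk of the flows; returns {component: hops from start}."""
    hops, queue = {start: 0}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in FLOWS.get(node, []):
            if nxt not in hops:  # already visited: also guards against cycles
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    return hops

def physical_reach(start):
    """Affected components on the physical layer (real-world consequences)."""
    return sorted(c for c in impact(start) if COMPONENTS[c] == "physical")

def trace_gaps(start):
    """Requirements on affected elements that lack a control or verification."""
    affected = impact(start)
    gaps = []
    for req in REQUIREMENTS:
        if req["element"] in affected:
            missing = [k for k in ("control", "verification") if not req[k]]
            if missing:
                gaps.append((req["id"], req["element"], missing))
    return gaps

if __name__ == "__main__":
    print(impact("vpn_gateway"))
    print(physical_reach("vpn_gateway"))
    print(trace_gaps("vpn_gateway"))
```

Starting from a vulnerable remote-access gateway, the walk reaches the physical pump motor three hops away, and the traceability check lists the requirements on affected elements that cannot yet be evidenced.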
MBSE also supports a continuous approach to cybersecurity. As cyber-physical systems evolve, the model can be updated and analyses revisited, ensuring that risk management remains aligned with reality.
More broadly, MBSE helps bridge the gap between engineering and governance. By structuring information and making relationships explicit, it becomes easier to connect technical decisions with regulatory expectations.
In this context, solutions such as Capella, an open-source MBSE platform, provide a practical way to implement these principles and structure cybersecurity activities in line with NIS2 requirements, as will be explored in an upcoming article.
Conclusion
NIS2 marks a turning point in how organizations must approach cybersecurity.
Compliance is no longer just about implementing security measures. It requires a deep, continuous understanding of complex cyber-physical systems, their risks, and their interdependencies.
In this context, MBSE stands out as a key enabler. By providing a system-level view, improving collaboration, and enabling efficient impact analysis and traceability, it helps organizations move from reactive compliance to proactive cybersecurity management.
Adopting MBSE is not only a way to facilitate NIS2 compliance. It is a strategic step toward building more secure and resilient cyber-physical systems.
In my next article, I will focus on another EU cybersecurity directive: the Cyber Resilience Act (CRA). Stay tuned!