
NIS2 and AI Transformation of the Manufacturing Sector: How OpenKBS Ensures Compliance with Directive (EU) 2022/2555

Directive (EU) 2022/2555 (NIS2) extends the scope of cybersecurity regulation in the European Union to 18 sectors — 11 under Annex I (essential entities) and 7 under Annex II (important entities), including manufacturing. ENISA (European Union Agency for Cybersecurity) serves as the EU-level coordinating agency, while each Member State designates its own competent authority for supervision and enforcement.

Medium and large manufacturing enterprises fall within scope as "important entities" (enterprises with at least 50 employees and EUR 10 million annual turnover, in the sectors listed in Annex II of the Directive). Fines reach up to EUR 10 million or 2% of global annual turnover for essential entities and up to EUR 7 million or 1.4% for important entities.

For these organisations, NIS2 poses a concrete challenge: how to integrate AI solutions into production processes without increasing regulatory and cybersecurity risk. This publication describes how the OpenKBS platform addresses the requirements of Directive (EU) 2022/2555 for its enterprise clients.


Infrastructure Security Through AWS

OpenKBS builds the infrastructure of its clients entirely on Amazon Web Services (AWS). This is not merely a hosting choice — it entails inheriting a comprehensive catalogue of independently audited certifications and attestations, including:

  • ISO/IEC 27001 — information security management system;
  • ISO/IEC 22301 — business continuity management;
  • ISO/IEC 27017 — security controls for cloud services;
  • SOC 2 Type II — controls for security, availability, processing integrity, confidentiality and privacy;
  • C5 — Cloud Computing Compliance Criteria Catalogue, developed by the German BSI.

AWS holds over 150 independently audited security certifications worldwide. In the context of NIS2, this is material because Art. 21(1) of Directive (EU) 2022/2555 requires risk management measures to reflect the "state of the art." The use of certified infrastructure demonstrates compliance with this principle.

In Germany, AWS is already part of the national Critical Infrastructure (KRITIS). Amazon EC2 and Amazon CloudFront fall within the scope of KRITIS regulation, and AWS is a member of the UP KRITIS initiative — a joint effort between industry and the German federal government to establish cybersecurity standards.

Shared Responsibility Model

AWS applies the Shared Responsibility Model:

  • AWS is responsible for the security of the cloud infrastructure — physical data centres, network, hypervisor, managed services;
  • The customer is responsible for the security of what is built in the cloud — application code, configurations, access control.

For enterprise clients, every solution undergoes a structured security audit and review process before deployment to production.


Dedicated AWS Account per Enterprise Client

Among the central requirements of NIS2 is ensuring business continuity and crisis management (Art. 21(2)(c) of Directive (EU) 2022/2555). The Directive also emphasises supply chain security (Art. 21(2)(d)), including the management of risks arising from dependencies on technology suppliers.

OpenKBS addresses these requirements through a dedicated AWS account model.

How It Works

Each enterprise client receives a dedicated AWS account, in which all resources are deployed:

Resource             Description
-------------------  ------------------------------------------------------------------------------
Lambda Functions     Serverless compute for business logic (up to 20 per project)
S3 Storage           Object storage for files and data
Aurora PostgreSQL    Managed relational database with automatic backups and point-in-time recovery
CloudFront CDN       Content distribution with TLS encryption
EventBridge          Scheduled tasks and automations

The resources of one client are isolated from those of every other client at the AWS account level. This is not separation by namespace, tag or virtual network inside a shared account, but a hard boundary between accounts, enforced by AWS Identity and Access Management (IAM).

Infrastructure Transfer on Contract Termination

On contract termination or when otherwise needed, the dedicated AWS account can be transferred in its entirety to the client. The process includes:

  1. Changing the account root user to a client-owned email address;
  2. Confirmation by the client and setting of a new password;
  3. Removal of the account from the OpenKBS AWS Organization;
  4. The client adds a payment method and assumes full control;
  5. The client removes OpenKBS access by deleting the cross-account IAM role.

Nothing is migrated. Lambda functions continue to run, data in S3 and Aurora remains in place, CloudFront distributions serve traffic without interruption. The client obtains full control over their infrastructure with no data loss and no downtime.

All resources are standard AWS primitives — no proprietary formats, no vendor lock-in. The client can continue to manage the infrastructure independently or with another provider.

AWS Organizations allows the creation of up to 50,000 accounts within a single organisation, at no additional charge for the account itself. Only resource consumption within the account is billed.

Implications for NIS2 Compliance

  • Art. 21(2)(c) (business continuity): The infrastructure does not depend on the operational status of OpenKBS. In the event of the supplier's cessation of activity, the client can continue operations.
  • Art. 21(2)(d) (supply chain security): The risk of single-vendor dependency is minimised through the guaranteed ability to transfer fully.
  • Clause 5 of NIS2 contractual requirements (termination assistance and data security): Covered by design — data already resides in an account the client can assume in its entirety.

Data Residency and Serverless Architecture

Hosting in the European Union

All enterprise client resources are deployed in the AWS region eu-central-1 (Frankfurt, Germany) by default. The central platform database (AWS Aurora DSQL) operates exclusively in eu-central-1.

Data does not leave EU territory. Each client project receives:

  • S3 storage in eu-central-1;
  • Aurora PostgreSQL instance in eu-central-1;
  • Lambda functions executed in eu-central-1;
  • CloudFront distribution with edge locations in the EU.

Data residency is a key factor in the NIS2 risk assessment. Deploying infrastructure within the EU simplifies compliance with data protection requirements and facilitates interaction with national regulatory authorities.

Serverless Architecture and Reduced Attack Surface

OpenKBS uses a fully serverless architecture for client resources. This means:

  • No servers to maintain — no operating system to patch, no SSH access, no open ports;
  • AWS manages the runtime environment — Node.js 24.x on Lambda, with automatic security updates;
  • Execution-level isolation — each Lambda function runs in a separate microVM environment;
  • TLS 1.2+ for all communications — via CloudFront, with no exceptions.

From the perspective of Art. 21(2)(e) of Directive (EU) 2022/2555 (security in the acquisition, development and maintenance of network and information systems), the serverless architecture eliminates an entire class of vulnerabilities — unpatched operating systems, misconfigured servers, unauthorised network access.


Security of AI-Generated Code

The Reality of Modern Development

A significant and growing share of code in industry is generated with the assistance of AI models. This trend is irreversible. The question is not whether AI will generate the code, but what processes ensure the quality and security of that code.

AI-generated code is not inherently insecure. Modern language models (such as Claude by Anthropic) detect vulnerabilities in code more effectively than most manual reviews — including SQL injection, XSS attacks, unauthorised access, improper session management, and dozens of other categories from the OWASP Top 10 and CWE classifications.

The risks of AI-generated code do not stem from the model itself, but from the absence of audit and validation processes. A system in which generated code is deployed directly without review is risky — regardless of whether the code was written by a human or an AI.

The OpenKBS Process for Enterprise Clients

OpenKBS applies a structured security review process for each new version of the client solution:

Automated security audit for each version:

  • Static code analysis for OWASP Top 10 vulnerabilities;
  • Checking for SQL injection, XSS, CSRF, SSRF, command injection;
  • Dependency audit for known vulnerabilities (CVE);
  • Checking for sensitive data exposure (hardcoded credentials, API keys, connection strings);
  • Input validation and access control review;
  • Checking for unauthorised information disclosure in HTTP responses and error handling.
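
The sensitive-data check in the list above can be illustrated with a small scanner. The following is an added example written for this article, not the platform's own audit tooling: it runs a few illustrative detection rules over constructed Node.js source (the key ID is AWS's documented placeholder value, the other values are made up), skips lines that read secrets from the environment or a secrets manager, and reports each finding with the matched value masked so the report itself does not leak the secret.

```python
"""Scan Node.js source for hardcoded credentials before a version is deployed."""
import re
from dataclasses import dataclass

# Detection rules: (category, pattern). These are illustrative rules written
# for this example; they are not the platform's real audit rule set.
SECRET_RULES = [
    # AWS access key IDs use the documented AKIA prefix followed by 16 characters.
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # Any URL of the form scheme://user:password@host embeds a credential.
    ("connection_string_with_password",
     re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:[^\s@]+@")),
    # A quoted literal of 8+ characters assigned to a secret-like name.
    ("hardcoded_credential_assignment",
     re.compile(r"(?i)\b(api[_-]?key|secret|password|token)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]")),
]

# Reading the value from the environment or a secrets manager is the approved
# pattern, so such lines are never reported even if a rule would match.
APPROVED_SOURCE = re.compile(r"process\.env\.|getSecretValue|SecretsManager")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    category: str
    excerpt: str  # the offending line with the matched secret masked


def scan_source(path: str, source: str) -> list[Finding]:
    """Return one Finding per (line, rule) match; the report never repeats the secret."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        if APPROVED_SOURCE.search(line):
            continue
        for category, pattern in SECRET_RULES:
            match = pattern.search(line)
            if match:
                masked = line.replace(match.group(0), "[REDACTED]").strip()
                findings.append(Finding(path, number, category, masked))
    return findings


def has_blocking_findings(findings: list[Finding]) -> bool:
    """Deployment gate: any hardcoded credential blocks the release."""
    return bool(findings)


# Constructed sample input standing in for a Lambda handler under review.
SAMPLE_SOURCE = """\
const AWS_KEY = "AKIAIOSFODNN7EXAMPLE";
const db = "postgres://app:Pa55w0rd-constructed@db.internal:5432/app";
const apiKey = "sk-constructed-0123456789";
const token = process.env.API_TOKEN;
const region = "eu-central-1";
"""

# Constructed sample of the approved pattern: secrets come from the environment
# or Secrets Manager, so nothing is reported.
CLEAN_SOURCE = """\
const { SecretsManagerClient, GetSecretValueCommand } = require("@aws-sdk/client-secrets-manager");
const apiKey = process.env.API_KEY;
const region = "eu-central-1";
"""

if __name__ == "__main__":
    results = scan_source("handler.js", SAMPLE_SOURCE)
    for f in results:
        print(f"{f.path}:{f.line} {f.category}: {f.excerpt}")
    print("deployment blocked:", has_blocking_findings(results))
```

Regex rules of this kind trade recall for precision; in practice they are one layer beside entropy-based detection and a pre-commit hook, and every finding still goes to a reviewer rather than failing the build silently.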

Infrastructure review:

  • Review of IAM policies and least privilege principle;
  • Validation of encryption in transit (TLS) and at rest (AES-256);
  • Checking for publicly accessible resources (S3 buckets, Lambda endpoints);
  • Network configuration and firewall rules audit.
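
The IAM least-privilege review and the public-resource check above can be partly automated with a static policy reviewer. The following is an added example, not OpenKBS tooling: it walks IAM and S3 bucket policy documents, flags wildcard actions, unconditioned `Resource "*"`, public principals, and cross-account trust to any account outside an expected set. The account IDs, bucket name and distribution ID are constructed placeholders. The hardened bucket policy uses the standard CloudFront service-principal form restricted by `AWS:SourceArn`, so only one distribution can read the bucket.

```python
"""Static review of IAM and S3 bucket policies for wildcard grants and public access."""
import json


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"}, the two forms that mean 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _account_of(principal_entry):
    # "arn:aws:iam::111111111111:root" -> "111111111111"; a bare account id passes through.
    parts = principal_entry.split(":")
    return parts[4] if len(parts) >= 6 else principal_entry


def review_policy(name, policy, trusted_accounts=frozenset()):
    """Return human-readable review items for one policy document.

    Each item is a prompt for the reviewer, not an automatic verdict: a few AWS
    actions legitimately need Resource "*", which is why each item names the statement.
    """
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement", []))):
        if statement.get("Effect") != "Allow":
            continue
        actions = _as_list(statement.get("Action", []))
        resources = _as_list(statement.get("Resource", []))
        conditioned = bool(statement.get("Condition"))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{name} #{index}: wildcard action {actions}")
        if "*" in resources and not conditioned:
            findings.append(f'{name} #{index}: Resource "*" without a Condition')
        principal = statement.get("Principal")
        if principal is None:
            continue  # identity policy: no principal to assess
        if _is_public_principal(principal) and not conditioned:
            findings.append(f"{name} #{index}: public principal may call {actions}")
        elif isinstance(principal, dict):
            for entry in _as_list(principal.get("AWS", [])):
                if entry != "*" and _account_of(entry) not in trusted_accounts:
                    findings.append(f"{name} #{index}: trusts an unexpected account: {entry}")
    return findings


def review_policy_json(name, text, trusted_accounts=frozenset()):
    """Convenience wrapper for policy documents exported as JSON text."""
    return review_policy(name, json.loads(text), trusted_accounts)


# Constructed sample policies; account ids, bucket and distribution are placeholders.
CLIENT_ACCOUNT = "111111111111"
OPERATOR_ACCOUNT = "222222222222"

LAMBDA_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::client-bucket-example/*"},
        {"Effect": "Allow", "Action": "logs:*", "Resource": "*"},  # two review items
    ],
}

PUBLIC_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::client-bucket-example/*"}],
}

# Hardened form: only the named CloudFront distribution may read the bucket.
CLOUDFRONT_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "cloudfront.amazonaws.com"},
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::client-bucket-example/*",
                   "Condition": {"StringEquals": {
                       "AWS:SourceArn": f"arn:aws:cloudfront::{CLIENT_ACCOUNT}:distribution/EXAMPLEDIST"}}}],
}

# Trust policy of the operator's cross-account role in the client account.
CROSS_ACCOUNT_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{OPERATOR_ACCOUNT}:root"},
                   "Action": "sts:AssumeRole",
                   "Condition": {"StringEquals": {"sts:ExternalId": "constructed-external-id"}}}],
}

if __name__ == "__main__":
    for item in review_policy("lambda-role", LAMBDA_ROLE_POLICY):
        print(item)
    print(review_policy("bucket", PUBLIC_BUCKET_POLICY))
    print(review_policy("trust", CROSS_ACCOUNT_TRUST_POLICY, {OPERATOR_ACCOUNT}))
```

The trust-policy check is also the natural post-transfer verification: once the client has deleted the cross-account role, no statement should trust the former operator's account at all.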

Documented report:

  • Each audit generates a documented report with findings and recommendations;
  • Critical vulnerabilities are remediated before deployment to production;
  • Reports are available to the client and can be provided to regulatory authorities during audits.

This process addresses the requirements of Art. 21(2)(e) (security in development and maintenance) and Art. 21(2)(f) (policies and procedures for assessing the effectiveness of risk management measures).


AI Supply Chain Consolidation

An organisation that wishes to use AI models from multiple providers (OpenAI, Anthropic, Google) must enter into separate contracts, conduct separate risk assessments, and ensure NIS2 compliance for each of them.

OpenKBS consolidates access to multiple AI models through a single proxy, operating within the EU infrastructure of the platform. The client interacts with one provider (OpenKBS), which manages the integration with AI vendors.

This reduces:

  • the number of suppliers subject to assessment under Art. 21(2)(d) of NIS2;
  • the number of contracts that must contain the five mandatory supply chain security clauses;
  • the administrative burden of periodic supplier reviews.

Additional Compliance Measures

Encryption

In accordance with Art. 21(2)(h) of Directive (EU) 2022/2555 (policies on the use of cryptography):

  • In transit: TLS 1.2+ for all communications, with no exceptions;
  • At rest: AES-256 for sensitive data (connection strings, API keys), AWS-managed encryption for S3 and Aurora;
  • Access tokens: Stored as SHA-256 hashes; the original text is not retained;
  • MQTT communications: SigV4-signed WebSocket connections with temporary STS session tokens (15-minute validity).

Access Control

In accordance with Art. 21(2)(i) (human resources security, access control):

  • JWT-based authentication (RS256) with limited validity duration;
  • Per-project API keys with explicitly defined permissions;
  • Automatic key rotation on each deployment;
  • STS session credentials with 15-minute validity for cross-account access.
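
The two lists above (tokens stored only as SHA-256 hashes; per-project permissions, limited validity and rotation on each deployment) describe one token-handling pattern, shown below as an added example written for this article rather than OpenKBS code. The 15-minute lifetime is a constructed choice borrowed from the STS figure the page cites; the store, record layout and function names are this example's own.

```python
"""Token issuance and verification where only SHA-256 digests are ever stored."""
import hashlib
import secrets
import time
from dataclasses import dataclass

# Constructed choice for this example: the same 15-minute lifetime the page
# cites for STS session credentials.
DEFAULT_TTL_SECONDS = 15 * 60


@dataclass(frozen=True)
class TokenRecord:
    token_hash: str          # hex SHA-256 of the token; the token itself is never kept
    project_id: str
    permissions: frozenset   # explicitly granted permissions for this project's key
    expires_at: float        # absolute Unix time after which the token is dead


def digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class TokenStore:
    def __init__(self, clock=time.time):
        self._clock = clock                 # injectable so tests can move time forward
        self._records: dict[str, TokenRecord] = {}

    def issue(self, project_id, permissions, ttl=DEFAULT_TTL_SECONDS) -> str:
        """Create a token with explicit permissions; the plaintext is returned exactly once."""
        token = secrets.token_urlsafe(32)   # 256 bits of randomness
        self._records[digest(token)] = TokenRecord(
            token_hash=digest(token), project_id=project_id,
            permissions=frozenset(permissions), expires_at=self._clock() + ttl)
        return token

    def verify(self, token, required_permission):
        """Return the project id if the token is known, unexpired and allowed to do this."""
        # Lookup is by one-way digest: a copy of the store yields nothing that can be
        # presented as a token, and a forged token must hit a 256-bit random value.
        record = self._records.get(digest(token))
        if record is None:
            return None
        if self._clock() >= record.expires_at:
            del self._records[record.token_hash]   # expired tokens are purged on sight
            return None
        if required_permission not in record.permissions:
            return None
        return record.project_id

    def rotate(self, project_id, permissions, ttl=DEFAULT_TTL_SECONDS) -> str:
        """Deployment-time rotation: revoke every token of the project, then issue a fresh one."""
        for stale in [h for h, r in self._records.items() if r.project_id == project_id]:
            del self._records[stale]
        return self.issue(project_id, permissions, ttl)

    def stored_hashes(self):
        """What someone holding a copy of the store would see: digests only."""
        return list(self._records)


if __name__ == "__main__":
    store = TokenStore()
    token = store.issue("project-example", {"read", "write"})
    print("verify read:", store.verify(token, "read"))
    print("verify admin:", store.verify(token, "admin"))
    print("stored:", store.stored_hashes())
```

Plain SHA-256 (rather than a slow password hash) is appropriate here because the token is a 256-bit random value, not a human-chosen secret; brute force against the digest is infeasible regardless of hash speed.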

Audit Trail

In accordance with Art. 21(2)(f) (assessment of effectiveness of measures):

  • Administrative audit log: action type, affected resource, details, IP address;
  • Resource consumption tracking by project and period;
  • CloudWatch metrics for each function (invocations, duration, errors).

Backups, Recovery and Disaster Recovery Plan

In accordance with Art. 21(2)(c) (business continuity, backup management, disaster recovery and crisis management):

Database (Aurora PostgreSQL Serverless v2):

  • Automatic continuous backups, managed by AWS;
  • Point-in-time restore with second-level precision, for a configurable period of up to 35 days;
  • Data is stored in six copies distributed across three Availability Zones within the eu-central-1 region;
  • On primary instance failure, Aurora automatically fails over to a standby replica.

Object Storage (S3):

  • Object versioning — every modification or deletion preserves the previous version;
  • AWS S3 provides 99.999999999% (11 nines) data durability;
  • Data is stored across multiple Availability Zones within the region.

General Principles:

  • Soft delete for all resources — no irreversible deletion;
  • The serverless architecture eliminates the need for server recovery — on Lambda instance failure, AWS automatically starts a new one;
  • CloudFront CDN ensures traffic serving even during partial origin server unavailability.
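
The two principles above, object versioning and soft delete with no irreversible deletion, share one mechanism: writes only ever append. As an added example (written for this article, not part of the OpenKBS platform), the store below models the delete-marker semantics that S3 versioning uses at the application level with SQLite: a put adds a version, a delete adds a marker, and a restore appends a copy of the last real version, so the full history survives every operation.

```python
"""Append-only object store: put adds a version, delete adds a marker, restore adds a copy."""
import sqlite3
import time


class VersionedStore:
    """Application-level model of object versioning plus soft delete, following the
    delete-marker semantics of S3 versioning. No row is ever removed."""

    def __init__(self, path=":memory:"):
        self._db = sqlite3.connect(path)
        self._db.execute(
            "CREATE TABLE IF NOT EXISTS object_versions ("
            "  key TEXT NOT NULL,"
            "  version INTEGER NOT NULL,"
            "  body TEXT,"                        # NULL for a delete marker
            "  is_delete_marker INTEGER NOT NULL DEFAULT 0,"
            "  created_at REAL NOT NULL,"
            "  PRIMARY KEY (key, version))")

    def _next_version(self, key):
        (current,) = self._db.execute(
            "SELECT COALESCE(MAX(version), 0) FROM object_versions WHERE key = ?",
            (key,)).fetchone()
        return current + 1

    def _append(self, key, body, marker):
        version = self._next_version(key)
        self._db.execute(
            "INSERT INTO object_versions (key, version, body, is_delete_marker, created_at)"
            " VALUES (?, ?, ?, ?, ?)",
            (key, version, body, int(marker), time.time()))
        self._db.commit()
        return version

    def put(self, key, body):
        """Every modification becomes a new version; the previous one stays readable."""
        return self._append(key, body, marker=False)

    def delete(self, key):
        """Soft delete: appends a delete marker instead of removing anything."""
        return self._append(key, None, marker=True)

    def get(self, key, version=None):
        """Latest body (None if the latest version is a delete marker), or a specific version."""
        if version is None:
            row = self._db.execute(
                "SELECT body, is_delete_marker FROM object_versions"
                " WHERE key = ? ORDER BY version DESC LIMIT 1", (key,)).fetchone()
        else:
            row = self._db.execute(
                "SELECT body, is_delete_marker FROM object_versions"
                " WHERE key = ? AND version = ?", (key, version)).fetchone()
        if row is None or row[1]:
            return None
        return row[0]

    def restore(self, key):
        """Undo a soft delete by appending the last real version as a new version."""
        row = self._db.execute(
            "SELECT body FROM object_versions WHERE key = ? AND is_delete_marker = 0"
            " ORDER BY version DESC LIMIT 1", (key,)).fetchone()
        if row is None or self.get(key) is not None:
            return None  # never had content, or is not currently deleted
        return self._append(key, row[0], marker=False)

    def history(self, key):
        """(version, is_delete_marker) pairs in order: the audit view of the object."""
        return [(v, bool(m)) for v, m in self._db.execute(
            "SELECT version, is_delete_marker FROM object_versions WHERE key = ? ORDER BY version",
            (key,))]


if __name__ == "__main__":
    store = VersionedStore()
    store.put("report.pdf", "first draft")        # constructed sample data
    store.put("report.pdf", "final version")
    store.delete("report.pdf")
    print("after delete:", store.get("report.pdf"))
    store.restore("report.pdf")
    print("after restore:", store.get("report.pdf"))
    print("history:", store.history("report.pdf"))
```

Because no code path issues a DELETE, an operator error or a compromised credential with write access cannot destroy earlier versions through the application; permanent removal, if ever required for retention reasons, has to be a separate, deliberately privileged operation.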

Summary: Coverage of Minimum Measures Under Art. 21 NIS2

Measure under Art. 21(2)                               How OpenKBS addresses it
-----------------------------------------------------  ------------------------------------------------------------------------------------
(a) Risk analysis and information security policies    Structured audit process for each version; documented reports
(b) Incident handling                                  Incident response procedure; 24-hour early warning to client
(c) Business continuity                                Dedicated AWS account; Aurora PITR up to 35 days; S3 versioning; 6 copies across 3 AZ
(d) Supply chain security                              Consolidated AI proxy; single contract; transferable account
(e) Security in development and maintenance            Security audit for each version; serverless architecture
(f) Assessment of effectiveness of measures            Audit trail; resource monitoring; CloudWatch metrics
(g) Cybersecurity training                             Consultancy and documentation for client teams
(h) Cryptography and encryption                        TLS 1.2+; AES-256; SHA-256 for tokens; SigV4 for MQTT
(i) Access control                                     JWT authentication; per-project keys; automatic rotation
(j) MFA and encrypted communication                    Encrypted WebSocket connections; STS session credentials

Next Step

OpenKBS works with manufacturing enterprises across Europe that are implementing AI solutions while maintaining compliance with Directive (EU) 2022/2555.

If your organisation falls within the scope of NIS2 and is considering an AI transformation, contact us for a consultation on:

  • assessment of your current infrastructure against NIS2 requirements;
  • design of an AI solution in a dedicated AWS account with EU Data Residency;
  • security audit processes for AI-generated code;
  • business continuity and crisis management plan.

The services described — security audit, dedicated AWS account and AI-generated code review — are part of the OpenKBS Enterprise plan.

This publication is for informational purposes only and does not constitute legal advice. For specific questions regarding the application of Directive (EU) 2022/2555 or national transposition legislation, please consult a qualified legal adviser.
