NIS2 Annex.II.4: Research Organisation Cybersecurity Requirements
What This Control Requires
Annex II identifies research organisations, defined as entities whose primary goal is to carry out applied research or experimental development with a view to exploiting the results of that research for commercial purposes; educational institutions are excluded from this definition.
In Plain Language
Nation-state actors have been systematically targeting research organisations for years, stealing intellectual property in areas like advanced materials, biotechnology, pharmaceuticals, defence technology, and AI. NIS2 responds to this threat by classifying applied research organisations with commercial intent as important entities under Annex II.
The challenge in research environments is cultural as much as technical. Open collaboration, data sharing, and academic freedom are deeply embedded values that often clash with strict cybersecurity controls. Researchers may push back against measures that slow down experiments or limit how they share findings. Getting this balance right requires careful thought and genuine engagement with the research community.
Not all research data carries the same risk, which is exactly why a one-size-fits-all approach fails here. Some projects involve commercially valuable IP or dual-use technologies that demand strong protection. Others produce publicly funded results intended for open publication. The security approach needs to reflect that difference.
How to Implement
Start by classifying research projects and data based on sensitivity and commercial value. Build a scheme that distinguishes between commercially sensitive research with significant IP value, dual-use or export-controlled work, collaborative projects requiring controlled data sharing, and publicly funded research with specific protection requirements.
Apply tiered security controls based on that classification. For high-sensitivity projects, provide restricted access environments with enhanced authentication, encrypt research data in storage and transit, monitor for data exfiltration attempts, and deploy secure collaboration tools for sharing findings with authorised partners.
Secure research computing infrastructure. HPC clusters, specialised lab equipment, and cloud analysis platforms all need proper access controls, data protection for datasets, security monitoring on research networks, and secure configuration for any lab equipment connected to the network.
Address the human factor head-on. Researchers often use personal devices, informal collaboration tools, and external services without thinking about security. Provide targeted security awareness training that resonates with researchers (not generic corporate training), offer secure collaboration platforms as genuine alternatives to informal tools, set clear BYOD policies, and issue travel security guidance for conferences and partner institution visits.
Protect against insider threats and targeted recruitment. Nation-state actors actively try to recruit researchers through social engineering. Apply personnel security measures to researchers with access to sensitive projects, monitor for anomalous data access patterns, and establish exit procedures that safeguard sensitive research when people leave.
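The monitoring called for above (data exfiltration attempts from high-sensitivity environments, and anomalous data access patterns by researchers) is usually the first control an auditor asks to see evidence of. The following is an added illustration, not code from the page or from any product it names: it reads a hypothetical file-store access log (format constructed for this example: ISO timestamp, user, project, bytes read) and flags two things, access to a project the user is not assigned to, and a daily read volume far above that user's own historical median. The project assignments and log lines are constructed sample data.

```python
"""Flag anomalous data access in a research file-store access log.

Hypothetical log format (constructed for this example):
    <ISO timestamp> <user> <project> <bytes_read>
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed project assignments: alice works on PROJ-A, bob on PROJ-B.
AUTHORISED = {"alice": {"PROJ-A"}, "bob": {"PROJ-B"}}

# Constructed sample log. alice's last day shows a 4 GB read at 02:15
# plus a read from a project she is not assigned to.
SAMPLE_LOG = """\
2024-03-01T09:10:00 alice PROJ-A 120000000
2024-03-01T14:20:00 alice PROJ-A 90000000
2024-03-02T10:05:00 alice PROJ-A 110000000
2024-03-03T11:30:00 alice PROJ-A 100000000
2024-03-04T08:00:00 alice PROJ-A 105000000
2024-03-05T02:15:00 alice PROJ-A 4000000000
2024-03-05T02:40:00 alice PROJ-B 50000000
2024-03-01T09:00:00 bob PROJ-B 30000000
2024-03-02T09:00:00 bob PROJ-B 35000000
2024-03-03T09:00:00 bob PROJ-B 32000000
2024-03-04T09:00:00 bob PROJ-B 31000000
2024-03-05T09:00:00 bob PROJ-B 33000000
"""


def parse_log(text):
    """Parse the hypothetical access-log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, project, nbytes = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "project": project,
            "bytes": int(nbytes),
        })
    return events


def daily_volumes(events):
    """Total bytes read per user per calendar day."""
    vols = defaultdict(lambda: defaultdict(int))
    for e in events:
        vols[e["user"]][e["ts"].date()] += e["bytes"]
    return vols


def find_anomalies(events, authorised, factor=5.0, min_history=3):
    """Return (kind, user, day, detail) tuples for suspicious activity.

    - unauthorised_project: user read from a project not in their assignment.
    - volume_spike: a day's total exceeds `factor` times the median of that
      user's earlier days (only once `min_history` days of baseline exist,
      so a new user's first days do not self-baseline a spike away).
    """
    findings = []
    for e in events:
        if e["project"] not in authorised.get(e["user"], set()):
            findings.append(("unauthorised_project", e["user"],
                             e["ts"].date().isoformat(), e["project"]))

    for user, per_day in daily_volumes(events).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_history:
                continue
            if per_day[day] > factor * median(history):
                findings.append(("volume_spike", user,
                                 day.isoformat(), per_day[day]))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_log(SAMPLE_LOG), AUTHORISED):
        print(finding)
```

The per-user median baseline matters in research settings: a bioinformatics group legitimately moves far more data per day than a materials-science group, so a single organisation-wide byte threshold either floods the SOC with false positives or misses a quiet project's exfiltration. Pairing the volume check with the assignment check ties the alert back to the project classification scheme, which is what makes the monitoring evidence defensible in an audit.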
Meet sector-specific obligations including export control regulations, data sharing agreements with research partners, and any cybersecurity requirements attached to research funding. Some grants explicitly require specific security measures as a condition.
Evidence Your Auditor Will Request
- Research data classification scheme and implementation records
- Tiered security controls documentation for different sensitivity levels
- Research computing infrastructure security assessment
- Security awareness training records specific to research personnel
- Compliance with export controls and funding body security requirements
Common Mistakes
- All research treated with the same low level of security regardless of sensitivity
- Researchers use personal cloud storage and informal tools for sensitive data sharing
- No monitoring for data exfiltration from research environments
- Personnel security measures not applied to researchers with access to sensitive projects
- Open research culture resists necessary security controls without management support
Frequently Asked Questions
Are universities in scope for NIS2?
How do we balance open research collaboration with NIS2 security requirements?