NIS2 & KRITIS: Highly available internet as the key to
IT resilience

Trusted Advisor for IT & Telecommunications Sourcing

Why internet availability is crucial for your NIS2 resilience

You are facing increasing demands as a result of NIS2 – not only on your security architecture, but also on the operational capability of your entire IT. For many KRITIS-related environments and essential/important entities, one factor is taking center stage: availability.

What this means for you

Even a strong security architecture does not protect if locations become “blind” in the event of line faults
Cloud services, VPNs and control center communication can break down in the event of an incident
Responsiveness, incident reporting and ongoing operations come under pressure

What this article is about

This article shows how highly available Internet connections can become a practical lever for NIS2 resilience – and how SAVECALL can support you as an independent sourcing and delivery partner in design, provider selection and backup strategy.

Book a consultation

>20%
Savings

Learn more

99,99%
Availability

Learn more

24/7
Support

Contact

NIS2 Relevancy

The NIS2 directive raises cybersecurity to a new mandatory level in many industries – not only technically, but also organizationally. For KRITIS-related environments and many “essential/important entities”, this makes one point particularly critical: availability. After all, even the best security architecture is of little help if locations go “blind” in the event of line faults or if central cloud services, VPNs and control center communication break down.

This article shows how highly available Internet connections function as a practical lever for NIS2 resilience – and how Savecall, as an independent sourcing and delivery partner, provides support with design, provider selection and backup strategy.

For whom is NIS2 typically relevant?

NIS2 affects significantly more organizations than the previous NIS Directive. It is particularly common:

KRITIS-related operators and facilities (e.g. energy, health, transportation, water, digital infrastructure, public administration, etc.)
Companies with high availability requirements (e.g. control centers, production and logistics networks, data center and ICT service providers, platform/provider environments)
Many medium-sized companies in affected sectors (often the size logic “at least 50 employees or ≥ €10 million turnover” applies – depending on classification and exceptions)

Important: Whether an entity is “Essential” or “Important Entity” determines the supervision and sanction framework – it is therefore worth classifying it properly.

Make an appointment

1

Why KRITIS companies are under particular pressure

ICRITIS processes are socially and operationally critical. In practice, it is often not only cyber attacks but also “banal” outages (construction work, excavators, PoP disruption, power issues in the carrier environment) that trigger security and operational risks:

Standstill of control center/OT communication
Interrupted cloud and VPN connections (identity, SIEM, remote access, ticketing)
Delayed response to security incidents (because telemetry/logging no longer flows cleanly)

2

What NIS2 requires in practice – and why Internet resilience is part of it

NIS2 requires, among other things, appropriate technical and organizational measures as well as rapid incident reporting. These are typical:

Early warning “where possible” within 24 hours
Incident notification within 72 hours (with reliable information)

Key message: Availability is not a “nice-to-have”, but directly influences reporting obligations, responsiveness and damage limitation.

3

Backup Internet is not the same as highly available Internet

Many setups call themselves “redundant”, but in everyday life they are only emergency operations. Typical weak points of classic backup lines:

Switchover time: Failover only after failure detection – applications “notice” this
IP/routing changes: breaking VPNs, whitelists, cloud policies, control center tunnels or partner connections
Degraded performance: Backup is often narrowband or split
Costs without benefits: The second line lies idle during normal operation

The alternative is an approach in which several connections are used permanently (active-active): Load balancing, automatic interception of failures and – depending on the design – a stable egress IP for critical applications.

Practical blueprints: These Internet backup variants really work

Depending on the location, sector, risk and budget, the following variants are often combined:

Variant A: Two wired Internet accesses (carrier & route diversity)

Two different carriers / last mile
Ideally separate building entry/route/PoP dependencies
The “gold standard” for site resilience in many KRITIS environments

Variant B: DIA + Business Broadband as economic redundancy

Strong primary line (DIA/fiber optic)
Second line cost-efficient (business broadband)
Useful if bandwidth in failover does not have to be 1:1 identical

Variant C: Wired + Mobile communications (4G/5G) as “third air”

Mobile communications as additional failure protection (e.g. in the event of construction/route problems)
Particularly suitable for signaling paths, emergency operation, out-of-band accesses

Variant D: Active-Active Multi-Access (parallel operation instead of “cold start backup”)

Both/multiple lines run simultaneously
Automatic compensation in the event of faults (without “hard cut”)
Performance advantage in normal operation through load distribution

Variant E: Stable IP & clean failover for VPN/cloud/partner (routing design)

Goal: no application crashes due to changing sender IP
Depending on the setup: Multi-homing/BGP options or other egress concepts
Relevant for: Site-to-site VPN, cloud policies, partner whitelists, OT tunnels

Note: The appropriate variant depends heavily on which applications need to remain stable (control center, OT, cloud ERP, VoIP), which RTO/RPO targets apply and how diverse the local infrastructure is actually available.

Make an appointment

How SAVECALL provides provider-independent support for Internet & backup

SAVECALL does not start with “hardware”, but with operability and risk – and organizes the right solution via the provider ecosystem.

Typical SAVECALL procedure

As-is analysis & risk check: single points of failure (carrier, route, building, IP dependencies)
Variant design: active-passive vs. active-active, bandwidth and IP strategy, SLA requirements
Provider-independent market comparison: suitable carrier/access options per location (incl. alternatives to the last mile)
Procurement & coordination: requesting quotations, ordering, scheduling and construction coordination, escalation
Operational support: documentation, provider handling, structured fault clearance/incident support (according to agreed model)

In short: You get a resilient backup strategy for the Internet – and SAVECALL ensures that it is actually available and operable at your location.

Alpine landscape at sunrise with discreetly visible data streams between mountain peaks as a metaphor for stable IP transit connections.

What does this mean for NIS2 compliance – in concrete terms?

Fewer breakdowns → fewer reportable malfunctions
Faster response times because security monitoring/remote access remains accessible
Better audit evidence: clean design, documented redundancy, defined failover mechanisms
More stable communication with partners/authorities/service providers thanks to predictable connectivity

Conclusion

NIS2 is forcing many organizations to make resilience measurable.
High-availability Internet is one of the most pragmatic levers here – not as a “second line in the closet”, but as a well thought-out redundancy design that takes applications, IP dependencies and operating processes into account.

Book a consultation

Q&A: Frequently asked questions

Climbing team connected by ropes on a rock face - a symbol of stable mobile networks and reliable communication.

Do we really need two carriers – or is “a second line” enough?

Two lines on the same carrier can still be connected to the same PoP/backbone/route point. Diversity counts for real resilience.

Does the backup have to have the same bandwidth?

Not mandatory. The decisive factor is which applications must continue to run in the event of a fault (control center is not the same as normal office surfing).

Why is a fixed IP so important?

Many security and partner setups are based on IP whitelisting/VPN identities. IP changes cause avoidable outages – especially in the event of an incident.

Active-Active sounds expensive – is it worth it?

Often yes, because the second line is used in normal operation (performance) and failover is less “noticeable” – instead of expensive “dead” backup capacity.

How does this fit in with SASE/SD-WAN?

Very good: SASE/SD-WAN can intelligently control policies and failover – but the basis remains a cleanly designed, diverse Internet carpet pad.

Make an appointment