
Network segmentation

Network segmentation is the division of an IT network into separated zones in order to control traffic and contain the spread of attacks.

Network segmentation refers to the logical or physical division of a corporate network into several separated subnetworks (segments, zones or VLANs), between which traffic is deliberately controlled by firewalls, access control lists or routing rules. The goal is to restrict communication to what is functionally necessary and thereby reduce the attack surface. Typically, external, demilitarised (DMZ) and internal zones are separated, along with particularly sensitive areas such as production, administration or backup networks.

The key security benefit lies in containment: if an attacker manages to compromise a system, consistent segmentation prevents unhindered lateral movement across the network. Malware such as ransomware can thus be confined to a single segment instead of spreading across the entire organisation. In modern architectures the principle is refined down to microsegmentation, where individual workloads or applications are isolated from one another, and it forms a technical foundation of the zero-trust approach.

From a compliance perspective, network segmentation is a central technical measure within risk treatment. The NIS2 Directive and its national transposition oblige essential and important entities to implement appropriate technical measures for network and information security; the BSI IT-Grundschutz addresses segmentation in its network architecture modules (NET layer), and ISO/IEC 27001 requires the separation of services and networks in Annex A. The specific design must be derived from the protection needs assessment and risk assessment and documented in the security policy.

Legal Basis

Art. 21(2) NIS2 Directive (EU) 2022/2555; ISO/IEC 27001 Annex A 8.20-8.22; BSI IT-Grundschutz module NET.1.1 (Network architecture and design)

Practical Example

After a ransomware incident, a mid-sized machine-building company splits its flat network into clearly separated zones: a client network for office workstations, an isolated OT network for the production machinery, a DMZ for externally reachable services, and a strictly sealed-off backup segment into which data flows in one direction only, with no connection that can be initiated from production systems towards the backups. The information security officer defines firewall rules at each zone transition following the least-privilege principle (explicit allow rules, everything else denied) and documents the zoning in the security policy. During the next penetration test, the testing team confirms that a compromised office PC no longer has direct access to control systems or backup data, nor a usable path to them via other zones.
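
The zoning rules and the penetration tester's check described above can be expressed as a policy model that is verified before the rules are deployed. The following Python script is an added example, not code from the original page or from preeco: the zone names, ports, rules and the policy pairs are constructed for illustration. It models zone-to-zone allow rules with an implicit default deny and checks not only direct rules but also transitive paths, because an attacker who has compromised a host in a reachable zone can pivot from it. The one-way backup flow is modelled as the backup host initiating connections into the server zone, so that nothing in production can initiate a connection towards the backups.

```python
"""Added example: a zone-to-zone segmentation policy checker.

Zones and allow rules form a directed graph with an implicit default deny.
Besides checking direct rules, the checker follows rules transitively,
because an attacker who controls a host in a reachable zone can pivot from
there. Zone names, ports, rules and policy pairs are constructed for
illustration (hypothetical, not from the original page).
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str       # zone that may initiate the connection
    dst: str       # zone that receives it
    port: int      # TCP port allowed in the initiating direction
    note: str = ""


ZONES = {"internet", "dmz", "client", "server", "admin", "ot", "backup"}

# Constructed rule set after the re-segmentation in the practical example:
# an explicit allow-list, everything else between zones is dropped.
SEGMENTED = [
    Rule("internet", "dmz", 443, "public web front end"),
    Rule("client", "dmz", 443, "office users reach the portal"),
    Rule("client", "server", 445, "file shares"),
    Rule("admin", "server", 22, "administration from jump hosts only"),
    Rule("admin", "ot", 22, "engineering access to the OT gateway"),
    Rule("backup", "server", 445, "backup host pulls data; servers never initiate to backup"),
]

# Segmentation policy: (zone an attacker starts in, zone that must stay unreachable).
MUST_NOT_REACH = [
    ("client", "ot"),
    ("client", "backup"),
    ("client", "admin"),
    ("internet", "server"),
    ("internet", "ot"),
    ("server", "backup"),   # ransomware on a server must not be able to touch backups
]


def validate(rules):
    """Reject rules that reference unknown zones or stay inside one zone
    (intra-zone traffic is a host-firewall/microsegmentation matter)."""
    for r in rules:
        if r.src not in ZONES or r.dst not in ZONES:
            raise ValueError(f"unknown zone in rule {r}")
        if r.src == r.dst:
            raise ValueError(f"intra-zone rule not expressed at zone level: {r}")


def direct_ports(rules, src, dst):
    """Ports that src may initiate to dst with a single rule."""
    return sorted(r.port for r in rules if r.src == src and r.dst == dst)


def reachable(rules, start):
    """Zones an attacker controlling `start` can get a session into, directly
    or by pivoting. Returns {zone: shortest path from start to zone}."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for r in rules:
            if r.src == zone and r.dst not in paths:
                paths[r.dst] = paths[zone] + [r.dst]
                queue.append(r.dst)
    paths.pop(start)
    return paths


def violations(rules, policy=MUST_NOT_REACH):
    """Policy pairs that are reachable, together with the path an attacker
    would take. An empty list means the policy holds."""
    found = []
    for start, target in policy:
        path = reachable(rules, start).get(target)
        if path:
            found.append((start, target, path))
    return found


if __name__ == "__main__":
    validate(SEGMENTED)
    print("segmented:", violations(SEGMENTED))          # []
    # A later, plausible-looking change: a historian in the server zone is
    # allowed to poll PLCs. Direct rules from client to OT still say "denied",
    # but the file-share rule now gives an office PC a two-hop path into OT.
    drifted = SEGMENTED + [Rule("server", "ot", 502, "historian polls PLCs over Modbus")]
    for start, target, path in violations(drifted):
        print(f"{start} can reach {target} via {' -> '.join(path)}")
```

Running the script prints no violations for the segmented rule set and one for the drifted set, where a single server-to-OT rule turns the office file-share rule into a two-hop path into the production network. A check like this complements the penetration test rather than replacing it: it verifies the intended policy, while the test verifies what the firewalls actually enforce.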

FAQ

What is the difference between classic network segmentation and microsegmentation?
Classic segmentation divides networks coarsely into zones such as client, server or DMZ areas, usually via VLANs and firewalls. Microsegmentation refines this principle down to the level of individual workloads or applications and isolates them even within the same zone. It is a core building block of zero-trust architectures.

Does the NIS2 Directive explicitly require network segmentation?
The NIS2 Directive does not mention segmentation by name, but Art. 21 requires appropriate, risk-based technical measures for network and information security. Segmentation is regarded as state of the art for containing attacks and is therefore practically indispensable for affected entities.

How does network segmentation help against ransomware?
Sound segmentation limits the lateral movement of malware. If a system is infected, ransomware cannot spread freely to other areas but ideally remains confined to one segment. An isolated backup segment in particular protects the ability to recover.
