If it seems you’re suddenly hearing more about the European Union’s Network and Information Security 2 (NIS2) Directive, that’s because the directive just crossed an important deadline: as of October 2024, all EU member states are required to have national laws on the books enforcing the cybersecurity framework’s security measures, which are aimed at protecting Europe’s critical infrastructure and services from cyberattack.
Like other recently announced cybersecurity legislation, including an Executive Order issued by the Biden-Harris administration earlier this year to strengthen cybersecurity at US ports and last year’s amendment to NYDFS Part 500, the NIS2 Directive’s regulations are heavily focused on strengthening identity and access control, demonstrating how foundational securing identity has become to overall cybersecurity.
Read on to learn more about NIS2, whether your business needs to comply, and best practices for meeting the directive’s critical identity security–related requirements.
What is NIS2?
An extension to 2016’s original NIS Directive, NIS2 provides a comprehensive framework for enhancing cybersecurity resilience across the EU, with the goal of creating a unified and effective approach to cybersecurity across member states and fostering a culture of readiness, crisis management, knowledge sharing, and rapid incident reporting.
NIS2 imposes stricter compliance requirements on a broader range of sectors and entities than its predecessor, which means more businesses, including those outside the EU, will need to comply. Some EU countries are at a more mature state of NIS2 law adoption than others, and there may be some deadline extensions, but companies required to comply should be prepared to do so sooner than later.
Who needs to comply with NIS2?
NIS2 covers entities in sectors deemed critical to EU society. Entities in these critical sectors are classified into one of two categories: “essential” or “important.” This classification hinges on the potential severity of cyber incidents.
- Essential entities are those in sectors considered vital for the day-to-day functioning of society and the economy. These include energy, transport, banking, financial market infrastructure, healthcare, drinking water, digital infrastructure, public administration, and space.
- Important entities operate in sectors that, while not as critical to immediate public safety or security, are crucial for the economic and social well-being of EU states. Examples include postal and courier services, waste management, chemicals, food, manufacturing, research, and noncritical tech like search engines.
The compromise of an essential entity poses a more significant threat to public safety, security, or economic stability. However, both essential and important entities are subject to the same baseline security requirements under NIS2. Noncompliance can result in a hefty fine of up to 10 million EUR or 2% of global turnover. Companies with fewer than 50 employees and an annual turnover of less than 10 million EUR are generally excluded from NIS2, though some may still be required to comply based on their sector.
Crucially, NIS2 requirements dictate that covered entities must manage the cybersecurity posture of their pipelines, so global organizations contracted to supply goods and services to covered entities must comply with NIS2 regulations as well, regardless of whether they have offices in the EU. If you are doing business with a company that falls under NIS2 laws, you will need to have NIS2-compliant controls and reporting protocols in place to keep your contract.
How is NIS2 related to other EU regulatory frameworks?
NIS2’s cybersecurity requirements overlap and work in conjunction with those of the EU’s General Data Protection Regulation (GDPR) and Digital Operations Resilience Act (DORA), though each framework has a slightly different scope and goal.
GDPR has been in place since 2018 and applies directly to companies in the EU, unlike NIS2, which, as a directive, must be enforced through laws enacted by individual EU member states. GDPR is aimed at protecting personal data processed by EU organizations, so many more companies must comply with it, but its requirements are more narrowly focused on safeguarding specific types of data rather than shoring up cybersecurity in general.
DORA, like GDPR, is an EU regulation that applies directly to entities across the EU. And like NIS2, DORA’s goal is to improve general cyber resilience. However, DORA’s regulations apply specifically to the financial sector, with the goal of making EU banks and financial service providers better able to prevent and withstand breaches. There’s a lot of overlap between NIS2 and DORA by design, as both are aimed at keeping important services up and running and improving threat knowledge sharing across the EU. DORA is set to go into effect in early 2025.
NIS2, GDPR, and DORA have all been issued in response to a changing cyber threat landscape that continues to evolve as more organizations move to cloud-based and remote operations. As such, all are written to include current cybersecurity best practices based on the concept of zero trust, as laid out by gold-standard guidelines like the International Organization for Standardization (ISO) 27001 standard and the recently released National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0.
Companies that are already voluntarily following these standards will be in a good position to comply with NIS2, GDPR, and DORA, as well as with upcoming US regulations like the Cybersecurity Maturity Model Certification (CMMC), which applies to companies working on US Department of Defense contracts. Which is to say, implementing zero trust–based cybersecurity best practices is now critical to doing business across sectors in the EU and US.
The main pillars of NIS2 and how identity security fits in
Identity security sits at the foundation of modern cybersecurity, so strong identity and access controls are core to NIS2 compliance. Let’s outline the key NIS2 cybersecurity requirements and how identity plays a role.
Cyber risk management
Covered entities must take measures to manage network and information system risk and be prepared to respond to cybersecurity incidents and emergencies appropriately. This means companies must have detailed plans in place for
- Risk analysis and regular risk management assessments
- Security incident handling
- Business continuity during and after an incident
- Supply chain security assessments and management
- System procurement and vulnerability handling
- Data and computer hygiene practices and training
- Multi-factor authentication and cryptography and encryption policies
- Secure access control policies and reporting
These cybersecurity risk management measures are built around a zero trust model, which assumes that all users, non-human identities, third-party providers, devices, and the like interacting with systems and data are potentially compromised. Strong identity and access controls based on the principle of least privilege underpin this model, enabling companies to prevent risky access, limit the impact of breaches, and respond quickly to issues.
Incident reporting
NIS2 introduces strict cybersecurity incident reporting obligations, including a 24-hour deadline for early warnings and a 72-hour deadline for incident notifications. A clear understanding of who has access to sensitive data and systems is critical to being able to quickly identify, respond to, and accurately report security incidents.
Cross-border cooperation
The directive also promotes increased cooperation and information sharing between EU member states. This requires secure identity governance to facilitate safe collaboration while protecting sensitive data.
NIS2 and modern identity governance
Companies must be able to clearly view, analyze, and manage access to in-scope data and systems to proactively prevent identity-related breaches and act immediately when a breach occurs to stay operational. The ability to quickly identify and audit compromised access in the event of an incident is also crucial to timely communication and reporting.
But getting visibility into and control of access is not a human-scale task in today’s tech environments, especially for companies large enough to fall under the NIS2 Directive’s purview. So having a modern, security-focused identity governance and administration (IGA) solution in place that provides the visibility and automation needed to proactively manage identity risk is key to staying compliant.
A modern IGA solution will allow you to
- Get complete visibility into access: Centralizing visibility of all identity and access across your full range of applications, cloud services and infrastructure, and on-prem systems is a necessary first step for implementing NIS2-required risk management practices.
- Automate identity lifecycle management: Managing joiner, mover, and leaver (JML) scenarios is critical in NIS2’s context of maintaining secure access environments. Automating JML workflows ensures users only have the access appropriate for their current job function and that revocations happen as soon as access needs change.
- Implement dynamic access controls: Proactive access controls based on roles (RBAC), attributes (ABAC), and/or policies (PBAC) allow you to ensure alignment with your company’s NIS2-compliant security policies and the principle of least privilege.
- Enforce just-in-time access: Automating self-service just-in-time access for sensitive privileges helps you move toward zero standing privileges, further limiting your potential attack surface and meeting NIS2’s requirements for limiting access to sensitive systems and data.
- Shine a light on shadow apps: NIS2 emphasizes the need for comprehensive risk management, including identifying and securing shadow IT usage, which is proliferating with the ease of SaaS adoption.
- Identify active access risks: Part of effective cybersecurity risk management is catching potential issues before they can be exploited. A real-time view of access-related risks like orphaned or overprivileged accounts that enables quick remediation of those risks is paramount to limiting attack potential.
- Automate user access reviews and reporting: NIS2 mandates regular security audits and risk assessments, a key component of which is user access reviews. Automation streamlines the entire review process, from scoping to reviewer notifications and insights to comprehensive reporting for auditors.
- Keep a full audit trail: All access changes and usage patterns should be logged to facilitate the incident response and reporting required by NIS2.
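To make the lifecycle, least-privilege, JIT, access-risk and audit-trail items above concrete, here is an added example of the kind of access-risk scan an IGA tool runs. It is illustrative code written for this article, not ConductorOne’s product code, and every name in it (the HR roster entries, the systems, the entitlement strings, the role baseline) is a constructed sample. It reconciles three sources an IGA platform would normally pull from connectors: the HR system of record (who is active and in which job function), an RBAC baseline (which entitlements each function is allowed), and the entitlements actually present in target systems. It flags leaver accounts that were never deprovisioned and accounts with no HR record (orphaned), standing grants outside the role baseline (overprivileged), and JIT grants that should have expired, then writes one audit-trail record per finding.

```python
"""Access-risk scan over constructed IGA inputs (example only, not product code)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Grant:
    user: str
    system: str
    entitlement: str
    kind: str                          # "standing" or "jit"
    expires_at: Optional[str] = None   # ISO 8601 timestamp, JIT grants only


# Constructed sample data; the users, systems and entitlements are hypothetical.
HR_ROSTER: Dict[str, Dict[str, str]] = {
    "alice": {"status": "active", "role": "finance-analyst"},
    "bob": {"status": "active", "role": "sre"},
    "carol": {"status": "terminated", "role": "sre"},   # leaver
}

# RBAC baseline: the (system, entitlement) pairs each job function may hold.
ROLE_BASELINE: Dict[str, Set[Tuple[str, str]]] = {
    "finance-analyst": {("erp", "ledger:read")},
    "sre": {("prod-k8s", "viewer"), ("ci", "pipeline:run")},
}

# What the target systems actually report (constructed).
ACCESS_GRANTS: List[Grant] = [
    Grant("alice", "erp", "ledger:read", "standing"),
    Grant("alice", "erp", "ledger:admin", "standing"),      # beyond baseline
    Grant("bob", "prod-k8s", "viewer", "standing"),
    Grant("bob", "prod-k8s", "cluster-admin", "jit", "2024-10-01T12:00:00+00:00"),
    Grant("carol", "ci", "pipeline:run", "standing"),       # leaver still provisioned
    Grant("svc-legacy", "erp", "ledger:read", "standing"),  # no HR record at all
]

# Fixed "current time" so the expiry check is deterministic for the reader.
NOW = datetime(2024, 11, 1, tzinfo=timezone.utc)


def scan_access(roster, baseline, grants, now) -> List[Tuple[str, Grant]]:
    """Return (category, grant) findings: orphaned, stale_jit or overprivileged."""
    findings = []
    for g in grants:
        person = roster.get(g.user)
        # Leaver or unknown identity: any surviving access is orphaned, whatever it is.
        if person is None or person["status"] != "active":
            findings.append(("orphaned", g))
            continue
        if g.kind == "jit":
            # JIT access is allowed to exceed the baseline, but only until it expires.
            if datetime.fromisoformat(g.expires_at) <= now:
                findings.append(("stale_jit", g))
            continue
        # Standing access must sit inside the role baseline (least privilege).
        if (g.system, g.entitlement) not in baseline.get(person["role"], set()):
            findings.append(("overprivileged", g))
    return findings


def remediate(findings, now) -> List[Dict[str, str]]:
    """Decide an action per finding and emit one audit-trail record for each.

    Orphaned and expired-JIT grants are revoked automatically: HR or the original
    approver already made that decision. Grants that merely exceed the baseline
    are routed to a human access review rather than revoked blindly.
    """
    auto_revoke = {"orphaned", "stale_jit"}
    trail = []
    for category, g in findings:
        trail.append({
            "ts": now.isoformat(),
            "action": "revoke" if category in auto_revoke else "review",
            "user": g.user, "system": g.system, "entitlement": g.entitlement,
            "reason": category,
        })
    return trail


def summarize(findings) -> Dict[str, int]:
    """Count findings per category, the figure an auditor report would show."""
    counts: Dict[str, int] = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


def run_scan():
    """Run the scan over the constructed sample and return (findings, audit trail)."""
    findings = scan_access(HR_ROSTER, ROLE_BASELINE, ACCESS_GRANTS, NOW)
    return findings, remediate(findings, NOW)


if __name__ == "__main__":
    found, audit = run_scan()
    print(summarize(found))
    for record in audit:
        print(record)
```

In a real deployment the three inputs come from connectors rather than literals, and the revoke action calls the target system’s deprovisioning API; the structure of the reconciliation, and the split between automatic revocation and human review, is the part that carries over.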
Security starts with identity
Identity is foundational for NIS2 compliance. It’s the common thread that runs across most of the directive’s compliance requirements.
ConductorOne is a modern IGA solution that equips customers with the ability to not only meet the letter of compliance frameworks like NIS2 but significantly improve their cybersecurity resilience with strong identity security.
Get a demo of ConductorOne to see how it can support your organization’s NIS2 compliance journey and overall security goals.