The original 2016 NIS Directive focused primarily on establishing core cybersecurity measures to protect some key EU interconnected services. The focus was on infrastructure that was deemed essential (such as energy, water, transportation, healthcare, and banking) and covered by the basic protections set out by the directive.
The NIS2 Directive expands the scope of the original NIS Directive by encompassing additional sectors and entities. It covers operators of essential services (OES) in sectors such as energy, transportation, banking and financial market infrastructure, healthcare, water supply, and digital infrastructure (such as online marketplaces, cloud computing, and search engines), as well as the organisations that support OES.
Organisations included in NIS2 need to comply with its directives by October 17, 2024. It’s in an organisations’ best interest to meet that deadline: apart from providing effective cybersecurity recommendations, NIS2 also comes with fines of up to 2% of global turnover for organisations that fail to comply in certain situations.
But while NIS2 is clear about who needs to follow the directives and what the penalties are for failing to comply, one thing it doesn’t define is how organizations should prepare. So, let’s review the NIS2 guidelines and the best practices that organizations should take to meet compliance and defend themselves from emerging threats.
To better define the organizations that need to be included, two basic criteria were set: sector and size. To address sector, NIS2 Annex 1 and 2 identify “Highly Critical” (aka essential entities) and “Critical”(aka important entities) sectors. There are eleven Highly Critical sectors, largely those linked to the day-to-day operations of a country’s economy, such as energy, transport, banking, water services, healthcare, digital infrastructure, government, and space. Critical sectors are associated with key services that support a country’s economy, such as manufacturing and distribution of food, chemicals, and goods, waste management, digital providers such as internet service providers (ISPs), and research.
To address size, NIS2 categorizes organizations as either Large or Medium-sized. Large organizations are those with more than 250 employees and revenue of at least €50 million. Medium-sized organizations are those with fewer than 250 employees and annual turnover not exceeding €50 million.
To address cooperation, NIS2 also lays out a structure for reporting incidents. This includes the formation of components such as competent authority, single point of contact and CSIRT (Computer Security Incident Response Team). Article 23 lays out what needs to be reported and the timelines.
Enforcement is defined by organizations’ adherence to implementing the recommended Cybersecurity Risk Management Measures and Reporting requirements. Fines for non-compliance for these businesses can be as high as €10 million (or up to 2% of global turnover) for “Highly Critical” entities or €7 million for “Critical” entities.
By 17 October 2024, member states must adopt and publish the measures necessary to comply with the NIS2 Directive. But what does that mean exactly for affected businesses?
NIS2 outlines key measures that sectors and digital infrastructure organizations across the EU need to implement, including the use of multi-factor authentication (MFA), access control policies and asset management, basic cyber hygiene and training, among other measures.
NIS2 doesn’t define how to meet those measures. Instead, it refers to other standards like ISO, CIS, NIST, or IEC, along with zero trust tenets, as guidelines that organizations should follow to achieve compliance.
Those standards prioritize identity security—for instance, the ISO27002 information security, cybersecurity and privacy protection standard provides useful guidance on advancing access control, identity management, secure authentication, and other capabilities that align with NIS2. NIS2 also recommends NIST’s seven tenants of zero trust, which also emphasize identity security controls.
By following those two approaches, affected organizations will have a thorough methodology to achieve NIS2 compliance and defend themselves from the most frequent and damaging cyberattacks.
There’s an old saying that organisations should never waste a good crisis, and that’s the case with NIS2, which compels organisations to evaluate all aspects of their security protocols and focus on the zero trust tenants and relevant standards that apply to their business. In doing, organisations shouldn’t approach NIS2 as a check-the-box exercise: if they’re taking the time to evaluate their cybersecurity posture, then they should invest in the capabilities that defend against the most frequent and highest-impacts.
In most cases, that tends to be identity. The 2023 Verizon Data Breach Investigations Report found that the “three primary ways in which attackers access an organization are stolen credentials, phishing and exploitation of vulnerabilities.” Moreover, the use of stolen credentials “became the most popular entry point for breaches” over the last year; the report found that 49% of all data breaches involved credentials.
It’s not just that identity is the domain that’s compromised in most attacks—it’s also that identity-related attacks tend to cost organizations the most. IBM’s Cost of a Data Breach Report 2023 found that the most frequent initial attack vector was phishing; it was also one of the most expensive, costing organizations an average of $4.76 million.
While all security domains are important, identity, especially in the hybrid work environment, plays a key role in securing your organization. Organisations should appoint an identity-focused security partner to conduct a NIS2 assessment and recommend the best mix of automated identity intelligence, authentication, access management, and governance and lifecycle solutions to allow you to protect all the resources, identities, and environments set out by the NIS2 directive.
Organisations will find that a unified identity platform will be the simplest way to ensure a full and comprehensive end-to-end review and a set of solutions that can be established to exceed all NIS2 requirements and scale to meet future needs as business and security requirements evolve.
To find out more, contact RSA to start your NIS2 identity security assessment.