The The NIS2 Directive , new EU-wide legislation to improve member states' cybersecurity, entered into force on January 16, 2023. It introduces strict new control measures, requires more companies and sectors to participate, strengthens incident reporting requirements, and generally points to better practices than the previous NIS Directive. Member states now have until October 17, 2024, to transpose these measures into national law. This will ultimately affect a large number of companies operating within the EU. Many are wondering how this affects their interests – to this end, we will discuss the key concepts from the directive and the potential implications.
An important note before reading: This does not only affect the EU. Following the announcement of the 2022 Zero Trust Architecture strategy and the corresponding Implementing Regulation Earlier this month, a national cybersecurity strategy announced . It aims to shift responsibility for cybersecurity from individuals to "organizations that are most capable and best positioned to reduce the risks for us all."
Similar to its predecessor, NIS2 does not explicitly describe all the technological changes that need to be made, but rather overarching concepts and ideas for improving the security situation. The goal is to promote improved cybersecurity measures internally, but also in cooperation between companies and in cross-border collaborations within the EU.
Key points of NIS2 include:
- A significant expansion of the number of sectors covered, including telecommunications, manufacturing, waste management, social media platforms and public administration (see the NIS2 factsheet for a more comprehensive list).
- The creation of a common structure for cyber crisis management (as a Cyber Crisis Liaison Organization Network or CyCLONe to improve common situational awareness, promote cooperation and reduce coordination effort
- Member States must ensure that essential service operators and digital service providers implement appropriate risk management measures, including regular risk assessments, and monitor their networks and information systems for security incidents.
- A greater degree of standardization in reporting requirements. For example, affected companies have 24 hours from the moment they first learn of an incident to submit an initial report. The final report is due no later than one month later.
- Encouraging Member States to review and strengthen their overall cyber resilience, particularly in the area of supply chains; additionally, the use of encryption and improved cyber hygiene are recommended.
- Failure to comply with any element of the NIS2 Directive (once it is implemented by Member States at national level) may result in fines of up to €10 million or 2% of a company's total global turnover.
Given the sometimes very different circumstances and technical requirements across Member States and companies, it is simply not possible to develop a one-size-fits-all approach to compliance with the Directive. Therefore, the responsibility for identifying, implementing, and enforcing the necessary changes will require not only a collaborative effort within each company, but will ultimately involve local and national governments—and potentially oversight by the European Union Agency for Cybersecurity ( ENISA ).
However, even if the scope of the changes to meet the NIS2 obligations is vague in technological terms, there is no question that two fundamental practices will underlie any concept of enhanced cyber resilience.
What measures can be taken to meet the NIS2 requirements?
The first and most important step is to Multi-factor authentication Implementing Multifactor Authentication ( MFA ) instead of passwords to secure all accounts. Given the sophistication of modern cyberattacks and the cyber arsenal at attackers' disposal, passwords alone can no longer be relied upon as reliable protection.
Furthermore, not all types of MFA are the same. While using an SMS one-time password (OTP) or an authenticator app is certainly better than traditional passwords, neither method is Phishing-resistant and cannot even be considered strong forms of MFA.
The second fundamental practice necessary to ensure greater cybersecurity is the protection of critical data and, wherever possible, the use of Encryption . By encrypting databases, messages, documents, servers, and critical infrastructure, even if an attacker succeeds in penetrating a system or network, it is much less likely that they can easily obtain relevant or even critical data unless they have the private key to decrypt the data they have exfiltrated.
How can these measures be integrated into both new and existing infrastructures?
Yubico offers a range of options for companies looking to improve their cyber resilience. YubiKey is a hardware security token that can be used PIV as well as FIDO2 is supported. It can complement or even replace a password-based authentication flow with strong, phishing-resistant authentication. There are also many YubiKey options and form factors suitable for organizations of all sizes. These include CSPN- and FIPS-certified variants—such as the YubiKey 5 FIPS Series or the 5 CPSN series – for those looking for a government-approved device – or the YubiKey 5C NFC , which offers FIDO2 and PIV support with USB-C and NFC capabilities to ensure compatibility with a wide range of devices.
For corporate encryption requirements, the YubiHSM A useful toolbox for securely storing and generating private keys and other cryptographic material. It's available at a fraction of the cost of a traditional HSM, has a tiny form factor the size of a fingernail, and supports common interfaces such as PKCS11 and Microsoft CNG.
While the NIS2 directive may initially seem complicated and difficult to implement, the fundamentals of security are simple, and any investment in cyber resilience is extremely worthwhile to prevent potential future disasters. Yubico can help any organization ready to address cybersecurity challenges far beyond simply complying with NIS2.
Source: yubico.com
