NIS2

Prepare your organization with Securden Unified PAM

What’s new in NIS2?

The improved version of the Networks & Information Systems Regulations (NIS), known as NIS2, is the latest regulation for data protection aimed primarily at organizations that work with the European Union (EU).

This converged set of controls helps manage sensitive data comprehensively and is key to mitigating cyberattacks, allowing organizations that support critical infrastructure in the EU to recover quickly from incidents and breaches and operate at full efficiency.

NIS2 Objectives

The NIS2 proposal sets itself three primary objectives for harmonised sanctions across the EU:

  1. To greatly increase the level of cyber-resilience of businesses operating in the EU across all relevant sectors, with a common set of rules for all public and private entities that fulfil important economic functions for society.
  2. To maintain consistency in resilience across the internal market by aligning the scope for all previously defined sectors as well as new ones. The security and incident reporting objectives have also been made more stringent.
  3. To improve the level of joint situational awareness and the collective capability to prepare and respond. This was done by establishing EU-CyCLONe to support the coordinated management of EU-wide cybersecurity incidents and the regular exchange of information.

Introduction/Overview

The NIS 2 Directive (EU-wide legislative act: Directive (EU) 2022/2555) was released with the aim of achieving a higher level of cybersecurity for Networks and Information Systems (NIS) across entities that work with European member states. The guidelines released in the NIS 2 directive are to be adopted by member states within the specific timelines listed below.

Adoption Timelines

  • By 17 July 2024 and every 18 months thereafter, EU-CyCLONe shall submit to the European Parliament and to the Council a report assessing its work.
  • By 17 October 2024: Member States must adopt and publish the measures necessary to comply with the NIS 2 Directive.
  • By 18 October 2024: They shall apply those necessary measures, and the NIS 1 Directive (Directive (EU) 2016/1148) shall be repealed.

What has changed with NIS2?

The NIS 2 directive came from a proposal to revise the NIS directive, which was successfully adopted by the European Commission.

It came as a response to the growing threats posed by digitization and the surge in cyberattacks. The main objectives were to streamline reporting obligations, introduce more stringent supervisory measures and make enforcement requirements stricter.

Key changes in the directive

The main differences between NIS and the newer NIS2 Directive are summarized below:

  • NIS 2 eliminates the classification and distinction between operators of essential services (OES) and providers of digital services (DSP). Instead, NIS 2 provides different rules for "essential entities" and "important entities". DSPs have not disappeared from the list of target companies but have been redistributed among the lists of essential and important entities.
  • New sectors that were previously not in focus have been included in the NIS2 directive. These sectors are considered critical to the economy and the public (e.g. postal & courier services, wastewater management, food, etc.).
  • Security requirements for supply chains and suppliers have been included and made stringent.
  • A European Cyber Crises Liaison Organization Network (EU-CyCLONe) has been established.
  • Greater coordination is established in the disclosure of new vulnerabilities discovered throughout the Union, with stricter supervisory measures for national authorities and stricter enforcement requirements, and the directive aims to harmonize sanctioning regimes across Member States.

NIS2 modernizes the existing (NIS) framework to keep up with the evolving cyberthreat landscape and increased digital adoption. With new sectors, it aims to improve the resilience of entities.

Who does the NIS2 directive apply to?

NIS 2 applies to any organization providing critical services in an EU member country. NIS 2 must be incorporated into the national laws of each EU member by October 2024. These organizations are obligated to take appropriate measures, as defined by the directive, to manage and mitigate cyber risks and minimize the impact of incidents.

Classification of Critical Entities

Critical entities are classified as below. If your organization falls under a critical category as defined below, the NIS2 directive applies to you.

Essential entities - Generally large organizations in highly critical sectors

"Essential" entities were previously defined in NIS, but some sectors were added in NIS2:

  • Energy (electricity, oil and gas, covering production, storage and transmission activities - hydrogen as added by NIS 2)
  • Drinking water
  • Wastewater (collection, disposal or treatment of municipal wastewater, domestic wastewater or industrial wastewater)
  • Transportation (air, rail, water, road)
  • Banking
  • Financial markets
  • Digital infrastructure (Internet nodes; DNS service providers; TLD name registries; cloud computing service providers; data center service providers; content delivery networks; trust service providers; providers of public electronic communication networks and public electronic communication services)
  • ICT service management (managed service providers and managed security service providers)
  • Governments (central, as well as regional, the latter only risk-based, but excluding defense or national security and law enforcement, as well as the judiciary, parliaments, and central banks)
  • Healthcare (hospitals, but under NIS2 this now also includes reference laboratories, manufacturers of medical devices or pharmaceutical preparations, and others)
  • Space

Important entities - Mid-sized and large organizations as specified by NIS2

  • Postal and courier services
  • Waste management
  • Accounting firms
  • Digital providers (online marketplaces, online search engines and social networking platforms)
  • Research organizations (excluding education)
  • Production and distribution of chemicals
  • Wholesale and industrial food production and processing
  • Manufacturing of medical devices
  • Electrical equipment
  • Motor vehicles, trailers and semi-trailers.
  • Machinery and equipment

Medium and large companies from these sectors within the EU must now comply with NIS2. Smaller organizations could be included if they carry out critical functions.

While there is no difference in requirements between these two types of entity, essential entities will have to comply with supervision requirements from the introduction of NIS2, while important entities will be subject to ex-post supervision, meaning that action will be taken only if authorities receive evidence of non-compliance.

Supporting Entities: EU-CyCLONe and CSIRT

As part of the NIS2 initiative, certain entities have been established to help with cooperation.

The EU-CyCLONe

As part of this initiative, the European Cyber Crises Liaison Organization Network (EU-CyCLONe) was established. EU-CyCLONe supports the coordinated management of large-scale cybersecurity incidents and ensures the regular exchange of information among member states and Union institutions, bodies, offices and agencies.

NIS Cooperation Group and CSIRT Responsibilities

The NIS Cooperation Group functions according to the European Commission and follows its own rules of procedure. On the operational side, the NIS Cooperation Group is supported by the work of the network of Computer Security Incident Response Teams (CSIRTs), dedicated to sharing information about risks and ongoing threats, and cooperating on specific cybersecurity incidents. The NIS Cooperation Group provides strategic guidance for the activities of the CSIRTs network.

These entities ensure that organizations meet the objectives of NIS2.

The Main Objectives of NIS2

The primary objectives of NIS2 can be divided into three categories:

  • Responsibilities of member states
  • Information exchange and cooperation with the government
  • Risk management and security measures to be taken by companies

This whitepaper/handbook will focus on the security measures that organizations are required to take and how a PAM solution can help comply with a number of NIS2 requirements.

Repercussions of not meeting obligations

A minimum set of administrative sanctions has been established in case organizations do not follow the obligations set in the NIS2 directive.

Administrative fines:
For essential entities: administrative fines of up to €10,000,000 or at least 2% of the total annual global turnover in the previous fiscal year of the company to which the essential entity belongs, whichever amount is higher.
For important entities: administrative fines of up to €7,000,000 or at least 1.4% of the total annual global turnover in the previous fiscal year of the company to which the important entity belongs, whichever amount is higher.

Reporting Obligations

All important and essential entities must report incidents that are ‘severe’. Support from local government, authorities and CSIRTs, together with information sharing across entities, is one of the main areas of regulation.

An incident shall be considered to be significant if:

  • It causes or may cause severe operational disruption of the services or financial loss for the entity concerned.
  • It affects or may affect other natural or legal persons by causing considerable material or non-material damage.

Precise provisions are introduced on reporting incidents, the report content and timing. Reporting must now be done within 24 hours of the discovery of the incident (instead of 72 hours previously).

C-Level Management Now Accountable

To reduce the pressure that falls on IT team personnel to maintain security across the organization, new measures have been introduced to hold C-level management responsible. NIS2 holds top-level managers personally liable if gross negligence is proven after a cyber incident. The measures that can be taken include:

  • Ordering a public announcement of compliance violations.
  • Identifying the person(s) responsible for any violation and issuing a public statement.
  • Temporarily banning the identified individual from holding a management role when violations are repeated.

How your business can prepare

While preparing for NIS2 can be demanding for large and small organizations alike, a step-by-step approach with proper roadmaps and planning can help satisfy the security requirements.

Review existing security controls

Go over the current security posture of your organization and assess risks based on your infrastructure, access controls and sensitive assets/data. Review incident detection and response management capabilities, and define local, regional (EU) and global responsibilities.

Fill in any security gaps

Identify solutions that can help fill your IT security gaps, especially when it comes to data security. Look for solutions that address those gaps, increase efficiency and operate at a reasonable cost. The solution must also be able to scale with the growth of your organization.

Addressing NIS2 directives with Securden Unified PAM

Privileged Access Management (PAM) solutions help to address directive requirements in the segments of Access Control, Basic Cyber (Password) Hygiene, Zero Trust Policies, Supply Chain Security, Cryptography, and Encryption Tools.

A mapping of NIS2 requirements to global security standards has been released by ENISA. We have mapped major security controls that can be satisfied by Securden Unified PAM.

Incident Reporting

NIS Directive Paragraph 23 – Incident Reporting

Requirement Summary

Entities must ensure that there are measures in place to notify the relevant authorities about significant incidents.

Comprehensive details about incidents will be required when submitting reports to the authorities.

How Unified PAM helps

Securden Unified PAM acts as the central repository for all devices in the organization as well as their accounts. All access to these sensitive resources is carried out through it.

Major cybersecurity incidents occur through credential leakage or through unauthorized access to these sensitive resources.

With all privileged activities routed securely through Unified PAM, comprehensive auditing and notification capabilities help notify the administrator and other concerned authorities if an incident takes place.

NIS Directive Paragraph 102 - Incident Timelines

Requirement Summary

When entities become aware of a significant incident, they should submit an early warning without undue delay and in any event within 24 hours.

That early warning should be followed by an incident notification. The entities concerned should submit an incident notification without undue delay and in any event within 72 hours of becoming aware of the significant incident.

A final report must be submitted within one month of their handling of the significant incident.

How Unified PAM helps

Comprehensive reports, audit trails and recordings of all privileged sessions provide documentation for incidents and cyber-attacks.

Endpoint privilege security helps raise notifications for incidents related to Windows security events.

Reports can be generated periodically depicting all critical activity. These reports will be readily available to notify authorities within required timelines.

Cyber Hygiene

NIS Directive Paragraph 49 - Maintain Cyber Hygiene for Infrastructure

Requirement Summary

Entities must maintain cyber hygiene and protect all business and end-user data.

Cyber hygiene policies comprising a common baseline set of practices, including software and hardware updates, password changes, the management of new installs, the limitation of administrator-level access accounts, and the backing-up of data, enable a proactive framework of preparedness and overall safety and security in the event of incidents or cyber threats.

How Unified PAM helps

Unified PAM helps set a baseline standard by helping define policies for password length, strength, frequency of rotation and more.

Access controls ensure that users can only gain access to the passwords and accounts shared with them through PAM.

With the PEDM module, all administrative accounts can be eliminated to prevent privilege escalation. Comprehensive control policies can be defined for new installations, software updates, admin access and access to applications.

NIS Directive Paragraph 89 - Cyber Hygiene for Users

Requirement Summary

Good cyber hygiene practices must be in place for users, such as zero-trust principles, software updates, device configuration, network segmentation, and identity and access management.

How Unified PAM helps

MFA and SSO help authenticate users and maintain zero trust when accessing privileged resources through PAM.

Dark web monitoring and password analysis capabilities inform users if they have weak or breached passwords in use and prompt them to generate a strong password and use that instead.

Just-in-time access ensures that users only have time-restricted access to resources, supporting zero-trust principles.

Network Security

NIS Directive Paragraph 43 – Proactive Network Scanning

Requirement Summary

Entities must have proactive network scanning capabilities to identify the information systems used for their services.

How Unified PAM helps

Unified PAM helps scan distributed networks and identify all privileged systems and accounts within them.

NIS Directive Paragraph 53 - Protect Connected Networks in the Utility Sector

Requirement Summary

Protect the utility sector against threats and mitigate attacks in interconnected networks.

How Unified PAM helps

Unified PAM mitigates attacks by managing sensitive credentials (to prevent credential phishing), isolating privileged sessions, enabling just-in-time access to resources and enforcing zero standing privileges.

Endpoint privilege management capabilities ensure that the local admin account cannot be exploited to launch cyberattacks and escalate across the network.

Ransomware defense, risk management and supply chain security

NIS Directive Paragraph 54 - Address Ransomware Attacks

Requirement Summary

Defend infrastructure against ransomware attacks and different attack patterns.

How Unified PAM helps

Securden Unified PAM has endpoint privilege management capabilities that help defend against ransomware by eliminating the local admin rights on all endpoints in the infrastructure. Access to applications is granted based on control policies and admin approval.

PAM controls for remote sessions ensure that privileged sessions can only be launched by authorized users and all activity is monitored, recorded and audited comprehensively.

NIS Directive Paragraph 77 - Risk Assessments and Risk Management

Requirement Summary

Risk management measures must be put in place to ensure the security of the network and information systems. Risk assessments must be carried out and appropriate measures must be taken.

How Unified PAM helps

A major driver of cyberattacks is weak passwords, or passwords that have been leaked in previous data breaches.

Unified PAM scans your network and identifies all privileged passwords, which are then analyzed and given a risk score.

These weak passwords can be replaced by generating strong passwords.

Additionally, all credentials that have been leaked on the dark web can be identified and changed.

NIS Directive Paragraph 85 - Protect the Supply Chain Against Vulnerabilities

Requirement Summary

Entities should assess and consider the overall quality and resilience of products and services, the cybersecurity risk-management measures embedded in them, and incorporate cybersecurity risk-management measures into contractual arrangements with their direct suppliers and service providers.

How Unified PAM helps

Password and credential management form the core of Unified PAM and reduce the risk of supply chain attacks through the use of strong, regularly rotated credentials across the environment.

Through API capabilities, hardcoded passwords can be eliminated, and application passwords can be fetched securely.

Encryption

NIS Directive Paragraph 98 - Encryption and Data-centric Security for Public Electronic Communications

Requirement Summary

The use of encryption technologies, in particular end-to-end encryption, as well as data-centric security concepts such as cartography, segmentation, tagging, access policy and access management, and automated access decisions, should be promoted.

How Unified PAM helps

Unified PAM encrypts all sensitive data, such as privileged credentials, end-to-end, both at rest and in transit.

Access control policies ensure that users only have access to the resources they need.

Endpoint privilege management helps with just-in-time elevation of privileges.

How Securden Unified PAM helps comply with NIS2

Securden Unified PAM has the capabilities to secure all sensitive data and protect access to resources used by critical entities. Regulations and mandates under the NIS2 directive can be met through comprehensive access controls, customizable reports and auditing mechanisms, privilege management for endpoint systems and management of privileged remote sessions.

Important and essential entities can leverage these capabilities whether they operate on-premises, in the cloud or in a hybrid distributed environment.
