NIS2 Directive: What it is and what you should do to satisfy the new EU cybersecurity legislation

The NIS2 Directive (Directive (EU) 2022/2555), the EU-wide legislation aimed at improving the region’s cybersecurity, entered into force on 16 January 2023. It introduces stricter supervisory measures, brings more entities and sectors into scope, strengthens incident reporting requirements, and generally raises the bar compared with the NIS Directive that preceded it. Member states now have until 17 October 2024 to transpose its measures into national law, which will ultimately affect a large number of enterprises operating or carrying out activities within the EU. Many are left wondering how this affects them; here, we’ll discuss the important concepts from the Directive and their possible implications.

As an important note before diving in, the EU is not alone. For example, following the 2021 cybersecurity executive order and the federal zero trust architecture strategy published in 2022, the U.S. government announced a National Cybersecurity Strategy in March 2023 which aims to shift the burden of cybersecurity away from individuals and onto “organizations that are most capable and best-positioned to reduce risks for all of us.”

Much like its predecessor, NIS2 does not explicitly specify any technological changes that must be enacted, but rather outlines high-level concepts and ideas directed towards improving security posture. The aim is to promote enhanced cybersecurity measures internally, but also when collaborating between enterprises and across borders within the EU. 

The important points brought forth by NIS2 include:

  • A significant extension to the number of sectors covered, including telecoms, manufacturing, waste management, social media platforms and the public administration (a more comprehensive list can be found on the NIS2 fact sheet)
  • The creation of a common cyber crisis management structure (referred to as the Cyber Crisis Liaison Organisation Network or CyCLONe) to improve joint situational awareness, promote collaboration and reduce coordination overhead
  • Member states must ensure that the entities in scope (NIS2 replaces the old “operators of essential services” and “digital service providers” categories with “essential” and “important” entities) implement appropriate risk management measures, including regular risk assessments, and monitor their networks and information systems for security incidents
  • An increase in the level of harmonization regarding reporting obligations. Affected entities must send an early warning to their CSIRT or competent authority within 24 hours of becoming aware of a significant incident, a fuller incident notification within 72 hours, and a final report no later than one month after that notification
  • An encouragement of member states to examine and strengthen their overall “cyber resilience”, specifically calling out supply chain, vulnerability management, the use of cryptography and better cyber hygiene
  • Failure to comply with elements of the NIS2 Directive (once mandated locally by member states) could mean fines of up to €10 million or 2% of an entity’s total worldwide annual turnover, whichever is higher, for essential entities (up to €7 million or 1.4% for important entities)

Now, because the circumstances and technical readiness of each member state or enterprise will vary greatly, it is impossible to outline a ‘one size fits all’ approach to meeting the directive. Therefore, discovering, implementing and enforcing the necessary changes will require a unified effort not only within each individual enterprise, but ultimately involving national authorities and the EU level as well, with support and guidance from the European Union Agency for Cybersecurity (ENISA).

But even if the scope of change in order to satisfy the NIS2 obligations is technologically vague, there should be no denying that two fundamental practices will underpin any notion of enhanced cyber resilience.

What measures can be taken to meet NIS2 requirements?

The first and most crucial step is to implement multi-factor authentication (MFA) on all accounts, in place of password-only authentication. Given the sophistication of modern day cyberattacks and the cyber arsenal available at an attacker’s fingertips, reliance on passwords as the sole form of defense must end.

Moreover, not all MFA is created equal. While the use of SMS One-Time Password (OTP) or an authenticator app is certainly better than just the traditional password, they are not phishing-resistant: a one-time code carries no information about where the user typed it, so a real-time phishing proxy can relay it to the legitimate site within its validity window, and SMS is additionally exposed to SIM swapping. They therefore cannot be considered strong forms of MFA. Phishing-resistant methods such as FIDO2/WebAuthn bind each authentication to the origin of the site the browser is actually talking to, which is what defeats the relay.
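The following added example (illustrative code written for this article, not Yubico’s own software) models the difference described above. It runs RFC 6238 TOTP exactly as specified, then a simplified WebAuthn assertion in which the browser records the page origin in clientDataJSON and the authenticator signs over the hash of the relying-party ID. The per-credential key is modelled with an HMAC key instead of an ECDSA key pair so the example needs only the standard library; the origin-binding checks are the ones a real relying party performs. Origins, host names and keys are constructed for the example.

```python
import hashlib
import hmac
import json
import os
import struct


# ---------- TOTP (RFC 6238, HMAC-SHA1): the real algorithm ----------

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 Appendix B: secret b'12345678901234567890' at t=59 gives 287082."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def otp_relay_succeeds(secret: bytes, unix_time: int) -> bool:
    """Real-time phishing: the victim types the code into the attacker's page and the
    attacker forwards it to the real site inside the 30 s window. The code says
    nothing about where it was typed, so the real site has no reason to reject it."""
    code_typed_on_phishing_page = totp(secret, unix_time)
    forwarded_code = code_typed_on_phishing_page          # relayed verbatim
    return hmac.compare_digest(forwarded_code, totp(secret, unix_time))


# ---------- FIDO2/WebAuthn assertion, simplified (HMAC stands in for ECDSA) ----------

def _host(origin: str) -> str:
    return origin.split("://", 1)[1]


def rp_id_allowed_for(rp_id: str, host: str) -> bool:
    """Browser rule: rpId must equal the page host or be a registrable suffix of it."""
    return host == rp_id or host.endswith("." + rp_id)


def make_assertion(cred_key: bytes, page_origin: str, rp_id: str, challenge: bytes) -> dict:
    """What the browser + authenticator produce for a page at page_origin."""
    if not rp_id_allowed_for(rp_id, _host(page_origin)):
        raise ValueError("rpId is not valid for this origin")
    # The browser, not the page, writes the origin into clientDataJSON.
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": page_origin},
        sort_keys=True,
    ).encode()
    # authenticatorData = sha256(rpId) || flags (UP set) || signature counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", 1)
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return {"client_data": client_data, "auth_data": auth_data, "signature": signature}


def verify_assertion(cred_key: bytes, assertion: dict, expected_origin: str,
                     expected_rp_id: str, expected_challenge: bytes) -> bool:
    """Relying-party checks from the WebAuthn spec: type, challenge, origin, rpIdHash, signature."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != expected_challenge.hex():
        return False
    if cd.get("origin") != expected_origin:          # origin binding: defeats the proxy
        return False
    if assertion["auth_data"][:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected_sig = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["signature"])


def fido_legit_login(cred_key: bytes, origin: str, rp_id: str) -> bool:
    challenge = os.urandom(32)
    assertion = make_assertion(cred_key, origin, rp_id, challenge)
    return verify_assertion(cred_key, assertion, origin, rp_id, challenge)


def fido_relay_succeeds(cred_key: bytes, real_origin: str, phish_origin: str, rp_id: str) -> bool:
    """The proxy forwards the real site's challenge to the phishing page. The browser
    refuses the real rpId on the phishing host, and even an assertion for the phishing
    host carries the wrong origin and rpIdHash, so the real site rejects it."""
    challenge = os.urandom(32)
    try:
        assertion = make_assertion(cred_key, phish_origin, rp_id, challenge)
    except ValueError:
        assertion = make_assertion(cred_key, phish_origin, _host(phish_origin), challenge)
    return verify_assertion(cred_key, assertion, real_origin, rp_id, challenge)


if __name__ == "__main__":
    secret = b"12345678901234567890"              # constructed TOTP seed (RFC test vector)
    cred_key = os.urandom(32)                     # constructed per-credential key
    print("TOTP relayed through proxy accepted:", otp_relay_succeeds(secret, 1_700_000_000))
    print("FIDO2 legitimate login accepted:    ",
          fido_legit_login(cred_key, "https://login.example.com", "example.com"))
    print("FIDO2 relayed through proxy accepted:",
          fido_relay_succeeds(cred_key, "https://login.example.com",
                              "https://login-example.com", "example.com"))
```

The TOTP check succeeds for the relayed code because verification depends only on the shared secret and the clock; the FIDO2 check fails because `verify_assertion` compares the origin the browser recorded and the rpIdHash the authenticator signed against the values the real site expects.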

The second fundamental practice necessary to achieve a more robust cybersecurity stance is to protect critical data and use encryption wherever possible. By encrypting databases, communications, documents, servers and critical infrastructure, even if an attacker manages to penetrate a system or network, it is far less likely they will obtain anything easily exploitable or of value, because what they exfiltrate is useless without the decryption key. This only holds if the keys are generated and stored separately from the data they protect; keys sitting on the same server as the encrypted database are taken along with it.

How can these measures be integrated into both new and existing infrastructure?

Yubico provides a range of options for enterprises looking to enhance their cyber resilience. The YubiKey, a hardware security key that supports both PIV and FIDO2, can augment or even replace a password-based authentication flow with a strong, phishing-resistant one. There are also many YubiKey options and form factors to suit the full spectrum of enterprises from very large to very small. This includes CSPN and FIPS certified variants, such as the YubiKey 5 FIPS Series or YubiKey 5 CSPN Series, for those looking for a government recognised device, or the YubiKey 5C NFC, which offers FIDO2 and PIV support with both USB-C and NFC capabilities for compatibility with a wide range of devices.

For enterprise encryption needs, the YubiHSM 2 is a useful toolbox for generating and storing private keys and other cryptographic material securely, so that the keys never leave the device even if the host it is plugged into is compromised. It arrives at a fraction of the cost of a traditional HSM, is packaged into a diminutive form factor the size of a fingernail, and supports common interfaces such as PKCS#11 and Microsoft CNG.

Although the NIS2 Directive may appear imposing and difficult to implement, the truth of the matter is that the basics of security are straightforward, and any investment in cyber resilience is extremely worthwhile to prevent potential future disaster. Yubico can help any enterprise willing to embrace the challenges of cybersecurity, well beyond just the need to satisfy NIS2.

———

For more information on the YubiKey, YubiKey CSPN, YubiKey FIPS, YubiHSM 2 or YubiHSM 2 FIPS lineup, please visit the Yubico site. Products are available for purchase on the Yubico store, through Yubico’s dedicated sales team, or from any Yubico-approved channel partners and resellers.
