The NIS2 Directive, a piece of EU-wide legislation aimed at improving the region’s cybersecurity, entered into force on 16 January 2023. It introduces stringent new supervisory measures, obliges more entities and sectors to participate, strengthens incident reporting requirements, and generally sets a higher bar than the NIS Directive that preceded it. Member states now have until 17 October 2024 to transpose its measures into national law – which will ultimately affect a large number of enterprises operating or carrying out activities within the EU. Many are left wondering how this impacts their interests – here, we’ll discuss the important concepts from the Directive and their possible implications.
As an important note before diving in, the EU is not alone. For example, as a follow-up to the federal zero trust architecture strategy and executive order announced in 2022, the U.S. government earlier this month announced a National Cybersecurity Strategy which aims to shift the cybersecurity burden from individuals to “organizations that are most capable and best-positioned to reduce risks for all of us.”
Much like its predecessor, NIS2 does not explicitly specify any technological changes that must be enacted, but rather outlines high-level concepts and ideas directed towards improving security posture. The aim is to promote enhanced cybersecurity measures internally, but also when collaborating between enterprises and across borders within the EU.
The important points brought forth by NIS2 include:
- A significant extension to the number of sectors covered, including telecoms, manufacturing, waste management, social media platforms and public administration (a more comprehensive list can be found on the NIS2 fact sheet)
- The creation of a common cyber crisis management structure (referred to as the Cyber Crisis Liaison Organisation Network or CyCLONe) to improve joint situational awareness, promote collaboration and reduce coordination overhead
- Member states must ensure that essential service operators and digital service providers implement appropriate risk management measures, including regular risk assessments, and monitor their networks and information systems for security incidents
- An increase in the level of harmonization regarding reporting obligations. For example, affected enterprises have 24 hours from when they first become aware of an incident to submit an initial report, followed by a final report no later than one month later
- An encouragement of member states to examine and strengthen their overall “cyber resilience”, specifically calling out supply chain, vulnerability management, the use of cryptography and better cyber hygiene
- Failure to comply with elements of the NIS2 Directive (once mandated locally by member states) could mean fines of up to €10 million or 2% of an entity’s total turnover worldwide
Now, because the circumstances and technical readiness of each member state or enterprise will vary greatly, it is impossible to outline a ‘one size fits all’ approach to meeting the directive. Discovering, implementing and enforcing the necessary changes will therefore require a unified effort not only within each individual enterprise, but ultimately involving both local and federal governments – and potentially oversight from the European Union Agency for Cybersecurity (ENISA).
But even if the scope of change in order to satisfy the NIS2 obligations is technologically vague, there should be no denying that two fundamental practices will underpin any notion of enhanced cyber resilience.
What measures can be taken to meet NIS2 requirements?
The first and most crucial step is to implement multi-factor authentication (MFA) to secure all accounts, in lieu of passwords. Given the sophistication of modern-day cyberattacks and the cyber arsenal available at an attacker’s fingertips, reliance on passwords as a form of defense must end.
Moreover, not all MFA is created equal. While SMS One-Time Passwords (OTP) or an authenticator app are certainly better than a traditional password alone, they are not phishing-resistant: the code is just another secret the user can be tricked into typing into a fake login page, from where it is relayed to the real service within its validity window. They cannot be considered strong forms of MFA.
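To make the phishing-resistance distinction concrete, here is an added illustration (not from the original post) of the relying-party checks a FIDO2/WebAuthn server performs that an OTP check cannot: the browser writes the page’s actual origin into clientDataJSON and the authenticator hashes the RP ID into authenticatorData, so an assertion captured on a lookalike domain fails verification at the real site. The RP ID, origin and lookalike domain are constructed values; the assertion builder stands in for the browser/authenticator, and signature verification with the credential’s public key is deliberately omitted to isolate the binding checks.

```python
import base64, hashlib, hmac, json, os

RP_ID = "example.com"                       # constructed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"  # constructed legitimate origin

def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_assertion(origin: str, rp_id: str, challenge: bytes) -> dict:
    """Stand-in for browser + authenticator output (constructed, not a real
    WebAuthn stack). The browser records the page's real origin; the
    authenticator hashes the RP ID the page was allowed to use."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    # authenticatorData = rpIdHash (32) || flags (UP|UV = 0x05) || signCount (4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}

def verify_assertion(a: dict, challenge: bytes) -> bool:
    """Server-side binding checks from the WebAuthn assertion procedure
    (signature check over authData || SHA-256(clientDataJSON) omitted here)."""
    cd = json.loads(a["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(cd.get("challenge", ""), b64url(challenge)):
        return False                                    # replayed/stale challenge
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False                                    # minted on another site
    rp_hash = a["authenticatorData"][:32]
    if not hmac.compare_digest(rp_hash, hashlib.sha256(RP_ID.encode()).digest()):
        return False                                    # scoped to a different RP
    return bool(a["authenticatorData"][32] & 0x01)      # user-presence flag set

def verify_otp(submitted: str, expected: str) -> bool:
    """An SMS/app OTP carries no origin: a code typed into a lookalike page and
    relayed within its validity window verifies exactly like a genuine one."""
    return hmac.compare_digest(submitted, expected)

def demo() -> tuple:
    challenge = os.urandom(32)
    legit = make_assertion(EXPECTED_ORIGIN, RP_ID, challenge)
    # Same user, same challenge, but signed on a constructed lookalike domain.
    phished = make_assertion("https://examp1e.com", "examp1e.com", challenge)
    return (verify_assertion(legit, challenge),    # True
            verify_assertion(phished, challenge),  # False: origin/RP ID mismatch
            verify_otp("123456", "123456"))        # True: relayed OTP is accepted
```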
The second fundamental practice necessary to achieve a more robust cybersecurity stance is to protect critical data and use encryption wherever possible. By encrypting databases, communications, documents, servers and critical infrastructure, even an attacker who penetrates a system or network is far less likely to obtain anything exploitable or of value, since the data they exfiltrate is unusable without the private key needed to decipher it.
How can these measures be integrated into both new and existing infrastructure?
Yubico provides a range of options for enterprises looking to enhance their cyber resilience. The YubiKey, a hardware security token that supports both PIV and FIDO2, can augment or even replace a password-based authentication flow with a strong, phishing-resistant one. There are also many YubiKey options and form factors to suit the full spectrum of enterprises from very large to very small. This includes CSPN- and FIPS-certified variants – such as the YubiKey 5 FIPS Series or the YubiKey 5 CSPN Series – for those looking for a government-recognised device, or the YubiKey 5C NFC, which offers FIDO2 and PIV support with both USB-C and NFC capabilities for compatibility with a wide range of devices.
For enterprise encryption needs, the YubiHSM is a useful toolbox for securely generating and storing private keys and other cryptographic material. It arrives at a fraction of the cost of a traditional HSM, is packaged into a diminutive form factor the size of a fingernail, and supports common interfaces such as PKCS#11 and Microsoft CNG.
Although the NIS2 Directive may appear imposing and difficult to implement, the truth of the matter is that the basics of security are straightforward, and any investment in cyber resilience is extremely worthwhile to prevent potential future disaster. Yubico can help any enterprise willing to embrace the challenges of cybersecurity, well beyond just the need to satisfy NIS2.
For more information on the YubiKey, YubiKey CSPN, YubiKey FIPS, YubiHSM 2 or YubiHSM 2 FIPS lineup, please visit the Yubico site. Products are available for purchase on the Yubico store, through Yubico’s dedicated sales team, or from any Yubico-approved channel partners and resellers.