The October 17, 2024 deadline for European Union (EU) Member States to transpose the NIS2 Directive into their national legislation is fast approaching. We first highlighted NIS2 and its new requirements in a blog post back in March 2023. With the deadline now close, every organisation that falls within the directive's scope, together with the suppliers it depends on, should monitor national developments closely and prepare for the enhanced cybersecurity requirements that follow.
The Network and Information Security (NIS) Directive was introduced in 2016 as the first EU-wide legal framework for cybersecurity standards. Although the intention was admirable and set a clear direction, it did not change the landscape as intended. The NIS2 Directive, which entered into force on 16 January 2023, is an attempt to address those shortcomings by updating and expanding both the requirements and the scope.
NIS2 introduces new security requirements and supervisory measures, and covers more entities from a wider range of sectors, and their supply chain partners.
Be prepared – NIS2 introduces stricter penalties and requirements
Failure to comply with NIS2 can result in substantial penalties, which underscores the urgency of the matter. The directive distinguishes between essential and important entities: essential entities face administrative fines of up to EUR 10 million or 2% of total worldwide annual turnover (whichever is higher), while important entities face up to EUR 7 million or 1.4%. Management bodies can also be held personally accountable for non-compliance. Visit the page here for full details on the penalties and the violations they apply to.
The first NIS Directive required operators of essential services and digital service providers to adopt technical and organisational measures appropriate and proportionate to risk. This means taking into account the security of systems and facilities, incident handling, business continuity management, monitoring, auditing and testing, and compliance with international standards. Unfortunately, this broad range and non-specificity resulted in significant gaps in how Member States laid out and enforced their requirements.
To strengthen cybersecurity across the EU, NIS2 introduces a framework for incident reporting (an early warning within 24 hours of becoming aware of a significant incident, a fuller notification within 72 hours and a final report within one month), together with supervisory and enforcement powers for Member States, including audits. In practice this means you need tooling that lets you demonstrate your cyber hygiene and the ability to detect, investigate and report incidents within those windows. NIS2 also sets minimum technical, operational and organisational obligations that apply to organisations and to their supply chains, covering:
- The use of multi-factor authentication (MFA) or continuous authentication solutions
- Cryptography & encryption policies
- Risk analysis and information security policies
- Incident handling
- Business continuity planning
- Supply chain security
- Network and information system security
- Policies and procedures to assess security measures
- Basic cyber hygiene practices (the directive's recitals point to Zero Trust principles as an example) and cybersecurity training
- Access control policies
How Yubico helps address authentication challenges to meet the NIS2 Directive
The YubiKey provides phishing-resistant authentication using the FIDO2 (device-bound passkey) and PIV smart card protocols, and also supports legacy MFA protocols such as one-time passwords so that systems which cannot yet use FIDO2 are still protected. This matters because many NIS2 essential and important entities rely on legacy production equipment, shared workstations and mobile-restricted environments where phone-based MFA is impractical or prohibited; a hardware key works in all of them.
The YubiKey is well suited to complex critical infrastructure organisations, giving users the flexibility to move between devices and across hundreds of products, services and applications, including leading identity and access management (IAM) platforms, privileged access management (PAM) solutions and cloud services. With FIDO2, each credential is bound to the relying party (domain) it was registered with, so no secret is shared between services and a credential registered for one service cannot be replayed to, or phished by, another. The YubiKey needs no additional hardware, software, external power, batteries or network connection. Secure authentication is simple: plug the YubiKey into a USB port and touch the button, or tap it for NFC.
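To show what "bound to the domain" means on the server side, the following is an added example (not code from Yubico or from the original post) of the checks a relying party performs on a FIDO2/WebAuthn assertion before it verifies the signature: the rpIdHash in the authenticator data must match the expected RP ID, the client data must name the expected origin and challenge, and the signature counter must move forward. The RP ID, origin, challenge and assertion bytes are all constructed inline as assumptions; a real deployment would also verify the returned signed payload against the public key stored at registration.

```python
"""Relying-party binding checks for a FIDO2/WebAuthn assertion (added example).

The RP ID, origin and challenge below are assumed values, and the assertion
fields are constructed in this file rather than captured from a real key.
"""
import base64
import hashlib
import json
import struct

FLAG_UP = 0x01  # user present (the key was touched)
FLAG_UV = 0x04  # user verified (PIN or biometric checked on the key)


def b64url_decode(s: str) -> bytes:
    """Decode base64url without padding, as used in clientDataJSON."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def verify_assertion_binding(rp_id, expected_origin, expected_challenge,
                             stored_sign_count, auth_data, client_data_json,
                             require_uv=False):
    """Reject an assertion that is not bound to this RP, origin and challenge.

    Returns the new signature counter and the exact bytes the authenticator
    signed (authenticatorData || SHA-256(clientDataJSON)), which the caller
    then verifies against the credential's registered public key.
    """
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        raise ValueError("wrong ceremony type")
    if client.get("origin") != expected_origin:
        # A browser fills this in itself; a phishing site gets its own origin here.
        raise ValueError("origin mismatch: %r" % client.get("origin"))
    if b64url_decode(client.get("challenge", "")) != expected_challenge:
        raise ValueError("challenge mismatch (replay?)")

    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        # The key hashes the RP ID it was asked for; a credential registered
        # for another domain produces a different hash and is rejected here.
        raise ValueError("rpIdHash mismatch: credential is scoped to another RP")
    if not flags & FLAG_UP:
        raise ValueError("user presence (touch) not asserted")
    if require_uv and not flags & FLAG_UV:
        raise ValueError("user verification required but not asserted")
    if (sign_count or stored_sign_count) and sign_count <= stored_sign_count:
        raise ValueError("signature counter did not increase: possible cloned key")

    signed_payload = auth_data + hashlib.sha256(client_data_json).digest()
    return {"sign_count": sign_count, "signed_payload": signed_payload}


# --- constructed sample inputs (assumptions, not captured traffic) ---------

def make_auth_data(rp_id, flags, sign_count):
    """Build the 37-byte authenticatorData prefix an authenticator emits."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + struct.pack(">I", sign_count))


def make_client_data(origin, challenge):
    """Build the clientDataJSON the browser produces for an assertion."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
    }).encode()


RP_ID = "login.example.com"            # assumed RP ID
ORIGIN = "https://login.example.com"   # assumed expected origin
CHALLENGE = bytes(range(32))           # assumed server challenge


def demo():
    """Accept a legitimate assertion, reject one from a look-alike domain."""
    good = verify_assertion_binding(
        RP_ID, ORIGIN, CHALLENGE, 41,
        make_auth_data(RP_ID, FLAG_UP | FLAG_UV, 42),
        make_client_data(ORIGIN, CHALLENGE), require_uv=True)

    phish = "login.example-com.net"      # assumed phishing domain
    try:
        verify_assertion_binding(
            RP_ID, ORIGIN, CHALLENGE, 41,
            make_auth_data(phish, FLAG_UP, 42),
            make_client_data("https://" + phish, CHALLENGE))
        rejected = False
    except ValueError:
        rejected = True
    return good["sign_count"], rejected


if __name__ == "__main__":
    print(demo())
```

The phishing case fails on the origin check first, and would fail on rpIdHash even if the attacker forged the client data, because the key computed that hash over the attacker's domain; that is the property the directive's MFA requirement is best served by.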
Besides helping to address the MFA requirement, Yubico also offers the YubiHSM 2, a purpose-built hardware security module (HSM) that generates and stores cryptographic keys, safeguards secrets and performs cryptographic operations without the private key ever leaving the device. NIS2 requires policies on the use of cryptography and encryption, and extends those expectations to the supply chain; keeping the keys that protect your databases, certificates and signing infrastructure inside an HSM is a concrete way to implement and evidence such a policy. The world's smallest HSM, with support for common interfaces such as PKCS#11 and Microsoft CNG, the YubiHSM 2 is ideal for the following:
No matter what stage your organization is in, Yubico is here to help you prepare for the impending NIS2 deadline. For any questions on how to get started implementing YubiKeys today, contact our team.
For more information on the NIS2 Directive and what it means for your organization, visit our initial blog post and new Ebook: Prepare for NIS2 Compliance with the YubiKey.