EU Cybersecurity: Implementation of the New NIS2 Directive

EU - European Union

With the introduction of the updated NIS2 network and information security directive at the end of 2022, the European Union joined a growing number of government bodies enforcing more stringent cybersecurity standards to safeguard vital infrastructure. In November, the European Parliament and the EU member states formally endorsed NIS2. It must now be transposed into national regulations in each of the 27 member states, with local variations. In this new situation, identity protection will be more crucial than ever.

Today’s cybersecurity relies on the ability to constantly monitor, validate, and safeguard identities in order to stop breaches. The NIS2 guidance is built on zero trust principles: every identity, whether human or machine, is inherently untrusted and must be authenticated and authorized regardless of network or location.

Organizations that fall within NIS2’s expanded scope cannot wait any longer. They should start preparing now, or at the very least get informed about what the directive will require of them.

In contrast to a traditional perimeter-based security approach, a zero trust architecture secures mobile users and remote employees while protecting both on-premises and cloud-based IT and OT systems. It also offers protection against both internal and external threats.

Identity security is a crucial component of zero trust and serves as a constant point of cybersecurity control outside the perimeter. It limits access to the machines or people who need it and grants only the bare minimum of permissions. This entails tracking user behavior to determine whether an identity has been compromised, and continuous authentication that covers a user’s whole session, not just a single multifactor authentication prompt at login.
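To make the three ideas in the paragraph above concrete (least privilege, behavioural monitoring, and continuous authentication across a session rather than a single MFA prompt), here is an added illustrative policy engine. It is example code written for this page, not code from any NIS2 guidance or from a real identity product; the roles, permissions, the 15-minute re-authentication window, the risk threshold and the sample requests are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Assumed value: how long a strong (MFA) proof remains valid before the
# session must re-verify. Real policies would derive this from risk class.
MAX_AUTH_AGE_SECONDS = 900

# Constructed role-to-permission map; the point is that permissions are
# granted per action, not "all or nothing" once the user is logged in.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "operator": {"scada:read"},
    "engineer": {"scada:read", "scada:write"},
    "auditor": {"logs:read"},
}


@dataclass
class Session:
    principal: str
    roles: Set[str]
    device_id: str          # device bound to the session at login
    source_ip: str          # network location verified at last strong auth
    last_strong_auth: float  # timestamp (seconds) of last MFA proof
    risk_score: float = 0.0  # accumulated behavioural risk, 0.0 .. 1.0


@dataclass
class Request:
    action: str
    device_id: str
    source_ip: str
    timestamp: float


def evaluate(session: Session, req: Request) -> str:
    """Decide one request inside an existing session: 'allow', 'step_up' or 'deny'."""
    # 1. Least privilege: the identity must hold a role that grants this action.
    allowed: Set[str] = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in session.roles))
    if req.action not in allowed:
        return "deny"

    # 2. Behavioural signals: has the context drifted since the session was bound?
    if req.device_id != session.device_id:
        return "deny"  # a different device mid-session is treated as a compromised identity
    if req.source_ip != session.source_ip:
        session.risk_score = min(1.0, session.risk_score + 0.5)  # new location raises risk

    # 3. Continuous authentication: the strong proof must be recent, and elevated
    #    risk forces the user to re-prove identity even inside the window.
    auth_age = req.timestamp - session.last_strong_auth
    if auth_age > MAX_AUTH_AGE_SECONDS or session.risk_score >= 0.5:
        return "step_up"
    return "allow"


def complete_step_up(session: Session, req: Request) -> None:
    """Record a successful re-authentication and re-bind the session to the verified context."""
    session.last_strong_auth = req.timestamp
    session.source_ip = req.source_ip
    session.risk_score = 0.0


def run_demo() -> List[str]:
    """Walk a constructed session through typical events and return the decisions."""
    s = Session("alice", {"engineer"}, "laptop-01", "10.0.0.5", last_strong_auth=1000.0)
    decisions = []

    decisions.append(evaluate(s, Request("scada:read", "laptop-01", "10.0.0.5", 1100.0)))   # allow
    r2 = Request("scada:write", "laptop-01", "10.0.0.9", 1200.0)                             # IP changed
    decisions.append(evaluate(s, r2))                                                        # step_up
    complete_step_up(s, r2)                                                                  # user passes MFA
    decisions.append(evaluate(s, Request("scada:write", "laptop-01", "10.0.0.9", 1300.0)))  # allow
    decisions.append(evaluate(s, Request("logs:read", "laptop-01", "10.0.0.9", 1400.0)))    # deny: no role
    decisions.append(evaluate(s, Request("scada:read", "laptop-01", "10.0.0.9", 2200.0)))   # step_up: proof too old
    decisions.append(evaluate(s, Request("scada:read", "tablet-77", "10.0.0.9", 2250.0)))   # deny: new device
    return decisions


if __name__ == "__main__":
    print(run_demo())
```

The ordering of the checks is deliberate: an action the identity is never entitled to is refused before any session state is consulted, a device swap is treated as a hard failure rather than a step-up prompt, and a location change only raises risk, so the user is asked to re-prove identity rather than being locked out. A real deployment would feed the risk score from a behavioural analytics source instead of a fixed increment.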

ISO/IEC 27001

NIS2 affects all organizations that provide essential services to the economy and society. The list comprises eight sectors in total: financial markets, banking, healthcare, transportation, drinking water supply, sewage disposal, energy supply, and digital infrastructure. Companies with more than 50 employees and an annual revenue of at least 10 million euros are subject to the regulation, and the NIS2 cybersecurity requirements apply along the entire supply chain.

It is still unclear exactly what businesses must do to comply with NIS2. What is obvious, however, is that if your firm will soon be subject to the NIS2 mandate, you need to establish a suitable cybersecurity and information security strategy. A standard such as ISO/IEC 27001 provides a systematic framework for this. Smaller IT service providers (MSPs) that manage networks for larger enterprises will also need to show proof of compliance with ISO/IEC 27001. That said, NIS2 will not matter to many SMB companies unless they deliver essential services.