What is NIS2 Directive?

The NIS2 (Network and Information Security) Directive is a regulatory framework established by the European Union (EU) to enhance the cybersecurity of critical infrastructure and digital service providers. In January 2023, the European Union member states formally enacted a revision of the 2016 NIS Directive to create the NIS2 framework. The directive requires all EU member states to incorporate it into their national laws by October 2024 and failing to do so can attract expensive fines. Compliance with the NIS2 Directive builds on the requirements of the original directive, aiming to protect critical infrastructure and organizations within the EU from cyber threats and strengthen the overall security posture.

Sectors covered by the NIS2 directive:

The NIS2 directive covers two main groups of entities:

1. Essential Entities: Includes organizations maintaining vital societal functions, such as health, safety, security and economic or social well-being. A security incident within these entities can lead to widespread consequences, requiring these entities to adhere to higher cybersecurity standards and strict regulatory oversight.
2. Important Entities: Includes organizations that play a significant role in the larger economic and social construct but are deemed less critical than essential entities. Their cybersecurity requirements are less stringent compared to essential identities.

As per the directive, all essential identities should be proactively supervised, while the important ones are to be monitored only after a non-compliance incident has been reported. Here’s a breakdown of the sectors where the NIS2 Directive is applicable:

Essential Entities	Important Entities
Energy Transport Financial institutions Market infrastructure Healthcare Drinking water Wastewater Digital infrastructure and providers Public administration Space activities	Digital providers Postal and courier services Waste management Manufacturing, production, and distribution of chemicals Production, processing, and distribution of food Research Manufacturing

Challenges in implementing the NIS2 directive

Some of the most pressing challenges organizations can possibly encounter in pursuit of being NIS2 compliant are:

1. Complexity of requirements: NIS2 compliance requirements are often exhaustive and multi-faceted, making it difficult for organizations to get it right.
2. Shortage of skilled professionals: Emerging new threats reveal underlying skill gaps in 71% of organizations, as they strive to onboard niche talents to satisfy diverse compliance requirements.^[1]
3. Hefty non-compliance penalties: Failing to comply with NIS2 legislation can set back essential entities up to €10 million or 2% of their annual global revenue and up to €7 million or 1.4% of their annual global revenue for important entities. These figures can be even greater in some EU member states if they decide to raise these maximum amounts when enacting the directive into their local framework.

Building a NIS2 compliance strategy with identity security

As growing digital adoption eases workforce access to critical resources, risks stemming from it increase exponentially as any identity could now become privileged. This necessitated organizations to protect every identity with the right levels of privileged control to:

Prevent unauthorized access to sensitive enterprise data.
Enable security teams to monitor user activities to improve incident response.
Streamline audit and compliance processes.

These security outcomes also overlap with the fundamental requirements of NIS2, making identity security an indispensable tool for elevating cyber security and compliance for businesses within the boundaries of the European Union.

The following table outlines NIS2 requirements alongside strategies businesses can adopt to effectively satisfy all regulatory requirements.

NIS2 Risk Management Requirements	Steps to Attain NIS2 Compliance
Incident handling and business continuity, such as backup management, disaster recovery (DR) and crisis management.	Collaborate with a security vendor that has ‘First-call’ partnerships with leading incident response firms and various DR architectures for access continuity in the event of a security incident.
Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.	Secure third-party access by enabling passwordless, VPN-less authentication with session isolation and protection across all web-based and legacy applications.
Policies and procedures to assess the effectiveness of cybersecurity risk-management measures.	Provide security teams with the tools to capture controls effectively and assess the volume of onboarded accounts.
Basic cyber hygiene practices and cybersecurity training.	Secure privileged access by: Centrally vaulting credentials and enabling policy control for them to be used by humans, endpoints, services/machines. Implementing least privilege framework and segregation of duties (SOD) across endpoints, data centers and multi-cloud environments. Using session isolation or protection for web applications, on-prem compute, elastic infrastructure, cloud workloads and services.
Policies and procedures regarding the use of cryptography and where appropriate, encryption.	Check with the security vendor to ensure that data stored within the platform is encrypted at rest and in-transit.
Human resources security, access control policies and asset management.	Increase operational efficiency and prevent risks stemming from human errors by: Automating joiners, movers and leavers workflow and eliminating over-privileged orphaned accounts. Leveraging role-based access provisioning to ensure users only have access to the resources they need.
The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.	Use platform-wide adaptive multi-factor authentication for dynamic monitoring of user logins based on real-time threat intelligence.

Identity security best practices for NIS2 compliance

The NIS2 compliance framework involves a wide range of security and compliance practices aimed at improving cyber resilience in the European Union. However, security leaders cannot afford to have dedicated solutions for each requirement amidst soaring vendor sprawl where 94% of security professionals are reportedly working with more than ten vendors for various identity-related cybersecurity initiatives^[2].

This heightens the need for an integrated identity security platform that balances cybersecurity and compliance without affecting user experience. Here’s a rundown of the key areas to focus on for attaining NIS2 compliance for your business.

Secure software supply chain: Preventing supply chain attacks is one of the most important reasons for regulatory bodies in the EU to implement the NIS2 directive. Using a platform that supports passwordless authentication for third parties and and session isolation protection is central to securing the widely-targeted software supply chain.
Compatibility with the least privilege framework: Implementing the principles of least privilege (PoLP) for all identities and enabling just-in-time (JIT) access is the first step to curbing unauthorized access to high-risk enterprise resources. Using a platform that supports the least privilege framework can greatly aid in complying with the NIS2 directive.
Security-first workforce access: The NIS2 directive requires organizations to ensure only authorized users are granted access to the resources they need. This can be achieved by layering traditional identity and access management (IAM) solutions like single sign-On (SSO), adaptive MFA and session monitoring for faster incident response and preventing data exfiltration.
Privilege controls for all identities: Securing privileged access wherever it exists—credentials to critical resources— can significantly improve compliance readiness. While traditional methods of credential vaulting, rotation and session isolation continue to be effective, extending them to all identities at a time when anyone can become privileged can further strengthen your security posture.
Scalable endpoint security strategy: Preventing crippling originating from poorly protected endpoints is one of the main reasons for implementing NIS2. Choosing a security solution with built-in endpoint security that offers end-to-end protection for all identities as they access various enterprise resources can help streamline compliance.

Learn more about the NIS2 directive:

^[1] Security Magazine, “How to fix the growing cybersecurity skills gap,” April 2024.
^[2]CyberArk, “Identity Security Threat Landscape Report 2024,” May 2024.