How to be compliant with the new NIS Directive?

The aim of this blog is to describe at a high level what is NIS2, who is affected and to investigate some of the steps required to be compliant with the new and upgraded NIS directive.

What is NIS2?

Directive (EU) 2016/1148 or given its more memorable name of “The Network and Information Security Directive(NIS)” was the first piece of EU-Wide legislation of Cybersecurity. The aim as described in its directive “was to build common capabilities across all member states to mitigate threats to network and information systems used to provide essential services in key sectors.”

A laudable goal and an essential one given that Cyber-attacks are the fastest-growing form of crime worldwide. A quick search in your favourite search engine can lead to nights of troubled sleep with reports on the scale, cost and sophistication.

The first directive was released in 2016 and the threat landscape has increased considerably since then. Unsurprisingly technology has changed, such as the introduction of 5G, and cloud adoption. The change of work patterns with Coronavirus meant that sectors and services have become more interconnected and provide a greater range of connectability.

This meant that the directive needed updating and the new directive has been imaginatively titled “NIS2”.

What is different about NIS2?

The essential difference is that the EU seek to harmonise requirements across all EU member states.
Previously member states interpreted the rules slightly differently. This meant that organisations involved in cross-border activities faced different and possibly overlapping regulatory requirements.

NIS2 has sought to harmonise the requirements by setting out minimum rules for regulations and establishing a clear and stronger minimum cybersecurity measures that must be implemented. NIS2 is causing more involvement, obligations and supervision across the EU.
Though not strictly part of the EU, the UK government has decided to enforce the regulations also.

A key message of NIS2 is that this is a minimum set of criteria and that member states can add regulations.
For example, Germany has passed KRITIS-Dachgesetz into law to regulate the physical protection of critical infrastructures. This is seen as complementing the existing regulation.

Who must comply?

There are two criteria for this.

Firstly, it is the size of organisation. According to Article 2 any public or private entity that is or exceeds the criteria for a medium-sized enterprise. A medium-sized enterprise is defined as an “enterprise which employs between 50 and 250 persons and which has an annual turnover between €10 million and €50 million, and/or an annual balance sheet total not exceeding €43 million.”
Simply speaking if your organisation has at least 50 employees, has a turnover of at least €10 million or an annual balance of €43 million, then you must comply.

The second criteria, and is independent of the organisation size is if the organisation belongs to one of these two sets of services as defined. The first is in Annex 1 and covers Highly critical Sectors

Highly Critical Sector
1. Energy
2. Transport
3. Banking
4. Financial Market Infrastructure
5. Health
6. Drinking Water
7. Waste Water
8. Digital Infrastructure
9. ICT service management (B2B)
10. Public Administration
11. Space

The second, as defined in Annex 2, is a list of other critical sectors

Other Critical Sectors
1. Postal and courier services
2. Waste management
3. Manufacture, production and distribution of chemicals
4. Production, processing and distribution of food
5. Manufacturing
6. Digital providers
7. Research

Please note the annexes do call out subsectors of each of the sectors above, but the list is comprehensive and would seem to cover most organisations in that sector.

What must I do to be compliant?

The regulations do state that the measures should be based on “All Hazards” and include things like fire, floods etc. However, from a technical perspective the narrative is a little vague and can be left open to interpretation.
This is from the directive itself

“Taking into account the «state-of-the-art» and, where applicable, relevant European and international standards, as well as the cost of implementation, the measures referred shall ensure a level of security of network and information systems appropriate to the risks posed. When assessing the proportionality of those measures, due account shall be taken of the degree of the entity’s exposure to risks, the entity’s size and the likelihood of occurrence of incidents and their severity, including their societal and economic impact.”

Basically, they are saying it depends. It depends on the organisation’s size, how likely they are to be attacked and the impact an attack will have. It could be argued that size and impact are quantifiable but exposure to risk – that’s more difficult.

The concern here is that the vagueness means that it is open to interpretation. If the unfortunate event were to happen an auditor may have a different interpretation. That interpretation can result in a €10million or 2% of turnover fine for High Critical Sectors or €7million and 1.4% for other critical sectors. There is a safe option here and it’s not too difficult or expensive when you consider what is being asked to be compliant.

What technologies do I need?

Thankfully this time the directive has been a little more specific in what is required as a minimum:

«(a) policies on risk analysis and information system security;

(b) incident handling;

(c) business continuity, such as backup management and disaster recovery, and crisis management;

(d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;

(e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;

(f) policies and procedures to assess the effectiveness of cybersecurity risk-management measures;

(g) basic cyber hygiene practices and cybersecurity training;

(h) policies and procedures regarding the use of cryptography and, where appropriate, encryption;

(i) human resources security, access control policies and asset management;

(j) the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.»

Looking at this closely the ask is

• Manual Policies
• Education
• Backup management and disaster recovery
• Network and Information security
• Human resources security
• Access Control policies
• Asset management
• MFA
• Secure Communications

A lot of vendors from different technologies will say they are essential, but what is required can essentially be reduced to.

• Manual Policies
• Education
• Backup and recovery
• Access Management / MFA
• Asset Management
• Secure Communications

You are probably wondering why not Network and Information security or human resources security. Well, they are covered with Access Management and MFA. At the simplest level what is required is to protect users and secure access to data. That is the primary function of an Access Management solution. Protecting HR, well that is just protecting the HR application and ensuring only HR personnel have access. Network security is similar, protect entry points with strong authentication.

It is not the purpose of this article to cover every technology and what is required by them, but this article will highlight a couple of important areas.

Education

This may seem strange coming from a technology vendor, but education is the most important area.
It’s an old adage that hacker’s login not break in. Credentials are often compromised by users clicking on a link they shouldn’t , or by visiting a suspect website loaded with malware.

Also with any new technology there is a certain amount of a change in process. Ensure users follow good habits and understand the risks. It is often a failing of IT professionals to assume all users are IT experts and everyone in an organisation understands the risks already. This is never the case, how many people do you know who go “I hate computers”, “I can never get this <insert appropriate piece of technology> to work properly”. Those people have jobs in a company somewhere.

Ensure adequate and regular education is given to all your users.

Manual Policies

A lot of the regulation calls for a set of policies. These are manual policies and don’t require any technology. Most standard cyber security policies will suffice. However, most organisations will forget that policies need to be regularly reviewed.

Many people in an organisation (quite often CISOs) will say “done NIS2 compliance”, “got backups”, “done MFA” and simply dismiss everything as being done. Often there isn’t a review of how effective the implementation of the technology is. Ask questions like “Are users using it properly?”. “Does it meet my current needs?”.

When the answer is no, it’s often not the case of the technology being wrong or insufficient. It’s a case all situations, users, applications, end points have not been considered. IT is a living breathing organism, and it changes. An implementation or configuration often is out of date very quickly. Hence why backups, MFA etc are never done.

The advice here is to continuously review the policies and technology to ensure that all security gaps are covered and that they meet the needs now, not the needs of several years ago.

An up to date set of policies will be usable and maintain the highest level of security.

Access Management and MFA

Highlighted above Access Management is arguably the leading technology required to be NIS 2 compliant. Strong authentication is fundamental in ensuring a user is who they say they are, not an imposter. What is strong authentication? It is simply a means of using a more secure form of authentication than just username and password. Most commonly this is username, password and an additional verification step such as entering a pin number contained on a phone, accepting a request on a registered device. There are many forms but this buyer’s guide will show the various options.

Access Management takes the strong authentication a step further and limits what data or devices people can access.  These access policies are essential, it ensures people can only access what they need to access. Using this technology helps cover network security, supply chain, human resources security and information security.

Who should MFA be applied to?

If you have read and understood the NIS guidelines it would be easy to say that only appropriate people would need to be covered. Only a certain subset such as, administrators, HR people etc.

This is where there is often a problem and much like education most organisations make a false assumption. It is often assumed that only remote users, administrators, or people who need privileged access need to be protected. Generally, most implementations cover around 50% of the user base.

In fact, the percentage is often lower when you consider that most organisations don’t cover their supply chain vendors.

This means half of the user base are left with just username and password. This means that half the users are at risk, even a small one.

That approach can fall into the trap of being open to interpretation as to if it’s acceptable. It is then in the hands of auditor to say if it is compliant.

What is the best practice?

It is always recommended that all users should be protected by strong authentication. It has to be accepted that users are not all equal and do have different needs. This MFA Best Practice guide gives a good breakdown as to the different options. Often the push back is cost as to not covering all users. MFA is considerably cheaper than a €10million or 2% of turnover fine. Is it worth the risk?

Not all users will need the same second factor authentication. For example, in sensitive environments not all users will have access to a mobile phone. In hazardous environments facial recognition or fingerprints are simply not an option. Even travelling people may not be guaranteed an internet signal.
The best practice is to understand the different needs of all the users and find the correct methods suitable for each and use a range of authentication options.

Summary

In summary NIS2 is an improvement on the original NIS requirement and is likely to cover most mid and large organisations.
The regulations are vague as to how much you need to do. However very simply a good cyber security practice should be adopted.
Education and a good set of policies are essential. The technology requirements are not extensive, but MFA and Access Management is a mandatory component of the solution.  Ensure all users are covered. It avoids the uncomfortable discussion with an auditor about whether a solution is sufficient, but it does ensure that risk is kept to a minimum.
Finally, never rest, never assume what you have done is enough. Continuously review your education, policies, and technology. Ensure that it works for your situation now, not how it was a couple of years ago. After all the cyber criminals are continuously adapting.

Category: Industry News, Industry Research

2FA / Compliance / Government / MFA / Technology

Chris Martin, Head of Solution Architecture

With over 20 years’ expertise in the IAM space, Chris’ extensive background includes Enterprise SSO, PAM, IDaaS and Identity Governance that enables him to bring a holistic approach to enterprise IAM. Within SecurEnvoy, Chris works alongside the sales and technical teams to help define, develop and execute the company’s IAM strategy.