NIS2: how best should businesses prepare?

by Mark Rowe

In January 2023, the European Union’s updated Network and Information Security Directive, more commonly known as NIS2, came into force. This means that EU Member States will have until October 2024 to put this new law into their national legislation, writes Steve Bradford, Senior Vice President EMEA, at the identity security product company SailPoint.

The original NIS Regulations were introduced into national law in 2018. These apply to organisations that provide ‘essential services’ (think: healthcare, energy, and transportation) as well as digital service providers (for example, online marketplaces and search engines). The regulations place requirements on those organisations to ensure appropriate security measures to help manage cybersecurity risks, and they impose certain reporting obligations in the case of security incidents.

Yet it is incontrovertible that there is an increased reliance of the economy and wider society on digital services, and this is driving ransomware attacks globally. We also live in a more connected world – ever more linked and complicated supply chains are leading to higher levels of cyber risk. In fact, 90pc of companies polled in the latest IDSA survey reported at least one identity-related breach in the last 12 months, a 6pc increase from last year’s report.

So, how does NIS2 fit into this evolving cyber landscape, and what does it mean for businesses?

Comprehensive cybersecurity

Organisations and businesses need to integrate cyber resilience into their business models and risk management strategies – and this is where the updated NIS2 directive comes in. NIS2 targets all public and private entities operating in the EU that are critical to the economy and society – this also includes UK companies with operations in the EU. Sectors such as healthcare, energy, transport, digital infrastructure, financial market infrastructures, the food sector, social networking services platforms, cloud computing services, data centres, and more will fall under the NIS2 directive.

The NIS2 directive strives to deliver a broad, comprehensive, and holistic improvement of cybersecurity across the EU. Whilst much of the onus lies on governments (for example, Computer Security Incident Response Teams [CSIRT] will be needed in each country and cross-border cooperation between those bodies for information sharing and where incidents require it), there is still a great deal for businesses to be aware of and prepare for.

All organisations in EU member states should familiarise themselves with the requirements of the directive and begin shaping their cybersecurity strategy over the next 18 months to ensure they are both compliant and secure when the updated directive comes into force.

Organisations will need to put policies and procedures in place for risk analysis, information system security, assessing the effectiveness of cybersecurity risk management measures, and more. Some examples of this include: companies need to ensure access is disabled when employees or contractors stop working for them, and they should also refrain from using ‘generic’ accounts (for example, accounts that are not tied to a named individual). Moreover, granting access to sensitive applications and/or data should be subject to approval and risk analysis to prevent toxic situations that could lead to fraud or data leakage.

Coordinated risk management

NIS2 will require senior management to approve the cybersecurity risk-management measures taken and oversee their implementation. And take heed! Under NIS2, senior management can be held liable for any infringements.

The new legislation will be far-reaching according to a new IDC report, “Identity governance will be a key to NIS2 compliance.” It will impact training, with the NIS2 directive stipulating the need for cybersecurity training and awareness for all employees, as well as for the broader ecosystem. Supply chain security will also be impacted. Recent cyber-attacks on payroll services provider Zellis and outsourcing group Capita – which have both affected multiple organisations – highlight the importance of protecting third parties. The NIS2 directive will mandate coordinated risk assessments of critical supply chains that cover critical ICT services, ICT systems, or ICT products.

Addressing risks through identity security

Organisations often struggle to assess the efficacy of their cybersecurity measures or identify vulnerabilities that remain despite those measures. Many organisations struggle to ensure access is promptly rescinded for employees that change roles or leave the company.

All these risks must be addressed through a proactive and policy-driven approach. The European Commission recommends that essential and important entities adopt zero-trust principles and identity and access management. Least-privilege access, which is implicit in zero trust approaches, can be fundamental to managing that access for partners and contractors. European organisations have until October 2024 to conduct NIS2 gap assessments and implement strategies to address the outcomes of those assessments.
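One way to turn the access controls described above (disabling access when people leave, avoiding generic accounts, and requiring approval for sensitive access) into a repeatable check, as an added example that is not from the article or from SailPoint; the HR roster, account export, application names and audit date are constructed sample data:

```python
# Added example (not from the article): an identity-hygiene audit over a
# constructed HR roster and account export, flagging the three conditions the
# text names. Real deployments would read these from an HR system and IAM export.
from __future__ import annotations
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    account_id: str
    owner: str | None            # None = shared/'generic' account with no named individual
    enabled: bool
    entitlements: frozenset[str]
    approved: frozenset[str]     # entitlements that carry an approval record


# Constructed sample data: HR status per person (status, effective date).
HR = {
    "alice": ("active", date(2021, 3, 1)),
    "bob": ("left", date(2024, 5, 31)),
    "carol": ("active", date(2023, 9, 15)),
}
SENSITIVE = frozenset({"payroll", "hr-records"})   # apps needing approval + risk analysis
DEMO_DATE = date(2024, 6, 10)                      # constructed audit date

ACCOUNTS = [
    Account("a.smith", "alice", True, frozenset({"email", "payroll"}), frozenset({"payroll"})),
    Account("b.jones", "bob", True, frozenset({"email", "hr-records"}), frozenset({"hr-records"})),
    Account("svc_shared", None, True, frozenset({"payroll"}), frozenset()),
    Account("c.lee", "carol", True, frozenset({"hr-records"}), frozenset()),
]


def audit(accounts, hr, sensitive, today):
    """Return (account_id, finding_code, detail) for every control violation found."""
    findings = []
    for acct in accounts:
        if acct.owner is None:
            findings.append((acct.account_id, "GENERIC_ACCOUNT", "no named owner"))
        elif acct.owner not in hr:
            findings.append((acct.account_id, "ORPHANED", "owner unknown to HR"))
        else:
            status, effective = hr[acct.owner]
            if acct.enabled and status == "left":
                overdue = (today - effective).days
                findings.append((acct.account_id, "LEAVER_STILL_ENABLED",
                                 f"enabled {overdue} days after leaving"))
        # Sensitive entitlements without an approval record, in stable order.
        for ent in sorted((acct.entitlements & sensitive) - acct.approved):
            findings.append((acct.account_id, "UNAPPROVED_SENSITIVE_ACCESS", ent))
    return findings


if __name__ == "__main__":
    for finding in audit(ACCOUNTS, HR, SENSITIVE, DEMO_DATE):
        print(*finding, sep=" | ")
```

Run on a nightly schedule, each finding becomes a deprovisioning or approval ticket, and the count of LEAVER_STILL_ENABLED findings over time is a direct measure of how quickly access is rescinded.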

Let the implementation of the EU’s General Data Protection Regulation (GDPR) serve as a warning that European regulators are more than ready to penalise businesses that have been dragging their heels when it comes to managing data security, privacy, and cyber risk. The punishments may come in the form of regulatory penalties. Add this to the costs of operational downtime, reputational damage, customer loss, and system restoration that follow any breach, and it becomes quite clear all that is at stake for businesses.

European organisations face an ever-growing burden of management for identities and access, for human and non-human accounts and identities, and for employees, partners, contractors, and customers. The capabilities of legacy identity security solutions are inadequate to address the volume and velocity of identity-related tasks that most organisations must now address. However, modern identity security solutions, driven by AI and machine learning, are changing the game. These enable organisations to automate identity processes and build contextual insights to improve the detection of suspicious behaviour and trigger quicker and more impactful responses.

These benefits will be crucial as devices, bots, and all manner of other non-human identities proliferate at a much faster rate than manual capabilities can handle. Proactive and automated identity and access management should be a pillar of every organisation’s cybersecurity risk management strategy, and preparation should start today.


© 2024 Professional Security Magazine. All rights reserved.