The European Union is now one of several governing bodies enforcing stricter cybersecurity standards to protect critical infrastructure, with the introduction of the updated NIS2 network and information security directive at the end of 2022.
In November, the European Parliament and EU member states officially endorsed NIS2, which must now be incorporated into regulations in each of the 27 countries, with local variations.
In this new environment, identity protection will be more critical than ever.
Organizations affected by NIS2's expanded requirements cannot afford to wait; they should prepare themselves or at least get informed. Unlike a traditional perimeter-based security approach, a zero-trust architecture provides security for remote employees and mobile users while defending both on-premises and cloud-based IT and OT systems, and it protects against internal as well as external threats.
Identity security serves as a constant point of cybersecurity control beyond the perimeter and is a critical aspect of zero trust. It restricts access to only those machines or people who require it, and grants only the minimum necessary permissions. This requires tracking user behavior to identify whether an identity has been compromised, and continuous authentication that validates the user throughout the entire session rather than at a single multifactor authentication prompt.
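The two identity controls described above, least-privilege role checks and per-request re-evaluation of a session based on behavioral risk signals, are shown in the added Python example below. It is illustrative code written for this page, not from the article or any vendor product; the roles, permissions, risk weights, the revocation threshold and the sample request sequence are all constructed assumptions.

```python
from dataclasses import dataclass

# Least privilege: each role gets only the permissions it needs (constructed example roles).
ROLE_PERMISSIONS = {
    "operator": {"scada:read"},
    "engineer": {"scada:read", "scada:write"},
    "auditor": {"logs:read"},
}

# Accumulated risk at or above this value revokes the session and forces re-authentication.
RISK_REVOKE_THRESHOLD = 50  # assumed value


@dataclass
class Session:
    user: str
    role: str
    mfa_verified: bool      # result of the initial multifactor authentication
    usual_country: str      # baseline used to spot anomalous behaviour
    risk: int = 0           # risk accumulated over the session, re-evaluated per request
    revoked: bool = False


@dataclass
class Request:
    permission: str
    country: str            # where the request originates
    hour: int               # local hour of the request, 0-23
    failed_logins: int      # recent failed authentication attempts for this identity


def score_request(session: Session, req: Request) -> int:
    """Risk contributed by one request, based on behavioural signals (weights are assumptions)."""
    score = 0
    if req.country != session.usual_country:
        score += 30         # activity from an unusual location
    if req.hour < 6 or req.hour > 22:
        score += 15         # activity outside normal working hours
    if req.failed_logins >= 3:
        score += 30         # repeated failed logins suggest credential guessing
    return score


def authorize(session: Session, req: Request):
    """Continuous authorization: every request re-checks the identity, not just the first MFA prompt.

    Returns (allowed, reason) and updates the session's risk state.
    """
    if session.revoked:
        return False, "session revoked"
    if not session.mfa_verified:
        return False, "mfa required"
    # Least privilege: the requested permission must belong to the session's role.
    if req.permission not in ROLE_PERMISSIONS.get(session.role, set()):
        session.risk += 10  # probing for permissions outside the role is itself a signal
        return False, "permission not granted to role"
    session.risk += score_request(session, req)
    if session.risk >= RISK_REVOKE_THRESHOLD:
        session.revoked = True
        return False, "anomalous behaviour, re-authentication required"
    return True, "ok"


def run_demo():
    """Replay a constructed sequence of requests against one session and return each decision."""
    session = Session(user="alice", role="engineer", mfa_verified=True, usual_country="DE")
    events = [
        Request("scada:read", "DE", 10, 0),    # normal, within role
        Request("logs:read", "DE", 10, 0),     # outside the engineer role: denied, risk +10
        Request("scada:write", "DE", 11, 0),   # normal, within role
        Request("scada:write", "BR", 3, 4),    # new country, 03:00, failed logins: risk crosses threshold
        Request("scada:read", "DE", 12, 0),    # session already revoked
    ]
    return [authorize(session, e) for e in events]


if __name__ == "__main__":
    for allowed, reason in run_demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

The point of the design is that the MFA result is a precondition, not a lifetime grant: the fourth request is denied even though the same session passed MFA and holds the `scada:write` permission, because its behaviour no longer matches the identity's baseline.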
NIS2 applies to organizations that offer vital services to the economy and society, including financial markets, banking, healthcare, transportation, drinking water supply, sewage disposal, energy supply, and digital infrastructure. Companies with at least 50 employees and an annual revenue of at least €10 million are subject to the regulation.
It's still unclear exactly what businesses must do to comply with NIS2. However, if your company will be subject to the NIS2 mandate, establishing a suitable cybersecurity/information security strategy is required, and a standard such as ISO/IEC 27001 can provide a systematic framework for it. Smaller IT service providers looking after bigger businesses' networks may also need to demonstrate ISO/IEC 27001 compliance. NIS2 will not apply, however, to many SMBs that do not provide critical services.
The European Union Council has aligned the new directive with industry regulations, such as those governing digital operational sustainability for the financial sector and the sustainability of critical facilities. This is to ensure that NIS2 adheres to legal clarity and consistency with these acts.
The Directive will be officially published in the coming days and enters into force twenty days after its publication.