The latest version of the EU’s NIS regulation is significantly tougher and more wide-ranging, says Dr. Heiko Klarl of iC Consult. All organizations need to make compliance a priority, including a clear focus on identity and access management.
The clock is ticking. The European Union’s updated Network and Information Systems directive (NIS2) became law on 16 January, with EU member states required to implement the new legislation by October 2024. That puts significant pressure on business leaders and executives such as chief information security officers (CISOs) to plan for compliance.
With the original NIS legislation having been in place since 2016, some organizations may be tempted to take a relaxed view about NIS2; they may feel very comfortable with how the legislation works. However, that would be a mistake – there are five key reasons why all organizations need to make it a clear priority to prepare for NIS2 right now, whether or not they are used operating within the existing legislation:
1. Personal Liability
One big change in NIS2 compared to the original NIS is that regulators will have powers to hold individual executives personally liable for failures and breaches. Penalties will potentially include temporary bans on individuals’ ability to act as a manager. NIS2 suggests this personal liability will extend to members of “management bodies”; in practice, these individuals will be defined by the member states’ interpretation of the law, but are likely to include board members and other leading executives.
Moreover, even where practitioners such as CISOs are not personally liable, they can expect to be asked demanding questions by executives concerned about being held accountable. Identity and access management (IAM) will be a key part of the conversation – they will expect to see robust access controls and user authentication measures, for example. iC Consult is already working with its partner ForgeRock to ensure organizations are fully compliant in these areas.
2. Corporate Penalties
Organizations that fall foul of NIS2 can expect to face significant penalties. The new directive sets out substantial fines for wrongdoing: organizations defined as “essential entities” can be fined up to €10m or 2% of their global turnover (whichever is higher); for those defined as “important entities”, the potential penalties are up to €7m or 1.4% of global turnover.
Note that these are the minimum penalties required by the EU – individual member states may set much higher fines. And while not every transgression will incur the maximum penalty, regulators are likely to take a tough line on basic IAM failures.
3. Extended Reach
The new legislation hugely expands the scope of the NIS regulation. Whole new sectors not previously caught by the legislation, from chemicals manufacturers to food processors and social network providers will now have to comply. Organizations in scope are split into essential entities – typically those in key infrastructure sectors – and important entities – a range of other organizations. But importantly, both types of entities must meet very similar regulatory requirements, including on IAM. Essentially entities will face tougher enforcement and oversight obligations.
As a result, businesses across these sectors will need to thoroughly review and, likely, enhance their cybersecurity and risk management strategies. Furthermore, this extended reach underscores the government’s commitment to ensure robust cybersecurity across all significant industries, highlighting the critical nature of securing operational and informational technology networks in our increasingly digital world.
4. Increased Requirements
Even those organizations previously caught by NIS cannot afford to relax. NIS2 imposes a raft of new requirements and responsibilities with which they will need to comply. These include a new duty to implement baseline security measures to address specific risks. IAM measures will be core here; for example, organizations will be expected to introduce safeguards such as multi-factor authentication and role-based access controls across consumer and workforce access journeys.
5. Tougher Supply Chain Rules
NIS2 introduces a range of new measures that will require in-scope organizations to ensure the security of their supply chains, including third-party suppliers and contractors. As a result, even organizations not covered by the legislation will need to understand how it affects them – and be ready to field inquiries and demands from their customers.
The Race to NIS2 Compliance: Amplifying IAM Systems in Response to Rising Cyber Attacks
The bottom line is that every organization now needs to push NIS2 compliance to the top of their agenda. A practical first step is to undertake a thorough assessment of your existing systems and processes in order to identify potential gaps in your capability, including a particular focus on IAM.
Areas including access control, authentication, monitoring, access auditing and incident response will all be important. Then, with a clear idea of where your potential vulnerabilities lie, you can develop and implement a plan for closing the gaps, with third-party assistance if required. The ForgeRock 2023 Identity Breach Report found that in Germany alone, there were over 62.9 million breaches exposing user credentials in 2022. iC Consult and ForgeRock
work closely with clients to develop clear roadmaps for transitioning to a stronger and state-of-the-art IAM solution.
Finally, it’s important to recognize that while new legislation imposes a regulatory deadline for improving security and resilience, the more pressing imperative is the mounting threat level. The growing number of attacks on key organizations and the potential for disaster in sensitive areas such as energy, utilities and financial services is a clear and present danger. The ForgeRock 2023 Identity Breach report recently found that organizations have seen a
233% increase in breaches exposing user credentials vs. 2021.
From an IAM perspective, it is vital that this area is not a weak link in the chain. Even organizations with the most robust cybersecurity protections in place risk being seriously compromised if attackers are able to take control by seizing the identity and access privileges of an insider.
