The EU’s second Network and Information Security Directive (NIS2) aims to improve cybersecurity resilience across European Union organizations. The EU cyber legislation seeks to standardize cybersecurity risk management and incident reporting in response to increasingly clever cyber-attacks on organizations in critical sectors.
IS Decisions solutions, UserLock and FileAudit, help in-scope organizations comply with NIS2 requirements thanks to effective access security, auditing, and reporting that touch each of the 10 NIS2 requirements.
What is the NIS2 Directive?
The NIS2 Directive represents a substantial evolution in EU cybersecurity legislation, significantly expanding on the NIS1 Directive published in 2016. This updated framework seeks to push more EU organizations in critical sectors to implement cybersecurity best practices.
Key changes in the NIS2 update include:
- Broader scope: NIS2 expands the scope of compliance to more industry sectors and digital service providers.
- Clear size thresholds: Unlike NIS1, NIS2 introduces a clear size threshold rule. This change brings medium- and large-sized companies in select sectors within the directive's scope, ensuring more comprehensive coverage of critical infrastructure.
- Significant penalties for non-compliance: The NIS2 Directive introduces more stringent enforcement measures. Entities found non-compliant could face administrative fines of up to 10 million euros or 2% of the company's annual global revenue, whichever is higher. This is a big increase in potential penalties compared to NIS1.
- More management accountability: NIS2 places more responsibility on upper management. If a company fails to comply with the directive, individuals at the C-level can personally be held liable for gross negligence. This change aims to ensure cybersecurity is prioritized at the highest levels of the organization.
- New entity classifications: NIS2 revises the classification of organizations, introducing "essential" and "important" entities instead of the previous "operators of essential services" (OES) and "digital service providers" (DSP) categories used in NIS1. This reclassification reflects a more nuanced approach to assessing how critical an organization is to the EU's economy and society.
- Greater focus on supply chain security: NIS2 emphasizes securing the entire supply chain, recognizing the interconnected nature of and evolving threats to modern digital ecosystems.
- Streamlined incident reporting: The directive aims to lessen complexity and introduce more precise provisions on the incident reporting processes, addressing some of the challenges faced under NIS1.
For organizations with on-premise or hybrid Active Directory security setups, these changes require a thorough review and potential overhaul of existing security practices.
The directive's increased focus on strong identity access management (IAM) makes Active Directory a critical compliance point. Implementing robust MFA and access control measures to meet NIS2 Directive requirements demands careful attention from IT leaders charged with compliance.
Who needs to comply with NIS2?
NIS2 covers entities across critical sectors that are vital for Europe's economy and society and that rely heavily on Information and Communication Technologies (ICTs).
These sectors include:
- Energy (e.g., electricity providers, oil and gas companies)
- Transport (including air, rail, water, and road transport operators)
- Water (such as drinking water suppliers and distributors)
- Banking (including credit institutions)
- Financial market infrastructures (like stock exchanges)
- Healthcare (hospitals and other healthcare providers)
- Digital infrastructure (internet exchange points, DNS service providers)
NIS2 compliance deadline: When does NIS2 come into effect?
The EU formally adopted NIS2 in 2022, and EU member states had until October 17, 2024 to transpose NIS2 requirements into national law. Organizations that fall under the scope of NIS2 must comply with the requirements by the time the directive becomes enforceable in their respective countries. In-scope organizations must assess their compliance posture and implement security measures to meet the new requirements before their country’s enforcement deadline.
In France, for example, the National Cybersecurity Agency (ANSSI) has put together information on NIS2 compliance in France.
What are the consequences of non-compliance?
There are teeth behind NIS2 compliance requirements. Penalties for non-compliance may include fines of up to 10 million euros, business suspension, and possibly even jail time for management found in violation. Each member state will establish penalties based on the severity of the breach or failure to comply with specific requirements.
In addition to NIS2 penalties, organizations may face reputational damage, loss of customer trust, and increased scrutiny from regulatory bodies.
How IS Decisions supports NIS2 compliance
Article 21, section 2 outlines 10 minimum security measures aimed at “protecting network and information systems and the physical environment of those systems from incidents.”
Below, we outline how IS Decisions solutions help organizations meet these 10 key requirements.
NIS2 Baseline Security Measures
Policies on risk analysis and information system security
Control access policies centrally and monitor activity to assess and mitigate security risks.
Incident handling
Set up real-time alerts on suspicious access activity and quickly identify and respond to incidents. Audit and report on detailed logs of system and data access and activity, ensuring efficient forensic investigation and incident response.
Business continuity, such as backup management and disaster recovery, and crisis management
Monitor user access to systems and files thanks to detailed user access and activity logs to ensure data integrity and enable effective crisis management.
Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers
Control access for third-party entities, ensuring only authorized users access specific systems and resources.
Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
Audit user access to on-premise and cloud services, files, and folders to enable secure system development and maintenance.
Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
Generate reports on all user access events and file access events to better assess and verify the effectiveness of cybersecurity measures, providing visibility for risk assessment.
Basic cyber hygiene practices and cybersecurity training
Implement role-based and contextual access control measures to ensure users adhere to security policies, supporting broader cyber hygiene initiatives.
Policies and procedures regarding the use of cryptography and, where appropriate, encryption
Enforce encryption of data in transit by controlling access and securing user sessions.
Human resources security, access control policies, and asset management
Manage employee and contractor access with access control policies based on factors like role, time of access (working hours), location, and session type.
The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.
Deploy multi-factor authentication (MFA) across all users, verifying on-premise Active Directory identities with a second factor to better ensure secure access.
Demonstrate real-time visibility on user access to systems and sensitive data
In Article 21, section 2(a), NIS2 requires policies on risk analysis and information system security. Both UserLock and FileAudit help you demonstrate that you have such policies in place.
UserLock helps you identify and analyze potential access security risks in three main ways:
- Real-time visibility across all Active Directory identity access (or access attempts)
- Risk-detection and monitoring of all access to network and SaaS resources
- Auditing and reporting to show you have implemented risk analysis and IT security policies.
Let’s start with the first point: real-time visibility. Before you can do any risk analysis or assessment, you need visibility on relevant data. UserLock delivers real-time visibility across all access (and attempted access) to your systems.
UserLock audits and saves all user session activities on protected machines (machines where the UserLock agent is deployed) in the UserLock database. UserLock reports are drawn from this database.
UserLock also allows for real-time monitoring of all access events, so you can immediately respond to risky behavior.
UserLock also allows you to audit all attempted and successful access to your systems, with filterable and searchable reports from a single dashboard. You can schedule custom or predefined reports, and even send them directly from the console.
This visibility alongside comprehensive auditing and reporting helps you prove that only authorized users get access to your system.
FileAudit complements this with visibility on file access events across Windows file servers and cloud storage. Together, UserLock and FileAudit deliver visibility and monitoring of user access to systems, files, and folders.
Prove you can detect and react to risks
NIS2 also underlines the importance of strong crisis management and incident handling. UserLock and FileAudit both allow administrators to set up alerts on suspicious activity, so you can quickly identify and respond to incidents.
Alert on and react to suspicious user access to the network
UserLock can apply customized login restrictions, including limits to the number of unsuccessful login attempts allowed. Any logon attempts that don’t satisfy these conditions are automatically blocked.
UserLock’s real-time monitoring includes a risk indicator, “User status” that shows three levels: high risk, risk, unprotected, protected, or new user. By default, UserLock will consider a user high risk and block the account after 5 denied logons in less than 30 minutes. Administrators can adjust these settings according to organizational security policy.
UserLock also allows you to audit and report on detailed logs of all Active Directory identity access, which helps you more easily detect and react to threats, and perform IT forensics faster.
Alert on and react to suspicious file or folder access events
FileAudit allows administrators to set up alerts on the copy, deletion or movement of bulk files. Once you’ve set up these alerts, you can run PowerShell scripts (your own, or FileAudit’s predefined scripts) to automate responses if certain alerts are triggered.
The most common scenario here is preventing a ransomware attack. FileAudit allows you to first set up alerts on mass read, write, and delete events. You can then run a PowerShell script that detects when there are consecutive mass read, write, and delete events, and automatically log out the user responsible for these events, effectively stopping a ransomware attack before it starts.
Demonstrate secure auditing of user access events
In addition to visibility and threat detection, UserLock and FileAudit each offer a centralized, searchable dashboard that serves as a single source of truth for auditing on user access.
Audit user access to Active Directory and cloud resources
UserLock monitors, records and reports on every user connection event and logon attempt to a Windows domain network.
With UserLock’s comprehensive event logs, administrators can audit user access events, making users accountable for any activity and demonstrating strong access security policies.
Audit user access to files and folders
FileAudit’s centralized audit logs also ensure you can quickly identify who did what, when, and from where to files across your Windows file servers and cloud storage.
FileAudit’s audit logs track user access across Windows file folders, servers, and cloud storage.
Support reporting requirements
Both UserLock and FileAudit support reporting requirements on user access events to help meet NIS2 reporting requirements. Both solutions allow you to schedule reports, and even automate emails from the dashboard to send reports to fulfil incident reporting requirements.
Report on user access to systems and resources
With UserLock, administrators can create custom reports or choose from report templates currently available in the UserLock dashboard. These reports can be pre-programmed to send automatically from the UserLock dashboard to specified recipients, such as the CIO or ASD.
Administrators can also record and report on all privileged access, account, and group management events. The administrator actions report also allows organizations to quickly view and report on all administrator account actions.
Report on user access to files and folders
FileAudit gives you full reporting on who accessed (or attempted to access) a file, what they did, when they did it, and from where.
Control under what circumstances authorized users can access your network
UserLock also allows IT administrators to set granular, contextual access restrictions based on factors like IP address, time, machine, session type, or geolocation.
Geolocation restriction settings:
Time and working hour restrictions:
UserLock also allows admins to limit the number of concurrent sessions allowed.
Implement and report on MFA
UserLock makes it easy to verify the identity of all Active Directory accounts, whether privileged or non-privileged, and secure access to your network with multifactor authentication (MFA) on Windows logon, RDP and VPN connections.
With UserLock, you can authenticate your Active Directory user accounts’ access to your organization’s sensitive and non-sensitive data stored in cloud apps. UserLock combines MFA and single sign-on (SSO) to authenticate your Active Directory users’ access to online services and applications such as Microsoft 365, Google Workspace, Salesforce, Dropbox, and other SAML-based cloud apps.
Administrators can choose how and when to require MFA.
There are two edit modes available for modifying the MFA settings. Make sure to read the documentation for the use case for each type of session to ensure users will receive an MFA prompt.
- All session types at once: By selecting this option, you can apply the same policy for all session types protected by UserLock.
- By session type: Select this option to apply different MFA policies for each session type.
You can also apply MFA by connection type.
For each session type, you can choose how often to prompt your users with MFA.
MFA for privileged and unprivileged users
NIS2 requires MFA across both unprivileged and privileged users of network systems, such as Active Directory.
UserLock’s straightforward, effective MFA verifies identity across all Active Directory accounts, whether privileged or non-privileged. This allows your organization to properly apply the principle of least privilege, which is key to lowering security risk as well as a cornerstone of zero trust architecture.
MFA reporting
UserLock’s MFA event reports provide a complete log of all events related to which users are prompted for MFA upon logon, including details on whether or not MFA was completed successfully or not.
With UserLock, administrators monitor and report on all multi-factor events from Internet or non-Internet-facing servers and workstations. Administrators can set up alerts for certain event types, such as MFA denials, or MFA prompts outside of working hours, so they can quickly detect potential threats.