IS Decisions logo

Achieve NIS2 Directive Compliance

The EU’s second Network and Information Security Directive (NIS2) aims to improve cybersecurity resilience across European Union organizations.

The EU’s second Network and Information Security Directive (NIS2) aims to improve cybersecurity resilience across European Union organizations. The EU cyber legislation seeks to standardize cybersecurity risk management and incident reporting in response to increasingly clever cyber-attacks on organizations in critical sectors.

IS Decisions solutions, UserLock and FileAudit, help in-scope organizations comply with NIS2 requirements thanks to effective access security, auditing, and reporting that touch each of the 10 NIS2 requirements.

What is the NIS2 Directive?

The NIS2 Directive represents a substantial evolution in EU cybersecurity legislation, significantly expanding on the NIS1 Directive published in 2016. This updated framework seeks to push more EU organizations in critical sectors to implement cybersecurity best practices.

Key changes in the NIS2 update include:

  • Broader scope: NIS2 expands the scope of compliance to more industry sectors and digital service providers.

  • Clear size thresholds: Unlike NIS1, NIS2 introduces a clear size threshold rule. This change brings medium- and large-sized companies in select sectors within the directive's scope, ensuring more comprehensive coverage of critical infrastructure.

  • Significant penalties for non-compliance: The NIS2 Directive introduces more stringent enforcement measures. Entities found non-compliant could face administrative fines of up to 10 million euros or 2% of the company's annual global revenue, whichever is higher. This is a big increase in potential penalties compared to NIS1.

  • More management accountability: NIS2 places more responsibility on upper management. If a company fails to comply with the directive, individuals at the C-level can personally be held liable for gross negligence. This change aims to ensure cybersecurity is prioritized at the highest levels of the organization.

  • New entity classifications: NIS2 revises the classification of organizations, introducing "essential" and "important" entities instead of the previous "operators of essential services" (OES) and "digital service providers" (DSP) categories used in NIS1. This reclassification reflects a more nuanced approach to assessing how critical an organization is to the EU's economy and society.

  • Greater focus on supply chain security: NIS2 emphasizes securing the entire supply chain, recognizing the interconnected nature of and evolving threats to modern digital ecosystems.

  • Streamlined incident reporting: The directive aims to lessen complexity and introduce more precise provisions on the incident reporting processes, addressing some of the challenges faced under NIS1.

For organizations with on-premise or hybrid Active Directory security setups, these changes require a thorough review and potential overhaul of existing security practices.

The directive's increased focus on strong identity access management (IAM) makes Active Directory a critical compliance point. Implementing robust MFA and access control measures to meet NIS2 Directive requirements demands careful attention from IT leaders charged with compliance.

Who needs to comply with NIS2?

NIS2 covers entities across critical sectors that are vital for Europe's economy and society and that rely heavily on Information and Communication Technologies (ICTs).

These sectors include:

  • Energy (e.g., electricity providers, oil and gas companies)

  • Transport (including air, rail, water, and road transport operators)

  • Water (such as drinking water suppliers and distributors)

  • Banking (including credit institutions)

  • Financial market infrastructures (like stock exchanges)

  • Healthcare (hospitals and other healthcare providers)

  • Digital infrastructure (internet exchange points, DNS service providers)

NIS2 compliance deadline: When does NIS2 come into effect?

The EU formally adopted NIS2 in 2022, and EU member states had until October 17, 2024 to transpose NIS2 requirements into national law. Organizations that fall under the scope of NIS2 must comply with the requirements by the time the directive becomes enforceable in their respective countries. In-scope organizations must assess their compliance posture and implement security measures to meet the new requirements before their country’s enforcement deadline.

In France, for example, the National Cybersecurity Agency (ANSSI) has put together information on NIS2 compliance in France.

What are the consequences of non-compliance?

There are teeth behind NIS2 compliance requirements. Penalties for non-compliance may include fines of up to 10 million euros, business suspension, and possibly even jail time for management found in violation. Each member state will establish penalties based on the severity of the breach or failure to comply with specific requirements.

In addition to NIS2 penalties, organizations may face reputational damage, loss of customer trust, and increased scrutiny from regulatory bodies.

How IS Decisions supports NIS2 compliance

Article 21, section 2 outlines 10 minimum security measures aimed at “protecting network and information systems and the physical environment of those systems from incidents.”

Below, we outline how IS Decisions solutions help organizations meet these 10 key requirements.

Mesures de sécurité de base du NIS2

Solution IS Decisions

Fonctionnalité

Politiques en matière d'analyse des risques et de sécurité des systèmes d'information

UserLock

Contrôlez les politiques d'accès de manière centralisée et surveillez l'activité pour évaluer et atténuer les risques de sécurité.

Gestion des incidents

UserLock

FileAudit

Définissez des alertes en temps réel en cas d'activité d'accès suspecte, identifiez rapidement les incidents et répondez-y.

Auditez et établissez des rapports sur les journaux détaillés d'accès et d'activité du système et des données, afin de garantir l'efficacité des enquêtes judiciaires et des interventions en cas d'incident.


La continuité des activités, telle que la gestion des sauvegardes et la reprise après sinistre, et la gestion de crise


UserLock

FileAudit

Surveillez l'accès des utilisateurs aux systèmes et aux fichiers grâce à des journaux détaillés des accès et des activités des utilisateurs, afin de garantir l'intégrité des données et de permettre une gestion efficace des crises.

La sécurité de la chaîne d'approvisionnement, y compris les aspects liés à la sécurité des relations entre chaque entité et ses fournisseurs directs ou ses prestataires de services

UserLock

Contrôlez l'accès des entités tierces, en veillant à ce que seuls les utilisateurs autorisés accèdent à des systèmes et ressources spécifiques.

Sécurité dans l'acquisition, le développement et la maintenance des réseaux et des systèmes d'information, y compris le traitement et la divulgation des vulnérabilités

FileAudit

Auditez l'accès des utilisateurs aux services, fichiers et dossiers sur site et dans le cloud pour permettre un développement et une maintenance sécurisés du système.

Politiques et procédures visant à évaluer l'efficacité des mesures de gestion des risques liés à la cybersécurité

UserLock

FileAudit

Générez des rapports sur tous les événements d'accès des utilisateurs et des fichiers pour mieux évaluer et vérifier l'efficacité des mesures de cybersécurité, offrant ainsi une visibilité pour l'évaluation des risques.

Pratiques de base en matière d'hygiène cybernétique et formation à la cybersécurité

UserLock

Mettez en œuvre des mesures de contrôle d'accès basées sur les rôles et le contexte pour s'assurer que les utilisateurs respectent les politiques de sécurité, en soutenant des initiatives plus larges de cyber-hygiène.

Politiques et procédures relatives à l'utilisation de la cryptographie et, le cas échéant, du chiffrement

UserLock

Renforcez le cryptage des données en transit en contrôlant l'accès et en sécurisant les sessions des utilisateurs.

Sécurité des ressources humaines, politiques de contrôle d'accès et gestion des actifs

UserLock

Gérez l'accès des employés et des sous-traitants à l'aide de politiques de contrôle d'accès basées sur des facteurs tels que le rôle, le temps d'accès (heures de travail), le lieu et le type de session.

L'utilisation de solutions d'authentification multifacteur ou d'authentification continue, de communications vocales, vidéo et textuelles sécurisées et de systèmes de communication d'urgence sécurisés au sein de l'entité, le cas échéant.

UserLock

Déployez l'authentification multifacteur (MFA) pour tous les utilisateurs, en vérifiant les identités Active Directory sur site avec un deuxième facteur pour mieux garantir la sécurité de l'accès.

Demonstrate real-time visibility on user access to systems and sensitive data

In Article 21, section 2(a), NIS2 requires policies on risk analysis and information system security. Both UserLock and FileAudit help you demonstrate that you have such policies in place.

UserLock helps you identify and analyze potential access security risks in three main ways:

  • Real-time visibility across all Active Directory identity access (or access attempts)

  • Risk-detection and monitoring of all access to network and SaaS resources

  • Auditing and reporting to show you have implemented risk analysis and IT security policies.

Let’s start with the first point: real-time visibility. Before you can do any risk analysis or assessment, you need visibility on relevant data. UserLock delivers real-time visibility across all access (and attempted access) to your systems.

UserLock web app

UserLock audits and saves all user session activities on protected machines (machines where the UserLock agent is deployed) in the UserLock database. UserLock reports are drawn from this database.

Store events database

UserLock also allows for real-time monitoring of all access events, so you can immediately respond to risky behavior.

UserLock also allows you to audit all attempted and successful access to your systems, with filterable and searchable reports from a single dashboard. You can schedule custom or predefined reports, and even send them directly from the console.

This visibility alongside comprehensive auditing and reporting helps you prove that only authorized users get access to your system.

FileAudit complements this with visibility on file access events across Windows file servers and cloud storage. Together, UserLock and FileAudit deliver visibility and monitoring of user access to systems, files, and folders.

Prove you can detect and react to risks

NIS2 also underlines the importance of strong crisis management and incident handling. UserLock and FileAudit both allow administrators to set up alerts on suspicious activity, so you can quickly identify and respond to incidents.

Alert on and react to suspicious user access to the network

UserLock can apply customized login restrictions, including limits to the number of unsuccessful login attempts allowed. Any logon attempts that don’t satisfy these conditions are automatically blocked.

UserLock’s real-time monitoring includes a risk indicator, “User status” that shows three levels: high risk, risk, unprotected, protected, or new user. By default, UserLock will consider a user high risk and block the account after 5 denied logons in less than 30 minutes. Administrators can adjust these settings according to organizational security policy.

User status risk indicator

UserLock also allows you to audit and report on detailed logs of all Active Directory identity access, which helps you more easily detect and react to threats, and perform IT forensics faster.

Alert on and react to suspicious file or folder access events

FileAudit allows administrators to set up alerts on the copy, deletion or movement of bulk files. Once you’ve set up these alerts, you can run PowerShell scripts (your own, or FileAudit’s predefined scripts) to automate responses if certain alerts are triggered.

The most common scenario here is preventing a ransomware attack. FileAudit allows you to first set up alerts on mass read, write, and delete events. You can then run a PowerShell script that detects when there are consecutive mass read, write, and delete events, and automatically log out the user responsible for these events, effectively stopping a ransomware attack before it starts.

Demonstrate secure auditing of user access events

In addition to visibility and threat detection, UserLock and FileAudit each offer a centralized, searchable dashboard that serves as a single source of truth for auditing on user access.

Audit user access to Active Directory and cloud resources

UserLock monitors, records and reports on every user connection event and logon attempt to a Windows domain network.

Report event timeline

With UserLock’s comprehensive event logs, administrators can audit user access events, making users accountable for any activity and demonstrating strong access security policies.

Audit user access to files and folders

FileAudit’s centralized audit logs also ensure you can quickly identify who did what, when, and from where to files across your Windows file servers and cloud storage.

FileAudit’s audit logs track user access across Windows file folders, servers, and cloud storage.

fileaudit activity file

Support reporting requirements

Both UserLock and FileAudit support reporting requirements on user access events to help meet NIS2 reporting requirements. Both solutions allow you to schedule reports, and even automate emails from the dashboard to send reports to fulfil incident reporting requirements.

Report on user access to systems and resources

With UserLock, administrators can create custom reports or choose from report templates currently available in the UserLock dashboard. These reports can be pre-programmed to send automatically from the UserLock dashboard to specified recipients, such as the CIO or ASD.

Administrators can also record and report on all privileged access, account, and group management events. The administrator actions report also allows organizations to quickly view and report on all administrator account actions.

Report on user access to files and folders

FileAudit gives you full reporting on who accessed (or attempted to access) a file, what they did, when they did it, and from where.

access reporting

Control under what circumstances authorized users can access your network

UserLock also allows IT administrators to set granular, contextual access restrictions based on factors like IP address, time, machine, session type, or geolocation.

Geolocation restriction settings:

Geolocation restrictions

Time and working hour restrictions:

Hour restrictions maximum locked time

UserLock also allows admins to limit the number of concurrent sessions allowed.

Concurrent session limits

Implement and report on MFA

UserLock makes it easy to verify the identity of all Active Directory accounts, whether privileged or non-privileged, and secure access to your network with multifactor authentication (MFA) on Windows logon, RDP and VPN connections.

With UserLock, you can authenticate your Active Directory user accounts’ access to your organization’s sensitive and non-sensitive data stored in cloud apps. UserLock combines MFA and single sign-on (SSO) to authenticate your Active Directory users’ access to online services and applications such as Microsoft 365, Google Workspace, Salesforce, Dropbox, and other SAML-based cloud apps.

Administrators can choose how and when to require MFA.

There are two edit modes available for modifying the MFA settings. Make sure to read the documentation for the use case for each type of session to ensure users will receive an MFA prompt.

  • All session types at once: By selecting this option, you can apply the same policy for all session types protected by UserLock.

  • By session type: Select this option to apply different MFA policies for each session type.

MFA enabled session type

You can also apply MFA by connection type.

MFA connection types

For each session type, you can choose how often to prompt your users with MFA.

MFA frequency

MFA for privileged and unprivileged users

NIS2 requires MFA across both unprivileged and privileged users of network systems, such as Active Directory.

UserLock’s straightforward, effective MFA verifies identity across all Active Directory accounts, whether privileged or non-privileged. This allows your organization to properly apply the principle of least privilege, which is key to lowering security risk as well as a cornerstone of zero trust architecture.

MFA reporting

UserLock’s MFA event reports provide a complete log of all events related to which users are prompted for MFA upon logon, including details on whether or not MFA was completed successfully or not.

With UserLock, administrators monitor and report on all multi-factor events from Internet or non-Internet-facing servers and workstations. Administrators can set up alerts for certain event types, such as MFA denials, or MFA prompts outside of working hours, so they can quickly detect potential threats.