Skip to Main Content

Pillars of the NIS2 Directive: Recommended risk management measures 

Authored by Sebastien Lelarge, Sales Engineer

The EU’s NIS2 came into effect in December 2022, with member states given until October 2024 to adopt the new regulation.  

But what does this really mean? 

It means that businesses must prioritize compliance to safeguard against cyber threats.  

The original NIS Regulations apply to organizations providing essential services and digital service providers. Cyber risks have increased due to the reliance on digital services and complex supply chains. The updated NIS2 directive should be integrated into business models and risk management strategies. 

But companies eligible for NIS2 can easily be lost with how to approach compliance to this new regulation. The directive as it exists today already lists 10 major pillars to address cyber risk. In a Navigate 2023 session in London, I discussed how identity security is a significant component on the path to NIS2 compliance, what needs to be covered in the NIS2 pillars, and shared the main measures that can be taken to address them, starting now. 

Identity security helps to address 50% of the NIS2 pillars 
For starters, in its article 21, the directive introduces 10 recommended areas (pillars) which organizations must focus on to address cybersecurity risks. Identity security massively contributes to compliance with five of these areas which are:  

  • Policies on risk analysis and information system security 
  • Supply chain security 
  • Policies and procedures to assess effectiveness of cybersecurity risk management measures 
  • Basic cyber hygiene practices and cybersecurity training 
  • HR Security, access control policies and asset management 

Identity security plays a critical role at various levels of a company’s cybersecurity strategy 
For example, the information system security policy must include rules relating to identities, such as the usage of named accounts versus generic accounts, the control of privileged accounts, the enforcement of of least privilege or zero trust, or the proactive identification of people with risky access who represent a threat to the company. The segregation of duties (aka SOD) also plays a key role in controlling and preventing business risks. All these elements are addressed by identity security. 

It is also necessary to measure the effectiveness of these rules in terms of risk reduction. In particular, identity security provides visibility into the reality of IT accesses, as well as the tools to detect and correct deviations from policies. 

Identity security has a stronger focus in the new NIS directive  
Although it is not specifically mentioned in the directive, identity security is the non-disputable foundation of NIS2. Companies can achieve NIS2 compliance only by proving that they are in control of IT Access for all identities. We saw huge efforts made in a response to the previous version of NIS with most companies implementing access management solutions including MFA features. However, now, it’s time to have a wider approach that puts the focus on identity. 

Securing the supply chain is critical  
Another important aspect of NIS2 is supply chain security. Companies are increasingly targeted indirectly through attacks on non-employee identities such as suppliers, vendors, partners, contractors and more. As recent history has shown, a successful attack on a supplier can lead to the company itself being compromised, and in some cases, not able to operate. This type of attack on the supply chain is 40% more frequent than malware or ransomware attacks and must be taken very seriously. It is crucial to govern and secure all identities including the identities of service providers, suppliers, consultants or partners, and ensure that they have only access to the right resources at the right time. 

Visibility into the identity security posture is essential to drive appropriate remediation actions 
SailPoint Identity Security Cloud provides near real-time visibility into user access. This makes it possible to produce advanced identity security posture indicators on accounts without owners, shared accounts, accounts not disabled, accounts with high privileges, unused rights and accumulations of access rights that are toxic for the company’s business. These indicators can pinpoint high-risk situations and prioritize remediation actions. On top of that, by leveraging AI we can provide additional insights and specific suggestions for remediation. As a result, response times are greatly improved, and the overall level of security is greater. Knowing the reality of accesses means making better IT security decisions. 

Ready to learn more? Check out these additional resources: