NIS2 Directive and Identity Governance

The NIS2 Directive of the European Union aims to raise the level of cybersecurity in crucial sectors of industry and government. The directive introduces cybersecurity requirements that are expected to be applied consistently across the EU. The directive touches on many areas of cybersecurity, including identity governance and administration.

Directive (EU) 2022/2555 of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, known as the NIS2 Directive for short, mandates sound cybersecurity practices for crucial organizations, such as public administration, energy, finance, healthcare, infrastructure, and many others. Affected organizations are expected to establish risk management practices, implement business continuity measures, and report cybersecurity incidents. It is a part of the broader cybersecurity initiative of the European Union.

NIS2 is not groundbreaking regulation per se; it is rather an evolution. It is the successor to the NIS Directive enacted in 2016. “NIS” stands for “Network and Information Systems”, which was the focus of the original NIS Directive. NIS2 goes beyond that, expecting the implementation of a comprehensive set of practices and measures for a risk-based approach to cybersecurity. NIS2 expects a systematic, consistent, and proportionate cybersecurity program based on industry best practices and international standards. NIS2 is a far-reaching directive, affecting many sectors. Sanctions are substantial, including corporate accountability with personal responsibility of the management. Unlike the original NIS Directive, which was applied inconsistently across the Union, NIS2 is expected to affect many organizations in all EU member states. The legislative effects mandated by NIS2 must be applied by October 2024.

Being a legislative act, NIS2 is not very specific when it comes to technical details. The only “technical” description in the normative part of the directive is Article 21, which lists 10 points mentioning cybersecurity measures to implement. It is not much to work with. However, the directive repeatedly refers to best practices and international standards. The ISO/IEC 27000 series is explicitly mentioned in Recital 79, which is quite a natural choice. NIS2 is a directive, therefore it has to be transposed into national law. National transpositions are expected to fill in more details, adhering to international standards as suggested by the directive. Overall, the NIS2 Directive dictates what to implement, while the standards provide guidance on how to implement it.

Even though the normative part of the NIS2 Directive is technologically vague, there are some interesting details in the recitals. Recital 51 encourages the use of innovative technologies, including AI. Recital 52 endorses the use of open source technologies. Even more interestingly, Recital 89 explicitly mentions identity and access management (IAM).

It is not very common for a specific technology to be mentioned in a legislative act. This is likely to be further emphasized in national transpositions of the NIS2 Directive, as we can see in the Czech transposition, which is already available. Indeed, identity governance and administration (IGA) is going to play a crucial part in NIS2 compliance. This can be illustrated with ISO 27001 compliance, in which IGA takes part in approximately 57 out of 93 controls defined in the standard. It is very unlikely that any medium-sized or large organization could be NIS2 compliant without an IGA platform in place.

There is no cybersecurity without identity management. This has been clear to identity professionals for a very long time. However, IGA has grown to be much more than identity management. The identity governance part of IGA is focused on the policies and methods that have a direct impact on all the layers of cybersecurity management. An IGA platform can implement access control policies, identify policy violations, conduct regular access reviews, maintain data ownership, manage information assets, support information classification, and even provide risk management information. An IGA platform can easily implement methods that were unreachable just a couple of years ago. It makes compliance feasible even for organizations with smaller cybersecurity teams, as it provides substantial automation. Automation built into an IGA platform can replace hundreds of spreadsheets that require the meticulous work of several experts and many business managers to maintain.

Identity governance systems are built to support cybersecurity – not just on a technical level, but also on a business level. Cybersecurity automation at policy and organizational levels is crucial for compliance, and that is the functionality an IGA platform can provide. IGA makes compliance feasible and sustainable for a broad range of organizations affected by legislation such as the NIS2 Directive.
