The impact of NIS2 on digital identities: a comprehensive analysis

Contents

• Which sectors are covered by the NIS2 Directive?
• What changes will NIS2 bring?
• What is the impact of NIS2 on digital identities?
• There is a big difference between internal and external identities
• Managing internal and external identities
• Secure and efficient management = easier NIS2 compliance
• How does iD Veritas help?

The NIS2 Directive will apply in the Netherlands from the end of 2024 and is the second version of the NIS Directive, which was the European Union’s first cybersecurity directive. To remove ambiguities and broaden its scope, the revised directive covers a wider range of sectors and provides guidance for consistent implementation across EU member states.

The NIS2 Directive applies to organisations that are considered ‘essential’ or ‘important’ in all EU member states, and its main purpose is to protect both European organisations and citizens.

The NIS2 Directive introduces a standardised set of cybersecurity requirements across all EU member states, highlights best practices, imposes strict incident reporting obligations, and introduces enforcement and sanctioning measures. It also requires the establishment of a European programme for cooperation and vulnerability sharing.

The NIS2 Directive makes organisations responsible for:

• carrying out comprehensive cybersecurity risk assessments;
• implementing technical and organisational security measures;
• managing risk effectively; and
• supporting cybersecurity through training and risk management initiatives.

It is important to note that the NIS2 guidance does not explicitly prescribe specific technological changes. Instead, it outlines concepts and best practices to improve an organisation’s security posture.

Which sectors are covered by the NIS2 Directive?

The NIS2 Directive applies to organisations classified as medium or large according to EU standards (i.e. organisations that have more than 50 employees and/or generate more than €10 million in revenue per year). However, these criteria do not apply to organisations that:

• are designated as critical infrastructure;
• provide public services (e.g. electronic communications networks);
• provide a service the disruption of which could affect public safety, security, health or cause systemic risks; and
• are the sole providers of a service to a government;

Organisations, companies and suppliers required to comply with the NIS2 Directive are divided into two categories: essential and important. This is an important distinction in the NIS2 Directive, as there are different requirements for each category, depending on the products and services provided to EU Member States and the impact of an incident on their supply. Some of the sectors identified as essential entities (EE) under the NIS2 Directive are:

• Aerospace
• Banking and financial market infrastructure
• Digital infrastructure
• Drinking water supply
• Energy
• Healthcare
• ICT (information and communication technology) service management
• Managed service providers
• Public sector (central and regional level)
• Transport
• Wastewater management

Some of the sectors identified as important entities (IE) under the NIS2 Directive are:

• Digital service providers (e.g. search engines, social networking platforms)
• Food manufacturers, processors and distributors
• Medical device manufacturers
• Postal and courier services
• Chemical producers, processors and distributors
• Research
• Waste management

What changes will NIS2 bring?

In addition to a wider and more detailed scope (see above), NIS2 will bring the following changes/upgrades (compared to the original NIS):

1. NIS2 security requirements
   NIS2 provides a framework for enhanced security requirements. The ability to tailor compliance with these requirements has been removed – too much flexibility in the original NIS led to vulnerabilities. Under NIS2, this is a thing of the past. It clearly sets out the rules that everyone must follow.
   
   It requires the following areas to be addressed:
   • Risk assessment and management
   • Cybersecurity training
   • Security policy
   • Crisis management
   • Supply chain security
   • Vulnerability and incident handling and reporting
   • Data encryption
     
     
2. Improved enforcement
   A more comprehensive list of enforcement measures for NIS2 is also part of the new Directive. It prescribes fines and penalties, with binding instructions on when and how they should be applied. There should be no grey areas that potentially leave room for interpretation.
   
   
3. Stricter incident reporting
   Incident reporting is now mandatory. The exact procedures are set out in NIS2, including the content and timing of these reports. Under NIS2, all scope for deviation has been removed.
   
   All cases of cybersecurity breaches must now be reported, regardless of whether the attack affected the company’s operations. This will enable authorities to better monitor and respond to potential threats.
   
   Under the new incident response plan, the Directive proposes a two-step approach. An initial report must be submitted within 24 hours of the occurrence of the cybersecurity problem, and a more detailed follow-up report is expected within one month.
   
   Each member state must also set up a national Computer Security Incident Response Team.
   
   
4. Enhanced cooperation
   The NIS2 Directive recognises the importance of coordination and communication between EU member states – after all, the aim is to protect the European Union in relative unity against breaches.
   
   Not only will each member state have a national cybersecurity authority, but the European Cyber Crisis Liaison Organisation Network will also be established to manage EU-wide incidents. This will create a form of cooperation between all EU member states where data protection will be a joint effort.
   
   

What is the impact of NIS2 on digital identities?

Digital identities play a critical role in modern business operations, enabling organisations to work seamlessly both internally and externally with partners, suppliers, external partners and customers. With the implementation of NIS2, it becomes even more important to have demonstrable control over access to the digital identities with whom your organisation works. This is because the robustness of your information security solution depends on the degree of control you have over the data and access of the digital identities within your organisation.

So what is different?

GDPR laws and regulations are very clear about what identity information may or may not be recorded and processed. This is very different for internal and external identities, which can make complying with these important laws and regulations a serious challenge.

The lifecycle of an external identity can also differ considerably from that of an internal identity. An employee usually starts on the first working day of the month, and when someone leaves, it is often at the end of the month.

That is not the case with external identities. They often have to work on an ad hoc basis or start on the 15^th day of the month, for example. Nor is it always clear whether an external identity still works for an organisation, as there is usually no standard offboarding process.

In practice, this often means that the necessary access to the IT environment is not provided at the right time, and that access is not revoked in a timely manner, if at all. This leads to many inefficiencies in the form of urgent calls, messages or emails, but more dangerously, unnecessary security risks.

Managing internal and external identities

Like internal identities, external identities also need access to (parts of) the organisation’s IT environment in order to perform their role or task properly. Even if it is just a badge to enter the building or the right room. Their digital identity data is the basis on which access to the IT environment is arranged via your organisation’s Identity and Access Management solution.

It is therefore very important that the identity data of all identities is carefully recorded and managed on an ongoing basis. Employee identities are likely to be recorded in the HR system, which is designed specifically for the employee lifecycle. For external identities, we see that in practice they are often also recorded in the HR system. But is this smart, efficient and secure?

This means that with iD Veritas, your organisation will be better able to comply with the NIS2 Directive, because with iD Veritas you: 

• can perform a comprehensive cybersecurity risk assessment for external identities more easily;
• can implement technical and organisational security measures for external identities;
• can manage third-party access risks very effectively; and
• well-positioned to support cybersecurity with insight and initiatives for risk management.

How does iD Veritas help?

iD Veritas enables you to carry out the onboarding and offboarding processes for external identities in a secure, efficient and controlled way. As a result, you are in firm control of the entire lifecycle. You do achieve this in 5 steps:

1. All external identities in iD Veritas
   Manually enter external identities into iD Veritas, upload a CSV overview or connect iD Veritas to your supplier’s database (via an API). This creates one central source of clean data of your organisation’s external identities.
   
   
2. The lifecycle of external identities
   External identities join your organisation; their role or function may change over time and at a certain point, their contract ends. iD Veritas lets you manage and automate the complete lifecycle (also known as the Joiner-Mover-Leaver process) of your external identities.
   
   
3. What does this look like in practice?
   iD Veritas automatically sends your IAM solution a notice when the end date of an external identity’s contract approaches, so the IAM solution can withdraw the corresponding access and rights. Safe and controlled!
   
   
4. Connecting to an IAM solution
   iD Veritas can be connected to any Identity and Access Management solution on the market. iD Veritas uses open standards (such as an API) to send and receive information to and from your IAM solution. Your IAM partner can handle this connection between iD Veritas and your IAM solution. If you do not have an IAM partner, then The Identity Managers are here to help you.
   
   
5. Outsourcing the work to your suppliers or service partners
   You have the option of outsourcing the management of external identity data to your resourcing partners. For example, you can outsource administrative tasks such as the entry, modification and deletion of external identities. All your organisation has to do after that is validate the information that was entered. Easy and efficient!
   

Maintain control and insight

Thanks to the security-by-design architecture and privacy-by-default functionality for the absolute separation of data, you can safely manage the identity data of your external identities. Standard functionalities such as a recertification process not only put you firmly in control but enable you to demonstrate it as well. This makes it a lot easier to comply with laws and regulations such as the NIS2.

If you would like to know more, please contact us to schedule a meeting with one of our experts.