The NIS2 Directive is Here. What Happens Next?

The Network and Information Security (NIS2) Directive’s deadline of October 17th has officially passed. Yet despite this deadline – and the strict penalties in place for non-compliance – nearly 66% of businesses operating in Europe have likely not implemented the necessary compliance controls (Veeam Software). Additionally, the majority of EU member states have yet to officially codify NIS2 standards into their national laws.

So with two-thirds of organizations technically non-compliant, and the majority of nations technically not mandating the directive, what comes next for NIS2?

While the exact outcomes may still be unclear, organizations should continue to prioritize addressing NIS2 security obligations – and even accelerate the pace of existing compliance initiatives to avoid the devastating cyberattacks that the NIS2 standards are designed to protect against. Luckily, there are solutions that can help organizations streamline their NIS2 compliance processes, while simultaneously improving engineering productivity and hardening critical infrastructure against the growing threat of identity based attacks.

NIS2 introduces strict penalties for non-compliance

Now that the official October 2024 deadline has arrived, non-compliance penalties may be enforced. These penalties range from non-monetary remedies, administrative fines, and even criminal sanctions for management.

Non-monetary penalties: The Directive gives member state authorities the ability to enforce consequences including legally-binding instructions, forced notifications to the non-compliant entities’ customers, and more – threatening long-term reputational damage and other business impacts.

Administrative fines: For “Essential” entities – including companies in transport, finance, energy, water, health, and more – administrative fines may be up to 10 million euros or 2% of the company’s annual revenue, depending on which is higher. For “Important” entities, these fines start at up to 7 million euros or 1.4% of annual revenue, also depending on which is higher.

Criminal sanctions: NIS2 dictates national authorities may hold organizational management personally liable if gross negligence is proven after a security incident, force the publication of compliance violations (including publicly identifying responsible parties), and more.

Maintain compliance focus to minimize penalty risks

These penalties, when enforced, pose an existential threat to firms still progressing towards NIS2 compliance. Despite lingering uncertainty into enforcement, a lack of guidance from authorities, and the pending status of NIS2 laws within member states, it is still recommended that organizations continue their focus on meeting the cybersecurity obligations the Directive outlines.

Article 21 of the legislation mandates that organization's manage their cyber risk by using appropriate and proportionate technical and organizational measures. These cybersecurity measures include:

• Access control and asset management
• Multi-factor authentication (MFA) and continuous authentication
• Use of cryptography and encryption
• Comprehensive risk analysis and security policies
• Incident handling procedures
• Business continuity and crisis management planning
• Supply chain security
• Secure system development and vulnerability management
• Cyber hygiene and employee training

How Teleport can help address NIS2 requirements

Key compliance requirements of the NIS2 Directive focus on implementing secure access controls, robust incident response, risk management, and auditing capabilities.

Teleport’s comprehensive suite of secure infrastructure access solutions align directly with these requirements, and can help organizations meet compliance objectives now and in the future – and without impacting engineer or security team productivity.

Least-privilege access, identity authentication, and credential elimination

The NIS2 Directive emphasizes the need for secure access control mechanisms to protect network and information systems, with a particular attention dedicated towards minimizing unauthorized access.

Teleport eliminates the need for credentials and standing privileges with identity-based access, reducing the risks of compromise. Cryptographic-based, ephemeral credentials eliminate static passwords, SSH keys, and long-lived tokens – which are frequently targeted by cyberattacks.

Policy management and incident intervention

The NIS2 Directive requires organizations to implement comprehensive cybersecurity policies and have the ability to intervene swiftly during cybersecurity incidents.

Teleport helps organizations develop, monitor, and enforce access policies across their entire infrastructure, ensuring compliance and rapid response to emerging threats.

Monitoring and response to weak access patterns

Effective identity management is critical to the NIS2 Directive’s requirements for secure access to sensitive systems. Teleport provides robust monitoring and real-time response capabilities to ensure the integrity of user access.

Comprehensive reporting and monitoring logs

The NIS2 Directive places heavy emphasis on incident reporting and maintaining comprehensive logs of access and system changes.

Teleport’s platform automatically logs every access request, session, and action, providing an auditable trail that meets the reporting requirements under NIS2.

Learn more about Teleport for NIS2 Compliance

Explore our latest white paper on NIS2 Compliance with Teleport to gain a deeper understanding of the NIS2 Directive’s cybersecurity measures, how to brace for future compliance deadlines, and how to use Teleport secure infrastructure access platform to gain the security controls critical for proving compliance.

Read the white paper