Cybersecurity is now a top priority for every individual and organization. And as digitalization continues to increase, so does the threat of cyberattacks – which makes compliance with security regulations more crucial than ever.
Against this backdrop, organizations must start preparing for NIS2, an updated framework from the European Union designed to further enhance the security and resilience of critical infrastructure.
To help security teams with NIS2 compliance, Keyfactor recently led a webinar focused on strengthening cybersecurity through robust certificate management and public key infrastructure (PKI). Specifically, we discussed the expanded definition of critical infrastructure under the NIS2 Directive and the key cybersecurity requirements for compliance, how PKI and digital certificates are critical to establishing trust and secure communications, and the role of certificate management and PKI security in enabling compliance and strengthened defense against cyber threats.
Read on for a recap of our discussion, or click here to watch the entire webinar.
An introduction to NIS2
We’re experiencing more cyber incidents than ever, and the types of threats continue to evolve. This landscape requires organizations of all kinds to be ready to manage risks efficiently and share information about potential incidents to ensure a proper response.
The NIS2 directive addresses this evolving landscape, and with the September 2024 deadline for implementation by EU member states fast approaching, organizations must start planning and budgeting to adapt their security practices accordingly. Here’s an overview of what you need to know to get started:
How does NIS2 improve and expand upon NIS1?
In the nearly seven years since NIS1 came into effect, global events like COVID, supply chain disruptions, and geopolitical changes highlighted vulnerabilities in security that have led to an increasing number of incidents. Additionally, there was a wide divergence in how EU member states implemented NIS1, which caused confusion, especially due to a lack of clarity on the necessary thresholds for compliance.
NIS2 aims to remedy these challenges. Specifically, NIS2 has already produced more collaboration across member states, it includes more sectors to expand coverage to approximately 20x more organizations than NIS1, and it takes a carrot-and-stick approach to enforcement similar to GDPR by introducing more punitive measures for non-compliance.
Who should care about NIS2?
NIS2 affects all entities that provide essential or important services to the European economy and society, including companies and suppliers. Sectors covered by NIS2 fall into “Important Entities” and “Essential Entities.” Essential entities are organizations such as healthcare, energy, and transportation providers for which a disruption of services could have serious consequences for society or the economy. Important entities include manufacturing organizations, postal services, waste management, and digital providers like search engines, social networks, and online marketplaces.
While NIS2 covers both types of sectors, the compliance requirements differ for each. For instance, Essential Entities must conduct audits on a more regular basis than Important Entities. But even smaller companies are not necessarily excluded, as member states can update certain requirements under their purview, such as requiring more audits from any vendors delivering governmental services.
What about open-source solutions?
NIS2 recognizes the value of open-source cybersecurity tools and standards, especially when it comes to minimizing costs for small and medium-sized enterprises. That said, the directive does require organizations using these open-source solutions to apply them in a sustainable way.
For example, Recital 52 states: “Open-source cybersecurity tools and applications can contribute to a higher degree of openness and can have a positive impact on the efficiency of industrial innovation. Open standards facilitate interoperability between security tools, benefitting the security of industrial stakeholders.”
How does NIS2 fit into the bigger cybersecurity picture?
NIS2 is one of many directives, standards, and regulations used worldwide and often used in combination with others. The exact standards that apply to each company depend on vertical and geography, among other factors, but it’s important to be aware of each of these global requirements. In general, we are moving into a time when companies must have a greater awareness and better implementation of cybersecurity and risk management policies.
Preparing for NIS2: what covered entities need to do now
It’s important to start planning and budgeting for NIS2 now, as complying with the new directive could require as much as a 10-20% increase in budget depending on sector, geography, and compliance with other standards, including NIS1.
So what exactly does compliance entail? At the highest level, companies need “to take appropriate and proportional, technical, operational measures.” This speaks to the fact that an incident impacting certain organizations could have an avalanche effect, creating large disruptions to other companies or society more generally. As a result, organizations – especially those considered essential entities – must prepare their security measures with these downstream impacts in mind.
To start, organizations must take two critical steps:
- Self-assessment: A self-assessment is important for any type of security compliance. This assessment should review potential risks and response measures so that team members can proactively mitigate risks and ensure appropriate response protocols are in place. Taking these steps helps better prepare teams, reduce risk, and ensure business continuity when an incident does occur.
- Reporting: The reporting requirement in NIS2 is much stricter than the reporting requirement in NIS1, requiring organizations to have a live status of compliance at all times. This requires a deep understanding of incident reporting and business continuity practices as well as high visibility throughout the organization, meaning a simple spreadsheet won’t suffice. Additionally, it’s important to note that the C-suite and board have direct responsibility for this reporting, which makes training on protocols equally as critical.
Overall, preparing for NIS2 compliance presents an excellent opportunity to update any legacy technologies, as fragile infrastructures likely won’t provide the necessary level of business continuity. In many cases, organizations may find that outsourcing certain support will deliver more expertise and oversight than they can provide in-house.
Understanding the bigger picture: where PKI and certificate management fit into NIS2 compliance
PKI and certificate management become especially important for organizations to get right when it comes to NIS2 compliance. That’s because the new directive requires organizations to introduce zero trust principles (e.g., through multi-factor authentication), regular software updates, network segmentation, identity and access management, code signing, and more – all of which rely on PKI and need proper certificate management to get right.
Importantly, organizations need to invest in the proper infrastructure proactively rather than waiting until an issue occurs. This infrastructure needs to be resilient and scalable to provide the necessary level of business continuity. It also needs to provide a high level of visibility and agility to understand the full landscape of identities and issue new certificates as needed.
Organizations should start with three key focus areas:
- Take an inventory: Catalog all services and identities so that everything is identified and confirmed compliant. Take measures to increase visibility and compliance as needed.
- Review services: Make sure that services don’t get overloaded. Often, organizations use the same infrastructure for two different purposes (e.g., external and internal needs), but this doesn’t hold up well in the long term and it creates more opportunities for risk.
- Introduce certificate lifecycle automation: Proper certificate lifecycle automation can help avoid outages, thereby supporting business continuity. Certificate lifecycle automation allows teams to maintain visibility into certificates once they’re issued and easily replace them as needed, whether that’s because they’re expiring or are no longer trusted.
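As an added example (not from the webinar and not Keyfactor's tooling), here is what the inventory step looks like in practice: a standard-library Python script that walks the DER structure of each X.509 certificate to its Validity field and flags certificates that are expired, not yet valid, or inside an assumed 30-day renewal window. The sample certificates are constructed skeletons (real field order, placeholder contents before Validity); `certificate_validity` works unchanged on real DER files read from disk.

```python
import datetime as dt

RENEWAL_WINDOW_DAYS = 30  # assumed policy: renew anything expiring within 30 days


def read_tlv(data: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the DER element that starts at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def parse_time(tag: int, value: bytes) -> dt.datetime:
    """Decode UTCTime (tag 0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)

def certificate_validity(der: bytes) -> tuple[dt.datetime, dt.datetime]:
    """Walk Certificate -> tbsCertificate -> Validity and return (notBefore, notAfter)."""
    _, cert, _ = read_tlv(der, 0)            # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)            # tbsCertificate ::= SEQUENCE
    tag, _, nxt = read_tlv(tbs, 0)
    pos = nxt if tag == 0xA0 else 0          # skip the optional [0] EXPLICIT version
    for _ in range(3):                       # skip serialNumber, signature, issuer
        _, _, pos = read_tlv(tbs, pos)
    _, validity, _ = read_tlv(tbs, pos)      # Validity ::= SEQUENCE { notBefore, notAfter }
    t1, v1, pos = read_tlv(validity, 0)
    t2, v2, _ = read_tlv(validity, pos)
    return parse_time(t1, v1), parse_time(t2, v2)

def inventory(certs: dict[str, bytes], now_iso: str) -> list[dict]:
    """Classify each certificate so expiring ones are renewed before they cause an outage."""
    now, rows = dt.datetime.fromisoformat(now_iso), []
    for name, der in certs.items():
        not_before, not_after = certificate_validity(der)
        days_left = (not_after - now).days
        status = ("expired" if now > not_after else "not_yet_valid" if now < not_before
                  else "expiring" if days_left <= RENEWAL_WINDOW_DAYS else "ok")
        rows.append({"name": name, "not_after": not_after.date().isoformat(),
                     "days_left": days_left, "status": status})
    return rows

def sample_cert(not_before: str, not_after: str) -> bytes:
    """Constructed certificate skeleton: real field order, placeholder contents before Validity."""
    tlv = lambda tag, payload: bytes([tag, len(payload)]) + payload  # short-form DER only
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"") + tlv(0x30, b"")
           + tlv(0x30, tlv(0x17, not_before.encode()) + tlv(0x17, not_after.encode())))
    return tlv(0x30, tlv(0x30, tbs))
```

For a real estate, replace the constructed certificates with `open(path, "rb").read()` for each DER file (or the DER bytes of a PEM after base64-decoding) and feed the resulting rows into whatever tracking the team already uses for renewals.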
NIS2 is coming: is your team prepared?
NIS2 enforcement is around the corner and now is the time to take action. The new directive improves and expands upon NIS1, so even organizations that are already compliant with the original will need to make updates.
Complying with NIS2 is not something organizations should take lightly, and finding the right partners to help along the way can make all the difference when it comes to reducing risks and avoiding penalties.
For a deeper look at what’s involved, watch our full webinar featuring Keyfactor’s cybersecurity experts here.