Excerpt from the tenfold whitepaper "NIS2: Access Governance Requirements":
NIS2 regulates organizations in important sectors that are critical to maintaining public life, public health and public order. Entities are covered by NIS2 if they operate in one or more of these sectors and exceed the size cap for number of employees or total annual revenue. NIS2 distinguishes between two categories: essential and important entities.
NIS2 requires regulated entities to “take appropriate and proportionate technical, operational and organizational measures to manage the risks posed to the security of their network and information systems […] and to prevent or minimize the impact of incidents on recipients of their services”. The directive also specifies that risk management measures must be based on an all-hazards approach (covering both digital and physical threats) and take into account the state-of-the-art and relevant European and international standards. NIS2 also specifies a number of topics that the risk management must address:
NIS2 aims to establish comprehensive cybersecurity measures in essential public and economic sectors. Experts believe the security requirements for regulated entities will be similar in size and scope to ISO 27001 and comparable standards. This view is supported by the draft implementing act targeting IT services (which are regulated at the EU level): most requirements listed in this act and its annex map closely to existing ISO 27001 controls, giving organizations that have completed ISO certification a leg up in their preparation for NIS2. Organizations that have not completed certifications like ISO 27001, the CIS Controls or NIST CSF before will find that they need to quickly address a wide range of topics: everything from malware protection to firewalls, network security, staff training, backups and recovery, crisis management and even their relationship to suppliers and service providers. This kind of comprehensive security cannot be achieved with one single product. It requires organizational commitment, effective policy, educated users and, yes, the right mix of dedicated technologies.
tenfold's whitepaper provides you with valuable information about the NIS2 requirements for access management in organizations. What requirements does the directive set and how can they be met quickly, securely and effectively with tenfold?