NIS2 FAQs

Verify whether the company is referenced in Articles 2 and 3 or falls within the directives’ designated sectors outlined in Annex I or II. For instance, determine if the company qualifies as a trust service provider (Article 2), an electricity provider (Annex I), or engaged in the manufacturing of medical devices (Annex II). Conduct a gap analysis in alignment with Article 21 of the NIS2 directive. Assess if the minimum requirements, such as Multi-Factor Authentication (MFA), have been implemented. Additionally, ascertain if the company holds ISO27001 certification and has established a Security Operations Center (SOC).

While using SMS One-Time Password (OTP) is certainly better than just the traditional password, it is not very user-friendly. Implementing it, for example, in the Windows login method, can be challenging. Moreover, SMS OTPs are not phishing-resistant. The consensus is that an SMS-based solution cannot be considered a robust form of Multi-Factor Authentication (MFA). Also read (in French): The French supervisor authority explicitly does not recommend SMS-based OTPs.

NIS2 offers a significant advantage by establishing minimum requirements applicable across countries. This allows international companies to formulate a cohesive ‘European’ cybersecurity model without getting bogged down in local nuances. It’s crucial to note that the directive applies to ‘entities,’ defined as natural or legal persons recognized under national law. Therefore, subsidiaries within a larger company may be deemed important entities, necessitating individual assessments. Each legal entity at every organizational level must determine its significance, enabling the implementation of cybersecurity measures, potentially at a European level.      

While differences may exist, they are not expected to be as pronounced as in NIS1. The minimum cybersecurity requirements are immutable, and the directive’s scope is already well-defined.

We see a common thread in these cybersecurity directives and regulations — prioritize your security. Without delving into the specifics of each legislation, we believe it’s imperative for every company to assess its cybersecurity measures and address current cyber risks actively. Similar to how you expect a key for the doors of your home, every top manager should anticipate securing their IT systems, and every consumer should expect security for their devices, such as a smartwatch. Operating a business without proper cybersecurity measures will likely become illegal within the EU in the coming years.

Nexus only offers professional services and expertise connected to our products and services, including assistance with implementation and configuration. In addition, Nexus has an extensive partner network in each region and we would be happy to provide recommendations for regional partners, please reach out to us to know more. Explore our partner network here.

The Swedish Civil Contingencies Agency (MSB – Myndigheten för samhällsskydd och beredskap) provides valuable information on NIS2. A special investigator (‘särskild utredare’) appointed by the Swedish government is tasked with proposing the necessary adaptations within Swedish law required for the implementation of NIS2. The special investigator is expected to submit the report to the government no later than February 23, 2024.

The national supervisory authorities for cybersecurity in Germany, France, and Sweden are as follows:

• Germany, BSI (Federal Office for Information Security)
• France, ANSSI (Agence nationale de la sécurité des systèmes d’information)
• Sweden, PTS (The Swedish Post and Telecom Authority)

For further reading on this topic, you may explore the official websites of these agencies and relevant cybersecurity legislation in each country.

Certain articles of a directive that grant specific rights to individuals can be directly applicable in the relevant country, even if that country has not implemented the directive in time. For example, if a directive establishes minimum vacation entitlements and the country does not implement this directive in time, individuals can directly claim these entitlements from the directive. As a result, the directive itself is never directly applicable, but some of its specific provisions for individual protection are. This is not really relevant in the case of NIS2, as the directive primarily creates obligations for companies. In practice, we should, therefore, consider the entry into force of the implementing law in this matter.

The German NIS2 implementation law requires in Article 30(2)-4 that cybersecurity measures must include at least “supply chain security, including security-related aspects of the relationships between individual entities and their immediate suppliers or service providers.” The NIS2 Directive is identical in this regard. Further specifications can be found in the explanatory part of the implementation law (page 148): “Measures to secure the supply chain include, for example, contractual agreements with suppliers and service providers on risk management measures, handling of cybersecurity incidents, patch management, as well as consideration of recommendations from the Federal Office with regard to their products and services. This may also require suppliers and service providers to adhere to fundamental principles such as Security by Design or Security by Default. When considering appropriate measures according to paragraph 4, number 4, the establishment must take into account the specific vulnerabilities of each immediate provider and service provider, as well as the overall quality of products and cybersecurity practices of their providers and service providers, including the security of their development processes. Establishments must consider the results of coordinated risk assessments of critical supply chains conducted in accordance with Article 22(1) of the NIS2 Directive when considering appropriate measures pursuant to sentence 1.” In this context, we also expect certifications and compliance with supervisory authority standards to play an important role. Therefore, established and EU-recognized quality seals (such as Common Criteria certifications, BSI certifications, or seals from other national institutions, such as the French ANSSI) are a sensible step. However, such certifications are not necessarily suitable or proportionate for all software components. Another/alternative measure is to require and describe software development processes according to “state of the art” standards. This includes, for example, automated testing, static code analysis, SBOM, transparent vulnerability management, and automated build and deployment processes.

Here, the principle applies that companies affected by NIS2 must ensure security within their supply chain. According to Article 30(2)-4 of the German NIS2 implementation law, cybersecurity measures must encompass at least “supply chain security, including security-related aspects of the relationships between individual entities and their immediate suppliers or service providers” (see also further details in the previous response regarding requirements for software suppliers). Therefore, companies affected by NIS2 must ensure that their respective suppliers take measures to ensure the security and NIS2 compliance of the affected company. This may include, among other things, encrypted communication, implementing MFA on shared systems, and basic measures for cyber hygiene and risk management. Furthermore, it is essential to consider that there may also be (stricter) industry-specific requirements that need to be implemented, such as TISAX in the automotive sector or DORA in the banking environment.

NIS2 is not restricted to specific environments, so if the respective OT system belongs to the NIS2-affected entity, the requirements apply here as well (e.g., network security, Cyber Hygiene, and “state-of-the-art” security are good examples). But in the OT area, the upcoming CRA regulation should also be considered.

Yes and no. For specific aspects of the law, for instance, the application to public administrations or the exact definition of the sectors, there will for sure be differences. For the definition of the cybersecurity measures, no. We have to keep in mind that many cybersecurity measures will be decided directly by the EU Commission. Other measures will be implemented by national supervisory authorities, but they are in very close contact and all aligned on the objective of defining common cybersecurity measures

Yes, we have an online checklist to verify whether your company falls within the scope of NIS2 and complies with its requirements. Access it from here.

The core components Nexus Certificate Manager and the OCSP Responder in version 8.0 are CC EAL4+ certified. For more information, please visit: https://doc.nexusgroup.com/pub/common-criteria-certification-for-certificate-mana https://doc.nexusgroup.com/pub/common-criteria-certification-for-nexus-ocsp-respo

Nexus has been developing and distributing its own software product, the Nexus Certificate Manager, for more than 25 years. We offer this product both as an on-premise software solution (which can be operated on Microsoft Windows Servers or Linux) and as a SaaS solution, “Nexus GO PKI.” We offer an EAL4+ certified, high-performance, highly secure, flexible, and powerful solution “made in the EU” that, in many scenarios, not only offers greater functionality but also proves to be more cost-effective (considering TCO) compared to Microsoft ADCS.