Use this guide to discover how Cyolo can help you achieve NIS2 compliance in preparation for the October 2024 deadline.
Introduction to NIS2
The NIS2 Directive is a piece of legislation that aims to enhance the cyber resilience of critical infrastructure in the European Union (EU) by establishing a minimum set of cybersecurity requirements that all EU Member States must impose on their respective in-scope entities. NIS2 replaces and builds upon its predecessor, the original NIS Directive, with an expanded scope and additional requirements developed in response to increases in the frequency and impact of cyberattacks against EU critical infrastructure in recent years.
This document details Cyolo’s support for NIS2 compliance and offers related guidance for security and risk practitioners in the EU and beyond.
Key NIS2 Compliance Requirements
The minimum requirements for NIS2 compliance for in-scope essential and important entities are as follows:
Cybersecurity risk management measures: Entities must implement 10 key measures to manage and mitigate cyber risks posed to any networks, systems, and/or other digital or physical assets involved in delivering essential or important services in the EU.
These measures include:
Policies on risk analysis and information system security.
Incident handling (prevention, detection, and response to incidents).
Crisis management and business continuity, such as backup and recovery management.
Supply chain security for relationships between each entity and its suppliers or service providers.
Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosures.
Policies and procedures to assess the effectiveness of cybersecurity risk management.
Basic cyber hygiene practices and cybersecurity training.
Policies and procedures regarding the use of cryptography and, where appropriate, encryption.
Human resources security, access control policies, and asset management.
The use of multi-factor authentication or continuous authentication solutions, secured voice,
video, and text communications, and secured emergency communication systems.
NIS2 Timeline
16 January 2023: NIS2 entered into force
17 October 2024: Deadline for member states to transpose NIS2 into national law
17 April 2025: Deadline for member states to identify and register in-scope essential and important entities
Overview of Cyolo PRO
Cyolo PRO (Privileged Remote Operations) is an advanced, infrastructure-agnostic secure access solution built to mitigate the risks of remote access to mission-critical assets. Cyolo PRO’s decentralized architecture provides exceptional flexibility and can seamlessly adapt to all environments (cloud-connected, cloud-averse, and offline) without change management.
Common challenges Cyolo PRO solves include:
Ensuring rapid, secure, and safe support and maintenance for the factory floor and OT environments
Safely connecting third parties to OT environments with no agents or end-user downloads required
Adding multi-factor authentication (MFA) to legacy systems that do not natively support modern identity authentication
Securing all access points to mission-critical assets, whether remote or on-premises Implementing segmentation, supervision, session recording, and other requirements of industry and regional compliance mandates
Cyolo PRO/NIS2 Alignment
Cyolo PRO addresses NIS2 compliance requirements with the following functions and features:
NIS2 Risk Management Measure | Cyolo PRO Capabilities | Control Type |
Policies on risk analysis and information system security | Granular control policies provide user, session, application, and device information to help validate compliance. | SUPPORTS |
Incident handling (prevention, detection, and response to incidents) | Features like zero-trust access, MFA to all systems, and session monitoring and recording reduce the likelihood of a security incident. If suspicious activity is detected, access can be restricted or terminated in real-time. Seamless integration with SOAR, SIEM, XDR, and other tools for additional incident response capabilities. | PROVIDES |
Crisis management and business continuity, such as backup and recovery management | Unique decentralized architecture is built from self-replicating components, ensuring business continuity and uptime and enabling data recovery even from a single component. | PROVIDES |
Supply chain security for relationships between each entity and its suppliers or service providers. | Zero-trust architecture shields applications and assets from direct connectivity. Application-level access prohibits lateral movement and limits the damage a potential attacker could cause. Oversight controls like supervised access and session recording ensure security for the full duration of the connection. The solution’s agentless deployment model is ideal for securing third-party access. | SUPPORTS |
Policies and procedures to assess the effectiveness of cybersecurity risk management | In-platform analytics demonstrate the effectiveness of cybersecurity and risk management policies. | SUPPORTS |
Policies and procedures regarding the use of cryptography and, where appropriate, encryption | TLS connection ensures full end-to-end encryption from user to application.
All data, secrets, and encryption keys remain inside the customer’s trusted boundaries and are never stored or decrypted in the Cyolo cloud. | SUPPORTS |
Human resources security, access control policies, and asset management | Robust and granular access controls include MFA, password vault, device posture checks, end-to-endencryption, continuous authorization, and identity federation. | SUPPORTS |
The use of multi-factor authentication or continuous authentication solutions, secured voice, video,
and text communications, and secured emergency communication systems | MFA extends all user accounts (service, shared, individual, etc.) in all environments (cloud-connected, cloud-averse, offline). MFA capabilities can be added to legacy systems with no upgrades or change management needed. | PROVIDES |
Control Type Description
Provides: Provides information you provide directly to auditor or feeds data into an artifact.
Validates: Can be used to prove whether another control(s) is present and/or working.
Supports: Feeds info into another system or processes which serve the requirements.
About Cyolo
Cyolo, the access company for the digital enterprise, takes a holistic approach to cybersecurity that aligns closely with the ethos of the NIS2 Directive. The adaptable, infrastructure-agnostic Cyolo solution is purpose-built to secure, monitor and audit privileged remote connections to critical infrastructure and OT systems.
With Cyolo, organizations like yours can proactively implement the steps highlighted here with no operational disruptions and no changes needed to your existing infrastructure. Schedule a demo and begin your path to NIS2 compliance today.
