NIS2, passwords, and MFA: Everything you need to know 

The NIS2 Directive is an important piece of legislation for anyone working in cybersecurity across the European Union. An evolution of the original Network and Information Systems (NIS) Directive, NIS2 expands its reach and tightens its requirements, reflecting the increasing sophistication and frequency of cyber threats. We’ll take a look at what NIS2 means for your cybersecurity practices, with a focus on password security and MFA. 

What is NIS2? 

The NIS2 Directive is a regulatory framework within the European Union designed to enhance the overall level of cybersecurity across member states. The directive includes provisions for significant incident reporting, information sharing, and cooperation among national authorities. It also sets out a range of administrative fines for non-compliance, aiming to ensure that both public and private sector organizations take their cybersecurity obligations seriously. The goal of NIS2 is to provide a high common level of cybersecurity across the European Union, protecting essential services and the digital economy from the growing threat of cyber-attacks. 

password audit
Run a free Specops Password Audit to check if your Active Directory password policy is in compliance

What’s the difference between NIS and NIS2? 

The original NIS Directive was the first piece of EU-wide legislation on cybersecurity, in 2016. NIS2 aims to address the limitations and gaps identified in the original directive by expanding its scope to cover more sectors and types of entities, enforcing stricter security measures, and enhancing the management of cybersecurity risks. The key driver behind strengthening the directive is a far more menacing cyber threat landscape. Less than ten years ago in 2016, attacks like ransomware were rarer and significantly less costly for companies. To put it into context, global cybercrime damages were estimated at $3 trillion in 2015 but are estimated to reach $10.5 trillion by 2025

The three main changes between NIS and NIS2 are as follows: 

  • NIS2 extends its scope to new economic sectors that play important roles in modern digital ecosystems 
  • It removes implementation inconsistencies by clarifying the security, incident reporting, and enforcement requirements that apply to all organizations 
  • It establishes planning, crisis management, and increased collaboration between member states in the event of large-scale cybersecurity incidents  

When did NIS2 come into force? 

The NIS2 Directive was officially adopted by the European Parliament and the Council in November 2022. Member states are required to transpose the directive into national law within 21 months from its entry into force, which is typically 20 days after its publication in the Official Journal of the European Union. This timeline suggests that the directive will likely have come into full effect across the EU by mid-2024. In other words, organizations need to be ready imminently. 

How do the regulations impact password security?  

The NIS2 Directive, with its focus on strengthening cybersecurity across the EU, implicitly emphasizes the importance of robust password security as part of an organization’s cybersecurity measures. While the directive may not specify detailed requirements solely about password security, it mandates that entities adopt appropriate and proportionate technical and organizational measures to manage risks to network and information systems security.  

This includes practices related to securing access control, which directly involves password management. Here’s what the emphasis on password security under the NIS2 Directive generally entails:  

  • Strong password policies: Organizations are expected to implement strong password policies that mandate the use of complex and hard-to-guess passwords. This should include guidelines on password length, complexity, and expiration periods. Tools such as Specops Password Policy can be used to both enforce strong policies and check for known compromised passwords in a user-friendly way. 
  • User education and training: Part of managing cybersecurity risk involves training users on the importance of strong passwords and secure authentication practices. This includes educating them about the risks of password reuse across multiple sites and the benefits of password managers. For example, encouraging passphrases to help end users create longer, more secure passwords. 
  • Auditing and compliance checks: Regular audits and compliance checks can help ensure that password policies are adhered to and organizations are aligned with the security objectives of the NIS2 Directive. Interested in giving your Active Directory a health check? Specops Passwords Auditor runs a read-only scan of you Active Directory and gives an exportable report detailing your password-related vulnerabilities – download your free tool here.  
  • Securing password resets: Password resets are one of the most commons reasons end users contact your service desk. Specops uReset offers a way for end users to reset their own passwords, while staying secure and compliant with NIS2 recommendations. uReset allows users to verify their identity via a range of flexible MFA options, including: Duo Security, Google Authenticator, Microsoft Authenticator, Okta, PingID, Symantec VIP, and Yubikey. Multiple authentication options guarantee users will complete the password-reset task, even if an identity provider is unavailable.  
  • Multi-factor authentication (MFA): MFA plays a significant role in the directive. It provides an additional layer of security for threat actors to breach after a password has been compromised. MFA is an important topic in the context of NIS2 and it’s worth exploring in more detail.  

What does NIS2 say about MFA? 

The NIS2 Directive highlights MFA as a fundamental security measure that organizations should implement to enhance their cybersecurity capabilities. MFA is crucial for building a layered defense against threats including phishing and social engineering attacks, which are common methods for stealing user credentials. This is key for supporting the NIS2 Directive’s aim to ensure that organizations operating in critical sectors have robust defenses against unauthorized access, thereby safeguarding important data and systems that are essential for the functioning of society and the economy.  

MFA adoption supports compliance with the NIS2 Directive’s push for following state-of-the-art security practices, but is widely recognized as a best practice among other cybersecurity regulations and guidelines too. Organizations subject to the NIS2 Directive should strongly consider integrating MFA into their cybersecurity frameworks if they haven’t already done so. This not only aids in compliance but also significantly bolsters their security posture against increasingly sophisticated cyber threats. 

Of course, it’s also important to keep in that MFA isn’t infallible and there several ways it can be breached. Not all MFA systems are the same, either. Some prioritize convenience for the end user but might not be the most secure depending on the types of threat your organization faces. This is why Specops uReset has a ‘star system’ that lets organizations choose which MFA factors need to use end users to build up a sufficient score. 

Specops uReset has a ‘star system’ that lets organizations choose which MFA factors need to use end users to build up a sufficient score
Specops uReset MFA service weighting 

Need more help navigating NIS2 and bringing your password security in line with its recommendations? Speak to a Specops expert today.  

(Last updated on November 5, 2024)

picture of author marcus white

Written by

Marcus White

Marcus is a Specops cybersecurity specialist based in the UK. He’s been in the B2B technology sector for 8+ years and has worked closely with products in email security, data loss prevention, endpoint security, and identity and access management.

Back to Blog