Network & Information Security Directive (NIS2) Compliance report

A Network & Information Security Directive (NIS2) Compliance report is a document that outlines an organization's adherence to the latest NIS2 regulations, ensuring the security and resilience of network and information systems across the European Union.

Summary

The EU cybersecurity rules introduced in 2016 were updated by the NIS2 Directive, which came into force in 2023. This update modernized the existing legal framework to address increased digitization and the evolving cybersecurity threat landscape. By expanding the scope of cybersecurity rules to new sectors and entities, it improves the resilience and incident response capacities of public and private entities, competent authorities, and the EU as a whole.

The NIS2 Directive provides legal measures to enhance the overall level of cybersecurity in the EU by ensuring:
  • Member States' preparedness, requiring them to be appropriately equipped, for example, with a Computer Security Incident Response Team (CSIRT) and a competent national network and information systems (NIS) authority.
  • Cooperation among all Member States, establishing a Cooperation Group to support and facilitate strategic cooperation and the exchange of information among Member States.
  • A culture of security across sectors vital for the economy and society, relying heavily on ICTs, such as energy, transport, water, banking, financial market infrastructures, healthcare, and digital infrastructure.

Key objectives

  • Enhance the overall cybersecurity standards within the EU.
  • Strengthen the resilience and incident response abilities of both public and private organizations.
  • Foster improved collaboration and information sharing among EU member states.
  • Standardize cybersecurity requirements across various sectors and critical infrastructures.

Implications for organizations

Organizations in sectors covered by NIS2 must comply with the directive's cybersecurity requirements. This includes implementing risk management measures, incident reporting procedures, and supply chain security measures.

AppScan and NIS2

Article 21 of the NIS2 Directive outlines the following cybersecurity requirements:

Member States must ensure that essential entities implement appropriate and proportionate technical, operational, and organizational measures to manage risks to the security of network and information systems used for their operations or services and to prevent or minimize the impact of incidents on their service recipients and other services.

These measures should consider the state of the art, relevant European and international standards, and the cost of implementation. They must ensure a level of security appropriate to the risks posed. When assessing the proportionality of these measures, factors such as the entity’s risk exposure, size, likelihood of incidents, and the severity of potential impacts—including societal and economic impacts—must be taken into account.

The measures should follow an all-hazards approach to protect network and information systems and their physical environments from incidents, and must include at least the following:

  • Policies on risk analysis and information system security
  • Incident handling
  • Business continuity, including backup management, disaster recovery, and crisis management
  • Supply chain security, including security-related aspects of relationships with direct suppliers or service providers
  • Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure
  • Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
  • Basic cyber hygiene practices and cybersecurity training
  • Policies and procedures regarding the use of cryptography and, where appropriate, encryption
  • Human resources security, access control policies, and asset management
  • The use of multi-factor authentication or continuous authentication solutions, secured voice, video, and text communications, and secured emergency communication systems within the entity, where appropriate

This AppScan report uses the National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 5 as the recommended comprehensive international security framework, as advised by the NIS2 Directive, to identify potential non-compliance issues related to web application security.

For more information on the NIS2 Directive, visit: NIS2 Directive

For more information on securing web applications, visit: HCL Software - AppScan

Table 1. Sections and descriptions (each entry gives the NIST SP 800-53 Rev. 5 control identifier followed by its description)

AC-2(2): Automatically [Selection: remove; disable] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].

AC-4: Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies].

AC-6: Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.

AC-7.a: Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period].

AC-10: Limit the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number].

AC-12: Automatically terminate a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect].

AC-17: a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorize each type of remote access to the system prior to allowing such connections.

CM-7: a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services].

IA-2: Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.

IA-4(1): Prohibit the use of system account identifiers that are the same as public identifiers for individual accounts.

IA-5: Manage system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator; b. Establishing initial authenticator content for any authenticators issued by the organization; c. Ensuring that authenticators have sufficient strength of mechanism for their intended use; d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators; e. Changing default authenticators prior to first use; f. Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events] occur; g. Protecting authenticator content from unauthorized disclosure and modification; h. Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and i. Changing authenticators for group or role accounts when membership to those accounts changes.

RA-5: a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported; b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulnerability impact; c. Analyze vulnerability scan reports and results from vulnerability monitoring; d. Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; e. Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.

SC-5: a. [Selection: Protect against; Limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events]; and b. Employ the following controls to achieve the denial-of-service objective: [Assignment: organization-defined controls by type of denial-of-service event].

SC-8: Protect the [Selection (one or more): confidentiality; integrity] of transmitted information.

SC-13: a. Determine the [Assignment: organization-defined cryptographic uses]; and b. Implement the following types of cryptography required for each specified cryptographic use: [Assignment: organization-defined types of cryptography for each specified cryptographic use].

SC-23: Protect the authenticity of communications sessions.

SI-3.A: Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code.

SI-3.B: Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures.

SI-10: Check the validity of the following information inputs: [Assignment: organization-defined information inputs to the system].

SI-11.A: Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited.