The challenges of the NIS 2 directive in the world of B2B SaaS

The rapid growth of SaaS solutions in recent years has transformed the way people work and access software, providing greater flexibility and accessibility.
However, this growth has also created a number of issues related to data security and the security of computer systems.

It is in this context that the NIS 2 (Network and Information Systems) directive was born, bringing significant changes for companies operating in the field of B2B SaaS.

The NIS 2 directive succeeds the first version, adopted in 2016, and aims to guarantee a high level of security of the European Union's networks and information systems.

This directive was published in December 2022 in the official journal of the European Union as Directive (EU) 2022/2555.

Here's the full name if you want to read it in your spare time: "Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (text with EEA relevance)".

The aim of the NIS 2 directive is to meet the needs of an ever-changing digital age, where data protection and resilience against cyberthreats have become major concerns.

Security is no longer the poor relation of SaaS software publishers, and they must be proactive in implementing security measures.

Let’s take a look at the different impacts of this new regulation.

1. Entities concerned

The main objective of the NIS 2 directive is to strengthen cybersecurity within the European Union.

Security is no longer the poor relation of SaaS software publishers, and they must be proactive in implementing security measures.

The NIS 1 directive used the terms essential service operators (ESO) and digital service providers (DSP).

These terms are now obsolete and it is now only a question of essential entities and important entities.

This distinction mainly serves to adapt to the level of obligation imposed on the different entities.

Around 600 different types of entities will be affected, including administrations of all sizes and companies ranging from SMEs to CAC40 groups.

New sectors are also affected by this new directive: wastewater, space, public administration, postal and shipping services, waste management, chemistry, food, manufacturing, research, digital providers (including marketplaces, search engines and social networks).

The NIS 1 directive only targeted the following sectors: energy, transport, banking, financial market infrastructures, health sector, supply and distribution of drinking water, digital infrastructures.

In total, the scope increases from 7 to 18 sectors.

As a result, all online platforms, cloud computing services and SaaS software providers are affected.

Here is a diagram summarizing the entities concerned:

2. Strengthening security obligations

The directive imposes enhanced security obligations on essential and important entities. These entities are now required to implement security measures proportionate to their specific risks, thereby strengthening the protection of essential services and digital data.

Strengthening these obligations aims to increase the overall resilience of digital infrastructure in the face of growing threats.

In the same way as for the GDPR, entities will be subject to an accountability obligation, by documenting their compliance with NIS 2.

The directive draws up a list of measures to be taken by all entities concerned:

• The use of multi-factor authentication or continuous authentication solutions
• Information systems security policy (PSSI)
• Incident management
• Plans dedicated to business continuity (PCA), recovery (PRA), backup and crisis management
• Have crypto-related policies and procedures
• Assess your cyber risk
• Have access control policies and asset management on an HR level
• The use of secure communication tools and emergency communication systems in a crisis
  

Furthermore, the NIS 2 directive establishes a security requirement for the contractual supply chain of essential and important entities. Entities covered by the NIS 2 directive will be required to establish contractual frameworks defining aspects related to cybersecurity with their direct suppliers and service providers.

3. Authentication security, a crucial issue in the NIS 2 directive

The importance of authentication security under the NIS 2 directive is a major and central topic for companies and organizations operating in the European Union. At the heart of the measures in this directive is the security of authentication processes, essential to prevent unauthorized access and protect sensitive information. Authentication is one of the entry points often used in cyber attacks to penetrate organizations and plan massive attacks weeks or even months in advance.

For businesses, integrating NIS 2 requirements into their authentication processes involves several key steps. These include evaluating existing systems, identifying security gaps, implementing compliant authentication solutions, and continuously adapting to evolving cyber attacks.

In Article 21 “Cybersecurity risk management measures,” it is indicated in point j): the use of multi-factor authentication solutions or continuous authentication, secure voice, video and text communications and secure emergency communications systems within the entity, as required.

In the first part of this paragraph, we highlight “multi-factor authentication solutions.” This is one of the most recommended authentication methods, because it requires the user to provide at least two proofs of identity from different categories (something the user knows, has or is) before accessing an account or system. MFA can compile multiple lines of verification with two or more factors; what I know (password, pin code), what I have (mobile phone, smart cards, etc.) and who I am (biometrics). We have written a comprehensive article on the subject: What is multi-factor authentication and how does it work?

We then talk about continuous authentication which goes further by verifying the identity of the user on a regular basis throughout their session, thus increasing security by quickly detecting and reacting to any suspicious activity.

For secure voice, video and text communications: Essential organizations and businesses will need to ensure that all forms of communication (voice, video and text) are secure to prevent interceptions and information leaks. This involves the use of encryption technologies and security of communication channels.

And finally regarding secure emergency communications systems within the entity: It will be crucial to have secure and reliable emergency communications systems in place to enable rapid response in the event of a cybersecurity incident. These systems must ensure that critical communications are not compromised and remain accessible even in adverse conditions.

4. Notification of Security Incidents

One of the major changes introduced by NIS 2 is the implementation of stricter rules for reporting security incidents.
Essential and important entities are now required to notify the relevant authorities of any significant incident within 24 hours of detection of the incident, followed by an initial assessment within 72 hours, and finally a full report within 30 days.
This measure aims to ensure a rapid and coordinated response to security incidents, thereby minimizing potential impacts on essential digital services.

Thus, the entities concerned must communicate if an incident has had a significant impact on the networks and information systems of an entity (or the users of the entity's services), causing considerable material, bodily or moral damage.

5. Strengthened Cooperation and Coordination

Cooperation and coordination between Member States of the European Union are at the heart of NIS 2. This directive actively encourages businesses, competent authorities and stakeholders to work closely together. Strengthened cooperation allows us to share crucial information on threats, develop best practices and strengthen collective resilience in the face of cyberthreats. By promoting this collaboration, the NIS 2 directive aims to create a more robust and better protected digital ecosystem.

6. Sanctions

The NIS 2 directive gives national authorities (ANSSI in France) reinforced supervisory powers.
In the event of non-compliance with the directive, heavy and dissuasive sanctions may apply: fines can go up to 10 million euros or 2% of turnover for essential entities, and 7 million euros or 1.4% of turnover for large entities. Fines may also be imposed if violations of the NIS 2 directive persist.

Conclusion

The NIS 2 directive represents a significant step forward in protecting Digital Europe and highlights the crucial importance of authentication security in protecting critical infrastructure and digital services in the EU by broadening its scope, enforcement, and by strengthening security obligations, imposing stricter incident reporting rules and encouraging close cooperation, the European Union is showing its commitment to strengthen cybersecurity.

Businesses operating in the digital domain now have a responsibility to understand and comply with these guidelines to ensure the security and reliability of digital services in an ever-changing landscape. They will have to prioritize improving their authentication systems, by adopting innovative solutions and committing to a proactive cybersecurity approach.

By focusing on authentication security, organizations and businesses can not only meet the regulatory requirements of NIS 2, but also build resilience against cyberthreats, ensuring data protection and business continuity.

To discuss authentication issues related to the NIS 2 directive for your SaaS application with our teams, you can book the slot of your choice by clicking here: Meet Cryptr

And don’t forget to follow us on our social networks: LinkedIn, YouTube, X, Instagram.