NIS2
NIS2 (Directive (EU) 2022/2555) is the European Union directive on cybersecurity that sets risk management and incident reporting obligations for essential and important entities across critical infrastructure sectors.
Also: NIS2, NIS 2
NIS2 is the updated EU cybersecurity directive that replaced the original Network and Information Security Directive. It broadens the scope of regulated sectors to include energy, transport, health, digital infrastructure, public administration, ICT service management, and others. Organizations classified as essential or important entities under the directive must implement risk management measures and report significant cybersecurity incidents.
The directive requires multi-factor authentication or continuous authentication for access to critical systems, supply chain security assessments, incident handling procedures, and business continuity planning. It also introduces personal accountability for management bodies, who must approve cybersecurity risk management measures and can be held liable for non-compliance.
Member states transpose the directive into national law, so specific requirements may vary. Penalties for non-compliance can reach a percentage of annual turnover.
For CIAM, NIS2 is relevant when customer-facing systems are part of critical infrastructure. The directive’s authentication and access control requirements directly shape how the identity platform must be configured and monitored.
Sources
- Directive (EU) 2022/2555 (NIS2): https://eur-lex.europa.eu/eli/dir/2022/2555/oj
Related terms
Standards
- Directive (EU) 2022/2555