NIS2 Guide

9.3: Review of cryptographic measures

The relevant entities shall review and, where appropriate, update their policy and procedures at planned intervals, taking into account the state of the art in cryptography.

Related tasks

No items found.

9.1: Cryptography policy and procedures

For the purpose of Article 21(2), point (h) of Directive (EU) 2022/2555, the relevant entities shall establish, implement and apply a policy and procedures related to cryptography, with a view to ensuring adequate and effective use of cryptography to protect the confidentiality, authenticity and integrity of data in line with the relevant entities’ asset classification and the results of the risk assessment carried out pursuant to point 2.1.

Related tasks

Verifying achieved protection level from used cryptographic procedures

Critical

High

Normal

Low

Encryption

General, risk-based encryption policy

Critical

High

Normal

Low

Encryption

Considering encryption and cryptographic key management in risk management procedures

Critical

High

Normal

Low

Encryption

11.1: Access control policy

1. For the purpose of Article 21(2), point (i) of Directive (EU) 2022/2555, the relevant entities shall establish, document and implement logical and physical access control policies for the access to their network and information systems, based on business requirements as well as network and information system security requirements.

2. The policies referred to in point 11.1.1. shall:

address access by persons, including staff, visitors, and external entities such as suppliers and service providers;
address access by network and information systems;
ensure that access is only granted to users that have been adequately authenticated.

3. The relevant entities shall review and, where appropriate, update the policies at planned intervals and when significant incidents or significant changes to operations or risks occur.

Related tasks

Control of physical and logical access

Critical

High

Normal

Low

Defining and documenting access roles

Critical

High

Normal

Low

Creating and maintaining an access control policy

Critical

High

Normal

Low

11.5: Identification

1. The relevant entities shall manage the full life cycle of identities of network and information systems and their users.

2. For that purpose, the relevant entities shall:

set up unique identities for network and information systems and their users;
link the identity of users to a single person;
ensure oversight of identities of network and information systems;
apply logging to the management of identities.

3. The relevant entities shall only permit identities assigned to multiple persons, such as shared identities, where they are necessary for business or operational reasons and are subject to an explicit approval process and documentation. The relevant entities shall take identities assigned to multiple persons into account in the cybersecurity risk management framework referred to in point 2.1.

4. The relevant entities shall regularly review the identities for network and information systems and their users and, if no longer needed, deactivate them without delay.

Related tasks

Management of device and system identities

Critical

High

Normal

Low

Management of identification and access methods

Critical

High

Normal

Low

Avoiding and documenting shared user accounts

Critical

High

Normal

Low

Using unique user names

Critical

High

Normal

Low

Authentication of identities and binding to user data

Critical

High

Normal

Low

11.7: Multi-factor authentication

1. The relevant entities shall ensure that users are authenticated by multiple authentication factors or continuous authentication mechanisms for accessing the relevant entities’ network and information systems, where appropriate, in accordance with the classification of the asset to be accessed.

2. The relevant entities shall ensure that the strength of authentication is appropriate for the classification of the asset to be accessed.

Related tasks

No items found.

11.6: Authentication

1. The relevant entities shall implement secure authentication procedures and technologies based on access restrictions and the policy on access control.

2. For that purpose, the relevant entities shall:

ensure the strength of authentication is appropriate to the classification of the asset to be accessed;
control the allocation to users and management of secret authentication information by a process that ensures the confidentiality of the information, including advising personnel on appropriate handling of authentication information;
require the change of authentication credentials initially, at predefined intervals and upon suspicion that the credentials were compromised;
require the reset of authentication credentials and the blocking of users after a predefined number of unsuccessful log-in attempts;
terminate inactive sessions after a predefined period of inactivity; and
require separate credentials to access privileged access or administrative accounts.

3. The relevant entities shall to the extent feasible use state-of-the-art authentication methods, in accordance with the associated assessed risk and the classification of the asset to be accessed, and unique authentication information.

4. The relevant entities shall review the authentication procedures and technologies at planned intervals.

Related tasks

Centralizing network authentication, authorization, and auditing (AAA)

Critical

High

Normal

Low

Network security

Defining and documenting accepted authentication methods

Critical

High

Normal

Low

Use of dedicated admin accounts in critical data systems

Critical

High

Normal

Low

Enabling multi-factor authentication for all users

Critical

High

Normal

Low

Personnel guidelines for safe data system and authentication info usage

Critical

High

Normal

Low

Data system management

Maintaining chosen theme-specific policy documents

Critical

High

Normal

Low

11.2: Management of access rights

1. The relevant entities shall provide, modify, remove and document access rights to network and information systems in accordance with the access control policy referred to in point 11.1.

2. The relevant entities shall:

assign and revoke access rights based on the principles of need-to-know, least privilege and separation of duties;
ensure that access rights are modified accordingly upon termination or change of employment;
ensure that access to network and information systems is authorised by the relevant persons;
ensure that access rights appropriately address third-party access, such as visitors, suppliers and service providers, in particular by limiting access rights in scope and in duration;
maintain a register of access rights granted;
apply logging to the management of access rights.

3. The relevant entities shall review access rights at planned intervals and shall modify them based on organisational changes. The relevant entities shall document the results of the review including the necessary changes of access rights.

Related tasks

No items found.

11.4: Administration systems

1. The relevant entities shall restrict and control the use of system administration systems in accordance with the access control policy referred to in point 11.1.

2. For that purpose, the relevant entities shall:

only use system administration systems for system administration purposes, and not for any other operations;
separate logically such systems from application software not used for system administrative purposes,
protect access to system administration systems through authentication and encryption.

Related tasks

No items found.

11.3: Privileged accounts and system administration accounts

1. The relevant entities shall maintain policies for management of privileged accounts and system administration accounts as part of the access control policy referred to in point 11.1.

2. The policies referred to in point 11.3.1 shall:

establish strong identification, authentication such as multi-factor authentication, and authorisation procedures for privileged accounts and system administration accounts;
set up specific accounts to be used for system administration operations exclusively, such as installation, configuration, management or maintenance;
individualise and restrict system administration privileges to the highest extent possible,
provide that system administration accounts are only used to connect to system administration systems.

3. The relevant entities shall review access rights of privileged accounts and system administration accounts at planned intervals and be modified based on organisational changes, and shall document the results of the review, including the necessary changes of access rights.

Related tasks

Regular reviews of the account administration policy

Critical

High

Normal

Low

Periodic review of access rights

Critical

High

Normal

Low

Assigning roles related to access management and managing privileged access

Critical

High

Normal

Low

Regular reviewing of data system access rights

Critical

High

Normal

Low

Using multi-factor authentication for admins

Critical

High

Normal

Low

Use of dedicated admin accounts in critical data systems

Critical

High

Normal

Low

Rules and formal management process for admin rights

Critical

High

Normal

Low

10.1: Human resources security

1. For the purpose of Article 21(2), point (i) of Directive (EU) 2022/2555, the relevant entities shall ensure that their employees and direct suppliers and service providers, wherever applicable, understand and commit to their security responsibilities, as appropriate for the offered services and the job and in line with the relevant entities’ policy on the security of network and information systems.

2. The requirement referred to in point 10.1.1 shall include the following:

mechanisms to ensure that all employees, direct suppliers and service providers, wherever applicable, understand and follow the standard cyber hygiene practices that the relevant entities apply pursuant to point 8.1;
mechanisms to ensure that all users with administrative or privileged access are aware of and act in accordance with their roles, responsibilities and authorities;
mechanisms to ensure that members of management bodies understand and act in accordance with their role, responsibilities and authorities regarding network and information system security;
mechanisms for hiring personnel qualified for the respective roles, such as reference checks, vetting procedures, validation of certifications, or written tests.

3. The relevant entities shall review the assignment of personnel to specific roles as referred to in point 1.2, as well as their commitment of human resources in that regard, at planned intervals and at least annually. They shall update the assignment where necessary.

Related tasks

Ensuring supply chain security

Critical

High

Normal

Low

Supplier security

Defining security roles and responsibilities

Critical

High

Normal

Low

Disciplinary process for security breaches

Critical

High

Normal

Low

Maintaining confidentiality agreements

Critical

High

Normal

Low

Defining cyber security responsibilities and tasks in employment contracts

Critical

High

Normal

Low

Changes in employment relationships

Screenings and background checks before recruitment

Critical

High

Normal

Low

Staff guidance and training procedure in cyber security

Critical

High

Normal

Low

Cyber security training

General security guidelines for staff

Critical

High

Normal

Low

Security guidelines

Reminding personnel about their cyber security responsibilities

Critical

High

Normal

Low

Cyber security training

10.4: Disciplinary process

1. The relevant entities shall establish, communicate and maintain a disciplinary process for handling violations of network and information system security policies. The process shall take into consideration relevant legal, statutory, contractual and business requirements.

2. The relevant entities shall review and, where appropriate, update the disciplinary process at planned intervals, and when necessary due to legal changes or significant changes to operations or risks.

Related tasks

Disciplinary process for non-conformance

Critical

High

Normal

Low

Disciplinary process for security breaches

Critical

High

Normal

Low

Maintaining chosen theme-specific policy documents

Critical

High

Normal

Low

10.3: Termination or change of employment procedures

1. The relevant entities shall ensure that network and information system security responsibilities and duties that remain valid after termination or change of employment of their employees are contractually defined and enforced.

2. For the purpose of point 10.3.1, the relevant entities shall include in the individual’s terms and conditions of employment, contract or agreement the responsibilities and duties that are still valid after termination of employment or contract, such as confidentiality clauses.

Related tasks

No items found.

Changes in employment relationships

10.2: Verification of background

1. The relevant entities shall ensure to the extent feasible verification of the background of their employees, and where applicable of direct suppliers and service providers in accordance with point 5.1.4, if necessary for their role, responsibilities and authorisations.

2. For the purpose of point 10.2.1, the relevant entities shall:

put in place criteria, which set out which roles, responsibilities and authorities shall only be exercised by persons whose background has been verified;
ensure that verification referred to in point 10.2.1 is performed on these persons before they start exercising these roles, responsibilities and authorities, which shall take into consideration the applicable laws, regulations, and ethics in proportion to the business requirements, the asset classification as referred to in point 12.1 and the network and information systems to be accessed, and the perceived risks.

3. The relevant entities shall review and, where appropriate, update the policy at planned intervals and update it where necessary.

Related tasks

Policy for personnel background checks

Critical

High

Normal

Low

Screenings and background checks before recruitment

Critical

High

Normal

Low

Changes in employment relationships

Implementation and documentation of management reviews

Critical

High

Normal

Low

Security roles, responsibilities, and objectives derived from the organization's goals

Critical

High

Normal

Low

2.1.4: Review of risk assessments and treatment plans

The relevant entities shall review and, where appropriate, update the risk assessment results and the risk treatment plan at planned intervals and at least annually, and when significant changes to operations or risks or significant incidents occur.

Related tasks

Regular review of the cyber security risk documentation

Critical

High

Normal

Low

Documentation of risk assessment

Critical

High

Normal

Low

Risk management procedure -report publishing and maintenance

Critical

High

Normal

Low

Risk management

2.3: Independent review of information and network security

1. The relevant entities shall review independently their approach to managing network and information system security and its implementation including people, processes and technologies.

2. The relevant entities shall develop and maintain processes to conduct independent reviews which shall be carried out by individuals with appropriate audit competence. Where the independent review is conducted by staff members of the relevant entity, the persons conducting the reviews shall not be in the line of authority of the personnel of the area under review. If the size of the relevant entities does not allow such separation of line of authority, the relevant entities shall put in place alternative measures to guarantee the impartiality of the reviews.

3. The results of the independent reviews, including the results from the compliance monitoring pursuant to point 2.2 and the monitoring and measurement pursuant to point 7, shall be reported to the management bodies. Corrective actions shall be taken or residual risk accepted according to the relevant entities’ risk acceptance criteria.

4. The independent reviews shall take place at planned intervals and when significant incidents or significant changes to operations or risks occur.

Related tasks

No items found.