May 18, 2023
In 2016, the European Commission instituted the first European Union (EU) cybersecurity initiative, the Directive on Security of Network and Information Systems 2016/1148 (NIS Directive). Although the NIS Directive enhanced the EU’s cyber resilience, Member States implemented it differently, leading to fragmented requirements, supervision, and enforcement. In 2020, the Commission reviewed the NIS Directive and decided to update it. As a result, the EU Parliament passed Directive 2022/2555 (NIS2), repealing the original NIS Directive and amending Regulation No 910/2014.
The regulatory framework of NIS2 has to be passed into national law by Member States by October 17, 2024. Therefore, organizations should allocate enough time to evaluate solutions and design security strategies and architectures accordingly. As Member States adopt NIS2 implementing acts, organizations should understand where mobile device security fits into their broader compliance requirements.
What is the NIS2 Directive and its Objective?
NIS2 formalizes the requirements that Member States need to have in their cybersecurity laws.
Building on the original NIS Directive, NIS2 standardizes the requirements that Member State implementing acts must contain, responding to the interconnectedness and interdependence that digital transformation creates. Taking an “all-hazards” approach, Article 21 sets out baseline security measures for networks, information systems, and their physical environment, which shall include at least:
Policies on risk analysis and information system security
Incident handling
Supply chain security
Policies and procedures to assess the effectiveness of cybersecurity risk management measures
Policies and procedures regarding the use of cryptography and encryption
Incident Reporting Obligations
To minimize an incident’s impact across interconnected geographic and supply chain technologies, Article 23 establishes strict notification requirements. Covered entities will have to notify the national Computer Security Incident Response Team (CSIRT) or other competent authority of significant incidents, providing detailed notifications within 72 hours that include:
Whether the incident is suspected to be caused by unlawful or malicious acts, or could have a cross-border impact
An initial assessment, including severity, impact, and known indicators of compromise
Significant incidents are defined as:
Causing or capable of causing severe operational service disruption or financial loss for the involved entity
Affecting or capable of affecting a natural or legal person by causing considerable material or non-material damages
NIS2 supersedes the General Data Protection Regulation (GDPR) notification requirements. Critics also argue that reporting obligations with such short timeframes will harm the overall cybersecurity posture, since it is often impossible to gain a clear understanding of the threat situation in under 72 hours.
Where does NIS2 Discuss Mobile Device Security?
In Article 6, NIS2 defines “network and information system” as:
“any device or group of interconnected or related devices, one or more of which, pursuant to a program, carry out automatic processing of digital data”
As such, NIS2 extends to mobile devices such as smartphones and tablets.
Who Will Need to Comply with NIS2 Implementing Acts?
Public and private entities across the following sectors, as defined in NIS2’s Annex I and Annex II, will have to comply with their Member State’s implementing act:
Energy, including electricity, district heating and cooling, oil, gas, and hydrogen
Transport, including air, rail, water, and road
Banking
Financial market infrastructures
Health
Drinking water
Waste water
Digital infrastructure
ICT service management (business-to-business)
Public administration
Space
Postal and courier services
Waste management
Manufacture, production, and distribution of chemicals
Production, processing, and distribution of food
Manufacturing, including medical devices, computers, electronics, optical products, electrical equipment, machinery and equipment, motor vehicles, trailers, semi-trailers, and other transport equipment
Digital providers of online marketplaces, search engines, and social networking services
Research
Critical entities as defined under Directive (EU) 2022/2557
Entities providing domain name registration services
While NIS2 focuses on medium and large entities, it notes that companies of any size will have to comply with the implementing acts if service disruption could:
Undermine critical societal or economic activities
Harm public safety, security, or health
Create a significant system risk, especially one with a cross-border impact
Cause damage arising from an entity’s importance at a national or regional level
Compromise services because of an entity’s role in public administration
Meeting NIS2 Requirements with Mobile Threat Defense (MTD)
For organizations considered Operators of Essential Services (OES) or Digital Services Providers (DSP), securing mobile devices will be fundamental to complying with several NIS2 implementing act requirements.
Mobile Threat Defense fills the security gap that Mobile Device Management (MDM) and Mobile Application Management (MAM) leave behind.
MDM is good at establishing perimeters through device configurations but lacks robust capabilities for detecting app vulnerabilities, malware, and malicious apps, often relying on third-party tools.
MAM focuses exclusively on apps, with capabilities that enable companies to protect both user-owned and fully managed devices. However, it does not provide proactive cybersecurity measures that cover all attack vectors.
MTD is essential for a proactive security-first strategy for NIS2 compliance. MTD covers all major attack vectors and supplies the necessary forensic data to fulfill incident reporting obligations. Further, a robust MTD enables organizations to implement cryptography and encryption across all mobile devices.
Continuous Monitoring to Identify Threats
Compromised mobile devices introduce network and access control risks that undermine information security programs.
With MTD, organizations gain visibility into known and unknown risks and threats like:
Advanced threats
Mobile phishing attacks
Real-time device health
Cloud application security
Malicious applications downloaded from untrusted sources
With these capabilities, OES and DSP entities incorporate mobile device security that enables comprehensive:
Risk analyses: identify and mitigate risks associated with employee-owned devices
Information security policies: establish baselines for mobile devices, including smartphones and tablets
Supply chain security: mitigate risks arising from shadow IT by marking risky or banned apps as Out Of Compliance (OOC)
Access control policies: implement conditional access for risky devices and mitigate risks arising from app access to resources
Cybersecurity training: reinforce employee awareness training using behavioral and machine learning that detects device, network, phishing, and application mobile attacks, even when a device is not connected to the network
Blocking Known and Unknown Threats
With MTD, OES and DSP entities can implement state-of-the-art cybersecurity risk management measures that automate activities such as blocking:
OOC app-specific domains
Malicious links from loading
Unauthorized access to resources
Enforcing Conditional Access Controls
Much of NIS2 responds to new risks arising from digital transformation, noting that Member States should take relevant European and international standards into account. Increasingly, international standards focus on zero-trust architectures. MTD supports these initiatives by enforcing security and access controls on mobile devices.
With MTD, OES and DSP entities can set and enforce robust conditional access policies that limit device access to resources after the following:
Scanning for known and unknown malware, device exploits, and phishing attacks
Verifying that device configurations conform to security policies
Providing attestation for the whole device without requiring a persistent internet connection or installing an agent
Reporting Details of Significant Incidents
With MTD, OES and DSP entities have deep forensic data on the device, its network connections, and malicious applications, enabling their security operations teams to comply with NIS2’s technical reporting requirements. This forensic data gives entities the information necessary to meet the 24- and 72-hour reporting requirements for incidents such as:
Attacks against an app or OS software, such as side-loaded apps
Attacks via wireless networks
Malicious links embedded in SMS-phishing attacks
With this information, they can supply initial assessments that incorporate indicators of compromise associated with attacks that use mobile devices as the primary vector.
Zimperium MTD™ for Comprehensive Security and Compliance
Zimperium Mobile Threat Defense (MTD) – formerly known as zIPS – is a privacy-first mobile security solution that provides comprehensive mobile security for organizations. Zimperium MTD protects an employee’s corporate-owned or BYOD device from advanced persistent threats without sacrificing privacy or personal data.
Zimperium MTD can help organizations identify which mobile devices have risky or banned apps by pinpointing the servers these apps connect to and blocking the apps and browsers from sending data off the device to those domains. In addition, by leveraging zero-touch activation, Zimperium MTD can automatically enforce conditional access controls as part of a zero-trust strategy, preventing the use of enterprise apps and access to sensitive corporate data while these banned apps are installed.
Zimperium MTD is the only on-device mobile security solution that protects against the latest zero-day attacks. As the mobile attack surface expands and evolves, so does Zimperium’s dynamic on-device threat detection. Zimperium MTD detects across all four threat categories — device compromises, network attacks, phishing and content, and malicious apps.
To raise your mobile cybersecurity posture and to prepare for NIS2 compliance in time, contact us at CAYES for more information and advice.