NIS2 - Applying the New NIS Directive to Mobile Devices

In 2016, the European Commission instituted the first European Union (EU) cybersecurity initiative, the Directive on Security of Network and Information Systems 2016/1148 (NIS Directive). Although the NIS Directive enhanced the EU’s cyber resilience, Member States implemented it differently, leading to fragmented requirements, supervision, and enforcement. In 2020, the Commission reviewed the NIS Directive and decided to update it. As a result, the EU Parliament passed Directive 2022/2555 (NIS2), repealing the original NIS Directive and amending Regulation No 910/2014.

The regulatory framework of NIS2 has to be passed into national law by Member States by October 17, 2024. Therefore, organizations should allocate enough time to evaluate solutions and design security strategies and architectures accordingly. As Member States adopt NIS2 implementing acts, organizations should understand where mobile device security fits into their broader compliance requirements.

What is the NIS2 Directive and its Objective?

NIS2 formalizes the requirements that Member States need to have in their cybersecurity laws.

Building on this foundation, NIS2 standardizes the requirements that member state implementing acts must have, responding to the digital interconnectedness and interdependence that digital transformation creates. Taking an “all-hazards” approach, Article 21 sets out basic network, information system, and physical environment security measures that shall include at least:

• Policies on risk analysis and information system security
• Incident handling
• Supply chain security
• Policies and procedures to assess the effectiveness of cybersecurity risk management measures
• Policies and procedures regarding the use of cryptography and encryption

Incident Reporting Obligations

To minimize an incident’s impact across interconnected geographic and supply chain technologies, Article 23 establishes strict notification requirements. Covered entities will have to provide the national Computer Security Incident Response Team (CSIRT) or other competent authority about significant incidents, requiring organizations to provide detailed notifications within 72 hours that include:

• Potential unlawful or malicious acts or cross-border impact
• An initial assessment, including severity, impact, and known indicators of compromise

Significant incidents are defined as:

• Causing or capable of causing severe operational service disruption or financial loss for the involved entity
• Affecting or capable of affecting a natural or legal person by causing considerable material or non-material damages

NIS2 supersedes the General Data Protection Regulation (GDPR) notification requirements. Additionally, opponents are stating that reporting obligations with such short timeframes will have adverse effects on the overall cybersecurity posture as it is often impossible to gain a clear understanding of the threat situation within less than 72 hours.

Where does NIS2 Discuss Mobile Device Security?

In Article 6, NIS2 defines “network and information system” as:

“any device or group of interconnected or related devices, one or more of which, pursuant to a program, carry out automatic processing of digital data”

As such, NIS2 extends to mobile devices such as smartphones and tablets.

Who Will Need to Comply with NIS2 Implementing Acts?

Public and private entities across the following sectors, as defined in NIS2’s Annex I and Annex II, will have to comply with their Member State’s implementing act:

• Energy, including electricity, district heating and cooling, oil, gas, and hydrogen
• Transport, including air, rail, water, and road
• Banking
• Financial market infrastructures
• Health
• Drinking water
• Waste water
• Digital infrastructure
• ICT service management (business-to-business)
• Public administration
• Space
• Postal and courier services
• Waste management
• Manufacture, production, and distribution of chemicals
• Production, processing, and distribution of food
• Manufacturing, including medical devices, computers, electronics, optical products, electrical equipment, machinery and equipment, motor vehicles, trailers, semi-trailers, and other transport equipment
• Digital providers of online marketplaces, search engines, and social networking services
• Research
• Critical entities as defined under Directive (EU) 2022/2557
• Entities providing domain name registration services

While NIS2 focuses on medium and large entities, it notes that companies of any size will have to comply with the implementing acts if service disruption could:

• Undermine critical societal or economic activities
• Harm public safety, security, or health
• Create a significant system risk, especially one with a cross-border impact
• Cause damage arising from an entity’s importance at a national or regional level
• Compromise services because of an entity’s role in public administration

Meeting NIS2 Requirement with Mobile Threat Defense (MTD)

For organizations considered Operators of Essential Services (OES) or Digital Services Providers (DSP), securing mobile devices will be fundamental to complying with several NIS2 implementing act requirements.

Mobile Threat Defense fills the security gap that Mobile Device Management (MDM) and Mobile Application Management (MAM) leave behind.

MDM is good at establishing perimeters through device configurations but lacks robust capabilities for detecting app vulnerabilities, malware, and malicious apps, often relying on third-party tools.

MAM exclusively focuses on apps with capabilities that enable companies to protect both user-owned and fully managed devices. However, they fail to provide proactive cybersecurity measures to safeguard all attack vectors.

MTD is essential for a proactive security-first strategy for NIS2 compliance. MTD covers all major attack vectors and supplies the necessary forensic data to fulfill incident reporting obligations. Further, a robust MTD enables organizations to implement cryptography and encryption across all mobile devices.

Continuous Monitoring to Identify Threats

Compromised mobile devices introduce network and access control risks that undermine information security programs.

With MTD, organizations gain visibility into known and unknown risks and threats like:

• Advanced threats
• Mobile phishing attacks
• Real-time device health
• Cloud application security
• Malicious applications downloaded from untrusted sources

With these capabilities, OES and DSP entities incorporate mobile device security that enables comprehensive:

• Risk analyses: identify and mitigate risks associated with employee-owned devices
• Information security policies: establish baselines for mobile devices, including smartphones and tablets
• Supply chain security: mitigate risks arising from shadow IT by marking risky or banned apps as Out Of Compliance (OOC)
• Access control policies: implement conditional access for risky devices and mitigate risks arising from app access to resources
• Cybersecurity training: reinforce employee awareness training using behavioral and machine learning that detects device, network, phishing, and application mobile attacks, even when a device is not connected to the network

Blocking Known and Unknown Threats

With MTD, OES, and DSP, entities can implement state-of-the-art cybersecurity risk management measures that automate activities like blocking:

• OOC app-specific domains
• Malicious links from loading
• Unauthorized access to resources

Enforcing Conditional Access Controls

Much of NIS2 responds to new risks arising from digital transformation, noting that Member States should take relevant European and international standards into account. Increasingly, international standards focus on zero-trust architectures. MTD supports these initiatives by enforcing security and access controls on mobile devices.

With MTD, OES and DSP entities can set and enforce robust conditional access policies that limit device access to resources after the following:

• Scanning for known and unknown malware, device exploits, and phishing attacks
• Verifying that device configurations conform to security policies
• Providing attestation for the whole device without requiring a persistent internet connection or installing an agent

Reporting Details of Significant Incidents

With MTD, OES and DSP entities have deep forensic data on the device, network connections, and malicious applications that enable their security operations teams to comply with NIS2’s technical reporting requirements. With this forensic data, entities have the information necessary for meeting 24- and 72-hour reporting requirements, such as:

• Attacks against an app or OS software, such as side-loaded apps
• Attacks via wireless networks
• Malicious links embedded in SMS-phishing attacks

With this information, they can supply initial assessments that incorporate indicators of compromise associated with attacks that use mobile devices as the primary vector.

Zimperium MTD™ for Comprehensive Security and Compliance

Zimperium Mobile Threat Defense (MTD) – formerly known as zIPS – is a privacy-first mobile security solution that provides comprehensive mobile security for organizations. Zimperium MTD protects an employee’s corporate-owned or BYOD from advanced persistent threats without sacrificing privacy or personal data.

Zimperium MTD can help organizations identify which mobile devices have risky or banned apps by pinpointing what servers these apps are connecting to and blocking these apps and browsers from sending data off the device to the domains to which the app connects. In addition, by leveraging zero-touch activation, Zimperium MTD can automatically enforce conditional access controls as part of a zero-trust strategy, which prevents the use of enterprise apps and access to sensitive corporate data while these banned apps are installed.

Zimperium MTD is the only on-device mobile security solution that protects against the latest zero-day attacks. As the mobile attack surface expands and evolves, so does Zimperium’s dynamic on-device threat detection. Zimperium MTD detects across all four threat categories — device compromises, network attacks, phishing and content, and malicious apps.

To raise your mobile cybersecurity posture and to prepare for NIS2 compliance in time, contact us today.