Over 100,00 organizations are expected to be impacted by Network and Information Security Directive (NIS2) cybersecurity standards that European Union (EU) member states must implement by October 2024. [i]\n\nNIS2 was adopted in early 2023 as a response to increasing digitalization and rising cybersecurity threats stemming from the COVID-19 pandemic and the Russia-Ukraine War. NIS2 regulations expand on previous directives, most notably by broadening the scope of organizations subject to its cybersecurity requirements.\n\nUnder NIS2, any organization (1) with more than 50 employees or 10M Euro in annual revenue and (2) in a sector categorized as \u201cessential and important entities\u201d must comply with NIS2 directives. Sectors now subject to NIS2 compliance include food production, processing, and distribution; postal and courier services; and manufacturing and digital providers. [ii] (Organizations within sectors subject to previous NIS directive requirements must also comply with NIS2 mandates; those sectors include healthcare, banking and finance, and transportation.)\n\nZero Trust is a NIS2 requirement\n\nPreamble 89 of the NIS2 directive outlines a variety of requirements for \u201cBasic Cyber Hygiene,\u201d including the adoption of Zero Trust principles. [iii]\n\nZero Trust principles require users and devices to prove their trustworthiness to gain access to the resources they need to do their jobs or fulfill their functions. This concept of least-privilege access is fundamental to Zero Trust Security practices.\n\nZero Trust Security also requires continuous monitoring of users and devices. Trustworthiness is constantly re-evaluated, and if a user or device begins to act suspiciously or in a fashion inconsistent with their role, their access may be limited or revoked. This limited and dynamically assessed role-based access security can help minimize and even prevent lateral spread of attacks.\n\nThe NIS2 requirement to adopt Zero Trust principles reflects the shortcomings of models based on implicit trust. For example, network security approaches focused primarily on protecting the perimeter grant broad access to users on corporate networks and corporate devices because they are implicitly trusted. Given rising IoT adoption, erosion of the corporate perimeter due to work-from-everywhere, and increasingly sophisticated threats that exploit \u201ctrusted\u201d users and devices for malicious purposes, these security approaches can expose the organization to greater risk.\n\nZero Trust network security offers cybersecurity benefits vs. traditional perimeter-based network security models.\n\nOvercoming challenges with Zero Trust adoption\n\nEnforcement of least-privilege access and continuous monitoring are foundational to Zero Trust Security architectures, yet many organizations struggle to implement these practices.\n\nAccording to research independently conducted by leading security research firm Ponemon Institute and sponsored by Hewlett Packard Enterprise, slightly less than half of organizations (49%) have not yet implemented Zero Trust Security. 19% of respondents believed that the adoption of Zero Trust was a \u201cgoal that will take time.\u201d [iv]\n\nAccording to the Ponemon report, one of the factors that slows down Zero Trust adoption is the lack of integration between tools. Access controls are often fragmented across multiple platforms that are not integrated, making it difficult to establish and enforce consistent policy without added complexity or inadvertent security gaps.\n\nHPE Aruba Networking makes it easier for organizations to adopt Zero Trust capabilities with its HPE Aruba Networking Central NetConductor cloud-native network automation and orchestration solution. Central NetConductor includes all the tools organizations need to deploy, configure, and operate networks that support Zero Trust Security strategies.\n\nAssessing Zero Trust adoption for NIS2 compliance\n\nWith the NIS2 compliance deadline looming, it can be helpful to assess current levels of cybersecurity implementation.\n\nConsider using this Zero Trust Security checklist adapted from the guide, Implementing Identity-based Zero Trust and SASE Architectures, to start your assessment:\n\nFive core capabilities\u2014visibility, authentication and authorization, role-based access, conditional monitoring, and enforcement and response\u2014form the foundation of Zero Trust Security.\n\nResources to help with Zero Trust adoption\n\nNewly subject to NIS2 directives and need to learn more about Zero Trust? Here are some resources that can help you gain a better understanding of Zero Trust Security principles.\n\nThis blog was published on blogs.arubanetworks.com on\u00a08\/30\/2023.\n\n***\n\n[i] Sievers, T. Proposal for a NIS directive 2.0: companies covered by the extended scope of application and their obligations. Int. Cybersecur. Law Rev. 2, 223\u2013231 (2021). https:\/\/doi.org\/10.1365\/s43439-021-00033-8 (#Fn19)\n\n[ii] Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016\/1148. European Union.\n\n[iii] Directive (EU) 2022\/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910\/2014 and Directive (EU) 2018\/1972, and repealing Directive (EU) 2016\/1148 (NIS 2 Directive). European Union.\n\n[iv] The 2023 Global Study on Closing the IT Security Gap: Addressing Cybersecurity Gaps from Edge to Cloud. Ponemon Institute. March 2023.