The NIS 2 Directive: What Changes in Security Management for Companies
The Legislative Decree No. 138, which transposes Directive (EU) 2022/2555, known as NIS2, was officially published in the Official Gazette and came into force on October 16, 2024.
The NIS2 Directive represents a significant regulatory change for the cybersecurity of European companies. Its primary goal is to enhance the resilience and protection of networks and information systems. It applies to companies and public or private entities operating within the EU.
The new Directive updates the previous NIS (Network and Information Security) Directive, adopted in 2016, which required revision due to the increasing complexity of cyberattacks.
What is the NIS2 Directive?
The NIS2 Directive is a European Union regulation designed to strengthen cybersecurity in member states. Compared to the previous NIS Directive, NIS2 expands its scope and introduces stricter requirements regarding risk management, incident reporting, and corporate accountability.
NIS2 requires companies to collaborate with authorities and other businesses across Europe to share information and best practices in cybersecurity. This aims to ensure a more coordinated and effective response to threats that cross national borders.
The aim is to establish common standards within the Union on cybersecurity issues, working synergistically with other regulations such as the GDPR and the Cyber Resilience Act.
NIS2 obligates companies to raise their security standards and adopt advanced solutions such as Single Sign-On (SSO) and Multi-Factor Authentication (MFA), which are essential for protecting access to information systems.
In Italy, the government-designated authority responsible for coordinating cybersecurity activities and implementing the regulation is the ACN (National Cybersecurity Agency).
NIS 2: Who is the target
The NIS2 Directive targets essential entities and important entities, differentiated based on the criticality of the services they provide and their size.
Who are essential entities
Essential entities are companies operating in the highly critical sectors listed in Annex 1 of the Directive that meet at least one of the following criteria:
- More than 250 employees;
- Annual revenue exceeding 50 million euros.
Who are important entities
Important entities are medium-sized enterprises, meaning those with more than 50 employees, that play a significant role in strategic or critical sectors (Annex 1 and Annex 2).
However, it is specified that entities with fewer than 50 employees or lower revenue can also be classified as essential or important if they operate in critical sectors or if their disruption could have a significant impact on security or the economy.
For full details, refer to the complete text published in the Official Gazette.
The obligations of the Directive
Risk management
Companies must implement adequate security measures to manage risks related to the security of networks and information systems.
Incident reporting
It is mandatory to report security incidents to the competent authorities by:
- Sending a preliminary alert to the CSIRT (Computer Security Incident Response Team) within 24 hours;
- Submitting an official notification within 72 hours of the cybersecurity incident.
Security Assessment and Business Continuity
Companies are required to perform regular risk assessments and implement appropriate mitigation measures. Additionally, they must define plans to ensure the operational continuity of critical services even in the event of significant incidents.
Training and Awareness
Companies must provide ongoing cybersecurity training for employees. Furthermore, greater accountability is introduced for executives, as members of boards of directors are directly responsible for compliance with security regulations and may face penalties in cases of non-compliance.
Who Is Required to Comply with NIS2
The NIS2 Directive applies mandatorily to a broad range of companies in both the public and private sectors that, as noted earlier, fall into the categories of Essential Entities or Important Entities. Specifically, the following are considered highly critical sectors:
- Energy (electricity, gas, oil)
- Transportation (air, rail, maritime, road)
- Healthcare (hospitals, laboratories, healthcare centers)
- Public Administration
- Digital Infrastructure (telecommunication networks, data centers)
- Financial Services (banks, financial market operators)
- Postal Services
- Water Supply and Wastewater Management
- Digital Service Providers (cloud services, online platforms, search engines)
- Critical Infrastructure Providers (including companies supporting essential sectors like telecommunications)
Additionally, other critical sectors listed in Annex 2 include:
- Food (companies producing and distributing food, particularly those involved in large-scale supply).
- Waste Management (collection, treatment, and disposal).
- Manufacturing (producers of medical devices, machinery, vehicles, and electrical/electronic devices).
- Chemical (production and supply of chemical products).
- Space (satellite operators, space services).
Companies with fewer than 50 employees may also fall under the scope of NIS2 if they are the unique provider of an essential service in a Member State or if a disruption in their service could significantly impact public or national security or health.
Furthermore, Public Administrations are all subject to the Directive’s provisions, regardless of size, except those engaged in activities related to national security, defense, public order, and crime prevention.
Sanctions under the NIS2 Directive
The specific sanctions and enforcement procedures may vary depending on the national regulations adopted by different Member States in implementation of the NIS2 Directive. In general, the sanctions that may be imposed include:
- Administrative sanctions: Fines of varying amounts depending on the severity of the violation and the size of the company.
- Financial penalties: In addition to administrative sanctions, further financial penalties may be imposed.
- Sanctions for non-compliance: If a company fails to meet security requirements or does not report violations within the established timeframes, it may face more severe sanctions.
- Suspension of services: Temporary suspension of services provided by a non-compliant company or entity.
- Publication of violations: In specific cases or when deemed appropriate, authorities may decide to make violations public.
Single Sign-On (SSO) and Multi-Factor Authentication (MFA)
The NIS2 Directive encourages the use of Single Sign-On (SSO) systems to simplify and strengthen access management and Multi-Factor Authentication (MFA) to ensure that access to business systems is protected by multiple layers of security, reducing the risk of unauthorized access through credential theft.
SSO allows users to authenticate once to access multiple services, improving both security and operational efficiency.
MFA, on the other hand, adds an extra layer of security by requiring multiple forms of verification (e.g., a password plus a code sent via phone or biometrics).
Combined Use of SSO and MFA
The combined use of SSO and MFA is often overlooked, despite how much this practice can strengthen security. It ensures that even if the credentials used for Single Sign-On are compromised, an attacker would still need to bypass the MFA. The combined use of both systems provides two advantages:
- The convenience of Single Sign-On for the user experience.
- Additional security assurance through Multi-Factor Authentication.
IAM Systems in NIS2 Directive
What Are IAM Systems (Identity and Access Management)
A key aspect of the European NIS2 Directive focuses on managing identities and access within organizations, known as Identity and Access Management (IAM).
IAM systems are technological solutions designed to securely and centrally manage the digital identities of users within an organization. These tools oversee the entire system of access rights, which is especially important for safeguarding cloud infrastructures.
Furthermore, IAM systems control user access to company systems, applications, and resources by verifying identities and permissions. They enable administrators to monitor user activity, generate reports, and enforce policies to ensure compliance with current regulations, including the NIS2 Directive.
A properly configured IAM system protects sensitive data and proprietary company information, strengthening overall security.
The Goal of an Identity and Access Management System
The primary goal of an Identity and Access Management (IAM) system is to ensure that only authorized individuals can access the technological resources they need to perform their activities.
This is achieved by defining a user profile that includes attributes such as roles, privileges, and group memberships, ensuring that each individual has the appropriate permissions.
Identity and Access Management Components:
- Identity Management: involves creating, updating, and deactivating user identities to ensure proper control over access to corporate resources.
- User Identity Authentication:
- Traditional Passwords: standard method of user authentication.
- Multi-Factor Authentication (MFA): utilizes multiple verification factors (e.g., passwords, biometrics or tokens) to confirm identity.
- Single Sign-On (SSO): allows users to authenticate once and gain access to multiple applications or services without needing to log in repeatedly.
- Authorization and Access Control: assigns permissions based on business roles or zero-trust policies to ensure secure and appropriate access.
- Monitoring and compliance:
- Tracking user activities: logs and tracks access events with detailed reporting to detect anomalies or unauthorized behaviour.
- Regulatory compliance: ensures adherence to security standards such as ISO 27001 through continuous monitoring and activity analysis.
IAM Systems in the NIS2 Directive: Requirements and Implications
- Access Control and Monitoring. Organizations should use activity tracking systems to detect anomalies and maintain detailed logs to monitor access effectively.
- Secure Management of Identities and Access. IAM systems must employ multi-factor authentication (MFA) to safeguard access to sensitive data. Privileged identity management, such as controlling access for administrators handling sensitive areas, is also essential.
- Data Protection. The directive recommends the use of cryptographic methods to ensure the confidentiality and security of credentials and other sensitive information.
- Resilience and Operational Continuity. Organizations must guarantee the resilience of critical systems and ensure operational continuity in the event of cyberattacks or security incidents.
- IAM Risk Management. Regular assessments should be carried out to identify vulnerabilities in identity management systems, supported by a swift incident response plan to address risks effectively.
- Incident Notification. Timely reporting is crucial, with an early warning required within 24 hours and a formal official notification within 72 hours of an incident.
- Adoption of Zero Trust Architecture. Continuous authentication should be enforced for every access attempt, even within internal networks, to minimize risks.
As a result of these provisions, developing a robust identity and access management system is essential to ensure the organization’s compliance with the regulation.
The Role of IAM Systems in Corporate Security
- Enhanced and Strict Control of Identities and Credentials: Ensuring that only authorized individuals have access to sensitive resources.
- Protection against Unauthorized Access: Mitigating the risk of breaches and maintaining secure access to corporate systems.
- Centralized Identity Management: Utilizing techniques such as multi-factor authentication (MFA) to streamline and fortify access management processes.
- Support for Regulatory Compliance: Enabling organizations to adhere to stringent security and privacy standards, such as ISO 27001 and NIS2, through rigorous identity and access management practices and proper documentation.
Ultimately, IAM systems are indispensable for strengthening corporate security and preventing cyber threats.
Achieving Compliance with the NIS2 Directive through Yookey
Yookey is a platform that provides advanced Identity and Access Management (IAM) solutions based on Keycloak. It emphasizes secure identity management by integrating multi-factor authentication (MFA) with Single Sign-On (SSO), all while ensuring compliance with the NIS2 Directive.
In addition, Yookey supports businesses in meeting the provisions of NIS2 by adopting a Zero Trust model, which verifies every access attempt, including those originating from internal networks. For access monitoring, Yookey securely tracks all actions and generates detailed reports, enabling the thorough analysis of cybersecurity incidents as mandated by NIS2.
In the realm of supply chain security, Yookey facilitates Identity Federation, allowing businesses to securely and compliantly manage external users’ access, including suppliers, partners, and third parties. Furthermore, the platform centralizes access management, enhancing visibility and monitoring of all identities.
By offering these comprehensive solutions, Yookey helps businesses address the challenges of digital security and ensures compliance with the requirements of the NIS2 Directive.
Rexpondo is the new ticketing system adopted by AIFA, the Italian Medicines Agency.
We are pleased to welcome AIFA (Italian Medicines Agency) on board. Starting from October 1, 2024, Rexpondo has been integrated into the agency’s digital infrastructure, becoming the primary ticketing system for managing internal and external support requests. It ensures assistance and provides useful information for resolving any user-related issues (more details in this article).
For users already registered with AIFA’s Online Services, a helpdesk service will be available, allowing them to manage their tickets. Users will be able to submit new reports or review existing ones.
The new Rexpondo Customer Portal represents a significant step forward in handling support requests for professionals working with AIFA. It offers a more intuitive and accessible platform that is continuously updated.
E-time ISO 27001 certified.
The certifications acquired by E-time
We are proud to announce that E-time has achieved the UNI CEI EN ISO/IEC 27001:2024 certification. This international standard establishes the requirements for an Information Security Management System (ISMS), ensuring a structured approach to data protection.
Below is a list of all certifications E-time has obtained under ISO/IEC 27001:
- Cert. no. 84671 UNI CEI EN ISO/IEC 27001:2024 – Information security, cybersecurity, and privacy protection – Information security management systems – Requirements.
- Cert. no. 84673 ISO/IEC 27018:2019 – Information technology — Security techniques — Code of practice for the protection of personally identifiable information (PII) in public clouds acting as PII processors.
- Cert. no. 84674 ISO/IEC 27017:2015 – Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services.
E-time has always prioritized data security and, over the years, we have implemented internal procedures to protect it. By obtaining this certification, we have chosen to implement these processes in compliance with the standards set by ISO 27001, validated by an authorized third-party body.
What Changes After Obtaining Certification
Achieving this certification has several implications and entails specific operational responsibilities for the company, including:
- Risk identification and management: the organization must mitigate risks related to information security, preventing and monitoring them continuously.
- Implementation of an Information Security Management System: Introducing a set of procedures and controls to ensure the protection of confidentiality, integrity, and availability of information.
- Compliance with legal and regulatory requirements: Adhering to information security provisions and current regulations, primarily GDPR.
- Implementation of the PDCA (Plan-Do-Check-Act) cycle: ensuring continuous improvement of the ISMS, which involves periodic internal audits, management reviews, and updates to controls.
What This Means for Our Clients
Achieving certification guarantees the validity of ongoing processes for information security and data protection, reducing the likelihood of incidents related to data breaches or cyberattacks.
By reaching this milestone, E-time reinforces its tangible commitment to maintaining the highest standards of information security.
The certifications can be fully reviewed at this link.
Chatbot & AI: a new Partnership between E-Time and Botpress Is Born
We are pleased to announce the launch of a new strategic collaboration with Botpress, one of the most advanced platforms on the market for creating and managing chatbots.
The partnership between E-Time and Botpress will lead to the integration of Botpress into our services (integration with Rexpondo is already available), allowing us to leverage the potential of artificial intelligence (AI) and natural language processing (NLP).
Botpress integrates AI into its chatbots through an advanced modular architecture that enables the use of NLP and machine learning to create smarter and more personalized interactions.
The partnership between E-Time and Botpress combines E-Time’s technological know-how with the capabilities of an innovative and constantly evolving platform.
This growth-oriented collaboration has the shared goal of providing companies with advanced tools to enhance user experience, automate customer service, and optimize internal processes.
Passkey is added to the MFA methods supported by Yookey
Passkey is the alternative to passwords and marks a definitive transition to a new chapter in cybersecurity: passwordless authentication.
Although authentication systems have relied on passwords until now, it has become clear over time that, while they serve as a security key, they are also the weak link in account security because of their susceptibility to phishing attacks.
Passkey is a secure authentication method based on a recognition system (fingerprint, face, PIN, sequence), generated and stored locally on users’ devices.
During the registration process, two keys are created: a public key and a private key, which is encrypted and securely stored on the user’s device. Both keys are required for accessing the account. This mechanism is known as Asymmetric or Public Key Authentication.
Passkey adopts the WebAuthn standard; more precisely, it adheres to and implements the technical specifications of FIDO2, which comprise WebAuthn and CTAP (Client to Authenticator Protocol).
WebAuthn Standard
WebAuthn or Web Authentication is the open standard (FIDO2 framework) established by the FIDO Alliance and the World Wide Web Consortium (W3C) with participation from Google, Mozilla, Microsoft, and other major players, upon which Passkey is based.
The WebAuthn API allows servers to register and authenticate users using public key cryptography instead of a password, ensuring that authentication works regardless of the device’s operating system, whether it be Android, iOS, Mac, or Windows.
In most cases, the WebAuthn client that implements the authentication API is a compatible browser (currently supported by all major browsers and Android and Apple devices).
Why is Passkey an effective measure against Phishing?
Passkey is effective against phishing attacks because the private key is stored locally on the user’s device and is never transmitted over the network.
This means that even if a user is tricked into presenting their passkey to a phishing site, cybercriminals will not be able to use it to access the account, as the passkey is not valid on other devices. This makes it much more difficult for attackers to compromise user access, thus protecting personal and financial information.
Passkey and FIDO
The birth of Passkey is closely tied to FIDO (Fast Identity Online), an organization that promotes open standards for strong authentication. The FIDO Alliance comprises key players in the web industry such as Google, Microsoft, and Apple.
FIDO’s main objective is to enhance online security by using more advanced authentication methods, such as biometrics and asymmetric cryptography, aiming to reduce reliance on traditional (static) passwords, which are too vulnerable to theft regardless of their complexity.
The other MFA methods supported by Yookey | Keycloak SaaS
In addition to Passkey, the other MFA methods supported by Yookey (Keycloak as a Service) are:
- SMS and email
- Virtual authenticator (Microsoft and Google Authenticator)
- Physical tokens
E-time with Rete Dafne against every form of violence
It’s time to reveal our second “Useful Gift” for Christmas 2023.
The events of the last months of 2023 have received significant media attention, bringing the issue of gender-based violence back into the spotlight, which remains a real scourge in Italy and beyond.
Therefore, we have chosen to make our small contribution to Rete Dafne, which daily provides support and assistance to victims of gender-based violence, and not only to them, because the work of Rete Dafne concerns victims of every type of crime.
For further information about the valuable work carried out by this association, we refer you to their website: retedafne.it
E-time is participating in the Plastic Pull project.
This Christmas, we have focused on two themes that are very important to us, and one of them is the Environment.
E-Time has contributed to collecting 37 kg of waste abandoned on beaches, in parks, and on streets, requalifying degraded ecosystems in Italy located in areas where local administrations do not intervene. All of this has been made possible thanks to the Plastic Pull project by Piantando.
The project
Plastic Pull is one of Piantando’s social and environmental impact projects, with the goal of recovering tons of scattered waste throughout Italy, leveraging its network of associations and initiatives.
After identifying the areas of degradation to intervene, Piantando coordinates the intervention with field contacts. Each collected bag is certified, including photographs, location and date of collection, weight, disposal method, and the operational team.
Who is Piantando
Piantando is a Benefit company that initiates social and environmental impact projects worldwide by collaborating with companies of all sectors and sizes. The central focus of Piantando’s work is transparency and sustainability, which characterize each project and ensure its proper development.
Below is the link where you can find more information about the project supported by E-time and our contribution: E-time X Plastic Pull
Keycloak: Identity and Access Management solution
Keycloak, an open source solution for Identity and Access Management
Keycloak is an open source software platform for unified identity and access management. It enables companies and organizations to centrally and securely manage the authentication and authorization of their users.
Keycloak is designed to work with modern applications and services. It provides a variety of authentication mechanisms, including social login, and supports several protocols, including OAuth 2.0, SAML, and OpenID Connect.
A modern interface and high level of scalability make it the ideal product for those who want to opt for a secure yet highly customizable solution. Now let’s look at its features in more detail.
Single Sign On (SSO) & Multi-Factor Authentication (MFA)
Keycloak supports Single Sign-On (SSO), allowing users to log in to multiple applications and services using a single set of credentials. This greatly simplifies the login process for users and improves security by reducing the number of passwords that must be remembered and managed.
The platform also supports multi-factor authentication (MFA), providing an additional layer of security by asking users for additional authentication information (e.g. a code sent to their phone) before accessing resources.
Function and installation
Keycloak functions as a central authentication server that can delegate authentication to external sources and issues access tokens to requesting applications. Users are organized into three macro-categories that can be managed through a customizable admin dashboard:
- Users: those who can access resources.
- Roles: used to define the access levels of individual users.
- Groups: allow quick management of the defined roles by aggregating roles and users.
Keycloak supports multiple user stores including LDAP and Active Directory. In this way existing directories can be used for user authentication. Deployment can be on-premise, in the cloud or as a hybrid solution and it provides a flexible architecture with a high degree of scalability.
Features and Benefits
- Single Sign-On (SSO): allows users to access multiple applications and services using a single set of credentials.
- Identity brokering: identity validation using OpenID Connect or SAML 2.0 identity providers (IdPs).
- Centralized management: customizable interface for managing users, roles and permissions.
- Multi-factor authentication: requires users to provide additional authentication information before accessing resources.
- Directory integration: integration with LDAP and Active Directory for authentication through existing directories.
- Scalability: Easily extendable according to different needs.
Keycloak: integrations
Keycloak has a number of APIs that allow the platform to be integrated with third-party services and systems thus making it an extremely versatile solution created to be integrated into the IT infrastructure of companies of any size.
Keycloak in SaaS
It is possible to have Keycloak as a SaaS solution, with a fully managed service.
Yookey is our product/service that allows you to take full advantage of Keycloak without the burden of installation and updates, with the added benefit of customizable support.
Yookey ensures maximum security for access and authentication processes with Single Sign-On, and once integrated into your IT environment, no additional effort is required for software operation and maintenance.
For more information about Yookey, visit our dedicated website at this link: Yookey – Keycloak SaaS.