NIS2 Directive

The initial NIS Directive was adopted on July 6, 2016 with the goal to establish a standard action plan against cybersecurity threats across the EU. With changes in the cybersecurity landscape, there was a need to address new security challenges. The NIS2 Directive was suggested in 2020, later being officially enacted on January 16, 2023. 

With its implementation, the EU simplified reporting requirements and enforced stricter non-compliance fines and sanctions, including proposed new channels that needed extra attention, such as supply chain security.

Private and public companies (that qualify as medium or large enterprises) operating within the EU and providing critical services must comply with NIS2. The directive also impacts supply chains, requiring entities to assess third-party risks as part of their cybersecurity strategies. With NIS2, stricter regulatory oversight is applied, affecting obliged entities’ management and increasing accountability. 

Banking, transport, financial market, health energy and digital infrastructure service providers are impacted by the Directive. The NIS2 Directive expanded the scope to sectors like digital service providers, postal and courier services, public administration, research, electronic communication service providers and food distribution services. 

Yes. Under Article 26, non-EU entities offering services within the EU (including DNS providers, cloud services, TLD registries, and online platforms) must comply with the NIS2 Directive. Another requirement for such entities is to appoint an EU-based representative in one of the Member States where the non-EU business operates. 

The NIS2 Directive introduced new provisions, specifically targeting domain name registrars and DNS service providers. In practice, this means implementing the Know Your Customer (KYC) or identity verification process. As per Article 28, domain name registrars must verify the identity of domain registrants and ensure that their registration is legitimate.

A domain name registrar is a business that manages domain names and assigns IP addresses. For instance, “Google Domains” is an example of a domain name registrar, which is a store where people can buy names for their websites.  Domain names simplify website access by eliminating the need to memorize IPs. So, instead of typing in 192.0.2.3, you can enter the name — like domaincentre.com and access the site. 

A DNS hosting service provider is a business that manages Domain Name System (DNS) servers. This means translating domain names into IP addresses and offering the infrastructure to handle DNS queries. DNS providers are responsible for ensuring reliability, security, speed and the option to manage domain names. They ensure faster website access by minimizing the distance DNS queries must travel.

Domain name registrars must ensure that domain owners provide valid, up-to-date personal or organizational details. To do so, they need to verify the identity of registrants, which can be both individuals and corporate entities. 

Key facts to remember:

• By enforcing mandatory KYC checks, Article 28 reduces anonymity, which is often exploited by criminals online. 
• The new provisions of the Directive help prevent domain misuse for fraud and other malicious activities, such as phishing, bot misuse, multi-accounting, and more. 

Under Article 28, law enforcement must also have access to registrant data for cybersecurity and investigation purposes.

Top-Level Domain (TLD) registries and domain registration service providers must collect and maintain accurate domain registration data to comply with NIS2 and existing EU data protection laws.

This includes information regarding the:

• Domain name
• Date of registration
• Registrant’s name, contact email, and phone number
• Admin contact details (if different from the registrant)

Registries must provide domain registration data upon requests from authorized entities. This includes regulatory bodies and law enforcement agencies, including KYC service providers. All requests must be addressed within 72 hours and must be documented.

Under the NIS2 Directive, obligated entities must follow an all-hazards approach, which is required to protect network and information systems from incidents. 

These measures should include the following:

• Risk analysis and information system security policies.
• Incident handling procedures.
• Business continuity plans, including backup management, disaster recovery, and crisis management.
• Supply chain security, covering security aspects in relationships with direct suppliers or service providers.
• Security in the acquisition, development, and maintenance of network and information systems, including vulnerability management and disclosure.
• Policies and procedures to evaluate the effectiveness of cybersecurity risk management.
• Basic cyber hygiene practices and cybersecurity training.
• Policies and procedures for cryptography use and encryption where appropriate.
• Human resources security, access control policies, and asset management.
• Use of multi-factor authentication or continuous verification solutions, secured communications (voice, video, text), and emergency communication systems within the entity, where applicable.

To mitigate risks and implement a proper compliance strategy aligned with the NIS2 framework, you need to:

• Determine if your company is covered by NIS2.
• Align NIS2 with other EU cybersecurity laws.
• Evaluate third-party risk and address cultural and behavioral risks.
• Strengthen incident response and cybersecurity risk management.
• Implement an automated RegTech solution, preferably both for identity verification and fraud prevention processes. 

Identity verification, fraud prevention and ongoing monitoring measures to ensure your cybersecurity and risk mitigation program works are vital.

 Here are some examples of concrete solutions that help comply with the NIS2 Directive:

1. ID verification (verify the registrant’s name against their uploaded ID document data, including comparing their selfie biometrics). 
2. IP address verification (check the user’s IP address to detect fraudulent proxy use). 
3. Period screening and monitoring (ensure ongoing compliance by screening users at any time of their customer lifecycle to ensure proper incident reporting and clear auditing practices).