The NIS2 Directive (Directive (EU) 2022/2555) entered into force on January 16, 2023. It replaces the original Network and Information Security (NIS) Directive of 2016 and applies in all EU member states from October 18, 2024, the day after the deadline for transposing it into national law. The Directive is a significant upgrade to the EU’s approach to cybersecurity, and it pays particular attention to DNS services. If your company operates critical infrastructure within the EU, or provides in-scope digital services such as DNS to EU customers, you will be affected. New EU regulations are also frequently adopted in some form by other jurisdictions, so this is legislation worth watching: GDPR originated in the EU to protect the privacy of its citizens and then influenced privacy laws across the world, including California’s CCPA.
New requirements for DNS providers.
Under NIS2, entities providing DNS services in the EU are subject to new requirements and obligations. They must identify and manage the risks to their services, report significant security incidents to the relevant authorities (the national competent authority or CSIRT), keep records of security incidents, and implement measures to prevent and mitigate cyber threats. The Directive seeks to uphold the authenticity, integrity and availability of DNS information; for authenticity and integrity, DNSSEC is the standard mechanism, because a validating resolver can detect records that were forged or altered in transit. The aim is to protect the EU’s digital infrastructure and its citizens from cyber threats.
To comply with NIS2, DNS service providers in the EU will need to conduct regular risk assessments, implement appropriate technical and organisational security measures (the risk-management measures of Article 21), and maintain up-to-date incident response plans that meet the reporting obligations of Article 23. They will also need to establish clear lines of communication with the competent authorities, CSIRTs and other stakeholders so that they learn of potential threats early and can respond effectively when an incident occurs.
Understanding the scope and impact of NIS2.
Implementing the NIS2 Directive represents a significant step forward in the EU’s efforts to enhance cybersecurity and protect critical infrastructure. The EU is taking essential steps to safeguard its citizens and businesses against cyber threats and attacks by ensuring that DNS service providers are held to the highest security and compliance standards. This includes:
Expanding cybersecurity boundaries.
NIS2 is not an incremental update but a complete revamp of the regulation. It goes beyond the conventional limits of cybersecurity, covering a wider range of digital services and infrastructure, and it pays particular attention to the Domain Name System (DNS), on which the proper functioning of the Internet depends.
DNS under the microscope.
NIS2 brings DNS service providers and TLD name registries into scope regardless of their size, along with entities providing domain name registration services. Its definition of a DNS service provider (Article 6(20)) covers publicly available recursive resolvers and authoritative name services offered to third parties; operators of root name servers are explicitly excluded, both in that definition and in the digital infrastructure sector of Annex I. The wide scope of the Directive reflects the critical role DNS plays in preserving a secure and stable digital environment.
Critical aspects of NIS2 concerning DNS.
Integrity and authenticity | NIS2 places significant emphasis on the authenticity and integrity of DNS information, and DNSSEC is the mechanism the Directive relies on for this. DNSSEC attaches digital signatures (RRSIG records) to DNS data, so a validating resolver can reject answers that were forged or altered in transit, including those injected by cache poisoning. Two caveats matter in practice: DNSSEC provides no confidentiality (encrypting queries is the job of DNS over TLS or HTTPS), and an expired signature or a botched key rollover turns a security control into an outage, so signing must be paired with monitoring of signature validity and rehearsed key rollover procedures. The advanced state of DNSSEC deployment in the EU makes it a practical choice for operators. |
Availability | NIS2 does not prescribe DNS-specific availability controls, but availability is part of its definition of the security of network and information systems, and the risk-management measures of Article 21 (business continuity, backup management, disaster recovery) apply to DNS operations. In practice that means redundant authoritative name servers on separate networks, anycast or geographically distributed resolvers, DDoS mitigation, and tested DNSSEC key rollover procedures so that the signing setup itself cannot take a zone offline. |
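What "DNSSEC cryptographically signs DNS information" means at the byte level, as an added example that is not part of the original article or of any vendor's product: the script below builds an A RRset in RFC 4034 canonical form, signs it with RSASHA256 (RFC 5702) using a key it generates itself, and then acts as a validating resolver. It uses only the Python standard library, so the RSA key generator, the zone name www.example.eu and the addresses are all constructed for the demonstration; a production signer would use a vetted crypto library and an HSM- or KMS-backed key.

```python
# DNSSEC A RRset signing/validation (RFC 4034 canonical form, RSASHA256 per RFC 5702). Added example,
# standard library only (Python 3.8+); the key, zone names and addresses below are constructed samples.
import hashlib
import secrets
import struct
ALG_RSASHA256 = 8          # DNSKEY/RRSIG algorithm number for RSA/SHA-256 (RFC 5702)
TYPE_A = 1
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo for EMSA-PKCS1-v1_5

def name_to_wire(name):
    """Canonical wire form: lowercase, length-prefixed labels, terminated by the root label."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.lower().strip(".").split(".") if l) + b"\x00"

def canonical_rrset(owner, rtype, ttl, rdatas):
    """RFC 4034 section 6: every RR (class IN) in canonical wire form, sorted by RDATA."""
    return b"".join(name_to_wire(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rd)) + rd
                    for rd in sorted(rdatas))

def _probable_prime(n, rounds=40):      # Miller-Rabin: fine for a demo key, not a vetted generator
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    cand = 0
    while not _probable_prime(cand):
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force the bit length and oddness
    return cand

def generate_rsa_key(bits=1024):        # returns (n, e, d); 1024 keeps the demo quick, use 2048+ for real zones
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this is gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)

def dnskey_rdata(n, e, flags=257):
    """DNSKEY RDATA (RFC 4034 section 2) carrying an RFC 3110 RSA public key; flags 257 = KSK."""
    exp, mod = (x.to_bytes((x.bit_length() + 7) // 8, "big") for x in (e, n))
    return struct.pack("!HBB", flags, 3, ALG_RSASHA256) + bytes([len(exp)]) + exp + mod

def key_tag(dnskey):                    # RFC 4034 Appendix B, computed over the DNSKEY RDATA
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(dnskey))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def _emsa_pkcs1_v15(message, k):
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign_rrset(owner, rtype, ttl, rdatas, key, signer, inception, expiration):
    """Return RRSIG RDATA (RFC 4034 section 3.1) covering the RRset; times are Unix seconds."""
    n, e, d = key
    k, labels = (n.bit_length() + 7) // 8, owner.strip(".").count(".") + 1
    prefix = struct.pack("!HBBIIIH", rtype, ALG_RSASHA256, labels, ttl, expiration,
                         inception, key_tag(dnskey_rdata(n, e))) + name_to_wire(signer)
    em = _emsa_pkcs1_v15(prefix + canonical_rrset(owner, rtype, ttl, rdatas), k)
    return prefix + pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")

def validate_rrset(owner, rtype, rdatas, rrsig, dnskey, now):
    """True only if rrsig verifies the RRset under dnskey and now lies inside the validity window."""
    covered, alg, _, orig_ttl, expiration, inception, tag = struct.unpack("!HBBIIIH", rrsig[:18])
    pos = 18                            # step over the signer's name to reach the signature
    while rrsig[pos]:
        pos += rrsig[pos] + 1
    prefix, sig = rrsig[:pos + 1], rrsig[pos + 1:]
    e, n = int.from_bytes(dnskey[5:5 + dnskey[4]], "big"), int.from_bytes(dnskey[5 + dnskey[4]:], "big")
    k = (n.bit_length() + 7) // 8
    if (covered != rtype or alg != ALG_RSASHA256 or dnskey[3] != alg or tag != key_tag(dnskey)
            or len(sig) != k or not inception <= now <= expiration):
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    # rebuild the RRset with the RRSIG's original TTL, as a validating resolver must (RFC 4035 5.3.2)
    return em == _emsa_pkcs1_v15(prefix + canonical_rrset(owner, rtype, orig_ttl, rdatas), k)

def demo(now=1_700_000_000):
    """Sign a constructed www.example.eu A RRset; validate it genuine, reordered, tampered and expired."""
    n, e, _ = key = generate_rsa_key()
    dnskey = dnskey_rdata(n, e)
    owner, rdatas = "www.example.eu.", [bytes([192, 0, 2, 10]), bytes([192, 0, 2, 11])]  # constructed
    rrsig = sign_rrset(owner, TYPE_A, 300, rdatas, key, "example.eu.", now - 3600, now + 14 * 86400)
    genuine = validate_rrset(owner, TYPE_A, rdatas, rrsig, dnskey, now)
    reordered = validate_rrset(owner, TYPE_A, rdatas[::-1], rrsig, dnskey, now)
    tampered = validate_rrset(owner, TYPE_A, [rdatas[0], bytes([198, 51, 100, 7])], rrsig, dnskey, now)
    expired = validate_rrset(owner, TYPE_A, rdatas, rrsig, dnskey, now + 30 * 86400)
    return genuine, reordered, tampered, expired    # (True, True, False, False)
```

Running `demo()` shows the two properties that matter for NIS2's integrity and availability rows at once: the signature still validates when the records arrive in a different order (canonical form sorts them), it fails the moment one address is swapped, and it also fails once the clock passes the RRSIG expiration, which is exactly why an unattended signing setup becomes an availability incident rather than a security win.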
Industries in the spotlight of NIS2.
Energy industry | Energy is a critical sector under the NIS2 Directive. It covers entities involved in electricity, district heating and cooling, oil, gas and hydrogen. As the backbone of other industries and everyday life, the security of this sector is paramount. |
Transport | Transport is another vital sector under NIS2, encompassing air, rail, water, and road transportation. Given its role in economic activities and individual mobility, ensuring the cybersecurity of this sector is essential. |
Financial | The Directive includes banking and financial market infrastructures. These sectors form the foundation of the EU’s economic stability, making their inclusion essential to securing financial transactions and services. For financial entities the sector-specific Digital Operational Resilience Act (DORA) takes precedence over NIS2 where its requirements are at least equivalent in effect. |
Healthcare | Health is a sector where cybersecurity is crucial. NIS2 covers healthcare providers as well as laboratories and entities involved in the research, development and manufacturing of pharmaceuticals and medical devices. The integrity of this sector directly affects public health and safety. |
Water management | NIS2 also encompasses drinking water and wastewater management, highlighting the importance of protecting resources vital for life and environmental sustainability. |
Digital infrastructure | With the increasing reliance on digital services, the Directive covers digital infrastructure, including internet exchange points and DNS services, which are pivotal in keeping the digital world connected. |
Preparing for NIS2 compliance.
Incident reporting | All entities providing DNS services must be equipped to report significant incidents. NIS2 sets a staged timeline: an early warning to the CSIRT or competent authority within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month. Timely reporting lets authorities correlate incidents across providers and helps identify weaknesses before they cause wider damage, which makes threats easier to detect and mitigate across the DNS infrastructure and the Internet. |
EU representation | A DNS service provider, TLD name registry or domain name registration service that is not established in the EU but offers its services within the EU must designate a representative, established in one of the member states where those services are offered (Article 26(3)). The representative is the point of contact for the competent authorities and CSIRTs, so that the entity can be reached and held accountable under NIS2. This is a separate obligation from the representative that GDPR may require for data protection purposes. |
Supply Chain security | NIS2 addresses the security of networks and information systems as a whole, and Article 21(2)(d) requires measures for supply chain security, including the security of relationships with direct suppliers and service providers. For DNS this means every stage of service delivery, from registrars and secondary DNS providers to the software, hosting and transit a name service depends on, is assessed and secured against threats and vulnerabilities introduced by third parties, vendors and contractors. The goal is to safeguard the integrity and availability of DNS services, and the confidentiality of data such as registrant details and query logs, which are critical to the functioning of the digital economy and society. |
Are you ready for NIS2?
The NIS2 Directive represents a significant step forward in the EU’s cybersecurity efforts. The Directive brings new responsibilities and requirements. Ensuring readiness for NIS2 means not only aligning with its regulatory standards, but also embracing a culture of enhanced cybersecurity awareness and preparedness.