BOOK A MEETING

Zero Trust and NIS2: Is it the Answer?

NIS2 shifts cybersecurity conversations from a pure technical focus towards cybersecurity being a critical business requirement. By outlining a variety of requirements for Basic Cyber Hygiene, the directive highlights some factors that make adopting Zero Trust Architecture more compelling. Let’s have a closer look at how a Zero Trust Architecture can help you deliver on your NIS2 compliance posture.

The surge in digital transformation, over the last number of years, has led to organisations managing ever escalating amounts of data. Additionally, external collaborators, such as partners, vendors, and customers, typically require access to some of this information from outside of the corporate network.

This is a shift that has created a complex data landscape, especially when you consider the proliferation of hybrid working, increased adoption of cloud computing, growing complexity of cyberthreats, and now changing regulatory requirements of how corporate data needs to be governed and protected.

paper boats on blue background

Facing this new, dramatically different reality, the European Union’s NIS2 requirements forces organisations to reflect on the shortcomings of traditional perimeter-based security models. Zero Trust Architecture has undoubtedly emerged as the default security architecture. NIS2, for example, aims at establishing a higher level of cybersecurity and resilience within European organisations.

By placing a greater emphasis on preventing cyber incidents, the directive highlights the deficiencies of security models based on implicit trust. With Zero Trust being the only cybersecurity strategy that has prevention at its core, it will play a key role in one’s efforts to meet NIS2 compliance.

In this blog we focus on the pillars of Zero Trust security, outline how a Zero Trust architecture can enforce NIS2 compliance and share a guide to assess how NIS2 ready your organisation is.

Zero Trust as a NIS2 Requirement

Today, organisations require a security model that adapts to the complexity of the modern environment they are operating in. Zero Trust security is designed to adapt to the complexities of the modern workplace by embracing the mobile workforce, safeguarding people, devices, applications, and data, irrespective of their location.

Instead of believing that everything behind the corporate firewall is safe, Zero Trust models assume breach and verify each user and device trying to gain access to corporate resources, regardless of where the request comes from. Zero Trust Security Practices also rely on continuous monitoring of devices and users. Trustworthiness is continuously re-evaluated, and access may be limited or revoked in case of suspicious activity.

In today’s volatile field of cyber conflicts, ‘trust but verify’ is the only way to comprehensively deliver on cybersecurity requirements. It is therefore a vital foundation for securing corporate resources and ensuring compliance.

A Guide to NIS2 Compliance

With the compliance deadline approaches, organisations that fall within the scope of NIS2’s expanded parameters can no longer delay taking the necessary action. Research from the Leading Security Research Firm, Ponemon Institute, shows that organisations are still struggling to adopt Zero Trust.

Nearly half of the surveyed organisations indicates that they haven’t implemented Zero Trust Security yet. Mainly due to the lack of skills and expertise. This is something that confirms our experiences in working with our customers.

Leveraging our expertise in assisting our customers secure their organisations, we have developed a guide to evaluate your NIS2 readiness and support you in developing a plan to successfully adopt Zero Trust.

Our Zero Trust compliance guide defines an approach to implement an end-to-end methodology across identities, endpoints/devices, data, apps, infrastructure, and network:

security balls rolling down diagram

1 Secure Identity

Follow the least privilege access principles. When an identity attempts to access a corporate resource, verify that identify with strong authentication and ensure access is compliant and typical to that it.

2 Secure Endpoints

Once an identity has been granted access to a corporate resource, data can flow to a variety of endpoints. As this diversity creates a massive attack surface area, monitoring and enforcing device health and compliance are key for secure access.

3 Secure Applications

Applications and APIs provide the interface by which data is consumed. Apply controls and technologies to discover shadow IT to ensure appropriate in-app permissions, gate access based on real-time analytics, monitor for abnormal behaviour, control user actions, and validate secure configuration options.

4 Secure Data

Data should remain safe, even when it leaves the devices, apps, infrastructure and network the organisation controls. Classify, label, and encrypt your corporate resources and restrict access based on those attributes.

5 Secure Networks

All data is ultimately accessed over network infrastructure. Networking controls can provide critical controls to enhance visibility and help prevent attackers from moving across the network. Segment networks and deploy real-time threat protection, end-to-end encryption, monitoring, and analytics.

With each of these areas generating their own relevant alerts, there is a need for an integrated capability to better detect and respond to threats. Once consolidated, the burden of proof for NIS2 compliance will be there for the taking.

Whitepaper: Are You Ready for NIS2?

Kick Start Your Journey Towards NIS2 Compliance


To take your first step towards NIS2 compliance, we have composed a whitepaper to help you gain a greater understanding of the NIS2 regulations. Dive into why the upcoming directive is relevant to your organisation and what are the first steps you should be taking.

How Can CWSI Help You on Your NIS2 Journey?

When it comes to NIS2 and Zero Trust you need an experienced partner.

For more than a decade, CWSI has played a pivotal role in enabling our customers to thrive within the continually evolving threat landscape. Our team of security experts have extensive experience and apply strict security policies and processes from our deep knowledge and understanding of the forthcoming NIS2 Directive.

CWSI can assist you in assessing if your organisation falls under the purview of the NIS2 Directive. For each key requirement of the directive, CWSI can help discover and document your current state of preparedness and provide you with an individual roadmap to achieving NIS2 compliance.

With expertise in three Microsoft Security Specialisations: Identity and Access Management, Information Protection and Governance and Threat Protection, CWSI serves as an expert in these crucial NIS2 areas – Identity, Data Governance, Security Threat Protection and Response, Education and Awareness and Security Policy.

It’s our people and their expertise that ensure that your business can close the gap between its current security state and compliance.

Contact Us

Get in contact today to begin your journey to NIS2 compliance:

Relevant Resources

Our Voice

What is Data Classification?

Discover the fundamentals of data classification, why it’s essential for secure information management, and how to implement it effectively in your organisation.

Learn More

Technology Talks

Achieving NIS2 Compliance

Tune into CWSI's Client Solutions Director, Paul Conaty, as he addresses key questions about the new NIS2 directive and its impact on organisations.