We are not alone in our confusion about what NIS2 requires for passwords and multi-factor authentication (MFA). Like many others, I initially had the same concerns about NIS2. The good news is that once you break the requirements down into smaller components, NIS2 is no longer that complicated: in essence, it asks organizations to implement better passwords and stronger login protection.
NIS2's Request for Password Information
NIS2 is a European cybersecurity regulation that requires organizations to stop using weakly constructed passwords. Short passwords that rely on character complexity, such as "P@ssw0rd123", are no longer an acceptable way of securing accounts under the NIS2 requirements.
Instead, under the NIS2 Regulation, organizations are encouraged to:
- Have a minimum of 15 characters for all passwords
- Utilize a unique password for sensitive systems
- Block passwords that have been compromised in previous data breaches
- Stop the practice of requiring users to change their passwords every few months (as users generally just change a character or two in their previous password).
Longer passwords (e.g., "blue-coffee-river-train") are not only easier to remember but also protect an account more effectively.
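The four policy points above can be enforced mechanically at password-change time. The checker below is an added example, not code from the original article: it rejects passwords shorter than 15 characters, checks against a breach corpus using the k-anonymity style of lookup (only a 5-character SHA-1 prefix would ever leave the host; here the corpus is a small constructed sample kept in memory), refuses a new password that is only a trivial edit of the previous one (the reason forced rotation adds so little), and flags a password already in use on another sensitive system. The breach sample, the per-system hash store and the system names are constructed for the example.

```python
"""Password-policy checker for the NIS2-style rules discussed above.

Added example, not code from the original article. The breach corpus and
the per-system password store are constructed sample data.
"""
import hashlib
import re

MIN_LENGTH = 15  # minimum length stated in the article

# Constructed stand-in for a breach corpus (a real deployment would use a
# downloaded Have I Been Pwned-style list or its range API).
_BREACHED_SAMPLE = ["P@ssw0rd123", "Winter2024!Winter2024!", "correct-horse-battery-staple"]

# Breach corpora are usually distributed as uppercase SHA-1 hex digests.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper() for p in _BREACHED_SAMPLE}


def is_breached(password: str) -> bool:
    """k-anonymity style lookup: select candidates by 5-char prefix, then
    compare the remaining suffix locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    candidates = {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}
    return suffix in candidates


def _letters_only(password: str) -> str:
    """Reduce a password to its lowercase alphabetic core, discarding the
    digits and symbols users typically bump at forced-rotation time."""
    return re.sub(r"[^a-z]", "", password.lower())


def is_trivial_variant(new: str, old: str) -> bool:
    """True when the new password is merely a minor edit of the old one
    (same letters with a different counter, suffix or casing)."""
    a, b = _letters_only(new), _letters_only(old)
    return a == b or (len(a) >= 6 and (a in b or b in a))


def _sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed store: which password each sensitive system currently uses.
# A real system would hold salted, slow hashes; plain SHA-256 is only used
# here to keep the reuse check self-contained.
SYSTEM_HASHES = {
    "vpn": _sha256_hex("blue-coffee-river-train"),
    "mail": _sha256_hex("quiet-lamp-under-the-stairs"),
}


def check_password(password, previous=None, target_system=None, store=SYSTEM_HASHES):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if is_breached(password):
        problems.append("appears in a known breach corpus")
    if previous and is_trivial_variant(password, previous):
        problems.append("trivial variant of the previous password")
    reused_on = [s for s, h in store.items() if h == _sha256_hex(password) and s != target_system]
    if reused_on:
        problems.append("already used on: " + ", ".join(sorted(reused_on)))
    return problems


if __name__ == "__main__":
    for candidate in ["P@ssw0rd123", "Winter2024!Winter2024!", "blue-coffee-river-train"]:
        print(candidate, "->", check_password(candidate, target_system="mail") or "accepted")
```

Note that "Winter2024!Winter2024!" passes the length rule and still fails, which is the point of the breach check: length alone is not the policy.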
The Importance of Multi-Factor Authentication (MFA)
Multi-factor authentication (MFA) gives users an effective way to prove their identity when logging into a system.
MFA can block access to an account even when an attacker has already obtained the user's password. MFA is therefore imperative for the following:
- Admin accounts
- VPN services
- Email systems
- Critical business applications
Security experts believe that MFA will block almost all automated attacks, making it a significant win for organizations.
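To make the "password alone is not enough" claim concrete, here is an added example (not from the original article) of a login check that requires both a password and a time-based one-time code (TOTP, RFC 6238, built on HOTP from RFC 4226). The user record, the password and the login function are constructed for the example; the shared secret is the ASCII test secret from RFC 4226, so the codes can be checked against the published test vectors.

```python
"""Password-plus-TOTP login check (added example, not from the article).

HOTP/TOTP follow RFC 4226 / RFC 6238 with SHA-1 and a 30-second step.
The user record and password are constructed sample data.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // STEP_SECONDS, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current code or one step either side to absorb clock skew.
    Comparison is constant-time to avoid leaking partial matches."""
    counter = at // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


def _sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed user store. RFC 4226's ASCII test secret is used as the TOTP
# secret so the codes below match the RFC's published vectors.
RFC_TEST_SECRET = b"12345678901234567890"
USERS = {
    "alice": {"pw_hash": _sha256_hex("blue-coffee-river-train"), "totp_secret": RFC_TEST_SECRET},
}


def login(user: str, password: str, code: str, at: int) -> bool:
    """Both factors must verify; a stolen password alone is rejected."""
    rec = USERS.get(user)
    if rec is None:
        return False
    pw_ok = hmac.compare_digest(_sha256_hex(password), rec["pw_hash"])
    return pw_ok and verify_totp(rec["totp_secret"], code, at)


if __name__ == "__main__":
    now = 59  # RFC 6238 test time: counter 1
    print("correct password + fresh code:", login("alice", "blue-coffee-river-train", totp(RFC_TEST_SECRET, now), now))
    print("correct password, no valid code:", login("alice", "blue-coffee-river-train", "000000", now))
```

The second call is the scenario the paragraph describes: the attacker holds the right password but, lacking the second factor, is still turned away.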
What You Can Do to Maintain Compliance
Businesses should:
- Reassess their current password policies and strengthen any that are weak.
- Use a password manager to generate strong passwords for users.
- Roll out MFA as broadly as possible.
- Educate employees so they understand their personal responsibility for keeping their company secure.