Understanding the NIS 2 Directive
Handbook | Understanding the NIS 2 Directive

HANDBOOK CONTENTS

1. What is the NIS 2 Directive?
2. What has changed?
3. How will NIS 2 impact you?
4. What product features can help mitigate threats and protect against attack?
5. Conclusion
1. What is the NIS 2 Directive?

The NIS Directive, also known as Directive (EU) 2016/1148, is an
EU directive that establishes cybersecurity requirements for the
operators of essential services and digital services providers in the
European Union. The NIS Directive aims to ensure a high level of
network and information security across the EU and to ensure that
operators of essential services and digital service providers take
appropriate measures to manage the risk posed to their networks
and information systems.

On 10 November 2022, the European Parliament adopted the NIS 2 Directive. It
replaces and repeals the NIS Directive. NIS 2 will improve cybersecurity risk
management and introduce reporting obligations across sectors such as energy,
transportation, health, and digital infrastructure. Member States will have 21
months from the time that the directive comes into force in which to incorporate
the provisions into their national law.

NIS 2 has three general objectives:

Cyber resilience: Increase the cyber resilience of a broad range of European
Union-based enterprises operating in all relevant industries and performing
essential activities.

A unified approach: Reduce inconsistencies in internal market resilience in
industries currently covered by the NIS Directive by unifying cybersecurity
capabilities.

Establish procedures: Enhance joint situational awareness and the collective
capacity to plan and respond by boosting information sharing and establishing
norms and procedures in the case of a large-scale incident or crisis.


Both directives focus on:

> The adoption of technical and organisational measures in order to increase
the security of their networks and IT systems.

> The adoption of appropriate measures in order to prevent security incidents
and/or minimise their impact to ensure the continuity of the service.

> The communication to the competent authority without undue delay of any
service incident that has a significant impact on the continuity of service.

2. What has changed?

The new proposal eliminates the distinction between OES (Operators of Essential
Services) and DSP (Digital Service Providers), instead classifying entities as either
essential or important. What is also worth noting is that under the old NIS
Directive, member states were responsible for determining which entities would
meet the criteria to qualify as operators of essential services. The new NIS 2
Directive introduces a size-cap rule as a general rule for the identification of
regulated entities. This means that all medium-sized and large entities operating
within the sectors or providing services covered by the directive will fall within
its scope.

Additional changes

1. The coverage of the NIS 2 Directive is expanded in order to cover new sectors
(e.g., wastewater management, food, space and so on) based on their criticality
for the economy and society, including, for this purpose, all medium and large
companies of these sectors. At the same time, member states are guaranteed
flexibility in identifying smaller entities with a high-risk profile.

2. The creation through the European Union Agency for Cybersecurity (ENISA) of a
European Cyber Crises Liaison Organisation Network (EU-CyCLONe) in order to
support the coordinated management of cybersecurity on large-scale incidents and
crises at EU level.

3. Greater coordination is established in the disclosure of new vulnerabilities
discovered throughout the Union.

4. A list of administrative sanctions (similar to those of the GDPR) is
established, including fines for violating cybersecurity risk reporting and
management obligations.

5. The proposal includes seven elements that all companies must address or
implement to strengthen their security requirements:

• Risk analysis and information system security policies
• Incident handling (prevention, detection, and response to incidents)
• Business continuity and crisis management
• Supply chain security
• Security in network and information systems
• Policies and procedures for cybersecurity risk management measures
• The use of cryptography and encryption

6. The proposal introduces stricter supervisory measures for national
authorities, stricter enforcement requirements and aims to harmonize sanctioning
regimes across member states.

7. At European level, the proposal strengthens cybersecurity for key information
and communication technologies. Member States, in cooperation with the Commission
and ENISA, will have to carry out coordinated risk assessments of critical supply
chains, building on the effective approach taken in the context of the Commission
Recommendation on the cybersecurity of 5G networks.

8. The new directive has been aligned with sector-specific legislation, in
particular the Digital Operational Resilience Act (DORA), applicable to the
financial sector, and the Critical Entities Resilience Directive (CER),
strengthening resilience of critical entities that provide vital services on
which the livelihoods of EU citizens depend, such as energy, transport, health,
and drinking water. This will ensure legal clarity and ensure coherence between
NIS 2 and these acts.

3. How will NIS 2 impact you?

The NIS Directive requires OESs and DSPs to secure their critical assets in order
to minimise the risks that a security incident will present to the delivery of their
service. In theory, every organisation knows what is important to deliver its service
and run its business. It could be argued that technologies, such as a network
surveillance camera, are not classed as critical assets. However, it is important to
consider a holistic approach during scoping. Some systems might present a risk
even though they are out of scope. For example, while a camera might not be
essential to the service, it may contain vulnerabilities through which an attacker
could launch an attack on critical assets. It is therefore critical that OESs and DSPs
assess such risks during their NIS Directive assessment.
Demonstrating cyber maturity

With a greater focus on supply chain security, it is expected that organisations
that need to comply with NIS 2 will have to carry out a greater level of due
diligence on their technology partners. As part of this evaluation process and a
vendor risk assessment, it is expected that policies and processes will play a
greater role.

Supporting compliance

Securing a network, its devices, and the services it supports requires active
participation by the entire vendor supply chain, as well as the end-user
organisation. Axis provides tools, documentation and training to help mitigate
risks and keep Axis products and services up-to-date and protected. Axis has an
extensive list of policies and processes in place as well as third-party
certifications.

These are as follows:

• Certification for ISO/IEC 27001 for our Information Security Management
System (ISMS)
• Cyber Essentials Plus
• Building Security in Maturity Model (BSIMM)
• The Axis Security Development Model (ASDM) - a
framework that defines the process and tools used by
Axis to build software with security built-in
throughout the lifecycle, from inception to
decommission
• Axis is a CVE Numbering Authority (CNA) under the
MITRE domain
• Vulnerability Management Policy
• Security Advisory Notifications


Supply chain product integrity

Product integrity can be achieved when hardware and firmware are successfully protected from unauthorized
change or manipulation during the product’s journey through the supply chain. Together with our suppliers
and manufacturing partners, Axis applies a multitude of quality controls to maintain and protect the integrity
of its products. For example:

• Axis’ Information Security Management System (ISMS) is ISO 27001-certified,
which means it follows internationally recognized processes and best practices
in managing the internal information infrastructure and systems that support the
product’s journey through the supply chain.
• It applies the concept of Zero Trust which is based on the principle of never
trust and always verify, whether human or machine, connecting to and within the
networks and architectures.
• Components are always sourced from a supplier on the Approved Vendor List,
according to Axis bill of materials in the Axis specification.
• The supplier may not change critical production specifications without
permission from Axis. Any approved change must be documented and logged.
• A material handling process always ensures status of materials, revealing any
deviations that could compromise quality.
• Suppliers and manufacturing partners are required to maintain a system which
ensures traceability of produced batches from incoming material to finished
part. During production, the part will undergo multiple tests, such as Incoming
Quality Control (IQC) and Automatic Optical Inspection (AOI), which can check
that no counterfeit components are mounted.
• Critical production equipment and the underlying test system is developed,
produced and provided by Axis, as is the system for testing the components,
modules, and products at the different levels during production. This limits the
risks associated with tampering. Axis provides a list of built-in enhanced
security features.
• ARTPEC® is the Axis in-house developed system-on-chip (SoC) chipset, which is
compliant with the National Defence Authorisation Act (NDAA). ARTPEC has
built-in security features exclusively for Axis devices. These include signed
firmware, ensuring that only secure authorized firmware can be installed, and
secure boot, which prevents booting of unauthorized firmware.
• To further enhance security controls, all test data is shared with Axis 24/7
from our production partners, so unauthorized modifications can be immediately
identified.

4. What product features can help mitigate threats and protect against attack?

This section describes some of the advanced security features available in
Axis products.

Signed firmware

Signed firmware is implemented by the software vendor and involves signing the
firmware image with a private key. When firmware has this signature attached to
it, a device will validate the firmware before accepting installation. If the
device detects that the firmware integrity is compromised, the firmware upgrade
will be rejected.

Secure boot

Secure boot is a boot process that consists of an unbroken chain of
cryptographically validated software, starting in immutable memory (boot ROM).
Based on the use of signed firmware, secure boot ensures that a device can boot
only with authorised firmware.

Safe key storage with a trusted platform module (TPM)

A trusted platform module (TPM) is a component which provides a certain set of
cryptographic features suitable for protecting information from unauthorised
access. The private key is stored in the TPM and never leaves the TPM. All
cryptographic operations requiring the use of the private key are sent to the
TPM to be processed. This ensures that the secret part of the certificate never
leaves the secure environment within the TPM and remains safe even in the event
of a security breach.
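The signed-firmware check and the secure-boot chain described above, modelled in Go as an added example. This is not Axis code, not the AXIS OS image format and not ARTPEC's implementation: a vendor Ed25519 key signs each image, the device verifies it against a public key assumed to be held in boot ROM, and a single flipped byte halts the boot at the stage where it is found. The image layout, stage names and version strings are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// FirmwareImage is a constructed image layout for this example (not the
// AXIS OS image format): the payload plus the vendor signature shipped with it.
type FirmwareImage struct {
	Version   string
	Payload   []byte
	Signature []byte
}

// imageDigest is what the vendor signs and the device checks. Version and
// payload are both covered, so relabelling an intact image is detected too.
func imageDigest(version string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(version))
	h.Write([]byte{0}) // separator so the version/payload boundary cannot shift
	h.Write(payload)
	return h.Sum(nil)
}

// SignFirmware is the vendor-side step: the image is signed with a private
// key that stays inside the vendor's signing infrastructure.
func SignFirmware(vendorPriv ed25519.PrivateKey, version string, payload []byte) FirmwareImage {
	return FirmwareImage{
		Version:   version,
		Payload:   append([]byte(nil), payload...),
		Signature: ed25519.Sign(vendorPriv, imageDigest(version, payload)),
	}
}

// VerifyFirmware is the device-side step: validate the signature against the
// vendor public key before accepting an upgrade. Any mismatch rejects the image.
func VerifyFirmware(vendorPub ed25519.PublicKey, img FirmwareImage) error {
	if len(vendorPub) != ed25519.PublicKeySize {
		return errors.New("trust anchor missing or malformed")
	}
	if !ed25519.Verify(vendorPub, imageDigest(img.Version, img.Payload), img.Signature) {
		return fmt.Errorf("firmware %q: integrity check failed, upgrade rejected", img.Version)
	}
	return nil
}

// BootStage is one link of the secure-boot chain (bootloader, kernel, ...).
// The stage names are illustrative.
type BootStage struct {
	Name  string
	Image FirmwareImage
}

// SecureBoot models the chain of trust: the public key is anchored in
// immutable memory (boot ROM) and every stage is validated before it may run.
// The first failing stage halts the boot; the stages that did pass are
// returned so the failure point is visible.
func SecureBoot(bootROMPub ed25519.PublicKey, chain []BootStage) ([]string, error) {
	booted := make([]string, 0, len(chain))
	for _, st := range chain {
		if err := VerifyFirmware(bootROMPub, st.Image); err != nil {
			return booted, fmt.Errorf("secure boot halted at %s: %w", st.Name, err)
		}
		booted = append(booted, st.Name)
	}
	return booted, nil
}

func main() {
	// Constructed demo: one vendor key pair, a two-stage chain, then a
	// single flipped byte in the second stage.
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	chain := []BootStage{
		{Name: "bootloader", Image: SignFirmware(vendorPriv, "1.0.0", []byte("constructed bootloader bytes"))},
		{Name: "kernel", Image: SignFirmware(vendorPriv, "1.0.0", []byte("constructed kernel bytes"))},
	}
	booted, err := SecureBoot(vendorPub, chain)
	fmt.Println("genuine chain:", booted, err)

	chain[1].Image.Payload[0] ^= 0xff
	booted, err = SecureBoot(vendorPub, chain)
	fmt.Println("tampered chain:", booted, err)
}
```

The point worth noticing for an assessment is that the device never needs the private key: the only secret lives with the vendor, and what the device protects is the integrity of its public trust anchor, which is why the handbook ties secure boot to immutable memory.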
Axis Edge Vault

Axis Edge Vault is a secure cryptographic compute module which can be used for
cryptographic operations on securely stored certificates. Edge Vault provides
tamper-protected storage, enabling each device to protect its secrets. It sets a
foundation for the safe implementation of more advanced security features.

Signed video

Signed video ensures that video evidence can be verified as untampered without
proving the chain of custody of the video file. Each camera uses its unique Axis
device ID, securely kept in Axis Edge Vault, to add a signature into the video
stream. When the video is played, the file player shows whether the video is
intact. Signed video makes it possible to trace the video back to the origin
camera and verify that the video has not been modified or edited and is still
in its original untampered form.

Axis device ID

Axis device ID works like a digital passport and is unique for each device
unit. It is securely and permanently stored in Edge Vault as a certificate,
signed by Axis root certificate. Axis device ID is designed to prove the origin
of the device, enabling a new level of device trust through the life cycle of
the product.

HTTPS Enabled

HTTPS is enabled by default with a self-signed certificate since AXIS OS 7.20.
This enables setting the device password in a secure way. In AXIS OS 10.10 and
higher, the self-signed certificate has been replaced by the IEEE 802.1AR
secure device ID certificate.
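The two ideas from the Signed video and Axis device ID sections, origin and integrity, combined in one added Go example. It is not Axis code and not the actual signed-video or IEEE 802.1AR certificate format: the device ID is modelled as an Ed25519 key whose public half is signed by a vendor root key, and each frame's signature covers the frame, its position and the previous signature, so the player can both confirm which camera produced the stream and report the first frame at which the recording stops being trustworthy. Serial numbers and frame contents are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// DeviceID is a minimal stand-in for the device certificate: the camera's
// public key plus a vendor root signature over it (constructed model).
type DeviceID struct {
	Serial  string
	Pub     ed25519.PublicKey
	RootSig []byte
}

func deviceIDDigest(serial string, pub ed25519.PublicKey) []byte {
	h := sha256.New()
	h.Write([]byte(serial))
	h.Write([]byte{0})
	h.Write(pub)
	return h.Sum(nil)
}

// IssueDeviceID is the factory step: the vendor root key vouches for the
// device key, which is what later lets a player prove the video's origin.
func IssueDeviceID(rootPriv ed25519.PrivateKey, serial string, pub ed25519.PublicKey) DeviceID {
	return DeviceID{Serial: serial, Pub: pub, RootSig: ed25519.Sign(rootPriv, deviceIDDigest(serial, pub))}
}

// SignedFrame carries one frame and its signature.
type SignedFrame struct {
	Seq       uint32
	Data      []byte
	Signature []byte
}

// frameDigest binds each frame to its position and to the previous
// signature, so edited, dropped or reordered frames break the chain.
func frameDigest(seq uint32, data, prevSig []byte) []byte {
	h := sha256.New()
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], seq)
	h.Write(n[:])
	h.Write(prevSig)
	h.Write(data)
	return h.Sum(nil)
}

// SignStream runs on the camera with the device private key (the key that,
// on a real device, never leaves the secure element).
func SignStream(devPriv ed25519.PrivateKey, frames [][]byte) []SignedFrame {
	out := make([]SignedFrame, 0, len(frames))
	var prev []byte
	for i, f := range frames {
		sig := ed25519.Sign(devPriv, frameDigest(uint32(i), f, prev))
		out = append(out, SignedFrame{Seq: uint32(i), Data: f, Signature: sig})
		prev = sig
	}
	return out
}

// VerifyStream runs in the player. It first checks that the device ID was
// issued under the vendor root (origin), then walks the chain. It returns how
// many leading frames verified, not just pass/fail, so a reviewer can see
// where the recording stops being trustworthy.
func VerifyStream(rootPub ed25519.PublicKey, id DeviceID, stream []SignedFrame) (int, error) {
	if len(rootPub) != ed25519.PublicKeySize || len(id.Pub) != ed25519.PublicKeySize {
		return 0, errors.New("malformed root or device key")
	}
	if !ed25519.Verify(rootPub, deviceIDDigest(id.Serial, id.Pub), id.RootSig) {
		return 0, errors.New("device ID not signed by vendor root: origin cannot be established")
	}
	var prev []byte
	for i, fr := range stream {
		if fr.Seq != uint32(i) {
			return i, fmt.Errorf("frame %d: sequence mismatch (got %d), frames dropped or reordered", i, fr.Seq)
		}
		if !ed25519.Verify(id.Pub, frameDigest(fr.Seq, fr.Data, prev), fr.Signature) {
			return i, fmt.Errorf("frame %d: signature invalid, content or chain modified", i)
		}
		prev = fr.Signature
	}
	return len(stream), nil
}

func main() {
	// Constructed demo: one vendor root, one camera, three frames.
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	id := IssueDeviceID(rootPriv, "EXAMPLE-SERIAL-0001", devPub)
	frames := [][]byte{[]byte("frame 0"), []byte("frame 1"), []byte("frame 2")}

	stream := SignStream(devPriv, frames)
	fmt.Println(VerifyStream(rootPub, id, stream))

	stream[1].Data = []byte("edited frame 1")
	fmt.Println(VerifyStream(rootPub, id, stream))
}
```

Because the player only ever holds the vendor root public key, a stream signed by a key that was never issued under that root fails at frame 0, and a stream from a genuine camera with one edited frame verifies exactly up to the frame before the edit; that is the property that removes the need to prove chain of custody separately.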


Axis tools and guides to support the installation, commissioning and
maintenance process are listed below:

Hardening Guide

As a means of structuring our recommendations in the context of a cybersecurity
framework, Axis has chosen to follow the methods outlined in CIS Controls
version 8, launched by the Center for Internet Security (CIS). Previously known
as SANS Top 20 Critical Security Controls, the CIS controls provide 18
categories of Critical Security Controls (CSC) focused on addressing the most
common cybersecurity risk categories faced by an organisation. This information
can be found in the Axis Hardening guide.

AXIS Device Manager

AXIS Device Manager is the go-to-tool for fast and easy installation and
configuration of new devices. It offers security installers and system
administrators a highly effective tool to manage all major installation,
security and maintenance tasks, either one-by-one or in batches. This is the
most efficient way to track Axis devices on a network, implement security
policies across the devices and carry out all firmware updates in a quick and
efficient manner.

5. Conclusion

While it is very unlikely that security systems will be classed as a critical
asset, it is important for OESs and DSPs to consider a holistic approach
during scoping. This means that physical security technologies need to be
thoroughly evaluated as part of a NIS 2 Directive assessment to highlight
any potential risks.

Axis takes a full 360 view in regard to its cybersecurity offering. Products
are designed with inbuilt features to address cybersecurity concerns,
while an extensive list of policies and processes, tools, documentation and
training will help mitigate risks to keep customers protected.

About Axis Communications
Axis enables a smarter and safer world by creating solutions for improving security
and business performance. As a network technology company and industry
leader, Axis offers solutions in video surveillance, access control, intercom, and
audio systems. They are enhanced by intelligent analytics applications and
supported by high-quality training.

Axis has around 4,000 dedicated employees in over 50 countries and collaborates
with technology and system integration partners worldwide to deliver customer
solutions. Axis was founded in 1984, and the headquarters are in Lund, Sweden.

©2023 Axis Communications AB. AXIS COMMUNICATIONS, AXIS, ARTPEC and VAPIX are registered trademarks of Axis
AB in various jurisdictions. All other trademarks are the property of their respective owners.
