Introduction

The European Union's (EU) Network and Information Security (NIS) Directive aims to enhance cybersecurity across the EU. In December 2020, the European Commission adopted a new version of the directive known as NIS2 which will repeal and replace the existing NIS Directive.

A major component of NIS2 is the requirement for a mandatory EU-wide Public Key Infrastructure (PKI) scheme. PKI provides the foundation for secure communications and transactions over networks and the internet by enabling encryption and digital signatures. The mandatory PKI scheme under NIS2 will facilitate trusted digital identities and secure data exchange between entities covered under the directive.

The goal of the new PKI requirements is to improve security and build greater trust in digital communications across the EU. However, implementing mandatory PKI will also bring challenges in terms of cost, compatibility, and compliance for affected entities. As EU member states begin transposing NIS2 into national laws in the coming years, organizations will need to prepare for the changes to infrastructure, policies, and processes needed to meet the new PKI obligations.

What is the NIS2 Directive?

The NIS2 directive (Network and Information Systems Security directive) is a European Union (EU) policy that aims to strengthen cybersecurity across the EU. It is an update to the original nis1 directive from 2016.

The NIS2 directive establishes legal measures to boost the overall level of cybersecurity in the EU. It applies to companies in specific critical sectors like energy, transport, health, and digital infrastructure.

The key objectives of NIS2 are to:

• Improve cybersecurity capabilities and preparedness across sectors that provide critical services. This includes enhancing risk management and reporting obligations.

• Increase cooperation among EU member states and between the public and private sectors on cybersecurity. This facilitates information sharing and coordination.

• Establish cybersecurity rules and common security requirements for devices sold in the EU market. This aims to improve the security of the Internet of Things (IoT) ecosystem.

• Introduce new supervisory structures and enforcement powers. This enables sanctions against entities that fail to comply with the NIS2 requirements.

The NIS2 directive represents a crucial step towards building cyber resilience and improving the security posture across critical industries in Europe. It demonstrates the EU's ambitions to be a global leader in cybersecurity regulation and preparedness.

Mandatory PKI Infrastructure

The NIS2 Directive mandates the use of PKI (Public Key Infrastructure) for secure communication and authentication across the EU. This means that all member states will be required to implement standardized PKI systems that issue, manage, and revoke digital certificates.

Digital certificates are used to cryptographically bind identities to public keys. They enable secure communication through encryption and support authentication by verifying the identity of entities like websites, email servers, and users.

Under the NIS2 Directive, qualified trust service providers will issue qualified certificates to individuals, companies, and government entities. All member states must recognize these qualified certificates. This will create an EU-wide trust framework so digital identities and documents can securely cross borders.

The PKI infrastructure will support services like electronic identification, electronic signatures, website authentication, secure email delivery, and document encryption. Using PKI will be mandatory for public sector entities and recommended for the private sector.

The goal is to increase cybersecurity, enable paperless processes, and make cross-border interactions more efficient. However, implementing standardized PKI represents a major technological and policy challenge for member states. Significant investment and coordination will be required.

Benefits of PKI

A mandatory PKI infrastructure as outlined in the NIS2 Directive will provide several key benefits to organizations operating in the EU.

• Improved security. PKI enables the use of digital certificates to provide authentication, data integrity, and encryption. This heightens security for sensitive information and transactions. With PKI, private keys are only known to the owner, while public keys can be freely shared to allow verification and encryption of messages.

• Stronger encryption. PKI supports the use of robust encryption algorithms and key lengths. This ensures encrypted data remains confidential even if subject to attacks. Proper PKI implementation provides encryption strength compliant with industry standards.

• Better authentication. Digital certificates allow authentication of identity for people, devices, and services. This prevents impersonation and builds trust. Certificates bind public keys to real-world entities verified by certificate authorities. Authentication through PKI is superior to username/password approaches.

Overall, mandated PKI will compel organizations to adopt digital certificates and cryptography best practices. This will significantly improve the security posture across sectors like finance, healthcare, and government by preventing data breaches, financial fraud, and other cyber threats. While implementing PKI comes with costs, the long-term benefits for security are significant.

Challenges of Implementation

Implementing mandatory PKI infrastructure across the EU presents some key challenges that entities will need to address.

Costs

Deploying the required PKI technology across entire organizations will involve significant upfront and ongoing costs. The infrastructure, certificates, hardware security modules, and integration work don't come cheap. Training staff on using digital certificates and managing keys adds more expense. Smaller firms in particular may struggle with the financial burden.

Technical Complexity

For larger enterprises, rolling out PKI on a wide scale brings tremendous technical complexity. They need to set up certificate authorities, establish policies and procedures, integrate PKIs with existing systems, and manage certificate lifecycles. For global entities, they must determine how to connect geographically distributed PKI systems. The effort and coordination involved should not be underestimated.

Technical support and PKI expertise are required for successful ongoing management. This represents a skillset that is in short supply, so finding qualified personnel may prove difficult. Outsourcing to a specialized managed service provider could help alleviate these issues.

The good news is that guidance and best practices exist for tackling these challenges. With proper planning and preparation, entities can overcome the hurdles to achieve a smooth PKI implementation. The long-term security benefits are well worth the effort.

Encryption Standards

The EU NIS2 directive creates standards for the types of encryption methods that must be used for secure communication and verification under the new PKI framework. This aims to establish a baseline level of security and interoperability between EU member states.

At a minimum, the NIS2 directive requires support for:

• RSA encryption - A commonly used public-key encryption method relied upon for secure data transmission. Key sizes of at least 2048 bits will be required.

• AES encryption - The Advanced Encryption Standard (AES) will be mandatory for symmetric encryption. Keys of 256 bits or higher must be supported.

• SHA-2 - Secure hash algorithms will be required for cryptographic functions like digital signatures. Variants such as SHA256, SHA384, and SHA512 will be permitted.

• ECC - Elliptic curve cryptography, an approach based on elliptic curve math, will also be supported. ECC offers similar security to RSA but with smaller key sizes.

In addition, algorithms and key lengths will be subject to review every 5 years to determine if they need to be upgraded to maintain adequate security. The standards aim to balance strong encryption while minimizing complexity that could hinder adoption and interoperability. Strict use of validated, standardized algorithms is stressed over proprietary solutions.

Adherence to these encryption standards will ensure the NIS2 PKI framework has the cryptographic foundations necessary for trusted communication, digital signatures, identity verification, and overall security.

Entities Affected

The NIS2 Directive will affect a wide range of entities across the EU's digital landscape. Organizations operating in certain sectors will be required to comply with the new regulations.

Organizations that Must Comply

The NIS2 Directive applies to organizations in these critical sectors:

• Energy - Electricity, oil, and gas companies
• Transport - Airlines, railway operators, maritime and inland waterway transport
• Banking - Credit institutions, financial market infrastructures
• Financial market infrastructures - Stock exchanges, central counterparties
• Health - Healthcare providers, hospitals, private clinics
• Drinking water supply and distribution
• Digital infrastructure - Internet exchange points, domain name system service providers, top–level domain name registries
• Public administration
• Space

Within these sectors, NIS2 will apply to small, medium, and large companies. Organizations in these industries that are identified as essential service operators will need to fully comply with the cybersecurity regulations.

Some specific services like public cloud computing, data center services, and public digital infrastructure will also fall under the scope of the directive.

Overall, several thousand companies across the EU will need to take action to adhere to the new cybersecurity rules. Proper implementation of NIS2 will require extensive coordination and investment.

Implementation Timeline

The NIS2 Directive sets out a timeline for implementing the new mandatory PKI infrastructure across the EU. Here are some of the key dates and deadlines to be aware of:

• September 2022 - The NIS2 Directive was approved by the European Parliament and the Council of the EU. This set the directive into motion.

• June 2023 - Member states must adopt national legislation to comply with the NIS2 Directive. They have 9 months from the directive's approval to update their national laws.

• December 2023 - Providers of essential and important services have 6 months from adoption of national laws to identify the digital products, services and processes that will require PKI encryption and signing.

• June 2024 - Certification authorities have 12 months from national adoption to comply with requirements under NIS2 and ensure their certificates adhere to approved standards.

• December 2024 - Providers of essential services must operationally deploy the mandatory PKI infrastructure. This is the deadline for having PKI fully implemented.

• June 2025 - Providers of important services must operationally deploy the mandatory PKI infrastructure.

• December 2025 - Potential deadline for the European Commission to review and evaluate implementation of the NIS2 Directive across member states.

The timeline sets out a phased approach but the key date is December 2024 - that is when the mandatory PKI must be fully operational for providers of essential services across the EU.

Looking Ahead

The NIS2 directive ushers in a new era of cybersecurity regulation in the EU. While the initial implementation focuses on securing communications for public sector entities, the impacts will likely expand over time. As more organizations adopt PKI encryption and digital signatures, we may see a push to broaden the scope to additional industries in the future.

The mandatory PKI infrastructure will also spur further development and innovation in encryption standards and technologies. We can expect to see growth in the cybersecurity industry as providers emerge to meet the new regulatory requirements. Auditing and compliance solutions will also be needed.

Data breaches and cyber attacks make headlines daily. NIS2 represents a proactive move by the EU to get ahead of the threats. By taking steps to secure critical information systems now, the EU aims to prevent future attacks that could have severe economic and societal consequences.

While NIS2 compliance will present challenges initially, the long-term benefits are significant. Over time, NIS2 will lead to greater trust and security in digital communications and transactions for both the public and private sectors. The EU is leading the way globally in using regulation to harden cyber defenses. Other nations may follow suit by enacting similar legislation.

Conclusion

The implementation of the NIS2 Directive represents a major step forward for cybersecurity in the European Union. By mandating PKI across sectors like finance, energy, transport and healthcare, the EU aims to strengthen encryption and digital identity frameworks.

While the technical challenges of implementing PKI are not insignificant, the potential benefits make this a worthwhile endeavor. PKI enables trusted digital communications and transactions, reducing fraud and enhancing privacy. As cyberattacks become more sophisticated globally, the NIS2 Directive will help the EU safeguard critical systems and data.

Ultimately, this regulation reflects the EU's leadership in cybersecurity policy. By taking a proactive regulatory approach, the EU is aiming to make PKI ubiquitous and lay a foundation for robust cyber protections. As other nations grapple with increasing cyber risks, the EU's model provides useful guidance on governance and standardization around PKI. With cyber threats growing daily, the NIS2 Directive represents a pragmatic step to enhance resilience.