NIS2 Directive to impact DNS and critical infrastructure security

As EU member states finalize their national implementations of the NIS2 Directive, organizations should begin preparing for its requirements. The directive aims to harmonize and strengthen cybersecurity for digital services and critical infrastructure across the Union.

NIS2 expands upon and clarifies the requirements of the previous NIS Directive, specifying which organizations are affected and the security measures they must implement. For the Domain Name System (DNS), the directive mandates a common baseline of security to ensure a robust infrastructure throughout the EU. NIS2 was approved in December 2022 and will become national law in member states from October 18, 2024.

The directive impacts several sectors deemed essential for societal function, including electronic communications, energy, finance, healthcare, and transport. Organizations in these fields must ensure redundant DNS infrastructure, protection against DNS attacks, web application firewalls, and reliable routing.

Non-compliance can lead to significant penalties, including fines up to EUR 10 million or 2% of annual turnover. Organizations must review their supply chains and ensure their service providers also meet NIS2 requirements. Utilizing providers within the EU, preferably local ones offering contracts and support in the local language, is strongly recommended.

A security level equivalent to ISO 27000 certification is generally required. The European Union Agency for Cybersecurity (ENISA) and national authorities, such as Sweden's MSB, are providing guidance for implementation.