
How to align your security strategy with NIS2

Written by Techstep | Feb 27, 2025 11:25:35 AM

The NIS2 directive sets new cybersecurity requirements in the EU, with a clear focus on protecting critical infrastructure. It applies to all devices connected to the network, including mobile devices. For companies, this means shifting from a reactive to a proactive approach to security. Mobile devices should not be overlooked by other security measures, says Pontus Palmgren, Product Owner – App Management at Techstep.

NIS2, a new EU directive aimed at strengthening the security of critical infrastructure and digital services, will come into effect shortly after the new year. It covers sectors such as energy, transport, healthcare, and digital infrastructure, with requirements that go well beyond traditional data networks. Companies serving customers in these sectors must comply with NIS2 and adapt to its changes, while suppliers should also prepare for the new security requirements. Mobile phones, tablets, and other mobile devices that handle business data are now in the spotlight, and poor management of these devices can have serious consequences, says Pontus.

- Many might think that NIS2 is only about IT systems and computers, but the directive also covers mobile devices, which are becoming an increasingly important part of daily business operations. Even small companies should take note, as they could be affected if they provide services to a business covered by NIS2.

Cyberattacks are directed at mobile devices 

With NIS2, mobile device security is more important than ever. Mobile devices have also become an increasingly common entry point for cyberattacks, partly because more business data is stored and used on them. According to a Verizon study, 62% of organizations that reported a security incident said it had a significant impact on their business, and mobile devices played a key role in many of these attacks.

- Mobile Device Management (MDM) alone is not enough to protect against advanced attacks like phishing or network vulnerabilities, says Krister Jensen, Product Owner, UEM & Mobile Endpoint Security at Techstep:

- Mobile phones today hold the same type of sensitive information as laptops, but they are often used for both personal and professional purposes. Without control over which apps are installed and with constant connections to insecure networks, they become much more vulnerable, significantly increasing the risk of breaches and data loss. Mobile phones are therefore a vulnerability that must be taken seriously.

 

Take the step from reactive to proactive 

One of the biggest changes brought by NIS2 is the need for a more proactive security strategy. Protecting mobile devices requires more than just the ability to wipe a lost device. Organizations must implement targeted protection for mobile devices, such as a Mobile Threat Defense (MTD) tool, to close the security gaps that MDM doesn't cover. To meet the NIS2 requirements for network-connected devices, companies need the ability to prevent, detect, manage, and report security incidents.

- It’s no longer enough to sit and wait for something to happen. With NIS2, you need to be proactive and detect cyberattacks in real time. It’s all about having the right tools and processes in place so you can respond quickly if an attack occurs, says Pontus.


The risk of not meeting the requirements 

Companies that don’t comply with NIS2 risk not only fines of up to 10 million euros or 2% of turnover, but also reputational harm and reduced customer trust. In the worst case, sensitive information or customer data could fall into the wrong hands, leading to serious consequences.


- It's not just about avoiding fines. It's about protecting what truly matters, your data and your reputation. Taking cybersecurity seriously is a necessity, not a choice, concludes Krister.

Review your security status

Techstep has developed the Mobility Security Health Check, a smart concept that gives you a clear overview of your company's mobile device security. With this tool, the IT department can quickly and easily improve both the security and management of mobile devices.

This article is based on the NIS2 directive as implemented in the EU and applies throughout the EEA. In Norway, the Digital Security Act, passed in December 2023, is in effect. It is based on NIS1 and includes some elements from NIS2. Therefore, some of the requirements and measures described here may vary for Norwegian companies.