Bridge your gap to NIS2 Compliant Remote Access

White Paper


Remote access is one of the most overlooked risks under NIS2. This paper explains why, and what to do about it, through actionable strategies and cybersecurity expert insights.

The NIS2 Directive marks a transformative step in enhancing cybersecurity resilience across the European Union, especially for organisations that operate within critical infrastructure sectors such as water, energy, transport, health, finance, and digital services. These entities are legally required to implement a range of stringent cybersecurity measures aimed at improving resilience, mitigating risks, and ensuring business continuity.


REMOTE ACCESS IS A NIS2 RISK

This white paper is intended for leaders in critical infrastructure who must comply with the NIS2 Directive, especially those responsible for cybersecurity, operational continuity, and third-party/vendor access.

 

Included in the paper:

  • Why Traditional Remote Access Fails NIS2 Compliance
  • Aligning key NIS2 requirements with actionable secure access controls
  • Independent insights from cybersecurity expert Mikael Vingaard, ICSRange
  • From regulation to reality: How to get real-world compliance through non-persistent, hardware-based remote access

Bridge your gap to NIS2 Compliant Remote Access

A BifrostConnect White Paper, in collaboration with Mikael Vingaard, ICSrange.


Why Traditional Remote Access Fails NIS2 Compliance

  • Persistent Network Exposure: Always-on VPN tunnels create open pathways that attackers can exploit long after sessions end.
  • No Segmentation Between IT and OT: Direct access from corporate networks to operational systems breaks required network separation and increases lateral movement risk.
  • Lack of Least-Privilege Control: Users often receive full administrative rights instead of time-limited, role-based access.
  • Shared or Reused Credentials: Generic logins eliminate accountability and increase credential theft risk.
  • No Multi-Factor Authentication (MFA): Legacy RDP and TeamViewer setups often lack enforced MFA, violating NIS2’s access-control requirements.
  • No Session Logging or Recording: Inability to document who accessed what, when, and what actions were taken, which undermines the accountability and incident-handling obligations NIS2 places on essential and important entities.
  • Unmonitored Third-Party Access: No real-time control over when or how vendors connect to critical systems.
  • Static Public IP Exposure: Endpoints are reachable from the internet, increasing vulnerability to scanning and brute-force attacks.
  • No Out-of-Band Connectivity: Remote access depends on production networks; if they fail, remote intervention becomes impossible.
  • Lack of Built-in Resilience: No automatic failover (4G/Wi-Fi/external satellite), leaving critical infrastructure unreachable during outages.
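As an added illustration (not part of the white paper or of any BifrostConnect product), the following Python script audits a constructed export of remote-access session records against the control gaps listed above: shared accounts, missing MFA, persistent or over-long sessions, access without an approved change window, connections originating outside the controlled access network, and missing session recording. The log format, field names, the list of shared account names, the session-length threshold, the internal address ranges, the audit timestamp and the sample records are all assumptions made for the example.

```python
"""Audit remote-access session records against common NIS2 control gaps.

Added example; the CSV layout, field names, thresholds and sample data
below are constructed assumptions, not a real product's export format.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export: one row per remote session (assumed format).
SAMPLE_LOG = """\
session_id,user,source_ip,target,mfa,started,ended,ticket,recording
s1,j.smith,10.20.0.5,plc-01,yes,2025-03-01T08:00:00,2025-03-01T09:10:00,CHG-1042,yes
s2,vendor,203.0.113.7,hmi-02,no,2025-03-01T08:30:00,,,no
s3,a.jones,10.20.0.9,scada-srv,yes,2025-03-01T07:00:00,2025-03-02T19:00:00,CHG-1043,yes
s4,m.lee,198.51.100.4,plc-01,yes,2025-03-01T10:00:00,2025-03-01T10:45:00,,yes
"""

SHARED_ACCOUNTS = {"vendor", "admin", "root", "operator"}   # assumed generic logins
MAX_SESSION = timedelta(hours=8)                             # assumed access-window policy
INTERNAL_PREFIXES = ("10.", "192.168.")                      # assumed controlled network
AUDIT_TIME = datetime(2025, 3, 2, 0, 0, 0)                   # assumed time of the audit


def parse_sessions(text):
    """Parse the assumed CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_session(row, now=AUDIT_TIME):
    """Return the list of control gaps found for one session record."""
    findings = []

    # Accountability: sessions must be traceable to an individual.
    if row["user"].lower() in SHARED_ACCOUNTS:
        findings.append("shared account: session not traceable to an individual")

    # Access control: MFA must be enforced for every remote session.
    if row["mfa"].lower() != "yes":
        findings.append("MFA not enforced")

    # Time-limited access: no persistent tunnels and no open-ended sessions.
    started = datetime.fromisoformat(row["started"])
    if not row["ended"]:
        if now - started > MAX_SESSION:
            findings.append("persistent session: still open past the access window")
    elif datetime.fromisoformat(row["ended"]) - started > MAX_SESSION:
        findings.append("session exceeds access window: no time-limited access")

    # Least privilege: each session should map to an approved change/ticket.
    if not row["ticket"]:
        findings.append("no approved change or ticket: access not justified")

    # Exposure: sessions should originate from the controlled access network.
    if not row["source_ip"].startswith(INTERNAL_PREFIXES):
        findings.append("source outside controlled network: public exposure")

    # Auditability: actions taken during the session must be recorded.
    if row["recording"].lower() != "yes":
        findings.append("no session recording: actions cannot be audited")

    return findings


def audit_log(text, now=AUDIT_TIME):
    """Map each session_id in the export to its list of findings."""
    return {row["session_id"]: audit_session(row, now) for row in parse_sessions(text)}


def compliant_sessions(text, now=AUDIT_TIME):
    """Return the sorted session ids that passed every check."""
    return sorted(sid for sid, found in audit_log(text, now).items() if not found)


if __name__ == "__main__":
    for sid, found in audit_log(SAMPLE_LOG).items():
        print(f"{sid}: {'OK' if not found else 'FAIL'}")
        for item in found:
            print(f"   - {item}")
```

Run against the constructed sample, only s1 passes: s2 (a shared vendor login, no MFA, never closed, no ticket, public source, no recording) trips every check, s3 is an individual's authenticated session that simply ran for 36 hours, and s4 has MFA and recording but no approved ticket and a public source address. Mapping each check back to a NIS2 Article 21(2) measure (access control, MFA, incident handling, supply chain security) is the kind of evidence an auditor will ask for.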

KEY REQUIREMENTS

As cyberattacks grow more sophisticated, especially through remote access points, many legacy remote access methods fall short of modern cybersecurity standards and NIS2 compliance requirements.

NIS2 introduces legally binding obligations focused on reducing the risk of cybersecurity incidents across critical sectors.

For organisations falling under the “essential” or “important” entity categories, this means implementing controls such as:

§ Article 21: Cybersecurity risk-management measures, including policies on risk analysis and information system security, incident handling, business continuity, supply chain security, access control policies, and the use of multi-factor or continuous authentication (Art. 21(2))
§ Article 23: Reporting obligations for significant incidents (early warning within 24 hours of becoming aware, incident notification within 72 hours, final report within one month)
§ Annex I: Sectors of high criticality, including Energy, Transport, Health, Drinking Water, Digital Infrastructure, and more.

Disclosure: Mikael Vingaard has received compensation for his time and expertise in the development of this white paper. His assessments remain independent and based on more than 25 years of experience in IT/OT security.

INDEPENDENT INSIGHTS 
from cybersecurity expert Mikael Vingaard, ICSRange

To provide additional expertise, we consulted Mikael Vingaard, an experienced cybersecurity professional and trusted industry advisor. Mikael has worked extensively with critical infrastructure security, IT/OT cybersecurity, and regulatory compliance for over 25 years. His experience includes advising enterprises on cybersecurity strategies, supply chain risk management, and secure remote access solutions.

I see three major cybersecurity challenges for industrial companies under NIS2:
  1. Supply Chain Control: Risk assessment and control of remote third-party access to OT is central to NIS2.
  2. Balancing Access & Risk: Organisations must enable secure third-party access without destabilising operations.
  3. Timely Access: Remote access must be secure, auditable, and rapid to meet legal and operational requirements.

Best practice for companies to ensure secure third-party access:
  • Avoid shared accounts: sessions must be traceable to individuals.
  • Use the Principle of Least Privilege: only grant what’s needed.
  • Enforce session logging and active log review.
  • Define clear SLA clauses outlining vendor security obligations.
  • Ensure third parties comply with NIS2 and other relevant frameworks.

Traditional remote access:

Traditional remote access like VPN or RDP should often be seen as a door into your home. Whoever has the key can enter and roam freely. Combine that with weak passwords or no MFA, and it’s like leaving the key under your doormat.

BIFROSTCONNECT REMOTE ACCESS:

BifrostConnect allows you to provide ad-hoc secure access where you’re in full control. During a critical incident, for instance, you still need urgent third-party access – but securely.