Mobile Security Blog | Pradeo

NIS2 Directive: What Obligations Apply to Mobile Applications and Usage?

Written by Roxane Suau | November 21, 2024

Effective from October 2024, the European NIS2 Directive aims to enhance the protection of critical infrastructures against cyberattacks.

With a broader scope and stricter requirements compared to the 2016 NIS Directive, it mandates rigorous compliance to safeguard critical information systems, including mobile devices and services provided through applications.

Its objective? Ensuring the continuity of essential services while holding companies accountable for digital risks.

Which organizations are affected by the NIS2 Directive?

Thierry Breton, Commissioner for the Internal Market, explains: “Cyber threats have become bolder and more complex. It was imperative to adapt our security framework to the new realities and to make sure our citizens and infrastructures are protected. [...] With the agreement on NIS2, we modernise rules to secure more critical services for society and the economy.”

NIS2 covers a wide range of entities considered essential or important, including the following highly critical sectors:

  • Public administration
  • Drinking water
  • Wastewater
  • Energy
  • Space
  • IT services management (B2B)
  • Financial market infrastructures
  • Digital infrastructures
  • Healthcare
  • Banking
  • Transport

And these other critical sectors:

  • Chemical production and distribution
  • Digital service providers
  • Waste management
  • Manufacturing
  • Food production, processing, and distribution
  • Research
  • Postal and courier services

NIS2 applies to all companies in the above-mentioned sectors that operate or provide services within the European Union. This includes both EU-based companies and foreign entities offering services to EU citizens in the relevant sectors.

Mobile services now within the scope

A key advancement in this updated directive is the explicit inclusion of mobile services within the context of online services. The preamble to NIS2 acknowledges: “Cloud computing services should include digital services enabling on-demand management and broad remote access [...], including those provided on mobile phones, tablets, laptops, and desktops.”

This explicit recognition of mobile services reflects today’s realities, where mobile devices play a pivotal role in both professional and personal digital activities. As mobile applications become integral to business processes and sensitive exchanges, smartphones and tablets have emerged as significant risk vectors. By including these devices in its scope, the European Parliament mandates that organizations treat mobile terminals as a fundamental component of their overall cybersecurity strategy.

Article 21: An "All-Risk" Approach

Article 21 of the NIS2 Directive outlines cybersecurity risk management measures. One key aspect is managing risks related to partners and subcontractors, emphasizing the notion of shared responsibility in cybersecurity. Organizations are required to assess supplier vulnerabilities, product quality, cybersecurity practices, and secure development procedures.

To comply, businesses must adopt a proactive, comprehensive cybersecurity approach. This includes regularly evaluating risks, detecting vulnerabilities, and implementing preventive measures, such as regular security audits, penetration tests, and employee training. In the event of a security incident, organizations must report the attack to competent authorities within 24 hours and provide a full report within 72 hours to enable a coordinated response.

How Pradeo ensures compliance with the NIS2 Directive

To meet NIS2 requirements, Pradeo offers organizations solutions to secure mobile devices and applications, which are prime targets for cyberattacks in sensitive sectors.

Application Security

Pradeo's application security suite protects the entire lifecycle of applications. It includes a source code analysis solution (SAST) that audits the code of web and mobile applications to detect and correct vulnerabilities. Additionally, shielding strengthens mobile app security against malicious tampering, and Runtime Application Self-Protection (RASP) offers real-time defense against intrusions.

Moreover, our longstanding compliance audit solution ensures the security of mobile applications developed externally or relying on external libraries, validating their safety before they are brought to market.

Smartphone and Tablet Protection

Pradeo's Mobile Threat Defense (MTD) solution identifies, analyzes, and blocks mobile cyberthreats in real time, ensuring proactive device protection and securing sensitive data and professional communications, even in high-risk scenarios.

The NIS2 Directive marks a critical shift for European businesses in cybersecurity. It provides a framework for enhancing digital defenses while encouraging organizations to rethink risk management practices.

“Cybersecurity was always essential to shield our economy and society against cyber threats; it is becoming critical as we move further in the digital transition. [...] By agreeing on these further strengthened rules, we are delivering on our commitment to enhance our cybersecurity standards in the EU. Today, the EU shows its clear determination to champion preparedness and resilience against cyber threats.” — Margaritis Schinas, Vice-President for Promoting the European Way of Life

Would you like to learn more about how Pradeo can assist you? Contact us today for a personalized assessment.