As the European Union continues to strengthen its cybersecurity framework, the NIS2 Directive serves as a pivotal measure to protect critical infrastructure and essential services across member states.
Committed to advancing secure and interoperable digital identity standards, the OpenID Foundation welcomes the opportunity to contribute to this critical initiative and has provided comments on ENISA’s draft technical guidance for the cybersecurity measures of the NIS2 Directive.
Below, we highlight key themes and recommendations from our review.
Taking compliance monitoring beyond paper-based processes
ENISA’s guidance on compliance monitoring emphasizes regular reviews and reporting to management bodies. However, we believe this framework can be strengthened to incorporate empirical testing and global standards-based approaches.
Compliance monitoring should, for example, evaluate and certify implementations against relevant global standards. Certification ensures systems are built on a robust foundation and remain aligned with evolving requirements.
Processes also need to be more empirical. Paper-based compliance captures the intent of a solution but can fail to capture changes in deployed systems and can also lag evolving adversarial tactics. Real-time monitoring and periodic recertification are critical to address these gaps.
The OpenID Foundation’s recommendations are to incorporate steps to evaluate applicable global standards, test implementations for conformity to standards, certify compliance, and maintain real-time reporting to highlight non-conformant implementations.
Ensuring robust independent security reviews
Independent reviews are vital for assessing security practices. The OpenID Foundation emphasizes the importance of aligning such reviews with global standards.
When it comes to certification and self-certification, implementations of security protocols, such as OpenID Connect and FAPI, should undergo technical conformance testing and certification. This ensures interoperability and security across ecosystems.
Continuous testing also needs to be considered. Cloud-based and dynamic environments require ongoing testing to detect implementation issues in real time.
The OpenID Foundation recommends that steps be taken to document technical certifications and ensure real-time conformance testing as part of the review process.
Expanding the scope of security testing
The guidance outlines a range of security tests, but omits protocol conformance testing. This is a critical measure for detecting implementation errors in security protocols.
The OpenID Foundation recommends revising the guidance to include protocol conformance testing alongside vulnerability assessments, penetration testing, and other methodologies. Additionally, OIDF emphasizes the importance of certification in ensuring secure implementations.
Network security: addressing interoperability challenges
Modern systems increasingly rely on external integrations and APIs, creating a complex web of dependencies. ENISA’s guidance on network security should address these realities. All endpoints, especially those involving external integrations, should be regularly tested and certified for conformance.
Furthermore, integrating shared signals frameworks can enhance real-time risk detection and response, particularly in scenarios involving session or credential lifecycle changes.
The OpenID Foundation recommends adding provisions for endpoint testing and integration of shared signal protocols for dynamic decision-making and enhanced security.
Strengthening policies and implementation for access control
The guidance on access control would benefit from additional considerations. The incorporation of data classification and risk appetite into access control decisions will help ensure that controls are tailored to the sensitivity and criticality of assets. Another consideration is enabling real-time revocation of access rights based on signals indicating changes in risk.
The OpenID Foundation recommends including references to asset classification and shared signals frameworks to enhance access control policies.
Clarifying the scope of authentication and authorization
While the guidance addresses authentication, it often extends into areas of authorization without explicitly acknowledging the distinction. Clear terminology is essential to avoid misunderstandings. A starting point would be to rename the section to ‘Authentication and Authorization’ to reflect its broader scope.
Further, specifying secure protocols like OpenID Connect, FAPI, and Shared Signals Framework would help ensure implementations can effectively mitigate specific security risks.
The OpenID Foundation recommends renaming the section and providing detailed examples of secure authentication and authorization practices, including conformance testing.
Secure communication protocols for privileged and administrative accounts
Managing privileged accounts is a high-risk area that requires stringent controls, but the current guidance simply calls for policies for managing privileged accounts as part of access control.
The OpenID Foundation recommends referencing secure communication protocols for privileged account management. The need for rigorous authentication measures, with links to the broader authentication requirements and to the use of secure communication protocols, should also be made clear to implementers.
More accountability in identity management
Guidance around identity management highlights that organizations should maintain an inventory of user and privileged identities. However, more comprehensive identity management procedures and technology are needed to ensure risk is minimized and that there is clear accountability.
The OpenID Foundation recommends clarifying the term ‘service identities’ and providing examples. Details on the privileges associated with each identity should also be included, and identity lifecycle processes should be documented to ensure ongoing accountability.
Why global standards matter
The OpenID Foundation commends ENISA for its comprehensive guidance and commitment to improving cybersecurity across the EU and urges further alignment with global standards.
Standards, such as OpenID Connect and FAPI, ensure security, interoperability, and scalability across digital identity ecosystems. By incorporating them, ENISA can further enhance the effectiveness of cybersecurity measures, reduce fragmentation across EU member states, and foster trust and collaboration among stakeholders.
The OpenID Foundation remains committed to supporting ENISA and the broader cybersecurity community through open standards and constructive dialogue. We welcome the opportunity for follow-up discussions and stand ready to provide further input as needed.
About the OpenID Foundation
The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy-preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial-grade API (FAPI) has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue that enables people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net.