
Three good reasons to use a VPN to achieve NIS2 compliance

Author: Arnaud DUFOURNET, Marketing & Customer Experience Director

The annual activity reports published by the French National Cybersecurity Agency ANSSI, and the French government’s cyberattack assistance service Cybermalveillance [report in French only], both show a worrying rise in cyberattacks in 2024 (49.9% more requests for assistance logged by Cybermalveillance, and 15% more security events recorded by ANSSI). It is vital that European companies strengthen their resilience in response to the growing danger posed by these threats. This is, of course, the entire point of the NIS2 directive currently being transposed into national laws by the EU member states. In France, the bill on “critical infrastructure resilience and strengthening cybersecurity” presented to the Council of Ministers on October 15, 2024 and adopted by the Senate (upper house) on March 12, 2025 is not expected to go before the National Assembly before September. This bill, as readers might recall, transposes three European Union directives (REC, NIS2, and DORA) to harmonize and simplify the compliance of those entities affected by them.

A new set of technical and organizational requirements

One of the major challenges in implementing this legislation is the extension of the scope of organizations that need to address cyber resilience. Some 15,000 organizations in France will have to comply with the provisions, and the vast majority of them will be discovering previously unknown levels of cybersecurity requirements.

To guide them, ANSSI has been working since late 2023 on a reference framework based on 20 security objectives through which NIS2 compliance can be achieved. These objectives cover four key issues, namely Protection, Defense, Governance, and Resilience.

Following consultation with federations, industry bodies, associations of elected representatives, and local authority representatives, a second version, still containing 20 objectives, is currently being finalized. These objectives are accompanied by tangible measures to be put in place, plus acceptable means of compliance for NIS2 “essential entities” and “important entities”. Of these measures, the use of VPNs is emerging as a must-have in terms of meeting three of the objectives set by ANSSI.

Keeping remote access secure

Whether they are categorized as important or essential, organizations subject to NIS2 must without fail control access to their information systems. The major new aspect to this European directive is that this control concerns remote access granted both to off-site employees such as those working from home, and to IT service providers and suppliers who also have such access.

Using a VPN meets the objective of keeping remote access secure in two respects:

  • Enhanced authentication. For essential entities, remote access must be protected by multi-factor authentication. For example, a VPN tunnel can be configured so that it is only established after a) presentation of a valid certificate linked to a smart card, and b) confirmation via a PIN code.
  • Connection encryption. Using a VPN ensures that data interchange remains confidential, thanks to encryption mechanisms that comply with the requirements of the security reference framework.

Keeping IS architecture secure

The NIS2 directive requires access control and resource partitioning, including when third parties (e.g. service providers) are authorized to access information systems. It is crucial to restrict such access to only clearly-identified resources. Authentication and access audit trails are further measures to be taken.

What advantages does an IPsec VPN, such as that offered by TheGreenBow, bring?

  • Access microsegmentation. VPNs can be used to set up specific tunnels that give access only to certain resources matching a user’s profile. For example, essential entities use IPsec VPNs to secure access to their restricted information systems, ensuring that only authorized personnel can reach sensitive resources.
  • Traceability and control. Every VPN connection is traced and can be supervised through a dedicated console, guaranteeing enhanced authentication (especially if multi-factor authentication is implemented) and highly granular access management.
  • Communications filtering. In addition to entry point firewalls and gateways, a VPN can be configured to filter the URLs or IP ranges made accessible, thereby blocking all non-essential communication.

Identifying and reacting to security incidents

When it comes to defense, it is crucial to identify security incidents quickly, and to put a clear procedure in place for analyzing, assessing, and reacting to suspicious events.

The framework recommends using reports from a variety of sources (employees, service providers, customers, and users) and analyzing event causes to avoid any recurrence.

How can a VPN help to achieve that objective?

  • Secure log collection. Installing a VPN client on every endpoint that needs to access the IS remotely enables essential information to be collected and transmitted, in encrypted form, so that connection incidents can be investigated. Centralized logs from VPN clients are an effective complement to the information sources offered by an EDR or XDR platform.
  • Continuous supervision. Events collected by the VPN, once analyzed, can help to identify attempted attacks, or to minimize the impact of an incident. A supervision console (such as a Connection Management Center) provides a history of such events and a continuous audit trail of remote connections.

As cyberattacks continue to cause havoc—as evidenced by the costly attack that hit Marks & Spencer in April this year, estimated at £300 million—transposition of the NIS2 directive is taking shape. The use of VPN tunnels, combined with ZTNA rules, seems to be a sine qua non for meeting security requirements. To help organizations find solutions to meet these new standards, Hexatrust has published a detailed catalog [in French] of NIS2-compliant French and European cybersecurity solutions. It is vital to start preparing now to ensure resilience tomorrow.
