
11.6 Authentication

11.6.1. The relevant entities shall implement secure authentication procedures and technologies based on access restrictions and the policy on access control.

11.6.2. For that purpose, the relevant entities shall:

(a) ensure the strength of authentication is appropriate to the classification of the asset to be accessed;
(b) control the allocation to users and management of secret authentication information by a process that ensures the confidentiality of the information, including advising personnel on appropriate handling of authentication information;
(c) require the change of authentication credentials initially, and when there is suspicion that the credential has been revealed to an unauthorised person;
(d) require the reset of authentication credentials and the blocking of users after a predefined number of unsuccessful log-in attempts;
(e) terminate inactive sessions after a predefined period of inactivity; and
(f) require separate credentials to access privileged access or administrative accounts.

11.6.3. The relevant entities shall use state-of-the-art authentication methods, in accordance with the associated assessed risk and the classification of the asset to be accessed, and unique authentication information.

11.6.4. The relevant entities shall regularly review the identities and, if no longer needed, deactivate them without delay.
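The controls in 11.6.2 (c) to (f) and the identity review in 11.6.4 are concrete enough to model as a small authentication service. The Python module below is an added example written for this page, not part of the regulation or any official guidance: the three thresholds, the account and session model, the owner-based rule for privileged accounts and every name in it are assumptions standing in for the "predefined" values each entity has to set for itself.

```python
import hashlib, hmac, os
from dataclasses import dataclass

# Assumed thresholds standing in for the "predefined" values the text leaves to each entity.
MAX_FAILED_ATTEMPTS = 5             # 11.6.2 (d): block the user after 5 failed log-ins
SESSION_IDLE_TIMEOUT = 15 * 60      # 11.6.2 (e): terminate sessions idle longer than 15 minutes
IDENTITY_MAX_IDLE = 90 * 24 * 3600  # 11.6.4: deactivate identities not used for 90 days

def derive(password, salt):
    # Salted, slow hash so stored authentication information is not directly usable (11.6.2 b).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    name: str
    owner: str                # the person behind the account, needed to enforce (f)
    privileged: bool
    salt: bytes = b""
    pw_hash: bytes = b""
    must_change: bool = True  # (c): initial or reset credential must be replaced before use
    failed: int = 0
    locked: bool = False
    active: bool = True
    last_used: float = 0.0

    def verify(self, password):
        return hmac.compare_digest(derive(password, self.salt), self.pw_hash)

class AuthService:
    def __init__(self):
        self.accounts = {}
        self.sessions = {}  # token -> (account name, time of last activity)

    def _set_password(self, acct, password, must_change):
        # (f): a privileged account may not share a secret with its owner's ordinary account.
        if acct.privileged and any(o.owner == acct.owner and not o.privileged and o.verify(password)
                                   for o in self.accounts.values()):
            return False
        acct.salt = os.urandom(16)
        acct.pw_hash = derive(password, acct.salt)
        acct.must_change = must_change
        return True

    def create(self, name, owner, initial_pw, now, privileged=False):
        acct = Account(name, owner, privileged, last_used=now)
        if not self._set_password(acct, initial_pw, must_change=True):  # (c): initial credential
            return False
        self.accounts[name] = acct
        return True

    def login(self, name, password, now):
        acct = self.accounts.get(name)
        if acct is None or not acct.active or acct.locked:
            return None, "denied"
        if not acct.verify(password):
            acct.failed += 1
            if acct.failed >= MAX_FAILED_ATTEMPTS:
                acct.locked = True  # (d): blocked until an administrator resets the credential
                return None, "locked"
            return None, "bad_password"
        acct.failed, acct.last_used = 0, now
        if acct.must_change:
            return None, "change_required"  # (c): no session until the credential is replaced
        token = os.urandom(16).hex()
        self.sessions[token] = (name, now)
        return token, "ok"

    def change_password(self, name, old_pw, new_pw):
        acct = self.accounts[name]
        if acct.locked or not acct.active or not acct.verify(old_pw):
            return False
        return self._set_password(acct, new_pw, must_change=False)

    def admin_reset(self, name, temp_pw):
        # (c)/(d): administrator reset after lock-out or suspected disclosure of the credential.
        acct = self.accounts[name]
        acct.failed, acct.locked = 0, False
        self._set_password(acct, temp_pw, must_change=True)

    def touch_session(self, token, now):
        # (e): refresh the session, or terminate it once it has been idle beyond the timeout.
        name, last = self.sessions.get(token, (None, 0.0))
        if name is None or now - last > SESSION_IDLE_TIMEOUT:
            self.sessions.pop(token, None)
            return False
        self.sessions[token] = (name, now)
        self.accounts[name].last_used = now
        return True

    def review_identities(self, now):
        # 11.6.4: deactivate identities not used within the review window; returns their names.
        stale = [a for a in self.accounts.values() if a.active and now - a.last_used > IDENTITY_MAX_IDLE]
        for acct in stale:
            acct.active = False
            self.sessions = {t: s for t, s in self.sessions.items() if s[0] != acct.name}
        return sorted(a.name for a in stale)
```

Exercised with a constructed scenario, the model behaves as the clauses require: the first log-in with the initial credential returns `change_required` and no session; the fifth wrong password returns `locked`, after which even the correct password is `denied` until `admin_reset` issues a temporary credential that again must be changed; a session refreshed more than `SESSION_IDLE_TIMEOUT` seconds after its last activity is terminated; a privileged account whose secret matches its owner's ordinary account is refused; and `review_identities` deactivates only the identities idle beyond `IDENTITY_MAX_IDLE` and ends their sessions.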

As of: 27.06.2024
