loading experience

Tech

NIS2: If You're Only Thinking About Servers, You're Looking in the Wrong Direction.

With the transposition of Directive (EU) 2022/2555 (NIS2) through Legislative Decree 138/2024, Italy has strengthened its approach to cybersecurity, giving the National Cybersecurity Agency (ACN) a central role in defining and overseeing measures, in line with what is required at the European level.

NIS2: If You're Only Thinking About Servers, You're Looking in the Wrong Direction.


1. Mapping NIS2 Requirements (Legislative Decree 138/2024) onto MDM Features


The Italian decree imposes precise obligations in terms of risk management and incident reporting. Let's see how MDM (Mobile Device Management) technically responds to the decree's key individual articles.

Article 24 (Cybersecurity Risk Management Measures)

Companies must adopt technical, organizational, and operational measures proportionate to the risk. In mobility, this translates into three levels of control managed by MDM:

  1. Cyber hygiene and training (Automatic patching): NIS2 explicitly requires proper cyber hygiene. Through MDM it's possible to force operating system (OS) and security patch updates on Android and iOS, scheduling installation windows outside working hours to avoid impacting productivity (e.g. in logistics).
  2. Access control policies (Zero Trust): MDM acts as a "device posture evaluator". Before granting access to a critical resource (e.g. the electronic health record in healthcare), the Identity & Access Management (IAM) system queries the MDM. If the device has USB debugging enabled or lacks the latest patch, access is blocked at the authentication level.
  3. Supply chain security: Mobile devices are often used by external suppliers or maintenance staff who access the corporate network. MDM allows applying the MAM (Mobile Application Management) model: only individual corporate applications on the third party's device are protected and controlled, isolating them from the rest of the personal phone.

Article 25 (Incident Notification Obligations to ACN)

Companies must notify CSIRT Italia (ACN) of incidents with a significant impact within 24 hours (pre-notification).

  1. The role of MDM: In the event of loss of a rugged device containing industrial configuration data or access credentials to SCADA systems, MDM provides immediate auditing: it logs the exact time of last contact, GPS location (if active), and performs certified Remote Wipe. This allows the CISO to determine whether data exfiltration occurred and whether formal notification to ACN and the Data Protection Authority is required.

2. Sector Focus: Logistics, Manufacturing, and Healthcare


The impact of mobile devices varies drastically depending on the operational context. MDM integration must therefore follow vertical-specific logic.

Logistics and Manufacturing (Rugged Devices)

In these environments, devices (Zebra, Honeywell, etc.) are often shared across multiple worker shifts and govern operational continuity (assembly lines, shipping).

  1. The specific risk: Locking these devices halts production (NIS2 operational impact).
  2. The detailed MDM solution:
  3. Kiosk Mode (Single-Purpose): The device is locked to a single interface showing only the warehouse or production app. It's impossible to access settings, the browser, or download external apps.
  4. Shift Profile Management: Integration with quick-login systems (e.g. via NFC badge). When the shift-A worker swipes their badge on the rugged tablet, MDM configures the personalized profile; at shift change, logout clears temporary data for the next worker.

Healthcare (Clinical Tablets and Smartphones)

Healthcare is one of the sectors most targeted by ransomware. Mobile devices handle extremely sensitive data.

  1. The specific risk: Data Breach and disruption of healthcare services.
  2. The detailed MDM solution:
  3. Containerization (Clean Separation): Creation of a separate encrypted area (e.g. Android Enterprise Work Profile or Apple User Enrollment). Medical record data shown on the tablet cannot be copied, screenshotted, or shared to personal apps (like WhatsApp or private drives).
  4. Dynamic Wi-Fi and Endpoint Protection: Automatic configuration of WPA3 Enterprise interface certificates for authentication only to the hospital's protected Wi-Fi networks, disabling automatic connection to open or unencrypted hotspots.

3. Technical Controls Matrix: Configuring MDM for NIS2


To concretely implement what's required by Legislative Decree 138/2024, an organization must configure the MDM platform following this minimum security controls matrix:

NIS2 RequirementMDM Technical Control (Android / iOS)Operational Risk Impact
Access ControlEnforcement of complex PINs (min. 6 alphanumeric digits), mandatory biometric lock, and automatic wipe after 10 failed attempts.Prevents access to corporate data in case of physical device theft.
Channel ProtectionNative configuration of Per-App or Always-On VPN. Corporate app traffic only passes through encrypted tunnels to the data center.Eliminates the risk of Man-in-the-Middle (MitM) attacks on public or insecure Wi-Fi networks.
Device IntegrityActivation of hardware attestation monitoring (e.g. SafetyNet/Play Integrity for Android, Device Check for iOS).Immediately detects if a device has been rooted or jailbroken, instantly isolating it from the network.
Data Leakage PreventionDisabling copy-paste between corporate and personal containers; blocking unauthorized Bluetooth sharing; mandatory memory encryption (FDE/FBE).Drastically reduces the risk of accidentally or maliciously exfiltrating sensitive data (PII, IP).
Application ManagementCreation of a private Enterprise App Store (White-list). Total block of sideloading (manual .apk or .ipa package installation).Prevents the introduction of malware or commercial spyware through unverified applications.


4. Beyond MDM: Toward MTD (Mobile Threat Defense)


The article emphasizes that security cannot be delegated to a single technology. In technical detail, MDM alone handles configuration and compliance, but has no heuristic or behavioral real-time analysis capability against advanced cyberattacks.

To fully satisfy NIS2's "detection capability" requirement, companies must evolve MDM by integrating it with MTD (Mobile Threat Defense) solutions and centralized monitoring systems:

[Mobile Device] ──> [MTD: Detects network/malware threat in real time]
[MDM: Applies quarantine / Blocks corporate access ]
[Corporate SIEM / SOC: Event correlation and incident reporting to ACN]


MTD acts as a mobile-specific antivirus/EDR agent, analyzing:

  1. Network Threats: Detection of SSL traffic decryption attempts, port scanning, or malicious DNS redirects.
  2. Device Threats: Suspicious changes to system files, attempts to exploit chip vulnerabilities (e.g. modem or processor vulnerabilities).
  3. Application Threats: Behavioral analysis of running apps (e.g. a calculator app that suddenly requests contact access and sends data to foreign IPs).

When MTD detects the anomaly, it reports the "infected device" status to MDM, which performs containment by shutting down corporate network access before the attacker can move laterally toward the central infrastructure. This level of automation and integration is the exact practical translation of the concept of "continuously governing an infrastructure" required by Legislative Decree 138/2024.


Comments (0)

No comments yet.

Leave a comment