Yotam Gutman

15.4.2026

NIS2 Remote Access: What Critical Infrastructure Must Do Now

NIS2 is now enforced. The implementing regulation requires remote-access channels to be isolated by logical, cryptographic or physical separation, with MFA on top. What this means for critical infrastructure.

NIS2 enforcement is active. As of this week, national competent authorities across the EU have moved into active supervision mode, and critical infrastructure operators are among the first organisations in scope.

Much of the NIS2 conversation has focused on governance frameworks, incident reporting timelines, and management accountability. Less attention has been paid to the technical Annex of the Commission Implementing Regulation (C(2024) 7151, published as Implementing Regulation (EU) 2024/2690), where the obligations for remote access are written in precise, enforceable language. One scoping caveat is worth stating plainly: that regulation binds directly the digital-infrastructure and digital-service entities listed in its Article 3 (DNS and TLD operators, cloud, data centre, CDN and managed service providers, online platforms and trust service providers). Operators of energy infrastructure, water systems, manufacturing, or transport networks are bound by the national laws transposing Article 21 of the Directive. The Annex is nonetheless the most detailed EU-level statement of what the Article 21(2) measures look like in practice and a likely yardstick for supervisors, so operators in those sectors should treat its remote-access clauses as the standard they will be measured against, now.

What does NIS2 require for remote access security?

Section 6.7 of the Annex lays down the network security requirements; Section 6 as a whole implements Article 21(2)(e) of Directive (EU) 2022/2555 (security in network and information systems acquisition, development and maintenance). For remote access specifically, in-scope organisations must:

  • Determine and apply controls for remote access to network and information systems, including access by service providers (Annex, Section 6.7.2(d))
  • Allow connections of service providers only after an authorisation request and for a set time period (for example, the duration of a maintenance operation) (Annex, Section 6.7.2(h))
  • Establish communication between distinct systems only through trusted channels isolated using logical, cryptographic, or physical separation from other communication channels, with assured identification of endpoints and protection of channel data from modification or disclosure (Annex, Section 6.7.2(i))

That last requirement carries real weight. It names three isolation methods: logical (VLANs, firewall policy, access control lists), cryptographic (an authenticated, encrypted tunnel between identified endpoints), and physical. All three are acceptable on paper, but each carries a different evidentiary burden under inspection: logical separation rests entirely on the correctness of software configuration, cryptographic separation on the implementation that holds the keys and terminates the tunnel, and physical separation on physics. In every case the operator must also be able to show assured identification of both endpoints and protection of the channel data from modification or disclosure. For organisations operating critical systems, physical separation is not a premium option. It is the most defensible way to satisfy this requirement under regulatory scrutiny.

Section 11.7 of the Annex adds multi-factor authentication as a mandatory control for access to network and information systems, calibrated to the classification of the asset being accessed. The implementing regulation's recitals are specific: MFA applies "in particular when users access network and information systems from remote locations, or when they access sensitive information or privileged accounts." Note that this obligation sits alongside 6.7.2(h), not inside it: a service provider's session must be both authorised for a bounded window and authenticated with multiple factors, whatever transport carries it.
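The two obligations above, 6.7.2(h) (connections for service providers only after an authorisation request and only for a set period) and 11.7 (MFA for remote access), translate into a small access-brokering policy. The following is an added example of that policy in Python, not code from the article or from any product: it assumes a four-eyes approval step, an eight-hour ceiling on any single window and a tamper-evident audit list, none of which the regulation itself prescribes, and the provider, target and ticket names in the walk-through are invented.

```python
from __future__ import annotations

from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class AuthorisationRequest:
    """One service provider's request to reach one target system for a bounded window."""
    request_id: str
    provider: str              # the external service-provider account
    target: str                # the network or information system to be reached
    reason: str                # the maintenance operation the window is tied to
    start: datetime
    end: datetime
    approved_by: str | None = None


@dataclass
class AccessBroker:
    """Gate for 6.7.2(h) and 11.7: connect only against an approved, time-bounded request,
    and only from an MFA-verified session. Assumed design for illustration, not a product API."""
    max_window: timedelta = timedelta(hours=8)      # assumed policy ceiling on any single window
    requests: dict[str, AuthorisationRequest] = field(default_factory=dict)
    audit: list[str] = field(default_factory=list)  # the evidence trail a supervisor can inspect

    def submit(self, req: AuthorisationRequest) -> None:
        """Record a request; it is unusable until approved."""
        if req.start.tzinfo is None or req.end.tzinfo is None:
            raise ValueError("window timestamps must be timezone-aware")
        if req.end <= req.start:
            raise ValueError("window must end after it starts")
        if req.end - req.start > self.max_window:
            raise ValueError(f"window exceeds policy maximum of {self.max_window}")
        if req.approved_by is not None:
            raise ValueError("requests are submitted unapproved")
        self.requests[req.request_id] = req
        self.audit.append(
            f"SUBMIT {req.request_id} {req.provider}->{req.target} "
            f"{req.start.isoformat()}..{req.end.isoformat()} ({req.reason})"
        )

    def approve(self, request_id: str, approver: str) -> None:
        """Four-eyes rule (assumed): the provider cannot approve its own window."""
        req = self.requests[request_id]
        if approver == req.provider:
            raise PermissionError("a provider cannot approve its own access request")
        self.requests[request_id] = replace(req, approved_by=approver)
        self.audit.append(f"APPROVE {request_id} by {approver}")

    def connect(self, provider: str, target: str, mfa_verified: bool, now: datetime) -> tuple[bool, str]:
        """Decide one connection attempt and log the decision. The window end is exclusive."""
        if not mfa_verified:
            decision = (False, "multi-factor authentication required for remote access")
        else:
            live = [
                r for r in self.requests.values()
                if r.provider == provider and r.target == target
                and r.approved_by is not None and r.start <= now < r.end
            ]
            decision = (
                (True, f"within approved window {live[0].request_id}") if live
                else (False, "no approved authorisation covers this provider, target and time")
            )
        verdict = "ALLOW" if decision[0] else "DENY"
        self.audit.append(f"{verdict} {provider}->{target} at {now.isoformat()}: {decision[1]}")
        return decision


def demo_scenario() -> tuple[list[tuple[bool, str]], list[str]]:
    """Constructed walk-through: a contractor gets a two-hour window on one HMI (names invented)."""
    t0 = datetime(2026, 4, 15, 9, 0, tzinfo=timezone.utc)
    broker = AccessBroker()
    broker.submit(AuthorisationRequest("REQ-1", "vendor-ot-support", "plc-hmi-03",
                                       "ticket MNT-4471", t0, t0 + timedelta(hours=2)))
    decisions = [broker.connect("vendor-ot-support", "plc-hmi-03", True, t0 + timedelta(minutes=5))]  # not yet approved
    broker.approve("REQ-1", "ot-shift-lead")
    decisions += [
        broker.connect("vendor-ot-support", "plc-hmi-03", False, t0 + timedelta(minutes=5)),  # no MFA
        broker.connect("vendor-ot-support", "plc-hmi-03", True, t0 + timedelta(minutes=5)),   # inside window
        broker.connect("vendor-ot-support", "plc-hmi-03", True, t0 + timedelta(hours=2)),     # window closed
        broker.connect("vendor-ot-support", "plc-hmi-07", True, t0 + timedelta(minutes=5)),   # wrong target
    ]
    return decisions, broker.audit


if __name__ == "__main__":
    decisions, audit = demo_scenario()
    for d in decisions:
        print(d)
    print("\n".join(audit))
```

The audit list is what an inspector will ask for: every SUBMIT, APPROVE, ALLOW and DENY carries the provider, target, time and reason, so the "set time period" of 6.7.2(h) is evidenced per session rather than asserted in a policy document. In a real deployment the same decisions would be enforced at the jump host or access broker and the log shipped somewhere append-only.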

Non-compliance carries fines of up to €10 million or 2% of total worldwide annual turnover for essential entities, whichever is higher (Article 34 of the Directive); for important entities the ceiling is €7 million or 1.4%.

Remote access is a documented attack vector, and NIS2 knows it

The implementing regulation's recitals name remote access as a primary attack pathway. Recital 18 references VPNs as a typical network security control. But VPNs are software. They run on operating systems. They process authentication tokens in memory. That is not abstract.

This week, it is actively exploited.

CVE-2026-3055 is a critical out-of-bounds read in Citrix NetScaler ADC and Gateway (CVSS 9.3). It was added to CISA's Known Exploited Vulnerabilities catalogue on 30 March 2026. Active exploitation is confirmed. The attack requires no credentials. An unauthenticated remote attacker sends a crafted SAML request to the NetScaler authentication endpoint, omitting the AssertionConsumerServiceURL field. The appliance leaks memory contents, including session tokens, through the response.
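A detection sketch for the request shape described above, added here as an example and not taken from the article or from any vendor advisory: it decodes SAMLRequest parameters as they appear in a web-server or proxy log, parses the AuthnRequest, and flags the pattern the paragraph describes (an AuthnRequest with no AssertionConsumerServiceURL attribute) as well as anything that fails to decode. The log entries, hostnames and source addresses are constructed, and the only thing the code knows about the vulnerability is the paragraph's description.

```python
from __future__ import annotations

import base64
import xml.etree.ElementTree as ET  # for untrusted input in production, parse with defusedxml instead
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
AUTHN_REQUEST = f"{{{SAMLP}}}AuthnRequest"
ISSUER = f"{{{SAML}}}Issuer"


def decode_saml_request(param: str, binding: str) -> bytes:
    """Undo the transport encoding of a SAMLRequest value (already URL-decoded).
    HTTP-POST carries plain base64; HTTP-Redirect carries base64 over raw DEFLATE."""
    raw = base64.b64decode(param, validate=True)
    if binding == "redirect":
        raw = zlib.decompress(raw, wbits=-15)
    elif binding != "post":
        raise ValueError(f"unknown binding {binding!r}")
    return raw


def inspect_saml_request(param: str, binding: str = "post") -> dict:
    """Classify one SAMLRequest. Flags AuthnRequests that omit AssertionConsumerServiceURL
    (the shape the article attributes to CVE-2026-3055) and anything that does not decode."""
    try:
        root = ET.fromstring(decode_saml_request(param, binding))
    except (ValueError, zlib.error, ET.ParseError) as exc:
        return {"suspicious": True, "reason": f"undecodable SAMLRequest ({type(exc).__name__})"}
    if root.tag != AUTHN_REQUEST:
        return {"suspicious": False, "reason": f"not an AuthnRequest ({root.tag})"}
    issuer_el = root.find(ISSUER)
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
    acs = root.get("AssertionConsumerServiceURL")
    if acs is None:
        return {"suspicious": True, "reason": "AuthnRequest without AssertionConsumerServiceURL",
                "issuer": issuer}
    return {"suspicious": False, "reason": "AuthnRequest carries AssertionConsumerServiceURL",
            "issuer": issuer, "acs": acs}


def scan_saml_log(entries: list[dict]) -> list[dict]:
    """Run the check over log entries shaped {"src": ..., "binding": ..., "SAMLRequest": ...}
    and return the flagged entries merged with their verdicts."""
    flagged = []
    for entry in entries:
        verdict = inspect_saml_request(entry["SAMLRequest"], entry.get("binding", "post"))
        if verdict["suspicious"]:
            flagged.append({**entry, **verdict})
    return flagged


# --- Constructed sample traffic (assumed shapes, not captured data) --------------------

def build_authn_request(issuer: str, acs_url: str | None) -> bytes:
    acs_attr = f' AssertionConsumerServiceURL="{acs_url}"' if acs_url else ""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_c1" Version="2.0" '
        f'IssueInstant="2026-04-15T09:00:00Z"{acs_attr}><saml:Issuer>{issuer}</saml:Issuer>'
        f'</samlp:AuthnRequest>'
    ).encode()


def encode_saml_request(xml_bytes: bytes, binding: str) -> str:
    if binding == "redirect":
        comp = zlib.compressobj(wbits=-15)
        xml_bytes = comp.compress(xml_bytes) + comp.flush()
    return base64.b64encode(xml_bytes).decode()


SAMPLE_LOG = [
    {"src": "203.0.113.10", "binding": "post",
     "SAMLRequest": encode_saml_request(
         build_authn_request("https://sp.example.net/metadata", "https://sp.example.net/acs"), "post")},
    {"src": "198.51.100.7", "binding": "redirect",
     "SAMLRequest": encode_saml_request(
         build_authn_request("https://sp.example.net/metadata", None), "redirect")},
    {"src": "198.51.100.8", "binding": "post", "SAMLRequest": "%%%not-base64%%%"},
]

if __name__ == "__main__":
    for hit in scan_saml_log(SAMPLE_LOG):
        print(hit["src"], hit["binding"], hit["reason"])
```

Treat this as a hunting signal, not a block rule: AssertionConsumerServiceURL is optional in SAML 2.0 Core (a service provider can rely on the IdP's metadata or an AssertionConsumerServiceIndex instead), so legitimate requests omit it. The useful correlation is an Issuer absent from your configured SP metadata, a source that never completes an SSO flow, and unusually large or repeated responses from the authentication endpoint.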

NetScaler sits at the internet edge as a remote access broker and SSO gateway. It is precisely the class of device that thousands of critical infrastructure operators use to provide remote access to operational systems. When that device leaks session material, every system behind it is exposed.

This is what software-defined remote access looks like under active attack. The authentication layer — the boundary that SAML, SSO, and VPN-based access all depend on — is readable from memory by an unauthenticated external party.

No software patch reverses that architectural reality. Patches fix individual vulnerabilities. They do not change the fact that software-defined access brokers hold sensitive data in memory that can be reached from the network.

Protecting sensitive data in transit: the cryptography requirement

Section 9 of the implementing regulation requires organisations to establish cryptography policies covering data at rest and data in transit. The policy must specify the type, strength, and quality of cryptographic measures appropriate to each asset classification, and must cover key management across the full lifecycle.

For critical infrastructure, the assets in question are operational systems: SCADA, ICS, PLCs, and the operational data they handle. A memory-disclosure vulnerability in a SAML gateway does not just leak authentication credentials. It leaks whatever else sits in the readable region of process memory: authentication tokens, session state, and any operational data the gateway has recently handled.

Annex Section 9 requires that this data be protected. Cryptography implemented in software is only as strong as the process it runs in. If that process has a memory-disclosure flaw, the cryptographic protections above it are academic, because the keys and the decrypted payloads sit in the same memory the attacker reads.

Hardware-enforced isolation takes that software layer out of the remote-access path: there is no network-reachable software process holding session material in memory for an attacker to read.

The compliance floor, not the compliance ceiling

NIS2 Annex Section 6.7.2(i) lists physical separation as one of three acceptable isolation methods. For OT environments, where the systems at stake control physical infrastructure, the question is which method gives security leaders the documented evidence needed to satisfy a regulatory inspection.

"Logical" separation means software-defined rules. "Cryptographic" separation depends on implementation quality, key management, and the absence of memory vulnerabilities in the cryptographic stack. "Physical" separation depends on physics.

Zeroport Fantom delivers hardware-enforced, non-IP remote access. The connection does not run over IP. It does not terminate on a software process that holds session material in memory. The CVE-2026-3055 class of exploit — unauthenticated memory reads through a network-accessible authentication endpoint — has no surface to land on.

For security architects working through NIS2 compliance for critical infrastructure, the choice of remote access architecture is now a documented compliance decision. The regulation specifies the acceptable isolation methods, and the current threat landscape shows what happens to organisations that rely on software-defined alternatives. Whichever method is chosen, it discharges 6.7.2(i) only: the time-bounded authorisation in 6.7.2(h) and the MFA requirement in 11.7 apply to every remote session regardless of transport, and the evidence of both must be retained for inspection.

Book a live demo to see how Zeroport Fantom delivers hardware-enforced protection and centralised control for global-scale networks.
