Introduction
Europe is facing a rising number of cyberattacks that expose large volumes of sensitive information, which has pushed digital security to the top of companies' strategic priorities.
In response, the European Union adopted the NIS 2 Directive (Directive (EU) 2022/2555 on the security of network and information systems). Its implementation has become a board-level issue and a central element of digital strategies. It will affect thousands of European organizations and raises a practical question for decision-makers: how can these new obligations be anticipated? This article aims to help companies understand the requirements and prepare for compliance.
1. NIS 2 Directive: definition, objectives, and application
The NIS 2 Directive is a piece of EU legislation (a directive, not a regulation: it must be transposed into national law to apply) that aims to strengthen the digital resilience of critical actors. Succeeding the first NIS Directive of 2016, it imposes a high level of protection against threats to networks and information systems.
It entered into force in January 2023, with Member States required to transpose it by 17 October 2024, and it marks a shift in how corporate digital security is governed. This evolution involves:
- transposition into national law (in France, by Parliament: the National Assembly and the Senate) and the adoption of new, stricter rules
- a phased implementation in order to harmonize cybersecurity requirements across the European Union.
1.1. The main objectives of this European legislation
The main objective of the NIS 2 Directive is to improve the cybersecurity of critical infrastructure and ensure the continuity of essential services. Its sub-objectives are to:
- strengthen security requirements,
- establish oversight and enforcement mechanisms,
- promote cooperation between EU Member States in preventing and responding to incidents.
Driven by the European Commission, the directive creates a common framework for managing and sharing information on threats, notably through the Cooperation Group and the network of national CSIRTs. It also requires each Member State to adopt a national cybersecurity strategy and to transpose the directive into local legislation. Its effective implementation relies on close coordination between the competent authorities and the operators they supervise.
1.2. The risks that the NIS 2 Directive seeks to prevent
The NIS 2 Directive targets the most frequent threats:
- ransomware,
- phishing,
- supply chain attacks,
- data breaches.
It requires risk management and improved security controls to protect sensitive information and keep services running. Entities must regularly conduct risk assessments and strengthen vulnerability management (including patching and the handling of vulnerability disclosures) to anticipate incidents.
This requires investing in detection, analysis, and rapid response capabilities, supported by robust and continuously maintained cybersecurity measures.
2. Which entities and sectors are affected by the NIS 2 Directive?
2.1. Targeted strategic sectors.
The NIS 2 Directive distinguishes "sectors of high criticality" (Annex I), such as energy, transport, banking and financial market infrastructure, health, drinking water and waste water, digital infrastructure, ICT service management, public administration, and space, from "other critical sectors" (Annex II), such as postal services, waste management, chemicals, food production and distribution, manufacturing, digital providers, and research.
Entities in these sectors are classified as either essential entities or important entities; the classification depends on the sector and the size of the entity, and it determines the level of supervision and the penalties that apply. Both categories play a strategic role in keeping the European economy and its most critical infrastructure running.
2.2. Companies subject to the NIS 2 Directive.
The NIS 2 Directive applies to medium-sized and large companies operating in the listed sectors. Some entities fall within scope regardless of their size, for example DNS service providers, top-level domain name registries, and qualified trust service providers, and Member States may also designate additional entities.
In concrete terms, the NIS 2 Directive affects a wide range of organizations that directly support the European economy: hospitals, telecom operators, transport companies, and cloud service providers are among the entities concerned. Its supply chain security requirements also reach suppliers and service providers indirectly, and the food sector (production, processing, and distribution) is explicitly listed among the other critical sectors.
3. What obligations does the NIS 2 Directive impose?
Cybersecurity requirements
The NIS 2 Directive sets out governance requirements aimed at developing capabilities in the following areas:
- detection and response,
- risk prevention,
- risk management.
Entities must take appropriate and proportionate technical, operational, and organizational measures, supported by clear security policies. These must include, among other things, regular vulnerability assessments, the use of cryptography and encryption, access control and multi-factor authentication, supply chain security, and continuous monitoring of their systems, each proportionate to the risk. These actions must be accompanied by staff awareness training and by documented follow-up to verify that the measures remain effective over time.
Incident management and notification
The NIS 2 Directive also imposes strict obligations for detecting, managing, and reporting security incidents. Any significant incident must be reported to the national CSIRT or competent authority in stages: an early warning within 24 hours of becoming aware of it, an incident notification within 72 hours, and a final report within one month. Meeting these deadlines requires a documented incident response plan. These procedures help limit operational impacts and preserve the security of critical networks and services.
Responsibilities of managers
Finally, the NIS 2 Directive makes senior management directly accountable. Management bodies must approve the cybersecurity risk management measures, oversee their implementation, allocate the necessary resources, and follow training themselves; they can be held liable for breaches. Senior managers are responsible for overall security and must establish a culture of trust around cyber risk management.
4. Penalties in force under the NIS 2 Directive
NIS 2 provides for administrative fines for non-compliance of up to €10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities, and up to €7 million or 1.4% of turnover for important entities. In France, ANSSI (the National Cybersecurity Agency) is the competent authority responsible for supervision and enforcement.
It can issue injunctions, order corrective measures, and impose administrative fines in the event of breaches of the NIS 2 Directive, in order to ensure a high level of national security.
5. How to comply with the NIS 2 Directive
The NIS 2 Directive requires affected organizations to implement a structured approach to achieving compliance, in line with the national transposition timetable. To succeed, it is essential to follow the steps below.
5.1. Determine whether you fall within the scope of the NIS 2 Directive
Start by analyzing your activities, your sector, your size, and your dependence on critical networks and systems. This mapping will allow you to confirm whether your company falls within the scope of the NIS 2 Directive and whether it is an essential or an important entity.
5.2. Assess your level of cybersecurity maturity
Conduct a comprehensive assessment of your existing cybersecurity and ICT service management systems: infrastructure, procedures, governance. This audit will highlight your vulnerabilities and priorities for action.
5.3. Deploy a robust foundation of security measures
Implement appropriate cybersecurity controls, and extend them to your partners and service providers: network segmentation and access control, multi-factor authentication, event logging, regular tested backups, and business continuity and disaster recovery plans.
5.4. Establish structured cybersecurity governance
Clearly define roles and responsibilities related to the NIS 2 Directive, with a steering committee and regular reviews to ensure compliance over time.
5.5. Embed a cybersecurity culture within the organization
Involve all employees, including management: organize cybersecurity training and awareness sessions to develop a shared culture of security.
5.6. Organize incident management and notification
Establish a procedure for detecting, qualifying, and reporting incidents that meets the staged deadlines of the NIS 2 Directive (early warning within 24 hours, notification within 72 hours, final report within one month), and rehearse it.
5.7. Manage and prove your compliance over time
Document all policies, controls, and actions taken to demonstrate your level of compliance and ongoing efforts in cybersecurity.
6. NIS 2 Directive and GDPR: how do they complement each other?
The NIS 2 Directive and the GDPR (General Data Protection Regulation) share a common goal: to protect sensitive information and strengthen digital resilience. Both require rapid incident notification (the GDPR requires personal data breaches to be notified to the data protection authority within 72 hours) and both demand robust cybersecurity safeguards. A single incident may therefore trigger both regimes, so the two notification procedures should be coordinated. Together they directly contribute to improving the overall cybersecurity of organizations.
Conclusion
The NIS 2 directive should be seen as an opportunity to strengthen your organization's digital resilience and overall security. Anticipating its implementation means protecting your activities, building trust with your partners, and raising your level of cybersecurity. Don't just comply with the regulation: turn it into a strategic lever. Conduct an audit now.