Key issues and points of the NIS 2 Directive for your organization

On November 10, 2022, MEPs voted in favor of the NIS 2 directive, which aims to harmonize and strengthen cybersecurity in the European market. This directive will come into force in the second half of 2024. Find out what will change for European companies: scope of application, classification, obligations and sanctions...

What is the NIS 2 directive?

Cybersecurity risk is at the heart of the concerns of European governance bodies. In fact, the number of successful cyberattacks against public and private organizations in France reached 385,000 in 2022, for a total cost of 2 billion euros, according to a statistical assessment by Asterès published in June 2023. This total breaks down into 887 million euros in direct costs (lost productivity, higher production costs), 888 million euros in ransoms and 7 million euros in lost working hours.

The destabilization of an economic player on the scale of the European market could lead to widespread disruption of populations and states. This is the background to the NIS 2 directive, which commits companies to adopting proactive measures to protect their information systems and to contribute to the stability of the European Union.

When will the NIS 2 directive take effect?

The NIS 2 directive was published in the Official Journal of the European Union on December 27, 2022. It gives each EU member state 21 months to transpose the various regulatory requirements into national law. In France, NIS 2 will therefore come into force in the second half of 2024 at the latest. Some requirements will be applied directly, while others will require a compliance period.

A broader scope of application:

The physical security sector also falls within the scope of the directive, and will have to comply. Indeed, NIS 2 requires players in critical sectors to guarantee that the physical security solutions (access control, intrusion detection, video surveillance, etc.) they use will not jeopardize their cybersecurity. In concrete terms, security professionals will have to implement measures to ensure that their equipment is sufficiently robust and protected.

What's more, to reinforce the level of cybersecurity and resilience in the face of this risk, which has become a priority for all risk prevention players, the NIS 2 directive now covers 18 sectors of activity and various types of entity. In France alone, this increases the number of regulated entities from around 300 under NIS 1 to almost 10,000 under NIS 2.

The notions of "essential entities" (EE) and "important entities" (IE) replace the former categories of operators of essential services (OES) and digital service providers (DSP). Important entities will be subject to a lighter version of these regulations, while essential entities will have to comply fully with them.

Which companies are affected by NIS 2? Here is the list of sectors affected:

Highly critical sectors:
  • Energy
  • Transport
  • Banking sector
  • Financial market infrastructure
  • Health
  • Drinking water
  • Waste water
  • Digital infrastructure
  • ICT service management
  • Public administration
  • Space

Other critical sectors:
  • Postal and shipping services
  • Waste management
  • Manufacture, production and distribution of chemical products
  • Food production, processing and distribution
  • Manufacturing
  • Digital providers
  • Research

Is my company an important or essential entity?

The classification of companies as important or essential entities depends on a number of factors.

Essential Entities are organizations whose failure or breach of security would have a significant impact on the essential services provided to society.

Examples of essential entities: electricity suppliers, hospitals, transport services, etc.

Companies providing critical services, without which society could not function normally, are considered essential.

Important entities are organizations that are not essential, but whose failure could still cause significant disruption.

This can include medium-sized companies, online service providers and critical infrastructures. Companies playing a key role in a specific sector or providing essential services to a group of people are considered important.

Obligations, measures and penalties

Non-compliance with the NIS 2 directive can have significant consequences for the entities concerned. In particular, financial and legal sanctions could be severe:

  • Essential entities may face fines of up to 10 million euros (or 2% of worldwide sales).
  • Important entities could face fines of up to 7 million euros (or 1.4% of annual sales).
  • NIS 2 reinforces the responsibility of management bodies for managing cybersecurity risks. Those who fail to comply may be held personally liable in the event of cybersecurity negligence.

A study carried out by Censuswide in October 2023 on behalf of SailPoint showed that 55% of companies are not yet ready for NIS 2. The study was based on a panel of 1,500 IT decision-makers in France, the UK and Germany, from companies with 250 or more employees and sales of €10 million or more.

The Agence nationale de la sécurité des systèmes d'information (ANSSI), as the authority responsible for overseeing the future implementation of the NIS 2 directive in France, plans to create an "independent structure" that will be responsible for deciding on sanctions. ANSSI Director General Vincent Strubel announced this at the InCyber Forum held on Wednesday, March 27, 2024 in Lille. He also stressed that this "collegial formation" will respect the principles of adversarial proceedings (the right to be heard) and proportionality.

How to prepare for the NIS 2 directive: a few tips

  • Determine whether your organization is affected by NIS 2. The directive broadens the scope of application to include more public and private sectors and entities.
  • Identify the impacted units within your organization.
  • Evaluate your existing security measures. If necessary, make changes to your security policies to comply with NIS 2.
  • Plan the implementation of any additional security measures required.
  • Ensure management support. NIS 2 strengthens the responsibility of management bodies for managing cybersecurity risks.
  • Integrate legal compliance into your governance processes.
  • Involve security experts to guide you through the compliance process.
  • You can also consult legal experts or use legal compliance software.
  • Implement a sustainable compliance strategy.

What actions can you take quickly?

  • Assess risks: Identify critical assets and evaluate the risks associated with your IT infrastructure.
  • Draw up a staff training plan to make your employees aware of good cybersecurity practices, and organize regular training sessions.
  • Implement monitoring tools to quickly detect any suspicious activity and establish a crisis management plan in the event of a security incident.

"Companies will have to create a culture and an ecosystem focused on cyber risk management, by making their teams aware of the issues at stake. Their employees' vigilance and sense of responsibility are key to effectively dealing with these new threats."
Martin Renard, Technical Director, Onet Sécurité Systèmes

How can Onet Security help you apply this standard?

Onet Sécurité can help you set up and bring your sites into compliance by offering auditing services for your structures. Our expertise and services include:

  • Scope identification through an in-depth analysis of your situation. We map the systems, processes and data affected by NIS 2 within your organization.
  • Training and awareness-raising for your teams. We make your managers and staff aware of the challenges of NIS 2. A solid understanding is essential for effective compliance.
  • Management training: we prepare your managers for their new responsibilities.
  • Acknowledging and managing your risks. We assess your current risk management measures and identify gaps to be filled. We anticipate your budgetary and human resources requirements for successful compliance.
  • Legal support. We analyze the legal risks associated with NIS 2 and guide you through the steps to be taken.