As a cybersecurity manager in a large company, it’s vital to keep up to date with the IT security regulations that can impact our operations. One such important regulation is the European Union’s NIS2 directive.

What is the NIS2 Directive?

The NIS Directive – for Network and Information System Security, short for Directive sur la Sécurité des Réseaux et des Systèmes d’Information – is European Union legislation aimed at strengthening network and information system security within the EU. It is designed to guarantee a high level of security for networks and information systems in key sectors such as energy, transport, healthcare, banking and financial services, as well as providers of essential digital services.

At European level, this directive aims to reinforce the level of cybersecurity of the economic and administrative fabric of each EU member country.

NIS2 is an evolution of the NIS1 directive, taking into account new threats and technological developments since its adoption in 2016. It introduces stricter network and information system security requirements, as well as additional obligations for providers of essential digital services and critical infrastructure operators.

The latest revisions to the European NIS2 directive

At the end of 2023, final clarifications were made to the NIS2 Directive, and new revisions were adopted. These revisions have strengthened companies’ obligations in the field of cybersecurity, introducing more precise requirements for security incident management, notification of incidents to the competent authorities, and cooperation between EU member states.

The main new features of the NIS2 directive include :

1. Extended scope: The Directive extends its scope to new sectors and online services, meaning that more companies will be subject to its cybersecurity obligations.
   
   In Europe, over 10,000 entities in more than 18 business sectors have been identified for enhanced cyber management.
   
   In France, more than 600 entities will be concerned, divided between public entities, essentially linked to the administration, and private entities, ranging from VSE/SMEs to CAC40 companies, according to ANSSI.
   
   Would you like to know whether your organization is affected by the European NIS2 directive?
   Create your NIS2 space and take the online test! You’ll then find out whether you need to register with ANSSI to enter the cyber section of the NIS 2 directive.
   
   
2. Reinforced reporting obligations: Companies are required to report security incidents to their national authorities within stricter deadlines and in greater detail, with the aim of improving the response to cyber-attacks and reducing risks for the EU as a whole.
   
   
3. Enhanced cooperation between member states: The directive encourages greater cooperation and coordination between EU member states in tackling cross-border cyber threats, thereby strengthening digital security across Europe.

October 17, 2024 is the next deadline for NIS 2, with national transposition for member states. NIS 2 will therefore come into force in France in the second half of 2024, at the latest.

Impact on French companies

For French companies, the NIS2 directive means adapting to new cybersecurity requirements and upgrading their IT security practices and infrastructures. Companies operating in key sectors, such as banking, healthcare, transport and energy, will be particularly affected by the new NIS2 obligations.

Find out more about the 18 business sectors affected by NIS 2 on the MonEspaceNIS2 website.

In addition, French companies that provide essential digital services or operate critical infrastructures will have to comply with the directive’s specific requirements, which may require additional investment in information systems security and risk management.

The NIS2 directive represents a milestone in the promotion of digital security in Europe, and its impact on French companies underlines the growing importance of cybersecurity in an increasingly interconnected and digital world. It is essential for companies to prepare now to comply with these new regulations, and to strengthen their IT security posture to protect their businesses and customers against cyber threats.

To find out more about the European NIS 2 directive, you can also consult the following links:

• Cyber.Gouv.fr: https: //cyber.gouv.fr/la-directive-nis-2
• Cyber.Gouv.fr: https: //cyber.gouv.fr/directive-nis-2-ce-qui-va-changer-pour-les-entreprises-et-ladministration-francaises

To find out more about the NIST2 update (Cybersecurity Framework – USA), read our blog post here.