
Faced with the evolution of cyber threats, the European Union is strengthening its cybersecurity framework with the NIS 2 directive. This summary guide outlines the key points of the legislation so that entities can prepare for it. Understanding what NIS 2 requires is the first step.
What is the NIS 2 directive?
The NIS 2 Directive (Directive (EU) 2022/2555) replaces the first NIS Directive (Directive (EU) 2016/1148), which aimed at a high common level of cybersecurity across the EU. NIS 2 broadens the scope of application and tightens the requirements.
Definition and objectives of the Directive
The main objective of the directive is to improve the cyber resilience of entities providing essential or important services. It harmonizes national approaches, strengthens cybersecurity risk management, and reinforces supervision by national authorities. Protecting network and information systems is the core of the text.
Evolution compared to the NIS 1 directive
NIS 2 addresses the weaknesses of NIS 1 with: a scope extended to more sectors (18 in total), a clear distinction between essential entities (EE) and important entities (EI), stricter security requirements, and increased accountability of management bodies. Thousands of entities are now concerned, far more than under NIS 1.
Why is NIS 2 important?
The directive matters because increasingly sophisticated cyberattacks threaten vital services and the economy. NIS 2 aims to protect those services, strengthen the resilience of the EU, and reinforce digital trust. Threat management becomes a regulatory priority, not just a best practice.
Sectors and entities concerned by NIS 2
The extension of sectors and entities is a major change in the NIS 2 directive.
List of the 18 sectors of activity
The sectors covered by the NIS 2 directive are listed in two annexes:
Annex I lists the sectors of high criticality (energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, space). Entities in these sectors are essential entities (EE) or important entities (EI) depending on size criteria: number of employees, annual turnover and balance sheet total.
Annex II lists the other critical sectors (postal and courier services, waste management, chemicals, food, manufacturing, digital providers, research). Entities in these sectors are, as a rule, important entities (EI), although a Member State may designate specific entities as essential.
Criteria for designating essential and significant entities
The classification as an essential entity (EE) or an important entity (EI) depends on the entity's size and on the sector it operates in. EEs are subject to proactive (ex ante) supervision, EIs to supervision after the fact (ex post), typically triggered by evidence of non-compliance. Medium-sized and large enterprises in the listed sectors are in scope by default; micro and small enterprises are generally out of scope, except for certain types of entity (for example DNS providers or trust service providers) that are covered regardless of size. Precise identification of status is crucial. (The size thresholds are those of the EU definition of SMEs, Recommendation 2003/361/EC.)
Impact on subcontractors
Entities in scope are responsible for the security of their supply chain, including the service providers and other partners that supply them with information technology. In practice this means assessing those suppliers and imposing contractual security requirements on them, which extends the reach of NIS 2 well beyond the entities it names directly.
Obligations imposed by the NIS 2 Directive
NIS 2 imposes strict obligations in terms of risk management, governance, incident notification, and technical and organizational cybersecurity measures.
Cyber Risk Management: Requirements and Best Practices
Entities must adopt a risk-based approach and take proportionate technical, operational and organizational measures, following an "all-hazards" logic. Article 21 of the directive lists the minimum areas to be covered: risk analysis and information system security policies; incident handling; business continuity (backups, disaster recovery) and crisis management; supply chain security; security in the acquisition, development and maintenance of systems, including vulnerability handling and disclosure; policies and procedures to assess the effectiveness of the measures; basic cyber hygiene and training; cryptography and, where appropriate, encryption; human resources security, access control and asset management; and multi-factor or continuous authentication, secured communications and secured emergency communication systems.
Information Security Governance: Roles and Responsibilities
Management bodies are responsible for cybersecurity: they must approve the risk management measures, oversee their implementation, and undergo cybersecurity training themselves. They can be held liable for breaches of the directive's obligations. Information security must therefore be treated as a strategic priority at board level, not delegated entirely to the IT department.
Reporting and managing security incidents
Significant incidents must be notified to the national CSIRT or competent authority (ANSSI in France) in three stages: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month. An intermediate report may be requested in between. Having an incident response process that can meet these deadlines is key.
Technical and organizational security measures
A minimum set of security measures is required, including access control, encryption, multi-factor authentication, incident response plans, and staff training. These measures must be proportionate to the risk and regularly reviewed and updated to keep information systems secure.
Key compliance dates and timelines
The transposition of NIS 2 into national law by each EU Member State is the decisive step.
Date of entry into force in France
Member States had until 17 October 2024 to transpose the directive, and its measures apply from 18 October 2024. In France a bill is being prepared, with ANSSI (Agence nationale de la sécurité des systèmes d'information, the national cybersecurity agency) playing a central role in applying NIS 2. This future law will specify the national modalities.
Steps to compliance
1. Self-assessment and identification of status (EE or EI).
2. Gap analysis against the directive's requirements.
3. Planning and implementation of the measures.
4. Training and awareness.
5. Testing and auditing.
Deadlines for the various actions
Compliance is expected from 18 October 2024. Given the scope of the measures, anticipating is essential.
Penalties for non-compliance with NIS 2
The NIS 2 directive, and the national law that transposes it, provide for dissuasive sanctions.
Administrative and pecuniary sanctions
Essential entities: up to €10 million or 2% of total worldwide annual turnover, whichever is higher. Important entities: up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher. These are minimum maximum amounts that Member States must provide for; they underline the weight given to compliance with the directive.
Sanctions against managers
Members of management bodies can be held personally liable for breaches. For essential entities, the directive also allows authorities to temporarily prohibit a manager from exercising managerial functions until the breach is remedied. Any criminal sanctions depend on national transposition.
Consequences of non-compliance
In addition to fines, non-compliance can lead to reputational damage, financial losses, and heightened supervision by the authority. The risk of non-compliance with NIS 2 must therefore be managed like any other risk.
NIS 2 compliance resources and support
Resources exist to help entities.
Resources from ANSSI and other organizations
ANSSI and ENISA (the European cybersecurity agency) publish guides and recommendations. These documents help to structure the process of compliance with the directive.
Financial aid and support for SMEs
EU Member States are encouraged to support SMEs. Support mechanisms are expected.
Tools and solutions for compliance
Many service providers offer tools for risk management, incident detection, training, and auditing, facilitating alignment with the NIS directive.
NIS 2 and other regulations
NIS 2 is part of a wider European regulatory framework for the cybersecurity of network and information systems.
Interaction with the GDPR, DORA, and CRA
NIS 2 is complementary to the GDPR (personal data) with regard to information security. For the financial sector, DORA is a "lex specialis" that takes precedence over NIS 2. The CRA (Cyber Resilience Act) will concern the security of products with digital elements.
Regulatory harmonization and simplification
NIS 2 aims to harmonize cybersecurity within the European Union. Specific clauses aim to simplify compliance with the Directive.
Frequently asked questions (FAQ) about NIS 2
This FAQ covers the main points of the directive.
Questions and answers on the most important points
Q1: Is my business affected? Check your sector (18 listed in the two annexes) and your size. ANSSI will provide further details on the directive.
Q2: What is the difference between EE and EI? Essential entities (EE), usually larger and in the most critical sectors, are subject to proactive supervision; important entities (EI) are supervised after the fact. The security requirements are similar for both.
Q3: What is the role of ANSSI? It is the national authority supervising the application of NIS 2 in France: identification of entities, receipt of incident notifications, and sanctions.
Useful links and resources
To learn more about the NIS 2 directive.
Links to official sites and reference documents
Official text of Directive (EU) 2022/2555 (EUR-Lex).
Complying with the NIS 2 directive is an effort, but also an opportunity to strengthen the overall security of information systems and cybersecurity. Anticipating is the key to this directive.