Are you familiar with the contents of the NIS 1 directive? Then start looking at the second version of the text now. The NIS 2 directive will be transposed into French law in the coming months. It concerns more entities of all sizes (except micro and small enterprises) and in many sectors.
What is the content of the NIS 2 directive? What changes does it bring? How can we prepare for it? Let's take a look at the main changes to come, and what you need to do to prepare for NIS 2.
What is the NIS 2 directive?
Presentation of the NIS 2 directive
The NIS 2 Directive (NIS for Network and Information Security / Sécurité des réseaux et des systèmes d'information) is an expansion of the NIS 1 Directive, the first version of the text published in 2016 and transposed into French law in 2018. The cyber context has changed profoundly in the space of a few years.
Malicious actors are now targeting new entities (SME and ETI type companies, local authorities), ransomware can have serious consequences, and supply chain players are now also targeted. The second version of the directive takes these new elements into account.
The NIS 2 Directive was published in the Official Journal of the European Union in December 2022. EU member states have a maximum of 21 months to transpose the directive into national law, i.e. until October 2024 (entry into force of the directive).
Objectives and scope of the NIS 2 directive
Faced with a rapidly evolving cyber environment (malicious actors are increasingly well-equipped and organized), the NIS 2 directive's objective is even more ambitious: to encourage more entities to better protect themselves, through security measures that reduce the exposure of their critical infrastructure to cyber risks.
To support this objective, the NIS 2 directive is marked by several changes, including:
- Extending the scope of application (more sectors and types of entity are concerned, both private and public)
- Reinforcing obligations and penalties
- Empowering corporate management bodies
What are the main changes brought about by the NIS 2 directive?
Extended scope of application: a real change of scale
One of the main changes brought about by the NIS 2 directive concerns its scope of application, now extended to numerous entities of all sizes:
- Companies in the broadest sense, from SMEs to CAC40 groups
- Central government and local authorities (optional regulation for local authorities)
- Supply chain players
The NIS 2 directive extends the list of activities concerned by adding sectors (space, wastewater, public administration, postal and shipping services, waste management, digital providers, chemicals, foodstuffs, manufacturing, etc.) and sub-sectors (heat and cold networks in the energy sector, for example).
The criteria used to define the entities covered by the directive are the size of the entity (number of employees, sales, etc.) and the criticality of its sector of activity.
Introduction of a proportionality mechanism
The NIS 2 directive also introduces a proportionality mechanism. The entities concerned are now divided into two categories, according to their level of criticality:
- Essential Entities, or EE (formerly Essential Service Operators): activities in highly critical sectors
- Important entities, or EI
The security requirements applied to these two categories of entity will not be the same.
What are the implications of the NIS 2 directive for businesses, public authorities and local authorities?
What are the obligations of the entities concerned?
Regulatory compliance: key obligations
The NIS 2 directive lists a number of mandatory security measures in the areas of risk analysis, information systems security policy, incident management, business continuity and recovery, etc.
NB: while some requirements will be applied unchanged on a national scale, others will be adapted and adapted at national level. It is therefore still too early to give an exhaustive breakdown of the various obligations that will apply in France. Consult the regularly updated FAQ on the ANSSI website..
Nevertheless, it is possible to indicate that the entities concerned are subject to new obligations or to a reinforcement of existing obligations, in particular :
- Reducing the time taken to report cyber incidents to the national CSIRT (Computer Security Incident Response Center)
- Strengthening cybersecurity standards
- The obligation to train employees about cyber risks
- The obligation to carry out regular safety audits
Notification of major security incidents
Entities affected by the NIS 2 directive must report any significant security incident to their CSIRT, following several steps:
- Initial notification within 24 hours of learning of the incident,
- Detailed notification within 72 hours of learning of the incident,
-Final report to CSIRT within one month of incident.
What is the role of the competent authorities?
ANSSI's role has been strengthened. The agency will support the entities concerned in the adoption of security solutions (understanding the regulations and the actions to be taken). The agency will also be in a position to carry out controls that may lead to injunctions (in the event of identified non-compliance).
As the second version of the directive concerns a much larger number of entities, these will also be able to be supported by CSIRTs.
How do you comply with the NIS 2 directive?
How to prepare for the transposition of the NIS 2 directive?
ANSSI advises entities concerned (companies, administrations, local authorities) not to wait for the NIS 2 directive to be transposed into French law, but to start preparing now. Entities already affected by NIS 2 should continue their efforts.
As for smaller entities about to enter the scope of the new directive, ANSSI advises them to adopt its guide to cybersecurity for VSEs and SMEs as of now. These entities have every interest in developing a proactive approach to IT security (identifying vulnerabilities, raising employee awareness, etc.).
Drawing up an information systems security policy (ISSP)
The ISSP is an action plan designed to maintain the security of an organization's network and information system. A reference document on IS security, it reflects management's strategic vision on the subject.
The ISSP defines IS security objectives, as well as the means and choices made to ensure this security. The implementation of an information systems security policy is one of the obligations contained in the NIS 2 directive, and constitutes a fundamental basis for the implementation of an effective cybersecurity approach. To find out more, here is the full text of the law.
What are the consequences of non-compliance with the NIS 2 directive?
Financial penalties
One of the changes brought about by the NIS 2 directive concerns the strengthening of the sanctions regime. In the event of non-compliance with the requirements set out in the European directive, all entities subject to the directive are liable to fines ranging from at least 1.4% (for large entities) to 2% (for essential entities) of annual worldwide sales.
Sanctions against top management
The NIS 2 directive also seeks to make management bodies more aware of their responsibilities in cyber risk management. It therefore provides for sanctions (excluding public administrations) that can go as far as the suspension of certifications and authorizations relating to services or activities provided by the entity, as well as a temporary ban on the managing director or legal representative from exercising management functions within the entity concerned.
While the NIS 2 directive follows on from the first version of the text, it greatly expands its scope. By broadening its scope, introducing new obligations and reinforcing the sanctions regime, it calls on organizations to take the measure of cyber threats and strengthen their security posture. Businesses and local authorities, get ready now to strengthen your security posture.
Would you like us to help you deploy a CAASM solution? Contact us.
