A new directive at the heart of European challenges
The NIS 2 Directive, published on December 27, 2022 in the Official Journal of the European Union, represents an ambitious response to the intensification of cyber threats. With a deadline for transposition into national law set for October 17, 2024, this regulation strengthens and expands the framework established by the first NIS Directive, adopted in 2016. It imposes harmonized requirements, designed to strengthen the security of networks and critical information systems in all member states.
Unlike its predecessor, NIS 2 applies to a considerably larger number of entities and business sectors, reflecting a growing recognition of the risks posed by cyber-attacks. Its ambition is to ensure greater resilience for critical infrastructures, while boosting competitiveness and stakeholder confidence.
The main objectives of the NIS 2 Directive
The directive aims to protect strategic sectors essential to the smooth running of society and the economy. It targets areas such as energy, healthcare, transport and digital infrastructures. By introducing more stringent requirements, NIS 2 seeks to minimize the potential disruption caused by cyber-attacks.
One of the fundamental aims of the directive is to standardize practices between member states, thereby reducing regulatory disparities and facilitating compliance for entities operating in several countries. This harmonization creates a clear and coherent legal framework, strengthening cross-border cooperation in the face of cyber threats.
The obligations imposed by NIS 2
The directive distinguishes between two broad categories of entities, depending on their strategic importance: essential entities (EE) and important entities (EI). This differentiation is based on criteria such as size, turnover and the critical role played by the entity in its sector. Critical entities, because of their potential impact, are subject to more stringent obligations.
Under NIS 2, the entities concerned must put in place legal, technical and organizational measures to protect their information systems. This includes regular risk analysis, the implementation of appropriate solutions and the deployment of rapid response mechanisms in the event of an incident. Incidents with a significant impact will have to be reported to the ANSSI, which may initiate checks to verify compliance.
Failure to comply with these obligations could result in financial penalties of up to 2% of worldwide sales for EAs and 1.4% for EIs. These fines, proportionate to the seriousness of the breaches, are designed to ensure strict implementation of the measures set out in the directive.
Sectors covered by NIS 2
The directive covers a wide range of sectors, from digital infrastructure and healthcare to food production and postal services. By broadening its scope, NIS 2 recognizes the systemic nature of cyber-risks and the need for a comprehensive approach to protect essential services. This new framework also applies to public administrations, reflecting their central role in national resilience.
French transposition of the NIS 2 Directive
The transposition of the NIS 2 Directive in France is part of the bill on the resilience of critical infrastructures and the strengthening of cybersecurity, presented to the Council of Ministers on October 15, 2024. This text, which also incorporates the REC and DORA regulations, aims to strengthen the security of networks and information systems essential to critical and highly critical sectors. The Commission Supérieure du Numérique et des Postes (CSNP) has played an active role, issuing successive recommendations, notably on the clarification of the sectors concerned, the compliance deadline set at December 31, 2027, and the integration of adaptability clauses for technological advances, such as artificial intelligence. Once adopted by Parliament, the draft will be supplemented by some twenty implementing decrees, detailing the obligations of the entities concerned and finalizing security requirements, notably around the notion of Regulated Information System (RIS). This process illustrates France’s ambition to align itself with European standards, while taking account of national specificities.
ANSSI’s central role in implementation
As the national cybersecurity authority, ANSSI occupies a strategic position in the implementation of the NIS 2 directive. Charged with supporting entities subject to the directive, the agency has favored a collaborative approach, involving key industry players such as professional federations (UFE), cybersecurity associations (CLUSIF, CESIN) and qualified service providers (PASSI, PRIS, PDIS). This participative methodology led to in-depth consultations in 2023, covering the scope of the entities concerned, interactions with ANSSI and cybersecurity requirements.
Why prepare now?
The NIS 2 directive is more than just a legal obligation. It represents a strategic opportunity for companies and public authorities. By strengthening their cybersecurity practices, organizations can not only protect themselves against growing threats, but also enhance their competitiveness and strengthen the trust of their partners and customers. A proactive approach is essential to turn these constraints into a sustainable advantage.
The NIS 2 directive sets a new standard for cybersecurity in Europe. By tightening requirements and broadening the scope of entities concerned, it seeks to protect critical infrastructures in the face of growing cyber threats. French companies and public authorities need to prepare for these changes now, to ensure their resilience and competitiveness in an increasingly connected and interconnected environment.
Our experts are at your disposal to guide you through this transition and guarantee you optimum cybersecurity. Dreyfus Lawfirm works in partnership with a worldwide network of lawyers specialized in Intellectual Property.
Join us on social networks!