IT and New Technologies Law

The NIS 2 Directive: Towards stronger, harmonized European cybersecurity

A new directive at the heart of European challenges

The NIS 2 Directive, published on December 27, 2022 in the Official Journal of the European Union, represents an ambitious response to the intensification of cyber threats. With a deadline for transposition into national law set for October 17, 2024, this regulation strengthens and expands the framework established by the first NIS Directive, adopted in 2016. It imposes harmonized requirements, designed to strengthen the security of networks and critical information systems in all member states.

Unlike its predecessor, NIS 2 applies to a considerably larger number of entities and business sectors, reflecting a growing recognition of the risks posed by cyber-attacks. Its ambition is to ensure greater resilience for critical infrastructures, while boosting competitiveness and stakeholder confidence.

The main objectives of the NIS 2 Directive

The directive aims to protect strategic sectors essential to the smooth running of society and the economy. It targets areas such as energy, healthcare, transport and digital infrastructures. By introducing more stringent requirements, NIS 2 seeks to minimize the potential disruption caused by cyber-attacks.

One of the fundamental aims of the directive is to standardize practices between member states, thereby reducing regulatory disparities and facilitating compliance for entities operating in several countries. This harmonization creates a clear and coherent legal framework, strengthening cross-border cooperation in the face of cyber threats.

The obligations imposed by NIS 2

The directive distinguishes between two broad categories of entities, depending on their strategic importance: essential entities (EE) and important entities (EI). This differentiation is based on criteria such as size, turnover and the critical role played by the entity in its sector. Essential entities, because of their potential impact, are subject to more stringent obligations.

Under NIS 2, the entities concerned must put in place legal, technical and organizational measures to protect their information systems. This includes regular risk analysis, the implementation of appropriate solutions and the deployment of rapid response mechanisms in the event of an incident. Incidents with a significant impact will have to be reported to the ANSSI, which may initiate checks to verify compliance.

Failure to comply with these obligations could result in financial penalties of up to 2% of worldwide sales for EEs and 1.4% for EIs. These fines, proportionate to the seriousness of the breaches, are designed to ensure strict implementation of the measures set out in the directive.

Sectors covered by NIS 2

The directive covers a wide range of sectors, from digital infrastructure and healthcare to food production and postal services. By broadening its scope, NIS 2 recognizes the systemic nature of cyber-risks and the need for a comprehensive approach to protect essential services. This new framework also applies to public administrations, reflecting their central role in national resilience.

French transposition of the NIS 2 Directive

The transposition of the NIS 2 Directive in France is part of the bill on the resilience of critical infrastructures and the strengthening of cybersecurity, presented to the Council of Ministers on October 15, 2024. This text, which also incorporates the REC and DORA regulations, aims to strengthen the security of networks and information systems essential to critical and highly critical sectors. The Commission Supérieure du Numérique et des Postes (CSNP) has played an active role, issuing successive recommendations, notably on the clarification of the sectors concerned, the compliance deadline set at December 31, 2027, and the integration of adaptability clauses for technological advances, such as artificial intelligence. Once adopted by Parliament, the draft will be supplemented by some twenty implementing decrees, detailing the obligations of the entities concerned and finalizing security requirements, notably around the notion of Regulated Information System (RIS). This process illustrates France’s ambition to align itself with European standards, while taking account of national specificities.

ANSSI’s central role in implementation

As the national cybersecurity authority, ANSSI occupies a strategic position in the implementation of the NIS 2 directive. Charged with supporting entities subject to the directive, the agency has favored a collaborative approach, involving key industry players such as professional federations (UFE), cybersecurity associations (CLUSIF, CESIN) and qualified service providers (PASSI, PRIS, PDIS). This participative methodology led to in-depth consultations in 2023, covering the scope of the entities concerned, interactions with ANSSI and cybersecurity requirements.

Why prepare now?

The NIS 2 directive is more than just a legal obligation. It represents a strategic opportunity for companies and public authorities. By strengthening their cybersecurity practices, organizations can not only protect themselves against growing threats, but also enhance their competitiveness and strengthen the trust of their partners and customers. A proactive approach is essential to turn these constraints into a sustainable advantage.

The NIS 2 directive sets a new standard for cybersecurity in Europe. By tightening requirements and broadening the scope of entities concerned, it seeks to protect critical infrastructures in the face of growing cyber threats. French companies and public authorities need to prepare for these changes now, to ensure their resilience and competitiveness in an increasingly connected and interconnected environment.

Our experts are at your disposal to guide you through this transition and help you achieve optimum cybersecurity. Dreyfus Law Firm works in partnership with a worldwide network of lawyers specialized in Intellectual Property.


The EU AI Act and Its Implications for Global Business

Rapid artificial intelligence (AI) technology development has created the need for clear and harmonized regulation to ensure ethical use, safety, and innovation. The European Union’s AI Act (EU AI Act) is poised to become the world’s first comprehensive legal framework regulating AI, impacting not only European businesses but global industries operating within or interacting with the EU market. This article delves into the key aspects of the EU AI Act and its far-reaching implications for global business operations.


Overview of the EU AI Act

The Scope of the AI Act. The EU AI Act categorizes AI systems into different risk levels—unacceptable, high, limited, low, and minimal—each requiring varying degrees of regulatory scrutiny. The legislation primarily targets high-risk AI systems that significantly impact people’s safety, rights, and freedoms. These include AI applications in healthcare, transportation, and critical infrastructure sectors.

Compliance Requirements for High-Risk AI Systems. Under the AI Act, businesses must adhere to stringent compliance requirements for high-risk AI systems. These compliance requirements include conducting conformity assessments, ensuring robust risk management systems, and maintaining transparency and accountability throughout the AI lifecycle. Companies must also prepare for regular monitoring and audits, which designated authorities across EU member states will enforce.


Implications for Global Businesses

Direct Impact on AI Developers and Providers. Any company developing or providing AI systems, whether based within or outside the EU, must comply with the EU AI Act if its products are used within the Union. This extraterritorial reach of the regulation means that global businesses, particularly those in tech-heavy industries, must prioritize legal compliance to avoid penalties, including fines of up to 6% of their global annual turnover.

Increased Costs of Compliance and Innovation. The need for AI system conformity assessments, data governance policies, and risk management frameworks can significantly increase operational costs. For non-EU businesses, navigating the complex compliance landscape may require engaging local legal and technical experts, further driving up costs. However, these compliance measures also encourage responsible AI development and consumer trust, potentially opening new markets for companies able to demonstrate adherence to ethical AI standards.


Strategic Considerations for Businesses

Risk Mitigation and Liability. Understanding the liability risks associated with AI implementation under the EU AI Act is critical for global businesses. Companies must proactively establish comprehensive risk management processes to mitigate the legal and financial risks tied to AI systems that are deemed high-risk. Compliance can help reduce liability exposure and enhance operational security.

Competitive Advantages of Early Compliance. While compliance with the EU AI Act may initially seem burdensome, businesses that invest in early compliance efforts stand to gain significant competitive advantages. These include improved consumer trust, better market positioning in Europe, and reduced risk of facing regulatory penalties. Additionally, businesses that adhere to the Act’s principles will likely see enhanced brand reputation globally as ethical AI becomes a growing concern for consumers and regulators worldwide.


Broader Global Impact of the EU AI Act

Influence on Other Jurisdictions. As the EU AI Act sets a global precedent, other jurisdictions, including the U.S., China, and the UK, are expected to follow suit with their own AI regulations. This cascading effect may lead to the global harmonization of AI laws, pushing businesses to simultaneously adapt their AI strategies in multiple markets.

The Role of AI in International Trade. AI has become integral to various industries, and its regulation will affect international trade agreements, especially those involving digital products and services. Global companies must prepare for AI-related clauses to appear in trade negotiations, with compliance with the EU AI Act becoming a critical element of future international agreements.


Conclusion

The EU AI Act represents a landmark regulatory effort that will have significant implications for global businesses. While the compliance requirements are rigorous, they offer opportunities for companies to lead in the AI space by embracing ethical AI practices. The key for businesses is to view this regulatory shift not as a burden but as a pathway to building trust and ensuring sustainable growth in the ever-evolving world of artificial intelligence.


Our expertise in intellectual property enables us to guide companies through the regulatory challenges related to artificial intelligence. The European AI Act imposes strict requirements for compliance, transparency, and risk management, particularly for high-risk AI systems. With our deep understanding of intellectual property and emerging technologies, we help our clients navigate this complex framework, protecting their innovations while ensuring they meet the new standards.


Dreyfus Law Firm partners with an international network of lawyers specializing in Intellectual Property.
