Directive NIS 2


The NIS 2 directive is a European regulation which aims to strengthen the cybersecurity of critical sectors by imposing stricter obligations on companies and administrations.

What is the NIS 2 directive?

The NIS 2 directive, adopted in December 2022, marks a major turning point for cybersecurity in Europe. Its main objective is to strengthen the protection of the European Union's strategic infrastructures and services in the face of increasingly frequent and sophisticated cyberattacks.

Here are the key points of NIS 2:

Expanded scope of application

NIS 2 significantly expands the scope of European cybersecurity regulation compared to NIS 1. While NIS 1 primarily focused on operators of essential services (OES) in critical sectors such as energy, transport and health, NIS 2 adds many new sectors of activity.

From now on, entities such as public administrations, postal service operators, manufacturers of critical products and waste managers will also have to comply with strict cybersecurity requirements. This will improve the overall resilience of the European digital ecosystem.

Strengthened cybersecurity obligations

NIS 2 imposes stricter cybersecurity obligations on relevant entities. These must in particular:

  • Manage cybersecurity risks proactively by identifying vulnerabilities and implementing proportionate protective measures.
  • Report cybersecurity incidents to the relevant authorities within strict deadlines.
  • Have a crisis management plan to deal with cyberattacks and minimize their impact.
  • Report major incidents publicly.

Proportionality

NIS 2 recognizes that not all entities have the same level of risk or the same resources. It introduces a proportionality mechanism which adapts cybersecurity requirements to the size and sector of activity of the company.

Thus, small businesses will have less restrictive obligations than large businesses playing a more critical role in the economy.

Increased cooperation

NIS 2 encourages closer cooperation between EU member states on cybersecurity. This will enable better exchange of information about threats and vulnerabilities, as well as more effective coordination of incident response efforts.

Who is affected by the NIS 2 directive?

The NIS 2 Directive, which aims to strengthen the cybersecurity of critical sectors in Europe, applies to a wide range of entities, both public and private. The directive lists 18 sectors classified either as highly critical or critical.

Highly critical sectors

  1. Banking establishments
  2. Financial market infrastructures: credit institutions, investment firms, etc.
  3. Energy: Production, transport, distribution of electricity, nuclear power, hydrogen, oil, gas and heat
  4. Transport: Air, rail, sea, road and navigation services
  5. Health: Analysis laboratories, healthcare providers or clinics
  6. Space
  7. Public administrations
  8. Drinking water suppliers and distributors
  9. Wastewater management: Collection, disposal, treatment of wastewater
  10. Digital Infrastructures: Cloud Services, Routers, Data Centers, Broadcast Networks
  11. ICT Digital Service Management: Managed Service and Security Providers

Critical sectors

  1. Research
  2. Chemical Products: Manufacturing, production and distribution
  3. Waste management
  4. Foodstuffs: Production, processing and distribution
  5. Digital Service Providers
  6. Postal and parcel services
  7. Manufacturing and manufactured products: Various equipment including optical, medical, vehicle, transport, electronics and IT

What are the requirements of NIS 2?

Important and Essential Entities must comply with a set of strict cybersecurity requirements, covering the following key points:

01. Risk management

  • Conduct a comprehensive and in-depth cybersecurity risk analysis, identifying critical assets and potential threats.
  • Implement risk management measures that are adequate and proportionate to the risks identified.
  • Regularly monitor and test the systems and security measures put in place.

02. Security of networks and information systems

  • Apply robust security measures to protect networks and information systems against cyberattacks, based on the current state of the art.
  • Use proven security technologies and keep them up to date by applying security patches and software updates.
  • Implement strict access controls to limit access to systems and sensitive data, following the principle of least privilege.

03. Incident management

  • Develop and implement a documented incident response plan, defining procedures to follow in the event of a cyberattack.
  • Immediately notify the relevant authorities in the event of a major cybersecurity incident that may have a significant impact on the services provided.
  • Analyze incidents that occur in order to learn lessons and make the necessary improvements to security measures.

04. Monitoring and reporting

  • Implement continuous monitoring systems to detect suspicious activities and potential intrusions on networks and systems.
  • Report cybersecurity incidents to appropriate authorities in accordance with established procedures.
  • Publish annual cybersecurity reports describing measures implemented, incidents occurred and lessons learned.

Specific Requirements for Essential Entities

In addition to the fundamental requirements, Essential Entities must comply with additional obligations, given their crucial role in society:

  • Carry out penetration tests (pentests) and regular security audits to identify potential vulnerabilities and verify the effectiveness of security measures.
  • Implement business continuity plans (BCP) and disaster recovery plans (DRP) to ensure the continuity of essential services in the event of a major cyberattack.
  • Appoint a cybersecurity lead within the organization with the skills and authority to drive the cybersecurity strategy.

What are the sanctions for non-compliance with NIS 2?

The NIS 2 directive establishes a reinforced sanctions regime to deter Important and Essential Entities from failing to comply with its requirements.

Two categories of sanctions exist:

Administrative fines

For Essential Entities

Member States have the option to impose administrative fines of up to €10 million or 2% of overall annual turnover, whichever is higher.

For Important Entities

The ceiling for administrative fines is set at €7 million or 1.4% of overall annual turnover, whichever is higher.

Additional measures

In addition to administrative fines, Member States can also take additional measures against non-compliant entities, such as:

  • Compliance orders requiring the entity to take corrective action within a specified time frame.
  • Suspension or withdrawal of authorizations necessary for the exercise of its activities.
  • Publication of deficiencies noted.

Sanctions Details

The aim of the sanctions is to deter breaches of the NIS 2 Directive and to encourage relevant entities to invest in cybersecurity to effectively protect their activities and customer data.

It is important to note that the precise arrangements for implementing sanctions, including fine levels and additional measures, may vary between Member States. The entities concerned should therefore refer to the national legislation transposing the NIS 2 Directive in their respective country to know the exact provisions applicable.

In addition to regulatory sanctions, non-NIS 2 compliant entities may also face significant reputational and business risks in the event of a major cyberattack. Loss of customer trust and damage to brand image can have significant financial consequences.

How to prepare for the NIS 2 directive?

The entry into force of NIS 2 is scheduled for October 2024. Many companies will therefore have to comply by strengthening their cybersecurity measures.

NIS 2 represents a major step forward for cybersecurity in Europe and should help to better protect essential infrastructure and services from cyberattacks.

Here is a practical guide to help you prepare for the NIS 2 directive:

Assess your situation

Identify whether your organization falls within the scope of the NIS 2 directive

  • The directive targets operators in critical sectors such as energy, transport, health, financial services, etc.
  • You can use the guides and tools available on the websites of the relevant national authorities to determine whether your organization is affected.

Carry out an in-depth analysis of your cybersecurity risks

  • Identify your critical assets, potential threats they are exposed to, and existing vulnerabilities.
  • This analysis will allow you to define priorities in terms of implementing security measures.

Implement the necessary security measures

Apply the basic requirements of the NIS 2 directive

  • This includes implementing risk management, network and information systems security, incident management, monitoring and reporting measures.
  • You can refer to the Directive's annexes and practical guides published by the competent authorities for detailed guidance.

Strengthen your existing security measures

  • Evaluate whether your current practices comply with the enhanced requirements of the NIS 2 directive.
  • Update your security policies, procedures and technologies as necessary.

Take a proactive approach to risk management

  • Implement continuous monitoring and detection mechanisms to identify cyber threats and potential intrusions in real time.
  • Implement preventive protection measures such as strict access control, network segmentation and regular software updates.

Strengthen your incident management capabilities

Develop a documented incident response plan

  • This plan must define the roles, responsibilities and procedures to follow in the event of a cyberattack.
  • It should also include communications and systems recovery plans.

Regularly test your incident response plan

  • Attack simulations and training exercises will test the effectiveness of your plan and identify areas for improvement.

Establish effective communication mechanisms

  • Ensure you can communicate quickly and effectively with relevant authorities, customers and stakeholders in the event of a cybersecurity incident.

Designate a cybersecurity manager

Appoint a cybersecurity manager within your organization

  • This person must have the skills, experience and authority to drive the organization's cybersecurity strategy.
  • The cybersecurity manager must be able to educate and train employees on good security practices, and oversee the implementation and maintenance of protective measures.

Raise awareness and train your employees

Implement cybersecurity awareness and training programs for all your employees

  • Employees need to be aware of cyber threats and know how to identify and avoid them.
  • Regular training will allow them to understand the security procedures put in place and know how to react in the event of an incident.

Comply with reporting requirements

Implement procedures to document and report cybersecurity incidents to the appropriate authorities

  • Make sure you respect the deadlines and reporting formats defined in the NIS 2 directive.

Keep detailed records of the security measures implemented and of the cybersecurity incidents that occur

  • This information may be requested by authorities during audits or investigations.

Seek expert advice and support

Do not hesitate to seek help from cybersecurity consultants and experts

  • These professionals can help you assess your risks, implement necessary security measures, and prepare for compliance audits.

Stay informed of regulatory developments and new cyber threats

  • Subscribe to communications from competent authorities and participate in webinars and training offered on the NIS 2 Directive.
