Understanding the NIS 2 Directive: a turning point for cybersecurity in Europe

Cybersecurity is now a strategic priority for European companies. With cyber threats on the rise, regulation is adapting to strengthen the digital resilience of organizations. It is against this backdrop that the NIS 2 directive comes into play, with tougher requirements and a much broader scope of application.

NIS 2 (Directive (EU) 2022/2555, NIS standing for Network and Information Security) replaces the first NIS directive adopted in 2016 (Directive (EU) 2016/1148). Its aim: to better protect the network and information systems of entities that play a crucial role in our society and economy. It is no longer a matter of recommendations, but of genuine security obligations, backed by sanctions in the event of non-compliance.

A directive with a broader scope

NIS 2 now concerns several thousand entities across 18 business sectors. It distinguishes between two categories of organization, essential entities and important entities, depending on the sector and the size of the entity. Essential entities are mainly the large players in the most critical sectors such as energy, healthcare, transport and drinking water; important entities also include structures operating in other sensitive fields, such as digital services, agri-food and chemicals.

Size becomes the trigger: in the most critical sectors, entities with more than 250 employees or annual turnover in excess of 50 million euros are classified as essential, while entities with at least 50 employees or annual turnover of at least 10 million euros are classified as important.

Concrete requirements to reinforce security

The directive imposes a series of structural obligations on the companies concerned. It's not just a question of having a cybersecurity plan on paper, but of implementing an active, documented approach to risk management.

This involves:

  • Registering with, and regularly sharing information with, the designated national authorities;
  • Implementing technical, operational and organizational measures proportionate to the entity's risk exposure;
  • Reporting significant incidents in stages: an early warning within 24 hours of becoming aware of the incident, a fuller notification within 72 hours, and a final report within a month, with ongoing monitoring of the situation in between.

In addition to these technical obligations, NIS 2 also reinforces the responsibility of senior management. Digital security becomes a governance issue in its own right: management bodies must approve the risk-management measures, oversee their implementation and follow cybersecurity training, and can be held liable for breaches. Business leaders will therefore need to demonstrate their commitment and their ability to effectively manage their organization's cybersecurity.

Gradual implementation, but anticipate today

Originally due by 17 October 2024, the transposition of NIS 2 into French law has been pushed back to early 2025. The official list of regulated entities should be communicated in April, subject to changes in the legislative timetable.

But beware: delay is not synonymous with reprieve. As Vincent Strubel, Director General of ANSSI, has reminded us, a set of minimum measures will have to be implemented as soon as the texts come into force, well before the three-year deadline for full compliance.

Service providers and subcontractors of regulated entities will also be affected, since the directive requires regulated entities to manage the security of their supply chain and to pass requirements down to their suppliers. It is therefore essential to anticipate the impact of these regulations now.

An opportunity to increase cyber maturity

Beyond the regulatory constraints, NIS 2 is also an opportunity for companies to raise their level of cyber maturity. By structuring their governance, adopting high-performance security tools and integrating digital risks into their strategic thinking, organizations can turn compliance into a performance lever.

At Dattak, we are already assisting numerous companies in this transition. Thanks to a proactive approach combining technical tools and human expertise, we help organizations to prepare effectively for the directive's requirements. Our conviction: NIS 2 compliance is a milestone, but cyber resilience is an ongoing process.

Towards a new culture of cybersecurity

With NIS 2, the European Union is laying the foundations for a structured, shared and empowered cybersecurity culture. A more mature digital security culture, anchored in the reality of threats, and supported by clear governance within companies.

Anticipating these developments means not only avoiding sanctions, but above all protecting ourselves more effectively against an ever-increasing number of cyber attacks. Cyber risk ranks among the top risks for any company, whatever its size.