Cybersecurity: Preparation for NIS 2 Compliance

Network and Information Security

NIS 2 Directive: 
Enhancing Cybersecurity in Europe

The NIS 2 European directive is a key EU initiative aimed at strengthening cybersecurity across Member States, particularly in critical sectors such as energy, transport, and healthcare. As a directive, it must be transposed by each country into national law, thereby reinforcing national cybersecurity frameworks. It focuses on larger organizations; small businesses are generally exempt from its requirements. This page offers a concise overview of the directive's key elements, the affected sectors, how to determine whether your organization is in scope, and the applicable fines. It also illustrates how Europe plans to improve its digital resilience. For expert guidance on NIS 2 compliance, please contact us.


History of the European directives NIS 1 and NIS 2

In France, the concept of OIV (Opérateur d'importance vitale) was introduced by the Military Programming Law (loi de programmation militaire) to identify and protect critical infrastructure operators whose services are essential to the functioning of society and the economy (national security, public health, and safety).

The identification and protection of OIVs were implemented through national legislation in individual countries. Each country defined its own criteria and list of OIVs based on its specific national interests and infrastructure.

Subsequently, the European NIS directive was designed to harmonize cybersecurity requirements across all EU countries.

NIS 1 (Network and Information Security Directive)

Adopted by the European Union in July 2016, the NIS 1 Directive was the first EU-wide legislation on cybersecurity. As an EU directive, it required transposition into national law by each Member State: countries had to adopt and implement its provisions within their own legal frameworks and ensure compliance by operators within their jurisdictions.

Its primary goals were to improve national cybersecurity capabilities, enhance cooperation among EU Member States, and promote a culture of risk management and incident reporting in key economic sectors. The NIS 1 Directive focused on Operators of Essential Services (OES) and Digital Service Providers (DSPs). These included:

OES: Energy companies, transport companies, banking and financial services, healthcare institutions, water supply and distribution companies, and digital infrastructure providers.

DSPs: Online marketplaces, online search engines, and cloud computing service providers.

NIS 2 (Network and Information Security Directive 2)

The NIS 2 directive builds on the essential requirements established by the NIS 1 directive while encompassing a broader range of sectors and key entities. It introduces more stringent security requirements, increased accountability, and enhanced incident reporting obligations. It is meant to address the evolving cybersecurity landscape and the limitations of the NIS 1 Directive. The European Union adopted the NIS 2 Directive in December 2020.

The table below shows the criteria that determine whether your company falls within the scope of NIS 2:

Contact our experts to learn more about NIS 2!

Classification and status report of NIS 2 directive

The NIS 2 Directive, adopted by the EU in December 2020, builds on the NIS 1 Directive to address evolving cybersecurity threats and expand its scope. It requires Member States to transpose its provisions into national law, and it covers additional sectors such as public administration, space, waste management, and essential digital services. The figure on the right shows the maturity of NIS 2 transposition in the different EU countries as of May 2024.

The NIS 2 Directive categorizes companies based on size and financial metrics, and it introduces distinct requirements depending on whether a company is classified as an Essential Entity (EE) or an Important Entity (IE). This classification is determined by the company's size and its role in critical sectors.

To learn more, you can consult the ANSSI NIS 2 page or go directly to the official EU NIS 2 resource, which is available in all EU languages.

If you need help, feel free to reach us through the contact form.

Main changes in the NIS 2 directive compared to the NIS 1 directive

Broader Scope: NIS 2 covers more sectors and includes a wider range of entities based on size and economic impact.

Risk Management: Both Essential and Important Entities must adopt comprehensive risk management practices, but Essential Entities face more rigorous standards.

Incident Reporting: Both categories must report incidents, but Essential Entities have stricter and faster reporting obligations.

Enforcement: Penalties and sanctions are tiered, with Essential Entities facing higher penalties (fines) for non-compliance.

By differentiating requirements according to the classification of entities, the NIS 2 directive aims to ensure that critical infrastructure and services are robustly protected against cybersecurity threats, while taking into account the size and capacity of the companies concerned.

Impact of NIS 2 on French companies

What should companies put in place to become NIS 2 compliant? As of 2024, ANSSI (in France) has not issued any fines, but fines are very likely in the future, so the companies concerned should prepare now to be NIS 2 compliant.

ANSSI has published an initial document to help organizations prepare for operational compliance with NIS 2. Companies must take the following measures into account:

– Use of IT asset management tools
– Regular backups
– An incident response policy
– Regular updates and upgrades
– Use of an effective antivirus solution
– A robust password policy
– An active firewall
– Email security measures against phishing

Cybersecurity for SMEs (ANSSI)

Our guidance for client companies in the context of compliance with the NIS 2 directive

To assist organizations in meeting the demands of the NIS 2 Directive, we offer a comprehensive suite of services tailored to enhance cybersecurity resilience at an organizational level.

Development and Implementation of Security Policies (PSSI)

We assist in creating and implementing robust information security policies (PSSI) that underpin your Information Security Management System and are tailored to your organization's specific needs. These policies form the foundation of a strong cybersecurity posture.

Information, communication and digital tools charter

We help develop and enforce an information, communication and digital tools charter that sets out acceptable use policies, security rules, and employees' responsibilities. This charter is crucial for fostering a security-conscious culture within the organization.

Employee Training and Awareness Programs

Human error remains a significant vulnerability in cybersecurity. We provide comprehensive training programs to educate employees on best practices and security procedures, and on how to recognize and respond to potential threats.

Cybersecurity Risk Management

EBIOS Risk Manager (EBIOS RM) is the method for assessing and treating digital risks published by the French National Cybersecurity Agency (ANSSI) with the support of Club EBIOS. This methodology offers an adaptable toolkit whose use varies with the project's objectives, for example building an ISMS (Information Security Management System) or reducing the risk of cyberattacks.

The NIS 2 Directive represents a significant advance in Europe's cybersecurity landscape, addressing the growing threats to critical infrastructure and services. As the compliance deadline approaches, organizations must take proactive steps to align with the directive's requirements.

Our dedicated services are designed to support your organization through this transition, ensuring that you not only comply with NIS 2 but also strengthen your overall cybersecurity resilience.

By preparing now, your organization can navigate the complexities of NIS 2 with confidence and build a robust defense against cyber threats.