Home > Digital technologies > Cybersecurity > NIS 2: how do you prepare to apply the new cyber security directive?

NIS 2: how do you prepare to apply the new cyber security directive?

Published on 3 June 2024
Share this page :

The countdown is on: there are just 5 months to go before the directive comes into force. NIS 2.0 on cybersecurity. These European regulations will apply to SMEs, local authorities and major CAC 40 groups alike. What are the requirements? What are the penalties for non-compliance? How can you prepare and bring your information system into compliance? Discover our recommendations to help you through this crucial transition.

Illustration of article NIS 2

NIS 2 is giving CIOs the cold sweats. Published in December 2022, the NIS 2 (Network and Information Security) Directive is due to come into force in France very shortly, on 17 October 2024. The aim? To strengthen the cyber security of businesses throughout the European Union.

To this end, it builds on the NIS 1 directive already in force by increasing security requirements and extending its scope to a wider range of businesses and organisations.

The directive A particular feature of NIS 2 is that it makes managers responsible for managing cyber incidents. (art. 20 of the directive). In other words, not only the manager, but also all the individuals in the management bodies (e.g. the executive committee) may be declared responsible for the cyber security of the reporting entity (art. 32 and 33).

Which companies are affected by NIS 2?

The NIS 2 directive will apply to 18 business sectors (compared with 7 for NIS 1). Companies are divided into 2 categories, according to 3 criteria: sector of activity, number of employees and turnover:

  • Essential entities (EE)
  • Major entities (EI)

More than 20,000 French entities are expected to be affected, including administrations of all sizes and companies ranging from SMEs to CAC 40 groups.

Entities will no longer be designated by decree, but by the criteria below (sector of activity, number of employees, turnover).  

Company size
Number of employees
Sales figures
(in € millions)
Highly critical sectors
Critical sectors
Micro-businesses and SMEs
≤ 50
< 10
Not affected by NIS 2
SMEs
51-249
10-49
Significant Entities (SE)
ETIs and large companies
≥ 250
≥ 50
Essential Entities (EE)
Significant Entities (SE)

The 18 business sectors are divided according to their criticality:

  • The highly critical sectors These include drinking water, transport, health, energy, the financial market, banking and digital infrastructure, all of which are already covered by NIS 1. To these can be added wastewater management, space, ICT services (including e-commerce sites) and public administrations (central, regional and local).
    Depending on their size (number of employees, turnover), they will be either EEs or IEs.
  • The other critical sectors These include postal and shipping services, waste management, foodstuffs, research and higher education, manufacturing, production and distribution of chemical products, and digital suppliers.
    These sectors only include IEs.

At national level, theANSSI (Agence nationale de la sécurité des systèmes d'information), which will implement NIS 2. The national authority for cybersecurity and cyberdefence will provide support to the entities concerned, while at the same time exercising a supervisory role.

What are the NIS 2 requirements?

The NIS 2 directive draws heavily on the ISO 27001 which certifies risk management protocols. Organisations affected by NIS 2 will have to provide ANSSI with certain information, implement appropriate risk management measures (risk analysis and management plan).

What's more, companies must report any major cyber security incident to ANSSI within 72 hours. This requires the technical and organisational infrastructure to detect and respond to them.

How do you prepare for NIS 2?

1. Check that your organisation is concerned

The first step is to check that your organisation is concerned by taking the test proposed by ANSSI (see higher).

2. Assessing the current state of cyber security

The second is to assess the current state of the organisation's cyber security. To do this, organisations can :

  • Carrying out a security audit Identify weaknesses and gaps in current security arrangements. For example, an SME may discover that it does not have a robust password policy, which could leave it vulnerable to brute force attacks.
  • Assessing risks Risk analysis: a risk analysis will identify potential threats and their impact on the organisation. For example, a transport company might identify that its fleet management systems are susceptible to cyber attacks that could disrupt its operations.
  • Mapping assets Identify critical assets and critical infrastructures to understand where to focus security efforts. For example, a healthcare company will need to identify its patient databases as critical assets requiring enhanced protection.

3. Introducing enhanced security measures

Then, depending on the results of the initial assessment, companies can introduce enhanced security measures :

  • Updating security policies. For example, an SME might introduce a policy requiring regular software updates to avoid vulnerabilities.
  • Improving controls and detection systems (firewall advanced, EDR...) or encryption
  • More robust identity and access management (IAM). For example, an e-tailer can implement multifactor authentication (2FA) to secure customer access.

4. Strengthening organisational resilience

The entity will also be able to strengthen its organisational resilience:

  • Develop continuity plans (PCA) and return to work (PRA). For example, an e-commerce company must have a plan to continue processing orders even if its website is attacked.
  • Implement incident management procedures. For example, a manufacturing company could put in place a process to quickly isolate compromised systems to minimise damage.
  • Training and raising staff awareness To raise awareness of good cyber security practices among all employees and organise regular training sessions for staff. For example, teach staff how to spot e-mails from phishing.

Lastly, it must ensure compliance and ongoing monitoring. through regular security audits, ongoing communications with ANSSI, etc.

What are the penalties for non-compliance with NIS 2?

Unlike NIS 1, the NIS 2 directive provides for a range of penalties in the event of non-compliance by entities subject to the directive. These penalties can be very heavy, particularly in terms of fines.

For example, an SME that fails to report a major security incident could face fines representing a significant percentage of its annual turnover, similar to what is provided for in the General Data Protection Regulation (GDPR). In addition, the ANSSI will be able to impose administrative sanctions such as compliance orders.

In addition other possible sanctions :

  • From alerts sent to an entity's customers about potential risks
  • From administrative measures such as compliance orders, business suspensions, licence withdrawals, etc.
  • From court injunctions ordering the entity to comply through specific measures.

The directors of ES may be banned from practising in the event of non-compliance. It is therefore important for these managers to be trained in the governance cybersecurity.

How much does compliance cost?

This cost can vary considerably depending on the size of the organisation and its state of readiness for compliance. Then there's the number of digital devices and the number of people responsible for cyber security.

The costs to be taken into account include: safety audits, technological upgrades, staff training and, if necessary, the use of external consultants.

The NIS 2 Directive represents a major challenge for organisations, but also an opportunity to improve their cybersecurity and resilience in the face of threats. For CISOs, CIOs and SME managers, preparing for this directive involves a rigorous assessment of current security arrangements, the implementation of robust security measures, and a commitment to continuous improvement. The NIS 2 Directive also imposes an obligation to provide cybersecurity training for managers and to raise awareness among staff.

By following these steps, organisations will not only be able to comply with the NIS 2 Directive, but also strengthen their overall security posture.

Our expert

Made up of journalists specialising in IT, management and personal development, the ORSYS Le mag editorial team [...]

field of training

associated training