The NIS Directive: a reminder of the first European law on cybersecurity
Known in France as SRI, the Network and Information Security (NIS) Directive is a directive relating to the security of networks and information systems. Adopted in 2016 by the European Parliament, this directive aims to raise the level of cybersecurity for organizations of critical importance, whose disruption would significantly impact the functioning of the country and its citizens. Designed as a legislative shield, this text aims to increase collaboration and information sharing between European Union member states through their CERTs. The overall goal is to build a Europe that is strong in the face of increasing cyberattacks.
In order to apply in each Member State, this directive is transposed into national law. The concept of Operators of Essential Services (OES, or OSE in French) has been introduced, allowing each country to draw up a list of critical sectors. The companies concerned are mainly in the energy, transport, banking, insurance, food, water, health, and government sectors. In this first version, companies categorized as OES and digital service providers (DSP) are subject to high network and information system security (NISS) requirements.
The necessary shift towards a directive adapted to current challenges
But the challenges our organizations currently face are no longer those of 2016. Cyber threats are multiplying and attackers are becoming more professional, social tensions are rising (energy crisis, climate change, war on Europe's doorstep, etc.), and digitalization is increasing across all sectors of activity. Faced with this new security context, Europe had to revise this directive to strengthen its level of cybersecurity.
Supported during the French Presidency of the European Union (PFUE), the revision of the NIS Directive was the subject of a political agreement between the Commission, the Parliament, and the European Council in May 2022. The objective of the NIS 2 Directive, as was the case in its initial version, is to raise the level of cybersecurity among European organizations, while harmonizing rules and obligations among stakeholders regardless of company size.
The major changes brought about by the NIS 2 Directive
Although the new version of the directive has not yet been adopted, it is already raising many questions. Who will be affected by this new directive? What changes can be expected? What actions can be anticipated within your organization? What are the risks of non-compliance? Detailed answers in four points!
A broader scope of organizations involved
In addition to the sectors described earlier in this article, the list has been expanded from 19 to 35 sectors covered by the NIS 2 Directive. Postal services, the agri-food sector, the production and distribution of chemical products, and waste management have been added to the list of sectors covered. Local authorities will now also be affected by the revision of this directive. Other criteria such as company size and turnover will also be taken into account. Companies with more than 50 employees and a turnover of more than €1 million will be affected by the new directive.
Guillaume Poupard, Director General of ANSSI, estimates that the number of players involved will increase tenfold! In his opening speech at the Assises de la Sécurité conference in Monaco in October 2022, he emphasized the need to "change scale in order to collectively raise the level of cybersecurity" and cited the NIS 2 directive as an example of how this could be achieved. For his part, Pierre Dartout, Minister of State of the Principality of Monaco, reiterated the importance of demanding an increase in cybersecurity levels: "Cybercriminal groups are attacking intermediary companies that are not well equipped, as well as essential services. We must raise awareness, help secure information systems, and maintain high-performance infrastructure over the long term."
The supply chain now subject to the NIS 2 directive
Subcontractors, suppliers, and service providers working for any of the infrastructure listed above will have to comply with the requirements of NIS 2. This is because supply chain players are a prime target for cyber attackers. Take, for example, SolarWinds in 2020, Codecov in April 2021, and Kaseya in July 2021. These attacks, which affected the customers of these software publishers, demonstrate that the software supply chain has become a weak link in end-customer cybersecurity.
In recent months, the number of supply chain attacks has continued to grow, and it is becoming inevitable to require the same level of cybersecurity for everyone. The NIS 2 directive should correct this oversight.
The creation of two types of actors: essential entities and important entities
The NIS Directive led to the creation of the OES status (OSE in French), designed as an extension of the OIV (Operators of Vital Importance) status introduced by the 2013 Military Programming Law. When the NIS 2 Directive is adopted, this status will disappear in favor of two categories of entities: essential entities (EE) and important entities (EI in French). The distinction will be made according to the degree of criticality in the event of a shutdown, depending on the sector concerned and the size of the company. For the time being, categorization will be done by self-designation by the company itself.
Penalties for non-compliance
What risks does a company face if it fails to comply with the requirements set out in this European directive? On this point, the directive provides for fines ranging from 1.4% to 2% of the company's turnover! But that's not all: the European Commission has also indicated that it intends to hold managers accountable. This is enough to shake things up.
In conclusion, this new version aims to respond to the numerous cyberattacks that have targeted subcontracting chains. With an expansion of the sectors and organizations concerned and an increase in information system security requirements, harmonization of the overall level of cybersecurity should automatically follow. The timetable announced by the French National Cybersecurity Agency (ANSSI) provides for the directive to be validated by the end of 2022. It will then be transposed into French law (and into the law of each Member State), making it applicable in the first half of 2024. It now remains to follow developments and decipher the effects of the announcement in order to translate them into real requirements.