NIS 2

The NIS 2 (Network and Information Security 2) directive has been the talk of the town since its publication in the EU Official Journal on December 27, 2022. And with good reason: it represents a major milestone in the evolution of European cybersecurity regulations, replacing its 2016 predecessor, NIS.

Want to better understand the ins and outs of NIS 2? You've come to the right place!

September 2, 2024

What are the objectives of the NIS 2 Directive?

NIS 2 was designed to address the limitations and shortcomings of the original NIS Directive. Admittedly, the latter marked a huge step forward, as it was the first EU-wide legislation to specifically address the cybersecurity of networks and information systems. Nevertheless, experience has shown that the NIS requirements were sometimes insufficient to cope with the rapid evolution of cyber threats...

The NIS 2 Directive therefore aims to address these shortcomings, and thus:

  • improve the resilience of critical entities by imposing stricter cybersecurity requirements on essential entities (EE) and important entities (IE);
  • strengthen cooperation between Member States, as well as between the public and private sectors, for a more coordinated response to cybersecurity incidents;
  • increase transparency by requiring more systematic reporting of cyber incidents and strengthening communication about threats and vulnerabilities;
  • harmonize national approaches by establishing more uniform minimum standards and cybersecurity requirements across the EU.

Such harmonization is crucial, as it prevents the weaknesses of one Member State from jeopardizing the entire European internal market!

NIS 2: what does it change?

#1 An extension of the scope of application

One of the major changes in NIS 2 is the broadening of the directive's scope. While NIS mainly covered operators of essential services (OES) and certain digital service providers (DSPs), NIS 2 extends this coverage to a greater number of sectors and entities. The text thus establishes two new statuses: important entities (IE) and essential entities (EE).

Which companies are affected by NIS 2?

The status of essential entity is granted to companies:

  • with more than 250 employees,
  • with revenues exceeding €50 million,
  • with annual revenues exceeding €43 million.

The status of important entity applies to companies:

  • with 50 to 249 employees,
  • with revenues between €10 million and €49 million,
  • with annual revenues ranging from €10 million to €42 million.

Which sectors are covered by NIS 2?

  • Energy: electricity, gas, and oil
  • Air, rail, road, or sea transport
  • Banking and other financial services
  • Healthcare: hospitals, laboratories, and medical device manufacturers
  • Digital service providers, including online platforms, search engines, and cloud computing services
  • Digital infrastructure: DNS providers, data center services, and communication networks
  • Drinking water and wastewater management
  • Public services, including critical government agencies

Why such an extension of the scope? Because many sectors that were not covered by the original NIS Directive now play a critical role in society and the economy—and are therefore potential targets for cyber attackers.

#2 Strengthening risk management requirements

NIS 2 imposes stricter requirements for cyber risk management. The directive requires affected entities to adopt a proactive approach to identifying, assessing, and mitigating cybersecurity risks.

This includes the obligation to implement appropriate technical and organizational measures to manage risks at various levels.

  • Access management: Restrict access to sensitive systems and data to authorized individuals only.
  • Incident management: Implement robust processes to detect, report, and respond to cybersecurity incidents.
  • Vulnerability management: Ensure that information systems are regularly updated and protected against known vulnerabilities.
  • Business continuity: Develop and test business continuity plans (BCPs) to ensure resilience in the event of a cybersecurity incident.

#3 Reporting obligation

Another major innovation in NIS 2 is the introduction of stricter reporting requirements for cybersecurity incidents.

Entities covered by the directive must now report significant incidents to the competent authorities without undue delay—and in some cases, within 24 hours of becoming aware of the incident.

The information reported must include:

  • details about the nature of the incident,
  • its potential impact,
  • the measures taken to remedy the situation.

These reporting obligations aim to ensure that national authorities have an accurate overview of threats and incidents affecting their critical sectors, enabling a faster and more coordinated response.

#4 Capacity building and cooperation

NIS 2 also emphasizes strengthening cybersecurity capabilities at the national and European levels, as well as improving cooperation between Member States. And for good reason: in the face of cyber threats that do not respect national borders (at all), coordinating efforts is essential.

Member States must therefore:

  • establish competent national authorities to supervise the implementation of NIS 2;
  • strengthen the capabilities of their cybersecurity incident response teams (CSIRTs).

The directive also encourages the creation of single national contact points to facilitate communication and coordination in the event of a cyber crisis.

What impact(s) will this have on businesses and public administrations?

Strengthening internal controls

To comply with NIS 2 requirements, affected entities must strengthen their internal controls. This includes:

  • the implementation of robust cybersecurity policies and procedures;
  • the adoption of advanced security technologies;
  • ongoing staff training to ensure they are capable of responding to cyber threats.

Modified governance

NIS 2 also emphasizes the responsibility of executives in cybersecurity.

Boards of directors and senior management must be actively involved in cyber governance and ensure that risk management strategies are aligned with the requirements of the directive.

In the event of non-compliance, executives could be held liable: a good way to emphasize the need for effective cybersecurity governance.

New compliance costs

Compliance with NIS 2 can represent a significant budget for companies, particularly those that have not yet implemented sufficient cybersecurity measures. Such a budget includes:

  • the acquisition of new security technologies,
  • staff training,
  • the hiring of cybersecurity specialists,
  • the implementation of risk management processes.

However, let's not forget that these investments pay off, as they enable us to:

  • reduce the risk of cyberattacks;
  • limit financial losses related to incidents;
  • strengthen the confidence of customers and business partners.

Some implementation challenges

Publishing a text is all well and good, but it still needs to be implemented by the companies concerned. Don't panic: you still have time! The directive will be transposed into French national law in October 2024, and the list of entities concerned in each Member State will not be published until April 2025.

Although NIS 2 represents significant progress in the European cyber sector, its implementation poses significant challenges for businesses, public administrations, and even regulatory authorities.

The implementation of NIS 2 requires close coordination between a (very) large number of stakeholders: national authorities, businesses, service providers, etc. In this context, one of the main challenges is to harmonize cybersecurity practices across EU member states, while taking into account national differences in terms of legislation and capabilities. That's quite a task.

NIS 2 compliance also represents a major challenge for some companies, particularly SMEs, due to limited human and financial resources. They will therefore need to receive appropriate support, particularly through training programs, funding, or public-private partnerships.

NIS 2: what next?

Adapting to the evolving threat

Cyber threats continue to evolve rapidly, and cybercriminals are using increasingly sophisticated techniques to attack critical infrastructure. NIS 2 will therefore need to constantly adapt to stay up to date, in particular through:

  • regular updates to the directive;
  • the introduction of new security requirements;
  • strengthening international cooperation on cybersecurity.

Harmonization and international cooperation

NIS 2 aims to harmonize cybersecurity standards within the EU. However, cyber threats are often transnational, affecting both Member States and other countries around the world! It is therefore essential that the EU also collaborates with international organizations in order to share information, develop common standards, and coordinate responses to major incidents.

Building the future of cyber regulation

NIS 2 should help strengthen the resilience of critical infrastructure in Europe and increase confidence in the digital internal market by ensuring that citizens and businesses benefit from secure and reliable digital services. As a result, the directive could also serve as a model for other regions of the world facing similar cybersecurity challenges.

Great news: the NIS 2 framework is already available in Tenacy! While we wait for the directive to be transposed into French law, the Belgian transposition has been integrated into the tool... So you can start your NIS 2 compliance process right now, thanks to automated action plans tailored to your organizational context!