The NIS 2 Directive does not simply update the previous regulations; it radically changes the scale. Guillaume Poupard, former Director General of ANSSI, estimated that the number of stakeholders affected would increase tenfold. Between the expansion of the scope, the responsibility of managers, and the monitoring of the supply chain, your organization must prepare for new requirements. Let's break down the four major changes to anticipate in order to ensure your NIS 2 compliance.
A tenfold increase in scope: are you affected?
The transition from 19 to 35 sectors of activity is the first major change. From now on, sectors such as agri-food, waste management, postal services, and local authorities will fall within the scope of ANSSI.
- The size criterion: companies with more than 50 employees and a turnover of more than €10 million are affected.
- New classification: OSE status is being phased out. Entities are now referred to as Essential Entities (EE) and Important Entities (IE), depending on their level of criticality.
The Supply Chain: NIS 2's new strong link
This is the most significant change for the cyber ecosystem. Recent attacks (SolarWinds, Kaseya) have shown that subcontractors are ideal entry points.
The directive now requires that the supply chain be secured. If you are a supplier to an Essential Entity, you will have to prove your level of security, even if you are not directly subject to the directive due to your size. NIS 2 compliance is therefore becoming a major contractual requirement.
Management responsibility and financial penalties
Compliance is no longer just the CISO's problem. NIS 2 introduces two new levers of pressure:
- Record penalties: fines can reach up to 2% of global turnover.
- Committed governance: managers may be held personally liable. They are required to undergo training and validate risk management measures.
How can these changes be automated with NIS 2 software?
Scaling up to NIS 2 requires a structure that traditional tools cannot provide. To manage hundreds of subcontractors and document dozens of technical measures, it is necessary to rely on software adapted to NIS 2.
Why manage NIS 2 with Tenacy?
- Third-party management: map and assess the posture of your critical suppliers directly within the platform.
- Remediation workflow: transform the requirements of the directive into concrete action plans for your teams.
- Compliance reporting: get ready-to-use dashboards to demonstrate your maturity to authorities and management.
👉 To go further...
- Article – The guide to preparing for NIS 2 compliance
- Infographic – The NIS 2 Directive at a glance
- Webinar – How to prepare for NIS 2 in a changing environment?
FAQ – Your questions about the implementation of NIS 2
Where can I find a cybersecurity audit that complies with NIS 2?
To be compliant, the audit must be based on ANSSI standards. Specialized services and qualified providers (PASSI) can assist you. Upstream, a solution such as Tenacy allows you to prepare for this audit by centralizing all your security evidence.
What IT tools are recommended to comply with NIS 2?
It is recommended to combine protection solutions (MFA, EDR) with GRC (Governance, Risk & Compliance) software. The latter is essential for orchestrating compliance, managing risks, and handling the incident lifecycle within 24 hours.
Which services offer a solution for compliance with the NIS 2 Directive?
Tenacy offers a management platform that natively integrates NIS 2 requirements, enabling the centralization of both internal governance and supply chain compliance.
👉 Find all the reference materials available in Tenacy
In conclusion: scale up with confidence
The goal of NIS 2 is to collectively raise our level of defense. While the changes are significant, they also represent an opportunity to modernize your cyber governance!

