The NIS Directive is the first piece of European legislation dedicated to cybersecurity. Faced with a succession of upheavals in the economic and security context of European Union member countries, the current directive is evolving to meet these new challenges. What does this new version entail? How will the directive be transposed into French law? Are you concerned by the requirements for network and information system security? Let's decipher the upcoming changes in this article.
The NIS Directive: a reminder of Europe's first cybersecurity law
Known in France as SRI, the Network and Information Security (NIS) Directive is a directive concerning the security of networks and information systems. Adopted in 2016 by the European Parliament, this directive aims to raise the level of cybersecurity of critical organizations whose disruption would significantly impact the functioning of the country and its citizens. Conceived as a legislative shield, the text aims to increase collaboration and information sharing between EU member states through their CERTs (Computer Emergency Response Teams). This is all part of the drive to build a strong Europe in the face of the growing number of cyber-attacks.
To apply in each member state, this directive is transposed into national law. The concept of Essential Service Operators (ESOs) was introduced, enabling each country to draw up a list of critical sectors. The companies concerned include those in the energy, transport, banking, insurance, food, water, healthcare and public administration sectors, among others. In this first version, companies categorized as ESOs and digital service providers (DSPs) are subject to stringent network and information system security (ISS) requirements.
The need for a directive tailored to today's challenges
But the challenges facing our organizations today are not the same as they were in 2016. The proliferation of cyber threats and the professionalization of attacker groups, increased social tensions (energy crisis, climate change, war on Europe's doorstep) and increased digitalization across all business sectors have all changed the picture. Faced with this new security context, Europe needed to revise the directive to strengthen its level of cybersecurity.
Supported during the French Presidency of the European Union (FPEU), the revision of the NIS Directive was the subject of a political agreement between the Commission, Parliament and European Council in May 2022. The aim of the NIS 2 directive, as was the case in its initial version, is to raise the level of cybersecurity for European organizations, while harmonizing rules and obligations between players, whatever the size of the company.
The major changes brought about by the NIS 2 directive
Although the new version of the directive has not yet been adopted, it is already raising many questions. Who will be affected by the new directive? What changes are to be expected? What actions can your organization take in anticipation? What are the risks of non-compliance? Here's a detailed 4-point answer!
A wider range of organizations concerned
In addition to the sectors described earlier in this article, the list of sectors covered by the NIS 2 directive has been extended from 19 to 35. Postal services, the agri-food sector, the production and distribution of chemical products and waste management have all been added to the list of sectors concerned. The revised directive will also apply to public institutions. Other criteria, such as company size and turnover, will also be taken into account. Companies with over 50 employees and sales in excess of one million euros will be covered by the new directive.
Guillaume Poupard, Director General of ANSSI, estimates that the number of players involved will increase tenfold! In his speech at the opening of the Assises de la Sécurité conference in Monaco in October 2022, he stressed the need to "change scale to collectively raise the level of cybersecurity" and cited the NIS 2 directive as an example. For his part, Pierre Dartout, Minister of State of the Principality of Monaco, stressed the importance of demanding higher levels of cybersecurity: "Cybercriminal groups are attacking intermediate companies that are not well armed, and also essential services. We need to raise awareness, help secure IS and maintain high-performance infrastructures over the long term."
Subcontractors, suppliers and service providers working for an infrastructure listed above will have to comply with NIS 2 requirements. Indeed, supply chain players are a prime entry point for cyber-attackers. Take SolarWinds in 2020, Codecov in April 2021 and Kaseya in July 2021. These attacks, which affected the customers of these publishers, demonstrate that the software supply chain has become a weak link in end-customer cybersecurity.
In recent months, the number of supply chain attacks has kept growing, and it is becoming unavoidable to demand the same level of cybersecurity from all players. The NIS 2 directive should correct this oversight.
The creation of two types of player: essential entity and important entity
The NIS directive had led to the creation of the ESO status (OSE in French), conceived as an extension of the OIV (Opérateurs d'Importance Vitale, operators of vital importance) status established by the 2013 Military Programming Law. With the forthcoming adoption of the NIS 2 directive, this status will disappear in favor of so-called essential entities (EE) and important entities (IE). The distinction will be made according to the degree of criticality in the event of a shutdown, depending on the sector concerned and the size of the company. For the time being, categorization will be based on self-designation by the company itself.
What does a company risk if it fails to comply with the requirements set out in this European directive? On this point, the directive provides for fines ranging from 1.4% to 2% of the company's sales! But that's not all: the European Commission has also indicated that it intends to hold company directors liable. Enough to get the ball rolling.
In conclusion, this new version aims to respond to the numerous cyber-attacks that have targeted subcontracting chains. With a broadening of the sectors and organizations concerned, and an increase in information systems security requirements, a harmonization of overall cybersecurity levels should follow naturally. The timetable announced by the French national agency for information systems security (ANSSI) calls for validation of the directive by the end of 2022. After that, transposition into French law (and into the law of each Member State) will make the directive applicable in the first half of 2024. All that remains now is to monitor developments and decipher the effects of announcements to translate them into real requirements.