NIS 2 Directive Explained : Our Comprehensive Overview and Guide
In 2023, nearly one out of every two businesses was the target of a successful cyberattack with “significant” consequences. It's not just large corporations that are being targeted anymore. Small and medium-sized enterprises (SMEs), local governments, and even hospitals are now in the crosshairs of cybercriminals. At Scalingo, we are on the front lines of this cybersecurity battle, and our teams work tirelessly to protect and alert our clients in case of intrusion attempts 🔐.
It is in this tense context that the European NIS2 directive was introduced. Designed to enhance digital security within the European Union, its aim is to strengthen the resilience and security of critical digital infrastructures across a multitude of sectors deemed essential or important.
But what does it actually entail? What are the new obligations? Who is affected? And most importantly, how can you prepare to meet these new requirements, whether with or without Scalingo? 🤔
What is the European NIS 2 Directive?
The NIS 2 Directive, or Network and Information Security Directive 2, represents a significant advancement in protecting digital infrastructures within the EU 🌐. Designed to bolster cybersecurity across Europe, the directive expands the scope of its predecessor, NIS1, by targeting new sectors and imposing stricter obligations (and penalties!) ⚖️.
✅ In France, the term "NIS" is commonly used, but you might also hear it referred to as the “SRI directive” for “Sécurité des Réseaux et des Systèmes d’Information” (Network and Information Systems Security).
Key Changes Introduced by NIS 2
The NIS 2 Directive brings several major developments:
- Expanded Scope: NIS 2 broadens the regulatory coverage to include more entities and sectors. In addition to Essential Service Operators, it now encompasses around twenty additional sectors, including Public Administration and a large part of the supply chain. In France, it is estimated that the number of affected companies could increase by 20 to 30 times compared to NIS 1, impacting thousands of entities, from public administrations and SMEs to major corporations in the CAC40. Overall, approximately 160,000 entities across Europe will be affected 🏢🌍.
- Stricter Obligations: The directive imposes more stringent requirements for cyber risk management and security incident notification 🚨. Organizations will need to implement robust and responsive cybersecurity measures to prevent and address cyber threats. We will discuss these requirements in more detail later.
- Responsabilité des dirigeants : Executive Responsibility: NIS 2 also introduces executive accountability for managing their organization's cybersecurity. Leadership bodies will be held personally responsible for implementing appropriate security measures and ensuring compliance with the new obligations 🔒.
- Penalties for Non-Compliance: With responsibilities come penalties. The directive now includes significant financial consequences for entities that fail to meet the requirements. Similar to GDPR, this includes fines proportional to the size of the company ⚖️. We will elaborate on this point later as well.
- Enhanced European Cooperation: Finally, NIS 2 promotes increased cooperation among EU member states to improve collective responses to cyber threats. This is its core purpose. It includes information sharing, coordinated actions, and the development of common strategies to strengthen European resilience against cyberattacks 💪🇪🇺.
Which Sectors are Affected?
A total of around twenty sectors are now targeted by NIS 2, each playing a vital role in our daily lives. The directive primarily aims to protect sectors where the security and availability of networks and information systems are crucial for society.
Highly Critical Sectors (or “Annex 1”)
- Energy ⚡
- Transport 🚚
- Banking 💰
- Financial Market Infrastructure 📈
- Healthcare 🏥
- Drinking Water 💧
- Wastewater 🚽
- Digital Infrastructure 💻
- IT Services Management 🛠️
- Public Administration 🏛️
- Space 🚀
Critical Sectors (or “Annex 2”)
- Postal and Courier Services 📬
- Waste Management 🗑️
- Manufacture, Production, and Distribution of Chemical Products 🧪
- Production, Processing, and Distribution of Food Products 🍞
- Manufacturing (medical devices, IT, electronics and optical products, machinery, motor vehicles, trailers and semi-trailers, other transport equipment, etc.) 🏭
- Digital Providers 💻
- Research 🔬
Entities within these two sectors are then categorized based on their "criticality" as well as their size in terms of the number of employees and revenue:
| Entity Size | Number of Employees | Revenue (in million €) | Annual Balance Sheet (in million €) | Highly Critical Sectors | Other Critical Sectors |
|---|---|---|---|---|---|
| Intermediate and Large | ≥ 250 | ≥ 50 | Z ≥ 43 | Essential Entities | Important Entities |
| Medium | 50 ≥ X ≥ 250 | 10 ≥ Y > 50 | 10 ≥ Z > 43 | Important Entities | Important Entities |
| Micro and Small | <50 | Y <10 | Z<10 | Not concerned | Not concerned |
This distinction allows legislators to use a proportionality mechanism and adjust regulatory requirements (and imposed penalties) based on the risks involved and the human and financial resources each entity possesses.
💡 Note: Some entities, even if they do not meet these criteria, could be included based on a national risk assessment. Others may be excluded for reasons of national security and defense.
💡 This size criteria does not apply to the following entities, which are affected regardless of their size:
- Providers of public or publicly accessible electronic communications networks or services
- Trust service providers
- Top-level domain name registry operators and domain name system service providers.
In Summary, How Do I Know if My Company is Affected by NIS 2?
To determine if your company is affected by NIS 2, here are a few key points to consider:
- Generally, medium, intermediate, or large entities operating in the previously mentioned sectors will be subject to this regulation.
- In France, the criteria for determining the size of an entity are as follows:
- A number of employees greater than or equal to 50 📊
- An annual turnover or balance sheet total greater than or equal to 10 million euros 💰
The government has also implemented a simulator to help assess your company's status: Government Simulator
Please note that the results of the test are strictly indicative and subject to further confirmation, pending the final adoption of the legislative and regulatory texts transposing the NIS 2 directive. Additional details will be provided for companies still uncertain about their status.
In the meantime, as we constantly emphasize, early preparation will be beneficial for all French companies, whether undertaken as a precaution or with certainty 😉.
Has the NIS 2 Directive come into force in France?
The NIS 2 Directive was officially published on December 27, 2022, in the Official Journal of the European Union. In accordance with the provisions of the directive, each member state was given a 21-month deadline to transpose these regulatory requirements into its national law.
Thus, the draft law dedicated to transposing NIS 2 into French national law was supposed to come into effect no later than October 17, 2024. However, due to delays, particularly caused by the dissolution of the National Assembly last June, the text has not yet been reviewed and voted on by Parliament. Therefore, it is the original version of the NIS 2 Directive that comes into force in France as of today.
Vincent Strubel, Director of ANSSI, reassures businesses and local authorities by granting them a three-year period to fully comply, although certain requirements will be enforced before this deadline.
It is therefore crucial for companies to start preparing now to ensure a gradual compliance with the new NIS 2 requirements. 📆
To assist with this, the French government has created a dedicated page with answers to frequently asked questions. This page is regularly updated to provide all necessary new information. You can check it out here: : Directive NIS 2 - French Government
What Will the New Obligations for Regulated Entities Be?
While some details are still being finalized, three main areas structure these new requirements:
- Security measures and compliance areas,
- Requirement for notification, contact, and reporting of major Incidents
- Penalties for Non-Compliance
Let’s explore each of these aspects in detail to better anticipate the upcoming changes!
1. Security Measures and Targeted Compliance Areas
Articles 20 to 21.2.j of EU Directive 2022/2555 outline in detail the organizational and technical measures expected. These measures cover a broad spectrum of cybersecurity, including risk management governance, data encryption, and business continuity…
The main compliance areas include:
- Risk Analysis: Regularly identify, analyze, and assess potential risks to the security of your information systems. 🛡️
- Security Policy: Develop and maintain an information security policy tailored to identified risks. 🔒
- Incident Management: Establish processes to detect, report, and promptly respond to security incidents. 🚨
- Crisis Management: Prepare detailed plans to manage crises caused by cyberattacks or other major incidents. 🌐
- Data Backup and Recovery Protocol: Implement regular and secure backup solutions for critical data, with restoration plans in case of loss or corruption. 💾
- Business Continuity and Recovery Plan: Develop plans to ensure operational continuity and rapid recovery after an incident. ⏱️
- Supply Chain Security: Ensure the security of interactions with suppliers and partners. 🛡️
- Data Encryption: Implement measures to protect sensitive data through encryption. 🔐
- Rights and Access Control: Manage access rights to information and systems based on user needs. Use strong authentication mechanisms to verify user identities. 🤖
- Asset Management: Maintain an accurate and up-to-date inventory of IT assets to ensure their adequate protection. 📋
- Communication Security: Ensure the security of internal and external communications. 📡
- HR Management: Implement recruitment, training, and employee management processes that consider security aspects. 👨💼
2. Obligation for Notification, Contact, and Reporting of Major Incidents
To ensure full compliance with the NIS 2 directive, companies must also adhere to a series of procedures regarding notification, contact, and reporting of major incidents.
- Companies and entities covered by the NIS 2 directive will be required to register with ANSSI (French National Agency for the Security of Information Systems). The agency will establish an online notification mechanism to streamline this process.
- They must also provide contact and company identification information, which must be kept up to date at all times.
- In the event of a major incident, a report must automatically be submitted to ANSSI (via regional CSIRTs - Computer Security Incident Response Teams).
💡 What is the ANSSI’s role? In France, the ANSSI (National Agency for the Security of Information Systems) will oversee the implementation of measures under the NIS 2 directive. As a key player in national cybersecurity, the ANSSI already coordinates strategies for preventing and responding to cyber crises at the national level. It is also a member of the Cyber Crisis Liaison Organisation Network, which brings together major stakeholders in cybersecurity and cyber crisis management across Europe.
Severe Consequences for Non-Compliance
During audits, you must be able to document and demonstrate your organization's compliance with protection measures. This underscores the importance of ensuring all executive bodies are aware.
Failure to achieve compliance or inadequate adoption of security measures can result in significant penalties. Financially, a company may face fines of up to 10 million euros or 2% of its total annual turnover.
What Does the Proportionality Rule in NIS 2 Directive Mean?
The proportionality rule applied to the NIS 2 directive aims to adjust regulatory requirements based on the criticality of sectors and the size of the entities involved. Essentially, this means that not all entities will be subject to the same obligations.
The distinction is primarily between entities classified as "essential" (EEs) and "important" entities (EIs). This differentiation can affect:
- Security Measures: There may be different requirements between EEs and EIs, considering the resources and stakes of large companies versus SMEs.
-
Audits Conducted:
- For EEs: Controls may be ex-ante (beforehand) or at the discretion of ANSSI.
- For EIs: Controls are more likely to be ex-post (after the fact),
-
Sanctions: These will generally align with those applied under GDPR:
- For EE: Up to 2% of global annual turnover.
- For EI: Up to 1.4% of global annual turnover.
This approach ensures a fair and balanced adaptation of requirements, taking into account both the importance of sectors and the capacity of entities to comply. This framework is specific to France. 🎯
NIS 2: Three Essential Resources to Start Preparing Right Away
While the NIS 2 directive is set to take effect in France by October 2024, preparing for upcoming changes now is crucial. Some measures required by this directive will demand significant time and investments to be fully implemented.
What can you do right now?
- Read the European NIS 2 Directive : Begin by familiarizing yourself with the content of the directive, especially Articles 20 and 21. By studying the original directive articles, you can anticipate the key cybersecurity measures to implement, both organizationally and technically.
- Study the ISO 27001 standard : In France, the ISO 27001 standard is renowned for its best practices in information security management. This standard can provide a solid framework to structure your compliance efforts with NIS 2, particularly in terms of risk management and security policy implementation.
- Consult the ANSSI’s IT Hygiene Guide : This practical guide offers recommendations to enhance the security of your information systems. It covers various cybersecurity aspects such as access management, data protection, and secure communications.
Based on these resources, you can identify specific risks relevant to your organization and determine which compliance areas should be prioritized for addressing first.
✅ Are NIS 2 and ISO 27001 Equivalent?
While the ISO 27001 certification provides a strong foundation for NIS 2 compliance, they are not equivalent. ISO 27001 is an international standard for information security management, whereas NIS 2 is a European Union directive specifically focused on cybersecurity for important and essential sectors. NIS 2 includes specific aspects of network and information security, incident reporting obligations, and cooperation requirements during cyber crises.
How Scalingo’s PaaS Can Help You Comply with NIS 2
When it comes to complying with the NIS 2 directive, choosing your service providers is crucial, especially regarding hosting and protecting your data and applications. Opting for a reliable and certified partner like Scalingo is essential to ensure compliance with security standards and safeguard sensitive data.
✅ Integrated Security and Continuous Updates : Scalingo provides an infrastructure where security is integrated from the outset. The platform ensures all critical components are regularly updated, minimizing risks from vulnerabilities due to outdated software. This includes regular security updates and patch management, crucial for meeting NIS 2 requirements on vulnerability management.
✅ Compliance with Standards and Certifications : Scalingo adheres to recognized security standards such as ISO 27001, aligning with NIS 2 expectations. Using a platform that is already certified greatly simplifies the compliance process, as many regulatory requirements are covered by the platform. Scalingo also holds HDS certification.
✅ Business Continuity and Disaster Recovery : Scalingo integrates data backup and recovery features, ensuring business continuity and quick recovery in case of incidents. The platform facilitates the implementation of disaster recovery strategies, as per Article 21.2.c of NIS 2.
✅ Support et expertise en cybersécurité : Using Scalingo also means benefiting from the support of a cybersecurity-savvy team. This includes guidance on implementing best security practices and swift incident response, in line with Article 21.2.e of NIS 2.
By leveraging Scalingo's capabilities and certifications, organizations can enhance their readiness for NIS 2 compliance, ensuring robust cybersecurity measures are in place to protect against evolving threats.
Key takeaways
- The NIS 2 directive aims to strengthen the original NIS directive adopted in 2016. This European directive will come into effect in October 2024 in France. It focuses on cybersecurity, data protection, and information system security across several essential and critical sectors.
- Unlike NIS 1, NIS 2 includes sanctions for non-compliance by businesses, enforced in France by ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information).
- Opting for a secure cloud provider such as Scalingo can already help meet some requirements of this new directive.
