Why NIS2 is a revolution for your business
The NIS2 Directive, which Member States had to transpose into national law by 17 October 2024, lays down obligations for an estimated 30,000 French companies and local authorities. This European text marks a major turning point in the approach to cybersecurity, considerably extending the scope of the first NIS Directive, which in France concerned only around 300 critical entities (the operators of essential services).
For managers, CIOs (DSI) and CISOs (RSSI), understanding and anticipating this regulation has become indispensable. Beyond the legal obligations, NIS2 is an opportunity to structure your cybersecurity governance and strengthen your organization's resilience against growing threats.
NIS2 places cybersecurity governance at the centre: management bodies must approve the cyber risk management measures, oversee their implementation, and can be held liable for infringements.
What is the NIS2 Directive? Understanding the fundamentals
A major development of the regulatory framework
NIS 2 significantly strengthens the European cybersecurity framework by extending the scope of the NIS 1 Directive (Directive (EU) 2016/1148), adopted in 2016. The NIS 2 Directive (Network and Information Security, version 2, Directive (EU) 2022/2555) aims to harmonise and raise the level of cybersecurity across the Union. It was adopted on 14 December 2022 and published in the Official Journal of the EU on 27 December 2022.
NIS2's strategic objectives
The main objective is to encourage companies to increase their level of cybersecurity, representing a major change of scale compared to the previous NIS Directive. These developments are based on three fundamental pillars:
- Accountability of senior management: integration of cybersecurity into corporate governance
- European harmonisation: standardisation of security practices across the EU
- Extension of scope: inclusion of new sectors and medium-sized enterprises
Are you Covered by NIS2? Practical assessment guide
Eligibility criteria: sectors and sizes
Whether you are covered depends on two things: the sector you operate in (Annex I "high criticality" sectors or Annex II "other critical" sectors) and the size of your organisation. In the general case, only medium-sized enterprises (50 or more employees, or annual turnover above EUR 10 million) and large enterprises (250 or more employees, or turnover above EUR 50 million) are covered; small and micro enterprises fall outside the directive. There are exceptions to the size rule: certain providers are covered regardless of size, for example DNS service providers, TLD name registries, qualified trust service providers, public electronic communications providers, and entities designated by a Member State as the sole provider of a service essential to society.
Covered organisations are classified into two categories according to their criticality:
Essential Entities: large enterprises operating in the Annex I high-criticality sectors (energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration and space), together with entities already designated as operators of essential services (OSE) under NIS 1, regardless of their size.
Important Entities: medium-sized enterprises in the Annex I sectors, and medium and large enterprises in the Annex II sectors, such as food production and distribution, chemicals, manufacturing (including medical devices and pharmaceuticals), research organisations, postal services, waste management and digital providers.
New activity sectors included
The NIS 2 Directive applies to 18 sectors of activity: 11 high-criticality sectors in Annex I (including wastewater, which was not in NIS 1) and 7 other critical sectors in Annex II (including food production and chemical manufacturing). By the figures above, this extension represents roughly a 100-fold increase in the number of French entities covered compared to NIS 1.
Concrete obligations: What you need to implement
Mandatory cybersecurity measures
The NIS 2 Directive (Article 21) requires covered organisations to take appropriate and proportionate technical, operational and organisational measures, based on an all-hazards approach. The directive's own list includes risk analysis and information security policies, incident handling, business continuity and crisis management, supply chain security, security in the acquisition, development and maintenance of systems (including vulnerability handling and disclosure), policies to assess the effectiveness of the measures, cyber hygiene and training, cryptography and, where appropriate, encryption, human resources security, access control and asset management, and the use of multi-factor authentication and secured communications. In practice, these measures translate into:
Governance and IT Security Policy:
- Definition of a formalized IT security policy
- Implementation of a cybersecurity governance system
- Integration of cybersecurity into the business continuity plan
Cyber Risk Management:
- Regular cybersecurity audits
- Assessment of the organization’s cybersecurity maturity
- Implementation of a cybersecurity dashboard for management
Internal Security Control:
- Implementation of technical and organizational security controls
- Alignment with recognised standards such as ISO/IEC 27001 (the directive does not mandate certification, but a certified ISMS is a practical way to evidence the required measures)
- Periodic IT security review
Incident notification: new requirements
The directive (Article 23) imposes strict obligations regarding the notification of significant incidents, meaning incidents that cause or are capable of causing severe operational disruption or financial loss, or considerable damage to other persons. Covered organisations must notify their CSIRT or competent authority in three stages:
- Early warning within 24 hours of becoming aware of the incident, indicating whether it is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact
- Incident notification within 72 hours, updating the early warning with an initial assessment of severity and impact and, where available, indicators of compromise
- Final report within one month of the incident notification, with a detailed description, the type of threat or root cause, the mitigation measures applied and any cross-border impact (an intermediate report may be requested in the meantime)
- Ongoing incident tracking, so that the 24-hour clock can be met: the deadline runs from awareness of the incident, not from the end of the investigation
Supply Chain Responsibility
NIS 2 aims to strengthen supply chain security and reduce risks related to subcontractors. This involves:
- Enterprise IT audit extended to partners
- Reinforced cybersecurity contractual clauses
- Continuous third-party risk assessment
Cybersecurity Governance: The new role of leaders
Accountability of management bodies
The directive (Article 20) makes management bodies responsible for cybersecurity: they must approve the cyber risk management measures, oversee their implementation, and can be held liable for infringements. Members of management bodies are also required to follow cybersecurity training, and are encouraged to offer similar training to employees on a regular basis.
Leaders must now:
- Validate the cybersecurity strategy
- Allocate necessary budgets for security
- Ensure team training
- Supervise cybersecurity regulatory compliance
Integration with other regulations
NIS2 compliance fits alongside other regulatory and standards-based obligations:
- GDPR compliance audit: synergy between data protection and cybersecurity, notably on incident and breach notification
- ISO 27001 certification: alignment of security management processes
- ISO 27001 compliance: harmonisation of security controls
Transform obligation into strategic opportunity
The NIS2 Directive is much more than a regulatory constraint: it is an opportunity to modernise your approach to cybersecurity and strengthen your company's resilience. By structuring your cybersecurity governance, implementing IT governance best practices and adopting a proactive approach to regulatory compliance, you turn this obligation into a competitive advantage.
Anticipation and preparation are key. The earlier you act, the better you control compliance costs and timelines, while benefiting from stronger protection against cyber threats.