Coming into force on January 16, 2023, many uncertainties remain regarding the transposition of the NIS 2 directive into French national law. However, one certainty is required with the introduction of financial sanctions for defaulting entities, which underlines the urgency for organizations to prepare for this new regulatory framework. We take stock.
Cybersecurity illustration showing technology symbols with a padlock representing data protection.
Background and need for the NIS 2 directive
Since 2016, the first version of the Network and Information Systems Security Directive (NIS) has strengthened the security of operators of essential services and digital service providers. However, the rapid evolution of technologies and threats has highlighted its limitations. To address these challenges, the European Union adopted a second version of the NIS Directive - Network and Information Systems Security Directive - in December 2022, namely NIS 2.
This provides for a period of 21 months for each EU ig database Member State to transpose the various regulatory requirements into national law . NIS 2 will therefore enter into force in France on 17 October 2024 at the latest . Some requirements will be applied directly and others should be subject to a compliance period.
This update aims to improve cooperation between Member States on the subject, to strengthen the resilience of critical infrastructures and to protect essential and digital services.
Where is France?
In the European framework, France has a maturity level of 3. It is therefore clearly legislatively advanced on this subject.
Map of Europe showing different levels of maturity in the transposition of draft laws, classified into 4 levels of maturity per country.
ANSSI has favored a participatory method that involves key players in the sector, including sectoral professional federations such as UFE (French Electricity Union), cybersecurity associations (CLUSIF, CESIN) and qualified service providers (PASSI, PRIS, PDIS, etc.).
Work to bring the transposition of NIS into line with that of the REC (Resilience of Critical Entities) is planned by the authorities in order to clarify the regulatory framework for organizations affected by the two laws.
Webinar
Cybersecurity: How to prevent cyberattacks on your website?
Watch the webinar
Main provisions of the NIS 2 Directive
In the NIS 1 Directive, Member States were responsible for individually nominating, within their national scope, the operators subject to the Directive. NIS 2 removes this designation mechanism in order to increase the resilience of all players in the same sector of activity.
Under NIS 2, an entity is deemed essential or important based on two criteria :
The size of the entity (number of employees, turnover, annual balance sheet);
The criticality of the sector of activity : to what type of entities do the activities carried out by the entity refer?
Table showing NIS2 criteria: entity size, number of employees, turnover, annual balance sheet, highly critical sectors and other critical sectors for different sizes of companies (intermediate and large, medium, micro and small).
Exceptions are provided for: NIS 2 allows Member States to include and exclude , if necessary, actors regardless of these two criteria (monopoly situation, essential cross-border service, service particularly critical for the Member State, etc.).
Impacts on businesses
As we have just seen, the NIS 2 directive is a game changer and now applies to many more companies than in the past. But which sectors do they belong to exactly? And above all, what do their new obligations consist of? Let's take a look together.
Who is affected by the NIS 2 directive?
The NIS 2 Directive distinguishes two categories of entities , regulated according to their level of criticality, the sector or type of service they provide, as well as their size: essential entities (EE) and important entities (EI) .
Illustration indicating “More than 10,000 entities concerned in 18 sectors”, with icons for local authorities, public administrations, medium and large companies.
These two categories cover a wide range of sectors. For example, essential entities include:
