In about 9 months, more than 150,000 entities across Europe, from a wide range of industries, will be required to comply with strong cybersecurity requirements. The aim of this directive, known as NIS 2, is to ensure the resilience of essential services and prevent security incidents that could have a major impact on the economy and society in the European Union. To do this, boards of directors in particular will be directly involved and made responsible for cyber governance. Failing that, they face administrative fines (which can range between 1.4% and 2% of the global turnover of the entity concerned) or even criminal sanctions. Given the structural issues at stake in this imminent regulation, we invite stakeholders to take ownership of these requirements and prepare their organization to comply with them. EGERIE’s team is here to support you in this journey through our platform, which allows you to meet the objectives of NIS 2.

The European directive known as “NIS 2”, on measures for a high common level of cybersecurity across the Union, was published in December 2022 and must be transposed and implemented in all Member States by 17 October 2024 at the latest.

These new rules require a high level of cybersecurity to be built into the information systems of critical and sensitive infrastructures in the countries of the Union. In France, a bill to transpose the directive is expected in Parliament in spring 2024, following the consultations run by ANSSI, to which EGERIE, among others, has contributed.

The NIS 2 directive repeals the NIS 1 directive, in force since 2018. The European Commission decided to reinforce the ambition of this text, notably given how the threat has evolved over the last 6 years (in connection with the increased interconnection and dependence of our society and economy on the digital world) and the heterogeneous application of NIS 1 obligations across the Member States.

NIS 2 represents a significant change of scale with an extended scope of application: from 300 entities designated as “essential service operators” in France in accordance with NIS 1, to an expected estimate of around 10,000 to 15,000 regulated entities in France and at least 150,000 entities across the EU.

The organizations (public and private) concerned, known as essential entities and important entities, are those that meet two cumulative criteria:

– The size of the organisation: this applies to medium-sized organisations, i.e. organisations with at least 50 employees and an annual turnover of at least €10 million, as well as to intermediate-sized or large organisations with more than 250 employees and a turnover of more than €50 million.

Please note: for the financial sector, the European DORA regulation will apply first. For the transport (aviation, maritime, etc.) and energy sectors, NIS 2 will complement existing sectoral legislation.

Essential Entities (EEs) include intermediate-sized and large-sized entities in sectors of high criticality. Important Entities (IEs) are (i) medium-sized entities whatever the sector operated (among the 18 referred to in the annexes) and (ii) intermediate-sized or large-sized entities operating in a sector classified as highly critical.

The scope of NIS 2 can be summarized as follows:

The NIS 2 directive is more prescriptive than the previous one and includes enhanced security requirements. Relevant entities must take proportionate technical, operational and organisational measures to protect networks and information systems and their physical environment from incidents. This includes regular identification and assessment of cyber risks.

The types of security measures are detailed in Article 21 of the directive and include the following:

Further details may be provided by the European Commission by October 2024 through the publication of an implementing act. In the meantime, and to get prepared before the transposition, it is recommended to look at the reference document (available here) that was drawn up in the context of NIS 1 and which can only be further enriched. These measures refer to the following pillars:

• Governance of network and information systems security (NIS)

• NIS protection

• NIS defence

• Business resilience

This can only be achieved through agile and effective risk management.

NIS 2 also requires entities to notify significant cybersecurity incidents within prescribed deadlines to the CSIRT (alert within 24 hours and detailed notification within 72 hours).

Finally, NIS 2 raises the bar on cyber issues for all economic actors throughout the supply chain, with EEs and IEs being responsible for the level of protection of their suppliers and service providers.

These new rules imply greater accountability for regulated entities. As such, while the “essential service operators” were previously designated, essential and important entities will now be required to declare themselves as such to the competent authorities (the ANSSI in France).

Management teams and boards of directors will also be directly involved and given greater responsibility: in particular, they must approve cybersecurity risk management measures and oversee their implementation, and ensure that management as well as employees receive training on risk management practices.

In addition, the sanctions regime provided for by NIS 2 is intended to be a deterrent: administrative fines range between 2% and 1.4% of worldwide turnover (depending on whether it is an essential or important entity), and managers may incur criminal liability in the event of repeated violations of cybersecurity requirements.

This new approach to accountability should be seen as an opportunity to focus on the assessment and reporting of cyber risk, and on investment decisions, in order to achieve cybersecurity outcomes.

The EGERIE platform directly addresses Articles 20 and 21 of the NIS 2 Directive, which respectively provide for the establishment of genuine cybersecurity governance, and for the implementation of a risk analysis and of procedures to assess the effectiveness of cyber risk management measures.

The regulatory corpus reflects an evolution from a pure compliance approach to a more global approach, and specifically a risk-based governance approach. This vision is fully in line with that of the EGERIE platform, which allows you to set up and manage your cybersecurity strategy, including continuous cyber risk analysis:

In the context of NIS 2 compliance, the EGERIE platform’s main benefits include the following:

– a tool for modelling and financial quantification of cyber risk, to raise awareness and accountability among senior management;

– a consolidated view of risks (within a geographical or functional scope) to support decision-making;

– a complete mapping of the risks and associated measures, allowing you to identify the most effective security solutions and thus control your level of exposure and optimize your security budgets.