To do this, Board of Directors will be directly involved and made responsible in terms of cyber governance. Failing that, they are at risk of administrative fines (which can range between 1.4% and 2% of the global turnover of the entity concerned) or even criminal sanctions. Given the structuring issues at stake contained in this imminent regulation, we invite stakeholders to take ownership of these requirements and prepare their organization to comply with them. EGERIE’s team is here to support you in this journey through our platform, which allows you to meet the objectives of NIS2.
NIS2 at a glance
The European directive known as « NIS2 » on measures for a high common level of cybersecurity across the Union, has been published in December 2022 and has to be transposed and implemented within all the Member States by 17th October 2024 at the latest.
These new rules require a high level of cybersecurity to be taken into account for the information systems of critical and sensitive infrastructures in the countries of the Union. In France, a bill is expected in Parliament in spring 2024 to transpose the directive, following the consultations ran by ANSSI, to which EGERIE among others has contributed.
The NIS2 directive repeals the NIS1 directive which has been in force since 2018. The European Commission has decided to reinforce the ambition of this text, given notably the evolution of the threat these last 6 years (in connection with the increased interconnection and dependence of our society and economy on the digital world) and the heterogeneous application of NIS1 obligations in the Member States.
Who is in the scope of NIS2 ?
NIS2 represents a significant change of scale with an extended scope of application: from 300 entities designated as "essential service operators" in France in accordance with NIS1, to an expected estimate of around 10,000 to 15,000 regulated entities in France and at least 150,000 entities across the EU.
The organizations (public and private) concerned (known as essential entities and important entities) are those that meet two criteria that are cumulative :
The size of the organisation: this applies to medium-sized organisations, i.e. organisations with at least 50 employees and an annual turnover of at least €10 million, as well as intermediate or large organisations with more than 250 employees and a turnover of more than €50 million.
Its industry:
Whether the entity falls under one of the sectors of high criticality (as listed in the annex 1 of the directive):
Energy
Transport
Banking
Financial market infrastructures
Health
Drinking water
Waste water
Digital infrastructure
ICT service management (B2B)
Public administration
Space
or as other critical sectors (as listed in the annex 2 of the directive):
Postal and courier services
Waste management
Manufacture, production and distribution of chemicals
Production, processing and distribution of food
Manufacturing including electrical equipment or motor vehicles
Digital providers
Research
Please note: for the financial sector, the European DORA regulation will apply first. For the transport (aviation, maritime, etc.) and energy sectors, NIS2 will complement existing sectoral legislation.
Essential Entities (EEs) include intermediate-sized and large-sized entities in sectors of high criticality. Important Entities (IE) are (i) medium-sized entities whatever the sector operated (among the 18 referred to in the annexes) and (ii) intermediate-sized or large-sized entities operating in a sector classified as highly critical.
Which are the requirements from NIS2?
The NIS2 directive is more prescriptive than the previous one and includes enhanced security requirements. Relevant entities must take proportionate technical, operational and organisational measures to protect networks and information systems and their physical environment from incidents. This includes regular identification and assessment of cyber risks.
The types of security measures are detailed in the article 21 of the directive and include the following :
policies on risk analysis and information system security
policies and procedures assessing the effectiveness of cybersecurity risk-management measures
incident handling (prevention, detection and response)
crisis management & business continuity
supply chain security
security in network and information systems development and maintenance
cyber hygiene & cybersecurity training
policies and procedures for the use of cryptography & encryption
HR security, access control policies and asset management
use of multi-factor or continuous authentication solutions
Further details may be provided by the European Commission by October 2024 through the publication of an implementing act. In the meantime and to get prepared before the transposition, it is recommended to look at the reference document (available here) that was planned in the context of NIS1 and which can only be enriched. These measures refer to the following pillars:
Governance of network and information systems security (NIS)
NIS protection
NIS defence
Business resilience
This can only be achieved through agile and effective risk management.
NIS2 also requires entities to notify significant cybersecurity incidents within prescribed deadlines to the CSIRT (alert within 24 hours and detailed notification within 72 hours).
Finally, NIS2 leads to a move upmarket on cyber issues for all economic actors throughout the supply chain, with EE and IE being responsible for the level of protection of their suppliers and service providers.
Which impact on the organisations?
These new rules imply greater accountability for regulated entities. As such, while the "essential service operators" were previously designated, essential and important entities will now be required to declare themselves as such to the competent authorities (the ANSSI in France).
Management teams and boards of directors will also get directly involved and more empowered: in particular, they must approve cybersecurity risk management measures and oversee their implementation, as well as provide training to management as well as employees on risk management practices.
In addition, the sanctions regime provided for by NIS2 is intended to be a deterrent: administrative fines range between 2% and 1.4% of worldwide turnover (depending on whether it is an essential or important entity) and the criminal liability of managers can be engaged in the event of frequent violations of cybersecurity requirements.
This new approach to accountability should be seen as an opportunity to focus on the assessment, reporting and decision making regarding investments, in order to achieve cybersecurity outcomes.
How can EGERIE help towards NIS2 compliance?
The EGERIE platform directly addresses the Articles 20 and 21 of the NIS2 Directive, which respectively provide for the establishment of a real cybersecurity governance, as well as the implementation of a risk analysis and procedures to assess the effectiveness of cyber risk management measures.
The regulatory corpus reflects an evolution from a pure compliance approach to a more global approach, and specifically a risk-based governance approach. This vision is fully in line with that of EGERIE platform. It allows you to set up and manage your cybersecurity strategy, including continuous cyber risk analysis :
Work as part of a team on risk analyses and reach out to the business teams of each department through security forms to audit your security measures internally and externally with your third parties.
Bring more precision in the consideration of critical risks that could have a significant impact on your organization.
Take into account your specificities, your own assets as opposed to "typical or generic" assets.
Help demonstrate the value and return on investments of cyber investments for risk mitigation.
Make more informed decisions about risks and prioritize actions and risk mitigation measures.
Be considered as a business enabler, as the risk-based approach addresses the most critical risks and threats that have the potential to disrupt revenue-generating activities, which are your company's asset.
In the context of NIS2 compliance, EGERIE platform’s main benefits include the following :
A tool for modelling and financial quantification of cyber risk to raise awareness and accountability among senior management.
A consolidated view of risks (within a geographical or functional scope) to support decision-making.
A complete mapping of the risks and associated measures, allowing you to identify the most effective security solutions and thus control your level of exposure and optimize your security budgets.
