Chronicle NIS V2 - Episode 1

Introduction
The NIS V2 Directive was adopted on December 27, 2022, and published in the Official Journal. Its enforcement is fast approaching, as the directive will come into effect on October 17, 2024.
Companies, particularly those in critical sectors but not limited to them, need to prepare to meet a more demanding cybersecurity framework. However, instead of seeing this as a regulatory constraint, we could view this European directive as a real business opportunity! Indeed, it allows companies to structure their information systems security, enhance resilience against cyber threats, and establish long-term trust with internal stakeholders (business units, security teams, IT, and management) and external ones (customers, partners, and regulators).
Today, threats are increasingly numerous and sophisticated, and NIS V2 offers a clear framework to foresee and address them. For example, a particularly affected sector has been healthcare. According to the 2023 French cyber-malware report, 581 cybersecurity incidents were reported, with 50% being malicious in nature. Ransomware attacks increased by 10% compared to the previous year. Several healthcare facilities had to operate in degraded mode, sometimes for several days, directly impacting patient care. These vulnerabilities revealed the need for a thorough review of the regulatory framework, leading to the creation of NIS V2.
A look back at NIS V1: A solid foundation, but room for improvement
Adopted in 2018, the first NIS directive aimed to harmonize cybersecurity practices across the European Union. However, it quickly showed its limitations. Since there was no clear requirement framework, each country interpreted and implemented the directive differently, creating notable gaps in eligibility criteria, expected security levels, and company oversight methods. Additionally, during that time, the focus was more on the COVID-19 crisis.
NIS V2 was designed to further harmonize requirements across Europe, offering a more rigorous and coherent framework.
Which sectors are affected by NIS V2?
The scope of NIS V2 is broader than the first directive.
It distinguishes between two main categories of companies: essential entities and important entities.
Essential Entities (Highly Critical)
Essential entities include vital sectors such as:
Providers of electronic communication networks,
Public administrations,
Digital service providers,
And more!
Annex 1 of the NIS V2 Directive - Highly Critical Sectors
These companies must meet specific criteria: they have at least 250 employees, generate more than 50 million euros in revenue, or have an annual profit of at least 10 million euros.
Important entities (critical)
Important entities include strategic sectors such as transportation, energy, and digital infrastructure. They must have 50 or more employees and revenue exceeding 10 million euros, and they are listed in Annex 1 or 2 of the Directive. These companies are also subject to strict requirements, although the penalties for non-compliance are less severe than those for essential entities.
Annex 2 of the NIS V2 Directive - Critical Sectors
Summary of entities eligible for NIS V2
The table below summarizes the eligibility of entities for NIS V2:
NIS V2 eligibility summary
In practice, this means that many companies previously unaffected by NIS V1 will now need to comply with NIS V2 requirements.
If you are unsure about your eligibility, some regulatory authorities in EU member states provide online simulators to check your eligibility for NIS V2. For example, in France, the ANSSI offers such a tool: https://monespacenis2.cyber.gouv.fr/simulateur
What are the key measures to adopt?
Compliance with NIS V2 is based on several essential measures. These are not just about meeting regulatory requirements but also about strengthening the overall security of businesses.
Security policy
A clear, documented, and management-approved security policy must be implemented and continuously followed. This policy covers various security aspects, including access management, information protection, and incident response.
Risk analysis
Risk analysis is at the core of the compliance strategy. It's not just about listing potential threats. Each company must carefully assess the impact these threats could have on its operations.
A well-conducted risk analysis helps prioritize resources for critical areas and provides tangible elements for management to make informed decisions based on the company's strategy, stakeholders' expectations, and security challenges.
Incident management
Companies must be able to detect, report, and manage security incidents effectively. This management includes an obligation to notify the local control authority in case of a major incident:
Early reporting within 24 hours of detecting the incident,
Complete notification within 72 hours,
Final report to be submitted within 30 days.
Supply chain security
Securing the supply chain is another crucial element of NIS V2. Companies must ensure that their partners and suppliers also adhere to strict security standards. This includes incorporating security clauses in contracts and conducting regular checks to monitor risks related to subcontractors.
A weak link in the supply chain can expose the entire organization to attacks, so it’s essential to adopt a proactive approach to monitor these interactions.
Security hygiene
Adopting security hygiene practices helps reduce risks. This includes simple yet effective measures such as strict rules for using equipment and managing access.
Security awareness and training
Raising employee awareness and providing training are key to reducing human errors. Continuous training programs must be established to educate all levels, including management, about the importance of information security. Practical exercises also allow teams to test their response to incidents.
Strengthened authentication
Companies must enhance system access security with strong authentication mechanisms, such as multi-factor authentication (MFA).
Business continuity
A business continuity plan must be implemented to ensure operational resilience in the event of a major incident.
Compliance management
To effectively conduct risk analysis, evaluate the implementation of security policies, and ensure continuous improvement in security, it’s important to assess existing security practices. This exercise identifies gaps between the best practices recommended by NIS V2, the company's security policy, and the measures already in place. Continuous compliance monitoring ensures that security measures are effective and adapted to evolving threats.
It’s not just about ticking boxes to meet requirements, but creating a cybersecurity culture within the company where best practices are followed, adjusted, and constantly re-evaluated. This ongoing monitoring is essential to ensure that measures are not static but evolve with the technological landscape.
⇒ Note that the transposition of the NIS V2 Directive by the local control authority, in the form of a security framework, will specify the security requirements to be implemented.
The enhanced role of the local control authority and strengthened oversight
With NIS V2, the local control authority in each EU member state will play a strengthened role. It will now be able to conduct on-site or remote inspections to verify companies' compliance, even in the absence of a security incident. Essential entities will be subject to regular inspections, while important entities will be inspected in the event of an incident or report.
Local control authorities will also be responsible for reporting information to the European Commission, including statistical reports on incidents and company compliance. This approach will enable better coordination between member states and a faster response to emerging cyber threats.
Sanctions for non-compliance: Serious consequences
Non-compliance with NIS V2 leads to severe sanctions:
Fines of up to 10 million euros or 2% of global turnover for essential entities, and 7 million euros or 1.4% of turnover for important entities. These figures clearly illustrate the importance of taking a proactive approach to avoid financial and reputational risks.
Administrative sanctions such as:
Imposed remediation in case of non-compliance (with a set deadline),
Temporary or permanent suspension of certifications,
Temporary suspension of leadership responsibilities (for individuals),
Public disclosure of specific aspects of directive violations.
⇒ Note that the application details of the administrative sanctions mentioned, when transposed into local law, are not yet detailed to my knowledge.
Beyond sanctions, it’s also the company's reputation and the safety of users at stake. In 2023, 12% of incidents in the healthcare sector endangered patients' lives, demonstrating how crucial cybersecurity is, far beyond purely financial considerations.
Adopting a proactive compliance strategy, coupled with continuous improvement of security practices, is not only a way to avoid fines but also a way to show that the company is ready to face the digital challenges of tomorrow.
An opportunity to seize
NIS V2 goes beyond a simple legal obligation. It offers a unique opportunity for companies to better structure themselves, modernize security practices, enhance competitiveness, and improve their reputation to meet business expectations. In an environment where cyberattacks can seriously harm an organization’s image, complying with NIS V2 sends a clear message: the company takes security seriously and is capable of protecting critical data and systems.
Compliance with NIS V2 also strengthens the trust of customers and partners. In a market where security has become a key criterion, companies that can prove they meet strict standards stand out significantly from the competition.
While the penalties for non-compliance are severe, strict compliance can turn this obligation into a competitive advantage.
I'll see you soon for the next episode of the NIS V2 chronicle!
If you’d like to discuss how NIS 2 impacts your organization or have any questions about compliance, feel free to leave a comment or contact me!