The NIS Directive is the first European legislative act dedicated to cybersecurity. Faced with a succession of upheavals in the economic and security context of the member countries of the European Union, the current directive is evolving to respond to these new challenges. What does the reform in this new version consist of? How will this directive be transposed into French legislation? Are you concerned by the requirements relating to the security of networks and information systems? In this article, we decipher the upcoming changes.
The NIS directive: reminder of the first European law on cybersecurity
The Network and Information Security (NIS) directive is a directive relating to the security of networks and information systems. Adopted in 2016 by the European Parliament, this directive aims to raise the level of cybersecurity of essential organizations whose interruption would significantly impact the functioning of the country and its citizens. Designed as a legislative shield, this text aims to increase collaboration and the sharing of information between the Member States of the European Union through the CERTs. All of this is part of building a strong Europe in the face of increasing cyber attacks.
To apply in each Member State, this directive is transposed nationally. The notion of Essential Service Operators (OSE) emerges and allows each country to establish a list of critical sectors. The companies concerned belong in particular to the energy, transport, banking, insurance, food, water and health sectors, or even administrations… In this first version, OSE-categorized companies and digital service providers (DSPs) are subject to high network and information systems security (SSI) requirements.
The necessary evolution towards a directive adapted to current issues
But the challenges that our organizations currently face are no longer those of 2016: an increase in cyber threats and the professionalization of attacker groups, rising social tensions (energy crisis, climate upheaval, war at the gates of Europe, etc.), and increased digitalization whatever the sector of activity… Faced with this new security context, Europe had to revise this directive to strengthen its level of cybersecurity.
Supported during the French Presidency of the European Union (PFEU), the revision of the NIS directive was the subject of a political agreement between the Commission, the Parliament and the European Council in May 2022. The objective of the NIS 2 directive, as was the case in its initial version, is to raise the level of cybersecurity of European organizations, while harmonizing the rules and obligations between players regardless of the size of the company.
The major changes brought about by the NIS 2 directive
While the new version of the directive has not yet been adopted, it is already raising many questions. Who will be affected by this new directive? What changes are expected? What actions can be anticipated within your organization? What are the risks of non-compliance? Detailed answers in 4 points!
A wider scope of organizations concerned
In addition to the sectors described a little earlier in this article, the list is enriched and goes from 19 to 35 sectors concerned by the NIS 2 directive. Postal services, the agri-food sector, the production and distribution of chemical products and waste management appear in the list of sectors concerned. Local authorities will now also be affected by the revision of this directive. Other criteria such as the size of the company and its turnover will be taken into account. Companies with more than 50 employees and a turnover of more than one million euros would be affected by the new directive.
Thus, Guillaume Poupard, Director General of ANSSI, estimates that the number of stakeholders concerned will be multiplied by 10! During his opening speech at the Security Conference in Monaco in October 2022, he insisted on the need to “change scale to collectively raise the level of cybersecurity” and took as an example the lever represented by the NIS 2 directive. For his part, Pierre Dartout, the Minister of State of the Principality of Monaco, recalled the importance of demanding a higher level of cybersecurity: “Cybercriminal groups attack poorly armed intermediary companies and also essential services. We need to raise awareness, help secure information systems and maintain efficient infrastructures over time.”
Subcontractors, suppliers and service providers working for an infrastructure listed above will have to comply with the requirements of NIS 2. Indeed, supply chain actors are a gateway of choice for cyber attackers. Consider SolarWinds in 2020, Codecov in April 2021 and Kaseya in July 2021: these attacks, which affected the customers of these vendors, demonstrate that the software supply chain has become a weak link in the cybersecurity of end customers.
In recent months the number of supply chain attacks has continued to grow, and it is becoming unavoidable to demand the same level of cybersecurity from everyone. The NIS 2 directive should correct this oversight.
The creation of two typologies of actors: essential entity and important entity
The NIS directive led to the creation of the OSE status, conceived as an extension of the OIV (Operators of Vital Importance) status introduced by the Military Programming Law of 2013. With the future adoption of the NIS 2 directive, this status will disappear in favor of so-called essential entities (EE) and important entities (EI). The distinction will be made according to the degree of criticality in the event of an operational shutdown, the sector concerned and the size of the company. For the moment, categorization will be done by self-designation: the company itself declares which category it falls into.
What does a company concerned risk if it does not comply with the requirements described by this European directive? On this point, the directive provides for fines that can range from 1.4% to 2% of the company’s turnover! But that’s not all: the European Commission also indicates that it wants to hold managers accountable. Enough to shake things up.
In conclusion, this new version aims to respond to the numerous cyberattacks that have targeted subcontracting chains. With an expansion of the sectors and organizations concerned and an increase in information system security requirements, a harmonization of the overall level of cybersecurity should naturally emerge. The timetable announced by the national information systems security agency (ANSSI) provides for validation of the directive by the end of 2022. Then, transposition into French law (as well as in each Member State) will make the directive applicable in the first half of 2024. It now remains to monitor developments and to look past the announcement effects in order to translate them into real requirements.