Faced with the constant rise in cyber threats, the European Union is strengthening its regulatory arsenal with the NIS 2 Directive. This new regulation, which succeeds the first directive on the security of network and information systems (NIS), significantly extends cybersecurity obligations for a wide range of organizations deemed essential or important for the European economy and society. In a world where digital transformation is accelerating, understanding and complying with these new requirements has become a strategic priority for the affected businesses.
The NIS 2 Directive continues European efforts to create a safer and more resilient digital environment, complementing other regulations such as the GDPR. As cyberattacks become increasingly sophisticated and their impacts intensify, the new directive requires organizations to adopt a proactive approach to managing cyber risks.
Why was the NIS 2 Directive adopted?
The evolving context of cyber threats
The digital transition accelerated by the COVID-19 pandemic has significantly altered the landscape of IT risks. Companies had to quickly adapt their infrastructures to enable remote work, sometimes opening the door to new vulnerabilities. At the same time, cyberattacks have become more sophisticated, now targeting critical infrastructures with potentially devastating consequences.
Faced with this reality, the first NIS Directive, enacted in 2018, proved insufficient. Its limited scope and the disparities in its implementation among Member States led to uneven protection across the European Union. Ransomware attacks and data breaches continued to rise, highlighting the need for a more robust and harmonized framework.
The limitations of the first NIS Directive
The first directive had several shortcomings that motivated this major overhaul:
- A scope that was too narrow, leaving many vulnerable sectors without specific obligations
- A fragmented implementation among Member States, creating disparities in protection
- Insufficient cooperation mechanisms between countries in the face of increasingly transnational threats
- A sanctions regime that lacked deterrence, limiting the regulation’s effectiveness
The NIS 2 Directive specifically aims to address these gaps by establishing a more comprehensive and harmonized framework at the European level, while accounting for new challenges posed by the constant evolution of technologies and associated threats.
Expanded scope: who is affected by NIS 2?
One of the major evolutions of NIS 2 lies in the significant extension of its scope. While the first directive primarily focused on a few specific sectors, NIS 2 adopts a much broader approach, reflecting the growing interconnectedness of our digital economy.
Essential and important entities: a new classification
The directive introduces a fundamental distinction between two categories of organizations:
- Essential entities: organizations whose disruption would have a particularly severe impact on society or the economy
- Important entities: organizations whose interruption would have significant but less extensive consequences
This classification determines the level of obligations and supervision applicable to each organization, with stricter requirements for entities considered essential.
Sectors covered by the directive
NIS 2 significantly extends the list of sectors subject to cybersecurity obligations. Among the newly covered sectors are:
- Public administration
- Waste management
- Manufacturing of critical products
- Postal and courier services
- Food industry
- Research
- Digital services (social media platforms, cloud service providers, data centers)
This expansion reflects the recognition that many sectors, once considered peripheral, now play a crucial role in the functioning of our digitized society.
Size criteria and exemptions
The directive also adopts a proportionate approach by introducing size criteria. All medium and large enterprises in the affected sectors are automatically subject to NIS 2 obligations. Micro and small businesses are generally exempt, except in specific cases where they present a high-risk profile or are the sole service provider in a Member State.
This approach aims to avoid imposing disproportionate burdens on smaller structures while ensuring that organizations with a significant impact on collective security comply with high standards of data protection.
New cybersecurity obligations imposed by NIS 2
The NIS 2 Directive introduces a set of much more precise and demanding obligations regarding cyber risk management and incident reporting. These requirements aim to significantly raise the overall level of cybersecurity in Europe.
Strengthened risk management measures
Affected organizations must now implement a comprehensive set of technical and organizational measures to effectively manage risks related to the security of networks and information systems. These measures include:
- Analysis and classification of cyber risks
- Implementation of information security policies
- Incident management and business continuity
- Supply chain security
- Use of cryptography and encryption
- Staff awareness and training
These obligations are part of a comprehensive approach to security that goes beyond purely technical aspects to also encompass organizational processes and the human dimension.
Incident reporting obligations
NIS 2 significantly strengthens the incident reporting framework with:
- An obligation to report any significant incident to the competent authorities within 24 hours of becoming aware of it
- An obligation to provide an initial report within 72 hours
- A final detailed report within one month
The directive also more precisely defines what constitutes a significant incident that must be reported, providing greater clarity for affected organizations.
Increased responsibility of management bodies
A major innovation of NIS 2 concerns the explicit accountability of the management bodies of affected entities. Board members and executives will need to:
- Approve cyber risk management measures
- Oversee their implementation
- Undergo specific training on risks and best practices in cybersecurity
- Be held personally accountable in case of non-compliance
This approach aims to integrate cybersecurity at the highest decision-making level of organizations, recognizing that it is now a strategic issue rather than just a technical one.
Implementation and supervision: the new governance framework
To ensure the effectiveness of these new provisions, NIS 2 establishes a reinforced governance framework, both at the national and European levels, with significantly increased supervision and sanction powers.
Strengthening national authorities
Each Member State must designate one or more competent national authorities responsible for overseeing the implementation of the directive. These authorities will have extensive powers, including the ability to:
- Conduct security audits and on-site inspections
- Issue warnings and injunctions
- Impose corrective measures
- Impose administrative sanctions in case of non-compliance
The directive also specifies that these authorities must have the necessary resources and expertise to effectively carry out their missions, thus avoiding the disparities observed in the implementation of the first NIS Directive.
Enhanced cooperation at the European level
NIS 2 significantly strengthens cross-border cooperation mechanisms with:
- A more integrated network of national CSIRTs (Computer Security Incident Response Teams)
- A new cooperation group with expanded powers
- Regular pan-European cybersecurity exercises
- Mandatory sharing of information on threats and incidents between Member States
This collaborative dimension recognizes the fundamentally transnational nature of modern cyber threats, which can only be effectively countered through a coordinated approach.
A deterrent sanctions regime
One of the most significant changes concerns the sanctions regime, which is now far more deterrent. Organizations that fail to comply with the directive’s essential obligations face fines of up to:
- €10 million or 2% of total global annual turnover for essential entities
- €7 million or 1.4% of total global annual turnover for important entities
These amounts, which approach those provided for by the GDPR, reflect the importance given to cybersecurity in the European digital strategy and should strongly encourage organizations to take up their responsibilities in this area.
Alignment with other European regulations
The NIS 2 Directive does not operate in isolation but is part of a broader regulatory ecosystem aimed at strengthening Europe’s digital resilience. Understanding these interactions is essential to establishing a coherent and efficient compliance strategy.
Complementarity with the GDPR
Although distinct in their objectives, NIS 2 and the GDPR share common concerns regarding data security. While the GDPR focuses on the protection of personal data, NIS 2 adopts a broader approach aimed at the overall security of networks and information systems.
Organizations already compliant with the GDPR will have a solid foundation to meet some of NIS 2’s requirements, particularly concerning incident management and security measures. However, NIS 2 goes further in many areas, especially in terms of cyber risk governance.
Alignment with the DORA Regulation
The DORA (Digital Operational Resilience Act) regulation, specifically designed for the financial sector, shares many objectives with NIS 2. Financial institutions subject to DORA are generally exempt from NIS 2 obligations to avoid regulatory duplication, in accordance with the “lex specialis” principle.
Nevertheless, an understanding of both frameworks remains valuable for financial organizations, as they are part of the same vision of strengthening digital operational resilience.
Link with the Critical Entities Resilience (CER) Directive
The CER Directive, adopted in parallel with NIS 2, focuses on the physical resilience of critical infrastructures. The two directives share a similar approach in terms of entity classification, and many organizations will be subject to both frameworks simultaneously.
This complementarity reflects a growing recognition of the interconnection between physical and digital security, particularly relevant in the era of the Internet of Things and cyber-physical systems.
Preparing for NIS 2 compliance: strategies and best practices
Compliance with NIS 2 represents a significant challenge for many organizations but also an opportunity to sustainably strengthen their security posture. Here are the key steps to effectively approach this transition.
Assess eligibility and specific obligations
The first step is to determine whether your organization falls within the scope of the directive by asking the following questions:
- Does your organization belong to one of the affected sectors?
- Does it meet the size criteria defined by the directive?
- Is it classified as an “essential” or “important” entity?
This initial clarification will allow you to understand precisely the level of obligations to which you will be subject and to allocate resources accordingly.
Conduct a cybersecurity maturity assessment
A comprehensive cybersecurity audit is a fundamental step to identify gaps between your current practices and NIS 2 requirements. This assessment should cover:
- Inventory of your critical IT assets
- Analysis of your technical vulnerabilities
- Review of your security policies and procedures
- Assessment of your ability to detect and respond to incidents
Specialized providers like My Data Solution in Paris or Lyon can support you in this process with expertise tailored to the specifics of your sector.
Establish appropriate governance
The NIS 2 Directive places governance at the heart of compliance requirements. To effectively meet these, organizations will need to:
- Clearly designate cybersecurity responsibilities
- Integrate cybersecurity into strategic decision-making processes
- Train board members and executives
- Implement regular cyber risk reporting mechanisms
This organizational dimension is often the most complex to implement as it requires profound cultural changes and commitment at the highest level of the company.
Adopt a risk-based approach
NIS 2 encourages the adoption of systematic and proportionate risk management. This approach involves:
- Identifying and regularly assessing cyber risks specific to your activity
- Prioritizing protective measures based on their potential impact
- Formally documenting your risk analysis and resulting decisions
- Periodically reviewing this analysis to account for evolving threats
This structured methodology not only meets regulatory requirements but also optimizes security investments by directing them toward the most critical areas.
Prepare for incident management
The ability to detect and effectively respond to security incidents is a central requirement of NIS 2. To prepare for this, it is recommended to:
- Implement detection tools suited to your environment
- Develop formalized incident response procedures
- Train relevant teams on these procedures
- Conduct regular incident simulation exercises
- Prepare notification templates compliant with the directive’s requirements
These preparations are essential to meet the tight reporting deadlines imposed by the directive and limit the impact of incidents when they occur.
Impact on ethics and corporate responsibility
Beyond its purely technical and legal aspects, the NIS 2 Directive raises important questions regarding corporate social responsibility and digital ethics. These dimensions, often overlooked in the analysis of technical regulations, deserve particular attention.
Toward greater organizational accountability
By imposing obligations of means and results, NIS 2 contributes to a major shift in the perception of cybersecurity: it is no longer considered a technical option but a fundamental responsibility of organizations toward their stakeholders.
This approach is part of a broader trend of strengthening corporate ethics, where the protection of digital infrastructures becomes a key element of societal responsibility on par with environmental protection or respect for human rights.
Cybersecurity as a common good
The directive implicitly recognizes that cyber resilience has become a common good whose protection cannot rely solely on voluntary initiatives. By establishing a minimum set of requirements, it affirms that the security of digital infrastructures is a collective issue that transcends individual interests.
This collective vision of cybersecurity encourages organizations to move beyond a purely defensive approach centered on their own assets and to adopt a broader perspective that incorporates their responsibility within the global digital ecosystem.
Transparency and trust in the digital economy
The notification and reporting obligations introduced by NIS 2 contribute to creating a more transparent digital environment, an essential condition for establishing the trust needed for the development of the digital economy.
By making incidents and remedial measures visible, the directive participates in the emergence of a culture of shared accountability in the face of cyber threats, beneficial for both organizations and their users and partners.
Conclusion: preparing for the future of European cybersecurity
The NIS 2 Directive marks a decisive step in building a safer and more resilient European digital space. By significantly expanding its scope and strengthening the obligations of affected organizations, it responds to the constant evolution of cyber threats facing our economy and society.
Far from being just an additional regulatory constraint, NIS 2 offers the opportunity for a more mature and integrated approach to cybersecurity, placing it at the heart of organizations’ strategic concerns. Businesses that anticipate these changes and turn this obligation into a competitive advantage will position themselves favorably in an environment where digital trust is becoming a differentiating asset.
For affected organizations, the time has come for active preparation. Informing and seeking support from experts is essential to transform this regulatory requirement into an opportunity to sustainably strengthen security posture. Solutions exist for all situations, whether it’s support in Toulouse, in French Guiana, or anywhere in France.
Cybersecurity is no longer just the concern of technical specialists but has become a shared responsibility involving all organizational actors, from top management to operational teams. This holistic vision, at the heart of the NIS 2 Directive, foreshadows what cybersecurity will be tomorrow: a fundamental pillar of organizational strategy and a determining factor in their longevity in an increasingly digitized world.
Ultimately, beyond regulatory compliance, it is a cultural transformation where the security of information systems becomes an integral part of the DNA of European organizations, thereby contributing to the continent’s digital sovereignty in the face of contemporary geopolitical challenges.