How to comply with NIS 2?
Cybersecurity: the European Union is setting a new course with the NIS 2 directive
Summary
- What is the NIS 2 directive?
- Why comply with NIS 2?
- Who is affected by NIS 2?
- Steps to comply with NIS 2
- Security requirements to be met
- Risks in the event of non-compliance
- Get support to succeed
What is the NIS 2 directive?
The NIS 2 (Network and Information Security 2) directive is the new European regulatory framework for cybersecurity, adopted in 2022 and transposed into national law in 2024. It succeeds NIS 1 (2016) and significantly expands its scope to include thousands of entities in more than 18 critical sectors.
Its objective: to raise the level of cybersecurity of the entire economic and institutional fabric of the European Union, by imposing strict obligations in terms of governance, risk management and incident response.
Why comply with NIS 2?
Complying with the NIS 2 directive is not an option. It's:
- A legal obligation for thousands of organizations;
- A guarantee of resilience in the face of cyberattacks (ransomware, compromises, leaks...);
- A lever of trust for your customers, partners and users;
- A competitive advantage in a context where security is becoming a key criterion in calls for tenders.
Fines for non-compliance can reach 10 million euros or 2% of global annual turnover.
Who is affected by NIS 2?
The directive distinguishes two types of entities:
- Essential entities (EE): critical infrastructure, health, energy, transport, public services...
- Important entities (EI): digital, commerce, manufacturing, ICT services, research...
Designation criteria include the sector of activity, headcount, turnover and criticality.
💡 Please note: even SMEs or local authorities may be affected. ANSSI's MonEspaceNIS2 tool allows you to check if you are within the perimeter.
Steps to comply with NIS 2
Here are the 6 key steps to engage in compliance:
- Identify if you are affected: use Annexes I and II of the directive and compare your activity with the official definitions. Also check the size thresholds (staff, turnover, balance sheet).
- Register with the national authority: any entity entering the scope must register via the MonEspaceNIS2 portal with ANSSI, specifying its sector, its systems, its locations...
- Appoint an NIS 2 manager for cyber compliance: like the GDPR DPO, a contact person must manage compliance with NIS 2, coordinate audits, train teams and supervise security measures.
- Map your critical information systems: it is essential to identify the assets, networks and systems involved, including digital dependencies (subcontractors, cloud, third-party providers).
- Assess risks and plan actions: carry out a cybersecurity risk analysis for each identified IS. Prioritize corrective actions, including on known vulnerabilities and supply chains.
- Document and manage compliance: maintain an NIS 2 compliance file, with critical IS mapping, technical measures, processes put in place, internal policies, and incidents that have occurred or been averted.
What are the security requirements of NIS 2?
Article 21 of the Directive lists the minimum measures to be implemented, including:
- Cybersecurity risk management policy
- Incident management and alerts
- Business continuity and disaster recovery plan
- Supply chain security
- Encryption of sensitive data
- Training of teams in IT hygiene
- Access control, logging and traceability
- Regular evaluation of security measures
Each entity must demonstrate its ability to anticipate, detect, react and recover from major incidents.
What is the risk of non-compliance with NIS 2?
National authorities (e.g. ANSSI in France) may:
- Conduct audits or inspections;
- Issue injunctions or sanctions;
- Impose fines of up to 10 million euros or 2% of global turnover.
In the event of a serious cyberattack, the non-compliant entity is exposed to significant legal, financial and reputational consequences.