🎙⏯ GDPR, AI & Cybersecurity: Upcoming webinars and replays 🎙⏯ GDPR, AI & Cybersecurity: Upcoming webinars and replays 🎙⏯ GDPR, AI & Cybersecurity: Upcoming webinars and replays 🎙⏯ GDPR, AI & Cybersecurity: Upcoming webinars and replays
Call us on +(33)4 28 70 91 81
Log in

NIS 2: What businesses need to know about the new cybersecurity directive

Home FAQ NIS 2: What businesses need to know about the new cybersecurity directive

1. What is the NIS 2 directive?

The NIS 2 (Network and Information Security 2) directive is a European text adopted to strengthen the cybersecurity of public and private entities in Europe. It replaces the NIS 1 directive of 2016 and considerably broadens the scope of the entities concerned, while imposing stricter requirements in terms of information systems security.

2. What are the differences between NIS 1 and NIS 2?

Criteria NIS 1 NIS 2
Number of entities involved A few hundred Several thousand
Sectors covered 10 critical sectors 18 sectors + supply chains
Obligations Incident reporting Cybersecurity measures + training + governance
Sanctions Little specified Strengthened legal accountability

3. Why is the NIS 2 directive strategic for the EU?

  • Increase in cyberattacks targeting SMEs and subcontracting chains
  • Standardization of cybersecurity in all Member States
  • Creation of a European crisis management network (CyCLONe)
  • Securing the economic fabric and essential services

4. Is my business affected by NIS 2?

✔️ You are concerned if:

  • You belong to one of the 18 sectors listed in Appendices I and II (e.g.: health, energy, digital, telecoms, water, finance, public administration, etc.)
  • Your business exceeds the following thresholds:
    • ≥ 50 employees
    • OR > 10 million € turnover or annual balance sheet
  • You provide a critical service (even below thresholds, upon designation by the State)

5. What if my company is multinational or has multiple legal entities?

Each entity is evaluated separately according to:

  • Its place of establishment (subsidiary, branch, office)
  • Its cybersecurity governance (main establishment)
  • The sector concerned
  • The country in which it provides services

The group is not legally considered a single entity.

6. Are local authorities affected by NIS 2?

Yes, potentially. Each Member State can choose to include certain communities in the NIS 2 scope. In France, this scope is currently being defined, but ANSSI strongly recommends that communities prepare now.

7. How to register as an NIS 2 regulated entity?

  • Go to the portal My NIS 2 Space (ANSSI)
  • Provide the mandatory information:
    • Name, contact details, IP addresses exposed
    • Sector and sub-sector of activity
    • Member States served
  • Report any changes within 2 weeks to 3 months depending on your status

8. What are the new cybersecurity obligations imposed by NIS 2?

Essential and important entities must apply the following 10 pillars (article 21):

  1. Risk analysis and IT security
  2. Incident management
  3. Continuity of activities (backups, recovery)
  4. Supply chain security
  5. Software development security
  6. Evaluation of the effectiveness of the measures
  7. Cyberhygiene and employee training
  8. Use of cryptography
  9. Human resources security
  10. Strong authentication and secure communication systems

Leaders are legally responsible for implementation.

9. Which information systems are affected by NIS 2?

All ISs in the entity are affected, not just those linked to critical services. Partial exclusion is possible if a risk analysis demonstrates that certain systems have no potential impact on activities.

10. How do you know if an incident is "significant" and needs to be reported?

An incident is considered significant if it:

  • Seriously disrupts services
  • Cause of major financial losses
  • Affects third parties (customers, partners...)

ANSSI will publish a decree specifying the criteria and the declaration procedure.

11. Can you freely choose your service provider to comply?

Yes. Regulated entities are free to choose their cybersecurity service provider. It is recommended to choose a service provider with expertise in NIS 2 regulations, risk management and IT security audits.

12. How does NIS 2 relate to GDPR, DORA and CRA?

  • NIS 2 & GDPR: additional obligations (data protection vs system security)
  • NIS 2 & DORA: DORA premium for financial entities (lex specialis)
  • NIS 2 & CRA: NIS 2 targets service operators, the CRA concerns digital products sold on the market

13. What are the financial and workforce thresholds to remember?

Criteria Small business Medium business (min. NIS 2)
Workforce < 50 employees ≥ 50 employees
Turnover < 10M€ ≥ 10M€
Annual review < 10M€ ≥ 10M€

Companies exceeding one of the three thresholds are potentially regulated by NIS 2.

14. Which sectors are affected by NIS 2?

Annex I – Essential entities (highly critical sectors)

  1. Energy:
    • Electricity (production, transport, distribution)
    • District heating and cooling
    • Oil (production, refining, storage, transport)
    • Gas (supply, transport, distribution, storage)
    • Hydrogen
  2. Transportation:
    • Aerial
    • Rail
    • Maritime and river
    • Road
  3. Bank: Credit institutions
  4. Financial market infrastructures:
    • Trading platform operators
    • Central counterparties
  5. Health :
    • Care providers
    • EU reference laboratories
    • Manufacturers of essential devices and medicines
  6. Drinking water
  7. Wastewater
  8. Digital infrastructure:
    • Internet, DNS, cloud, etc. exchange point providers.
  9. ICT service management: MSP, MSSP
  10. Central public administration
  11. Space: Space-related service operators

Annex II – Important entities (critical sectors)

  1. Postal and shipping services
  2. Waste management
  3. Chemicals
  4. Agri-food
  5. Manufacturing (medical equipment, IT, vehicles, etc.)
  6. Digital providers (marketplaces, search engines, social networks)
  7. Research organizations
Other articles
on the same subject