Cybersecurity sits at the heart of the evolving global digital landscape. In an increasingly interconnected world, where technological advances open doors to innovation, they simultaneously create vulnerabilities that can be exploited by malicious actors. Faced with this constant dynamic, the need to regulate and strengthen digital resilience has become more than necessary.
In this context, the NIS 1 Directive (Network and Information System) played a pioneering role by establishing the first milestones for the protection of critical infrastructures and digital services within the European Union. This directive marked the beginning of a regulatory era in cybersecurity, requiring EU Member States to take measures to guarantee a high level of security.
While the NIS 1 directive laid the foundations, the European Union is taking a new crucial step with the introduction of the NIS 2 Directive, adopted and published in late December 2022. This legislative evolution aims to strengthen existing protection mechanisms, anticipating emerging challenges and consolidating existing achievements to better respond to constantly evolving cyber threats. The announcement of the NIS 2 Directive, and its entry into force on 17 October 2024, naturally raises a series of questions and major strategic issues, both for players in the cybersecurity sector and for the digital ecosystem as a whole.
The NIS 2 Directive vs the NIS 1 Directive
Overview of the NIS 1 Directive
Adopted in July 2016 and transposed by Member States in July 2018, the NIS 1 Directive forms the initial foundation of European cybersecurity regulation. Its implementation focused on the protection of critical infrastructures and sensitive digital services (OSEs and OIVs), establishing mechanisms aimed at strengthening the security of networks and information systems. Through its provisions, the NIS 1 Directive laid the groundwork for a proactive and collaborative approach to digital threats.
The NIS 1 Directive implies the need to implement robust security measures to protect networks and information systems. This includes identifying and managing security risks, detecting and responding to incidents, and implementing security best practices.
Analysis of the key new features introduced by the NIS 2 Directive
The NIS 2 Directive represents a significant evolution, adapting the regulation to the changing realities of cyberspace. The major changes include an extension of the scope to encompass new categories of entities, as well as a redefinition of the obligations and responsibilities of digital sector players.
Comparison of the key differences between the two directives
- Broadening of scope:
- NIS 1: The NIS 1 Directive focused on protecting operators of essential services (e.g. EDF, Crédit Agricole, SNCF…) and digital service providers (e.g. Orange, Capgemini, Cdiscount…). These entities were considered essential pillars of the European digital landscape because of their significant impact on the continuity of essential services and the stability of digital networks.
- NIS 2: The NIS 2 Directive marks a significant shift by greatly expanding the regulatory scope. In addition to operators of essential services and digital service providers, it now covers online platforms and other players that were not initially taken into account. A more diverse range of digital services, including online platforms providing e-commerce, social networking and cloud computing services, therefore now falls within the scope of the regulation.
Concretely, and according to ANSSI, 300 operators of essential services were covered by the NIS 1 Directive; 10,000 entities will be covered by NIS 2 — 30 times more!
Highly critical sectors – 11 sectors:
- Public administrations
- Drinking water
- Wastewater
- Energy
- Space
- Management of ICT services (business-to-business)
- Financial market infrastructures
- Digital infrastructures
- Health
- Banking sector
- Transport
Critical sectors – 7 sectors:
- Manufacturing, production and distribution of chemical products
- Digital providers
- Waste management
- Manufacturing industries
- Production, processing and distribution of food products
- Research
- Postal and courier services
This extension of scope aims to ensure adequate protection against emerging threats across the entire digital landscape, reflecting the changing reality of cyberspace and the growing importance of new players in the provision of digital services.
The 3 criteria required to be covered by the NIS 2 Directive:
- More than 50 employees
- Annual turnover of more than €10 million
- Operating in one of the critical sectors listed above
Strengthened obligations and responsibilities:
- NIS 1: This directive established mechanisms for incident prevention and management, emphasising the need for the entities concerned to put in place security measures to prevent cybersecurity incidents as far as possible. However, these obligations were often not very specific, leaving entities a degree of latitude in how they implemented security measures.
- NIS 2: The NIS 2 Directive goes further by strengthening these obligations through a cyber risk assessment for each entity concerned, introducing more precise criteria that require entities to adopt security measures proportionate to their level of risk:
- Implementation of tools to improve data encryption
- Advanced detection mechanisms
- Regular testing to assess the effectiveness of deployed measures and solutions
- Rapid incident notification and supply chain security
- Strengthened access control with more robust identification solutions: IAM (Identity Access Management) – PAM (Privileged Access Management)
The NIS 2 Directive also places responsibility on management: executives are accountable for the implementation of these measures within their organisation, and their personal liability may be engaged in the event of non-compliance.
Security Incident Notification
Regarding major security incidents, all entities concerned must report them promptly following a harmonised procedure:
- Notification to the competent national authorities (ANSSI in France — already possible via Club.SSI.gouv.fr) within a maximum of 24 hours of discovering the incident.
- A detailed report must be submitted within 72 hours to supplement the incident notification.
- A final analysis report, including the root cause and corrective measures put in place, must be provided within one month of the incident.
Dissuasive Sanctions
In the event of a major breach, essential entities face a maximum fine of €10 million or 2% of their annual global turnover, while important entities may be sanctioned up to €7 million or 1.4% of their global turnover.
In summary: what are the impacts on businesses and organisations?
- Strengthened security obligations: Companies are subject to stricter security obligations, requiring investment in advanced protective measures for their networks and information systems: access control procedures (IAM – Identity Access Management / PAM – Privileged Access Management), IS and data protection, incident detection and response protocols, risk and crisis management…
- Broadening of scope: The NIS 2 Directive expands the scope to include new sectors or digital services, requiring more companies to comply with the cybersecurity standards of this directive.
- Enhanced reporting requirements: The directive strengthens security incident reporting requirements, obliging companies to report incidents promptly and to cooperate with the competent authorities (ANSSI for France).
- Cooperation and information sharing: Cooperation between companies and competent authorities should be strengthened, promoting the sharing of information on cybersecurity threats and incidents.
- Increased sanctions: Supervisory powers will be enhanced to authorise audits of essential operators. Important operators will also be subject to controls. Sanctions are provided for, with fines of up to 2% of the targeted entity's turnover or €10 million.
- Continuous adaptation: Companies will be required to adopt a continuous approach to adapting to emerging threats, thereby encouraging a dynamic cybersecurity culture.
Assessing the potential costs and benefits for organisations
The cost assessment of implementing the NIS 2 Directive may vary depending on several factors, such as the size and complexity of the companies or states involved, the current level of cybersecurity preparedness, and the nature of the digital services provided.
The costs:
- "Technological" investments: Companies will need to invest in advanced cybersecurity technologies, such as intrusion detection solutions, next-generation firewalls, privileged account management solutions, IT bastion solutions (such as our PROVE IT software appliance), incident management tools…
- Training and awareness: Training programmes will be necessary to raise staff awareness (both administrators and users) of the new cybersecurity measures, ensuring adequate use of technologies and an effective response to incidents.
- Regulatory compliance: Costs related to adapting policies, procedures and processes to comply with the new regulatory requirements.
- Audit and certification: Some sectors will require independent security audits to ensure compliance, generating additional costs.
The potential benefits for organisations:
- Improved resilience: The implementation of enhanced cybersecurity measures will increase organisations' resilience against cyber attackers, minimising business disruptions.
- Customer and partner trust: Organisations compliant with the NIS 2 Directive strengthen the confidence of their customers and partners, demonstrating their commitment to data protection and digital security.
- Reduced financial risk: By minimising the risk of security incidents, organisations will reduce the financial costs associated with a cyberattack.
- Market positioning: Complying with stricter cybersecurity standards and holding certifications such as the ANSSI CSPN Security Visa can become a competitive advantage in the market, enhancing the company's reputation.
- Cross-border collaboration: For Member States, the implementation of the NIS 2 Directive will foster cross-border cybersecurity collaboration, thereby strengthening security at the European level.
Legislative Commitments for Cybersecurity in Europe
The NIS 2 Directive coordinates with other projects and directives, including:
Draft Directive on the Resilience of Critical Entities: This project addresses the resilience of critical entities against physical as well as digital threats, ensuring the continuity of essential services in the face of threats of various kinds, including physical ones.
DORA Regulation Project (Digital Operational Resilience Act): This focuses specifically on the cybersecurity of financial services players, imposing digital security requirements to guarantee the operational robustness and resilience of digital financial services.
Cybersecurity Act: Entered into force on 27 June 2019, it focuses on 2 main subjects:
- Strengthening the role of ENISA (the European Union Agency for Cybersecurity, established in 2014), which holds a permanent mandate for the establishment and maintenance of a European cybersecurity certification framework.
- Defining a European cybersecurity certification framework and setting rules for the development of certification schemes for different categories of ICT products, services and processes. These certifications aim to ensure and verify robustness against cyber risks, following an assessment conducted by a recognised and sworn third party.
On 31 January, the European Commission announced the adoption of the first European certification scheme: EUCC (EU Common Criteria).
Cyber Resilience Act: This will aim to promote cyber resilience as a whole by adopting comprehensive measures to strengthen the security of hardware and software placed on the European market. Formal approval by the European Parliament and the Council was expected in 2024, with concrete implementation from 2027.
Coordination between these initiatives is crucial to ensure a coherent approach to cybersecurity, avoiding overlaps and enabling effective collaboration between competent authorities, relevant stakeholders and affected sectors.
Next Steps
In the first quarter of 2025, Member States informed the European Commission of the rules and measures adopted and established the list of Essential Entities and Important Entities. The law is almost finalised and will be fully enforced once all implementing texts (decrees, orders) have been published. ANSSI nevertheless anticipates a compliance deadline for organisations of up to 2027.
In December 2025, ANSSI opened a pre-registration service to help the entities concerned anticipate their compliance with the NIS 2 Directive. This first step aims to simplify the forthcoming mandatory registration, facilitate access to security information and alerts, and initiate security work.
Conclusion
The NIS 2 Directive represents a major step forward in the European cybersecurity regulatory landscape, establishing new standards to strengthen digital resilience. While NIS 1 laid the foundations, the NIS 2 Directive responds to the constantly evolving digital threat landscape by broadening its scope and strengthening the obligations of digital players.
The comparison between NIS 1 and NIS 2 reveals a significant transformation. The broadening of scope, notably to include online platforms, reflects the recognition of new players in the digital landscape and the need to subject them to rigorous cybersecurity standards. The strengthened obligations and responsibilities, with more precise criteria, demonstrate a commitment to a proactive and tailored approach.
The impacts on businesses and organisations are significant, with stricter security obligations, a broader scope of application, enhanced reporting requirements and increased sanctions. However, the potential benefits include greater resilience, increased trust from customers and partners, reduced financial risk and a favourable market positioning.
Finally, we will be returning shortly with a new article presenting how the NIS 2 Directive promotes PAM solutions, such as the one offered by Rubycat: PROVE IT. Our software solution enables strengthened control and traceability of privileged users within organisations' information systems (identification, authentication and authorisation), in line with the principle of least privilege.