Cybersecurity: the essentials of the NIS 2 directive

Adopted in January 2023, the European NIS 2 directive will, from October 2024, require many companies, including those in the finance sector, to improve their security measures in order to combat all forms of cyber attack. The aim of NIS 2 is to establish a uniform level of cyber maturity throughout the European Union.

What does the NIS2 directive change? 

The NIS 2 directive extends the scope of the previous regulation (NIS 1): it keeps the sectors already covered (healthcare, banking, transport) and adds new areas such as public administrations, telecommunications, social networks, postal services and the space sector. It also includes private companies, impacting thousands of businesses, from SMEs to major CAC40 corporations.

A key innovation of NIS 2 is the introduction of a proportionality mechanism, creating two categories of regulated entities according to their level of criticality: essential entities and important entities. ANSSI will use this criterion to define specific requirements for each category. 

What are the objectives of the NIS2 directive?  

The directive has 4 main objectives:   

  1. Improving the resilience of critical infrastructures: the directive imposes enhanced security measures for essential service operators (ESOs) and digital service providers (DSPs) to guarantee the availability, integrity, confidentiality and continuity of essential services.
  2. Strengthening cooperation and coordination: the directive encourages cooperation between EU Member States to ensure a coordinated response to cybersecurity incidents, notably by establishing cooperation mechanisms and competence networks.
  3. Promoting incident reporting: the directive requires ESOs and DSPs to report cybersecurity incidents to the competent authorities and relevant stakeholders, enabling a rapid and effective response in the event of an incident.
  4. Strengthening the security of digital service providers: DSPs are required to put in place appropriate security measures to protect their digital services against cyber threats.

Who is covered by the NIS2 directive?  

The NIS2 directive targets companies with more than 50 employees and annual revenues of over €1 million in the relevant sectors. These companies vary in size, including SMEs, large corporations, and sometimes even some local authorities. 

The NIS1 directive originally regulated 19 sectors, but with NIS2 the number of regulated sectors has risen to 35. 

The 19 sectors initially covered by NIS1 included areas such as healthcare, energy, transport, banking, financial market infrastructures, drinking water distribution, wastewater treatment, digital infrastructures, digital service providers, public administrations and the aerospace industry. 

In addition to these, NIS2 extends regulation to additional sectors, such as postal and courier services, waste management, the chemical industry, manufacturing, chemical distribution, the industrial sector, agri-food, and additional digital service providers (full list at bottom of article).

What are the differences between essential and important entities?  

Within the 35 sectors targeted by the directive, companies are classified as essential or important entities if they manage infrastructures whose disruption would have a major impact on the country's economy or functioning. Typically, intermediate-sized companies (ETIs) and large enterprises classified as essential service operators (ESOs) are considered essential entities.  

These companies will be officially identified when the national decree transposing this directive is published, by October 17, 2024 at the latest.  

Why is the inclusion of subcontractors in the NIS 2 directive essential? 

The inclusion of subcontractors in the NIS 2 directive follows on from attacks targeting supply chains. 

Subcontractors may have access to sensitive data or critical systems. If these subcontractors are not properly secured against cyber-attacks, they become vulnerable to malicious activity. By including subcontractors in the cybersecurity standards imposed by the Directive, organizations employing them can ensure that they apply adequate security measures to protect the data and systems under their responsibility. 

This helps reduce the risk of vulnerabilities spreading throughout the supply chain, and prevents potential damage to partner companies. 

How do you prepare for NIS2 implementation?  

The NIS 2 directive will not be effectively implemented until the end of 2024. Until it is transposed into French law, essential service operators (ESOs) and digital service providers must continue to comply with NIS1 standards and existing information systems security regulations. 

Furthermore, entities already subject to NIS1 should maintain their efforts to comply with this first version of the directive. The progress already made will be useful, as NIS2 builds on the principles established by NIS1. In addition, companies potentially affected by NIS2 should already start actively reinforcing their IT security. 

Faced with constant cyber threats and the vulnerability of information systems, NIS2 represents an opportunity for organizations to invest in improving their security. It is crucial for affected companies to quickly assess their level of cybersecurity preparedness. 

For impacted sectors looking for support in their IT security compliance, Semkel supports you with both cyber and dark web monitoring to detect potential data leaks in real time, in order to comply with the NIS 2 directive, as well as raising awareness among your staff. 

Here is the list of the 35 sectors covered by the NIS 2 directive:

  1. Energy (including electricity, gas and oil) 
  2. Transportation (including road, rail, sea and air) 
  3. Banks 
  4. Financial infrastructures (including stock exchanges and payment systems) 
  5. Health services (hospitals and health care services) 
  6. Water supply 
  7. Food supply 
  8. Digital provisioning (DNS, Internet services) 
  9. Digital services for the public sector 
  10. Digital online services (social media, online marketplaces, search engines) 
  11. Telecommunications 
  12. Water (wastewater and surface water management) 
  13. Water (drinking water management) 
  14. Water (flood management) 
  15. Essential elements of business and industrial production 
  16. Waste management 
  17. Chemical supply 
  18. Drug supply 
  19. Medical device procurement 
  20. Gas production and distribution 
  21. Electricity generation and distribution 
  22. Oil production and distribution 
  23. Biofuel production and distribution 
  24. Production and distribution of liquid fuels
  25. Production and distribution of gaseous fuels 
  26. Production and distribution of solid fuels 
  27. Heat production and distribution 
  28. Postal services 
  29. Seaports 
  30. Air traffic management 
  31. Railway infrastructure 
  32. Road transport 
  33. Digital service providers 
  34. Cloud computing services 
  35. Operating system suppliers