On Tuesday June 18, Semkel organized a breakfast meeting in Paris, bringing together high-level experts to discuss the NIS 2 directive and its legal implications for business leaders. The aim: to make executives, CIOs and legal departments aware of the issues covered by the directive and of the need to strengthen their cyber protection, with key tips to prepare for and, above all, anticipate their compliance by October 17, 2024, the deadline for member states to transpose the directive into national law.
Obligations still uncertain, but a challenge for organizations to plan ahead
Julien Lopizzo, CEO of Semkel and moderator of the breakfast, reminded us in his introductory remarks that the cyber threat landscape is constantly evolving, forcing companies to keep adapting their security strategies to new threats. Although the directive has been adopted at EU level and applies to all member states, each country has some leeway when transposing it into national law. The French government has published a bill to frame this transposition, but the bill is still under discussion in the Senate at present.
Christian Daviot, Senior Advisor to Le Cyber Cercle and former strategy advisor to the Director General of ANSSI, raised a number of concerns about the bill, including: the lack of clarity of certain provisions and obligations; the prominent role given to the French cybersecurity agency (ANSSI); and the particularly high level of sanctions provided for by the directive (for essential entities, fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher).
"NIS 1 was about support and minimal regulation. NIS 2 is about sanctions."
- Christian Daviot
The NIS 2 directive aims to respond to the increase in cyber threats and to protect critical business sectors. It therefore extends the scope of the NIS 1 directive to a much larger number of entities and imposes new obligations, such as risk analysis (audits) and the notification of significant incidents to the competent authority (an early warning within 24 hours, an incident notification within 72 hours and a final report within one month). These obligations also reach into the supply chain: entities must address the security of their relationships with subcontractors and suppliers, who are therefore exposed to the same expectations as the companies they serve in the event of a cyber incident.
"Compliance doesn't mean safety."
- Julien Lopizzo
Extended personal liability for company directors
Included in the extension of the directive is the legal liability of management bodies. This major change compared with NIS 1 introduces a principle of increased personal liability for directors, who can now be held responsible in the event of non-compliance with the directive's obligations, as pointed out by Julie Jacob, a lawyer specializing in intellectual property, technology and data. This means that managers must ensure that their company implements the necessary security measures, and that they are able to demonstrate that they have taken "reasonable and appropriate measures". Failure to do so can result in severe financial and personal penalties, including suspension or, in the case of essential entities, even a temporary ban on exercising management responsibilities.
"The management bodies of essential and important entities are going to have to assume greater responsibility for risk management."
- Maître Julie Jacob
In order to prepare as effectively as possible, managers need to ensure that everything is in order from an organizational and regulatory point of view (the role of the CIO, IT charters, contracts with service providers, etc.). Companies then have a number of levers at their disposal to prepare for the application of the directive.
Essential steps for compliance
To anticipate and prepare for compliance in the best possible conditions between now and October, companies and organizations can start preparing themselves from a practical point of view:
- By conducting a risk analysis to identify the threats to their networks and information systems;
- By implementing security measures proportionate to the risks identified;
- By training their employees in cybersecurity;
- By implementing an incident response plan, including the notification deadlines set by the directive;
- By taking out cyber insurance, which transfers part of the financial exposure but does not in itself satisfy any obligation under the directive.
While it is still difficult to put an exact figure on the cost of compliance, it is certain that the NIS 2 directive will have a significant impact on European businesses. It is therefore essential that companies understand what is at stake and take the necessary steps now to prepare for its application.
This is an opportunity, not a constraint, to speed up cooperation between States on a European scale, and to strengthen protection against cyber-attacks in companies.
"The real lever is risk management."
- Julien Lopizzo