NIS 2 Regulation (Network and Information Systems Security): Everything You Need to Know

The NIS 2 Directive, which succeeds NIS 1, aims to strengthen cybersecurity within the European Union. It was approved by the European Parliament on November 10, 2022, and by the Council of the European Union on November 28, 2022. EU member states have until October 17, 2024, to transpose the directive into their national legislation and begin implementing it.

Sarah Zouaki

11/27/2024

What is its goal?

Its goal is to establish a high common level of security for networks and information systems, to ensure better resilience of the European internal market against digital threats. How? By creating a common framework for cybersecurity within the EU, requiring member states to define obligations for preventing and managing cybersecurity risks.

Which sectors are affected by NIS 2?

The NIS 2 Directive distinguishes between several critical sectors.

Highly critical sectors, numbering 11, include energy, transportation, banking, financial market infrastructures, drinking water and wastewater services, digital infrastructures, business-to-business services, public administration, and space.

Other critical sectors include postal and courier services, waste management, chemical product manufacturing and distribution, food processing, manufacturers of medical devices and in vitro diagnostic devices, manufacturers of IT products, electronics, machinery and equipment, motor vehicle construction, and providers of e-commerce platforms and search engines.

Which actors are affected by NIS 2?

The NIS 2 Directive primarily applies to medium, intermediate, or large entities, provided they belong to one of the critical sectors mentioned. This includes companies with at least 50 employees or an annual turnover exceeding 10 million euros.

An exception is made for specific service providers, such as public electronic communications network providers, trust service providers, and top-level domain registries.

However, France reserves the right to include or exclude certain entities on a case-by-case basis, depending on a national risk analysis.

Distinction between Important Entities (IE) and Essential Entities (EE)

NIS 2 differentiates between Essential Entities (EE) and Important Entities (IE) based on their size and sector of activity. Essential Entities include those operating in highly critical sectors AND that are of medium size (more than 250 employees, or an annual turnover exceeding 50 million euros, or a balance sheet exceeding 43 million euros).

Also classified as Essential Entities, regardless of their size, are qualified trust service providers, top-level domain registries, DNS service providers, as well as public electronic communications network providers or public service providers.

All other entities not classified as Essential are considered Important Entities.

What are the concrete obligations for affected companies?

Companies regulated by the NIS 2 Directive will need to comply with several obligations, including:

  • Risk analysis

  • Incident management

  • Business continuity

  • Supply chain security

  • Development and maintenance of information systems

  • Regular evaluation of cybersecurity measures' effectiveness

  • Application of cybersecurity best practices

  • Use of cryptography

  • Access management, human resources, as well as authentication and communication security

In particular, France will set up a mechanism allowing concerned entities to notify the French National Agency for Information System Security (ANSSI), which is the authority responsible for cybersecurity in France.

Entities must provide certain minimum information, such as their name, address, up-to-date contact details, sector of activity, and the member states where their services are provided. They must also report any major incident to ANSSI in three stages: an initial notification, a progress report, and a final report.

Which law is applicable to these entities?

By default, entities fall under the jurisdiction of the member state where they are established. However, providers of public electronic communications networks and digital actors are subject to the jurisdiction of the state where the decision-making centers for cybersecurity are located.

What are the exceptions for digital actors?

Digital actors (such as DNS service providers, cloud services, data centers, search engines, and social networks) will not be subject to the national security measures defined by member states. They must comply with an implementing act from the European Commission, expected by October 17, 2024, which will detail the specific measures they need to follow.

What are the deadlines for implementation?

Certain deadlines are directly set by the directive, such as updating contact information (15 days) or notifying incidents within 24 hours. Others will be defined at the national level, such as the notification deadline to ANSSI and the implementation of security measures. These deadlines will be specified during consultations with regulated entities.