A new directive (Network and Information Security, version 2), more ambitious than the first measure, was adopted in January 2023 by the Parliament & Council of the European Union to further protect companies against cyber threats. It will come into force in France in the second half of 2024 at the latest.
Faced with the increase in cyber threats resulting from digital transformation and the interconnection of EU countries, in 2016 the European Parliament and Council adopted a first set of measures to strengthen cybersecurity in the European market. This directive is known as NIS 1. It imposed an obligation on major players in ten business sectors - a few hundred entities in France - to report their security incidents to ANSSI and implement security measures to reduce cyber risks.
The NIS v2 Directive expands its objectives and scope of application for greater protection. It now includes SMEs, VSEs, IT companies and local authorities, following a report by ANSSI (France's national agency for information systems security), which found that 60% of cyber-attacks concern these structures. The new directive also aims to encourage the companies concerned to strengthen their cooperation in cyber crisis management.
In France, NIS 2 will apply to essential entities (EE) and thousands of important entities (EI) in more than eighteen different sectors:
Source: ANSSI Webinar of 16/05/2023: https://www.ssi.gouv.fr/actualite/webinaire-nis-2-presentation-de-la-directive-et-de-sa-transposition-nationale/
Essential Entities (EE) are all entities of intermediate or large size that fall within an activity sector listed in appendix 1 and that meet the following threshold criteria:
Significant entities (SE) correspond to all entities within the scope of consolidation which are not essential in terms of the criteria and cases set out, and which are by default significant.
The directive also allows ANSSI to designate specific entities.
For non-compliance with the NIS v2 directive, essential entities risk a fine of €10 million or at least 2% of sales. For large entities, the amount is €7 million or at least 1.4% of sales.
DATIVE's cybersecurity teams will keep you up to date on the progress of this measure and its implementation.