NIS 2: A new directive to strengthen cybersecurity on the European market


15 Nov. 2023 | Cyber | 4 minutes

Strengthening Industrial Cybersecurity: Impact of the NIS2 Directive on Critical Infrastructure Protection

A new directive, NIS 2 (Network and Information Security, version 2), more ambitious than the first, was adopted in January 2023 by the Parliament and Council of the European Union to further protect companies against cyber threats. It will come into force in France in the second half of 2024 at the latest.

What's new with NIS v2?


Faced with the increase in cyber threats resulting from digital transformation and the interconnection of EU countries, in 2016 the European Parliament and Council adopted a first set of measures to strengthen cybersecurity in the European market. This directive is known as NIS 1. It imposed an obligation on major players in ten business sectors - a few hundred entities in France - to report their security incidents to ANSSI and implement security measures to reduce cyber risks.


The NIS v2 Directive expands its objectives and scope of application for greater protection. It now includes SMEs, VSEs, IT companies and local authorities, following a report by ANSSI (France's national agency for information systems security), which found that 60% of cyber-attacks concern these structures. The new directive also aims to encourage the companies concerned to strengthen their cooperation in cyber crisis management.

Who is affected by NIS V2?

In France, NIS 2 will apply to essential entities (EE) and thousands of important entities (EI) in more than eighteen different sectors:

[Figure: The various sectors covered by the NIS 2 directive]


Essential entities (EE) are all entities of intermediate or large size in the activity sectors of Appendix 1 that meet the following threshold criteria:

[Figure: The various sectors covered by the NIS 2 directive]


Significant entities (SE) are all entities within the scope of consolidation that are not essential under the criteria and cases set out; they are significant by default.


The directive also allows ANSSI to designate specific entities.

What does my company risk if it fails to comply with this directive?

For non-compliance with the NIS v2 directive, essential entities risk a fine of €10 million or at least 2% of sales. For large entities, the amount is €7M or at least 1.4% of sales.


DATIVE's cybersecurity teams will keep you up to date on the progress of this measure and its implementation.
