NIS 2 Directive – What new requirements and why it’s a game-changer
The NIS 2 (Network and Information Security 2) Directive marks a major turning point in cybersecurity regulation in Europe. Adopted at the end of 2022 and due to be transposed into national law by October 2024 (NIS2 Directive: 5 Key takeaways), it considerably expands the scope of the first NIS Directive of 2016. Its ambition: to strengthen the cyber resilience of vital sectors in the face of rising digital threats. In concrete terms, NIS 2 imposes new requirements on companies deemed essential or important in 18 business sectors (energy, transport, healthcare, finance, water, digital infrastructures, agrifood, administration, etc.), compared with only around 7 sectors covered by NIS 1. In France, for example, the number of entities subject to these obligations will rise from around 300 (under NIS 1) to almost 10,000 with NIS 2 (Enjeux et points clés de la Directive NIS 2 pour votre organisation – Onet France). At European level, an estimated 160,000 organizations will be affected, not counting their supplier ecosystems (NIS2 Directive: 5 Key takeaways) – a tenfold increase in scope (French companies and administrations at the heart of the NIS 2 Directive | Archimag). Any medium-sized or large company (from 50 employees and €10 million in revenues) operating in one of these critical sectors may therefore be subject to NIS 2 (NIS 2 Directive: Impact on SMEs and suppliers).
Increased cyberthreats, a stronger regulatory response
Why such a tightening of regulations? In recent years, cyberattacks have continued to multiply and increase in impact. In 2022, 45% of French companies said they had been the victim of a cyber attack, i.e. almost one in two (French companies and administrations at the heart of the NIS 2 Directive | Archimag). Ransomware, data theft and digital sabotage affect hospitals, factories, local authorities, energy and transport operators indiscriminately, jeopardizing essential services to citizens. Faced with this growing threat, the European Union has deemed it necessary to harmonize and tighten cybersecurity rules. The NIS 2 directive thus aims to correct the weaknesses of NIS 1 by extending its scope (new industries covered, inclusion of numerous strategic SMEs) and specifying minimum common obligations for all entities concerned.
The key requirements of NIS 2 are structured around four pillars: risk analysis and security measures, management accountability, incident management and reporting, and business continuity (NIS2 Requirements | 10 Minimum Measures to Address). In practice, this means that every organization falling within the scope of NIS 2 must, among other things:
- Adopt a global approach to cyber risk management: conduct regular risk analyses, define security policies for information systems and deploy protective measures commensurate with the threats (access control, enhanced network security, etc.) (NIS2 Requirements | 10 Minimum Measures to Address).
- Implement “basic” technical and organizational cybersecurity measures: incident response plan, backup and disaster recovery policy, vulnerability management, encryption of sensitive data, multi-factor authentication for critical access, IT hygiene and staff training (NIS2 Requirements | 10 Minimum Measures to Address). The European Commission will specify the technical standards applicable by the end of 2024 to harmonize these measures.
- Oversee the security of its supply chain (suppliers): ensure that critical service providers themselves apply an appropriate level of security, assess third-party risks and have visibility over all its suppliers and subcontractors from a cybersecurity point of view (NIS2 Requirements | 10 Minimum Measures to Address).
- Detect and notify incidents quickly: have an internal process for identifying incidents with a significant impact, and inform the authorities within strict deadlines (initial notification within 24 hours, full report within 72 hours) (NIS 2 Directive: Impact on SMEs and suppliers).
- Prepare for business continuity: draw up plans to keep services running in the event of a major cyber attack – for example, via a regularly tested Disaster Recovery Plan (DRP), back-up systems and a crisis management team (NIS 2 Directive: Impact on SMEs and suppliers).
What’s the impact on CIOs and CISOs?
NIS 2 represents a strategic and operational challenge for chief information officers (CIOs) and chief information security officers (CISOs). On the one hand, it’s important to realize that compliance with this directive is now mandatory for a wide range of companies – including players with little experience of cybersecurity regulation, such as certain manufacturing industries, waste management or research. The first step is therefore to identify whether your organization falls within the scope (essential or important entity). If this is the case, the CISO will have to steer a cross-functional compliance program, mobilizing not only IT teams, but also senior management, business lines, risk management and external partners.
The message for senior management is clear: cybersecurity is no longer just a technical issue, it’s a corporate responsibility at the highest level. NIS 2 also makes management bodies more accountable in this area. In the event of a serious breach, executives can be held personally liable where negligence is proven (Issues and key points of the NIS 2 Directive for your organization – Onet France). Penalties include heavy fines (up to €10 million or 2% of worldwide annual turnover for essential entities) (NIS2 Directive: 5 Key takeaways) (Enjeux et points clés de la Directive NIS 2 pour votre organisation – Onet France), and potentially temporary bans on managerial functions (NIS2 Directive: 5 Key takeaways). In other words, NIS 2 compliance needs to be on the agenda of CEOs and boards of directors, alongside financial and legal obligations.
What’s more, the work involved in complying with the requirements is substantial and must be planned well in advance. An audit of the current state of security will have to be carried out to identify any gaps in relation to NIS 2 requirements: formalized policies, process documentation, detection tools, response plans, etc. Investments may also be required (e.g. in incident detection solutions, encryption, staff training). Some companies underestimate the task: a recent study shows that 80% of IT managers are confident of being compliant on time, but only one in two feel that their teams fully understand the requirements of NIS 2, and that senior management has a good grasp of them ([Infographic] NIS2 : les entreprises entre confiance et défis). This gap indicates a risk of delay if all stakeholders are not sufficiently mobilized now.
Solutions and best practices for tackling NIS 2
For CIOs, the key is to approach NIS 2 as a cross-functional enterprise project, rather than as a simple checkbox exercise. Here are a few best practices for managing this transition:
- Assess eligibility and scope: First check whether your organization is concerned, and in what capacity (essential or important entity). Online simulators, such as ANSSI’s (Directive NIS 2: Impact sur les PME et les fournisseurs), can help you do this. Identify which subsidiaries, departments or types of activity fall within the scope.
- Get management support: Present the challenges of NIS 2 to your top management (CIO, CEO, executive committee). Explain the risks (sanctions, impact in the event of an incident) as well as the opportunities (boosting resilience, customer confidence). The aim is to appoint an executive-level sponsor and, if possible, formalize project governance (steering committee including business, legal, etc.). The corporate culture must evolve towards greater cyber awareness at board level.
- Draw up an inventory and a roadmap: Carry out a complete diagnosis of your cybersecurity posture in relation to NIS 2 requirements. For example, do you have an up-to-date mapping of your critical assets and systems? A formal security policy approved by management? A tested incident response plan? For each requirement, assess the level of compliance and the gaps to be filled. Then prioritize actions: certain technical measures may take time (deployment of strong authentication, network segmentation, etc.), as may the implementation of a complete DRP or the negotiation of security clauses with your suppliers.
- Gradually reinforce security measures: Based on your risk analysis, deploy or improve the necessary controls. For example, if backup and disaster recovery are inadequate (which is often the case: only 20% of companies have a fully operational and tested DRP (Resilience: 80% of companies have no real DRP!)), this is a priority. If multi-factor authentication is not generalized on sensitive accesses, it is a measure to be implemented without delay (compromised passwords remain a major attack vector). Strengthen threat monitoring and detection too: NIS 2 goes hand in hand with the ability to detect incidents quickly, via an internal or outsourced SOC for example.
- Formalize procedures and documentation: Part of compliance is being able to document your actions. Draw up the required policies (IS security policy, vulnerability management policy, incident notification procedure, etc.). Set up registers or tools to monitor the application of these policies (e.g. security incident log, critical asset register, cyber monitoring committee minutes, etc.). This documentation will be useful in the event of an audit by the competent authority.
- Raise awareness and provide training: Deploy a cybersecurity training plan for your employees, tailored to their role. The directive stresses the importance of raising team awareness (cyber hygiene) (NIS2 Requirements | 10 Minimum Measures to Address) and even includes training for management bodies among the obligations (NIS2 Requirements | 10 Minimum Measures to Address). So make sure that top management receives a minimum briefing on their new responsibilities, and that all staff receive regular training (sessions, e-learning, simulated phishing exercises, etc.).
- Test and improve continuously: Think of NIS 2 compliance as an iterative process. Regularly test your systems (cyber crisis exercises, back-up restoration tests, pentest-type technical audits of your critical systems, etc.). Each test will help identify areas for improvement. Track cybersecurity KPIs over time, and report periodically to management on progress and areas of concern.
By following these steps, companies can turn the NIS 2 obligation into an opportunity to increase their security maturity. Admittedly, ANSSI has indicated that it intends to support organizations gradually (providing up to 3 years’ tolerance before strictly applying sanctions (Directive NIS 2: Impact on SMEs and suppliers)), but this does not mean that we should wait. On the contrary, taking advantage of this delay to get ahead of the game will strengthen your resilience. What’s more, achieving NIS 2 compliance can bring tangible benefits: reduced risk of a major cyber incident, improved reputation with customers/partners, alignment with other standards (ISO 27001, PCI-DSS, etc.), and even a competitive edge if your competitors are slow to catch up.
How Smart Global Governance solutions meet these challenges
Smart Global Governance offers an integrated governance, risk management and compliance (GRC) platform that can greatly facilitate your NIS 2 compliance. Faced with the complexity of this new regulation (one of 950 new regulations to appear in the business world in five years), it is crucial to equip yourself with effective tools to manage compliance across the board. Smart Global Governance’s modular solution helps you centralize and orchestrate the entire NIS 2 program:
- Risk mapping and assessment: thanks to its specialized modules (Risk Manager Suite, Information Security Officer Suite, etc.), the platform guides you in identifying your cyber risks, assessing your security arrangements and monitoring treatment plans. You get a consolidated view of your security posture and the gaps to be closed with regard to NIS 2 requirements, all through clear dashboards for IT/IS departments and management.
- Policies and compliance: Smart Global Governance integrates control repositories aligned with NIS 2 obligations. This means you can formalize your policies (information systems security charter, incident procedures, BCP, etc.) in the tool, and continuously verify their application via automated checklists and audits. The platform ensures full traceability of actions taken: an asset in the event of an ANSSI inspection or for your internal reports.
- Document management and workflow: No more scattered spreadsheets and untracked Word documents. The solution provides a centralized space for storing your security documents and proof of compliance (incident logs, audit reports, proof of training, etc.). Collaborative workflows enable tasks to be assigned to managers (e.g.: “update incident response plan” to such-and-such a manager, with automatic follow-up). This ensures that nothing is forgotten, and that every NIS 2 requirement is covered by an action plan.
- Reporting and dashboards for management: The platform offers dynamic dashboards that summarize the company’s compliance status and cyber risk level. These educational views are ideal for informing senior management or the audit committee of the progress of the NIS 2 program. At a glance, decision-makers can visualize the strengths/weaknesses and progress made, encouraging management involvement and informed decision-making (prioritization of investments, trade-offs, etc.).
- Modular, scalable approach: Smart Global Governance solutions cover not only NIS 2, but also other regulations and standards (GDPR, ISO 27001, PCI, etc.). This means your NIS 2 approach can be part of a unified compliance strategy. You avoid duplication of effort by reusing, for example, a common risk analysis or generic controls. What’s more, as the platform is modular, you can gradually activate new functionalities as your needs change. This agility enables you to keep pace with evolving threats and standards, even beyond NIS 2.
In short, Smart Global Governance acts as a true co-pilot for CIOs and CISOs in implementing NIS 2. By automating time-consuming GRC tasks, making compliance monitoring more reliable and involving the right people via clear workflows, the platform saves you time and improves operational efficiency. According to a Smart Global Governance study, automating GRC processes can deliver 40% efficiency gains, freeing up teams for higher value-added projects. In this way, you can turn the NIS 2 constraint into a performance driver: not only avoiding penalties, but above all reinforcing your organization’s long-term security.