After the deadline of 17 October 2024, the transposition of the NIS2 directive continues to mobilise the ANSSI. Essential and important entities must already comply with articles 20 and 21, which require structured IT security governance, robust technical measures and an incident management system.
The NIS2 Directive represents a major step forward for European cybersecurity, replacing and strengthening the first version of 2016. It considerably broadens the scope of the organisations concerned and imposes stricter security measures: reinforced governance, robust technical protection and incident management.
The aim is to establish a high, harmonised level of cyber security within the European Union.
| The pillars | What impact? |
|---|---|
| Security governance | Information security governance requires a number of cross-functional initiatives: defining roles, including a security manager; establishing an information systems security policy (PSSI); mapping the IS and its service providers; managing risk through regular analyses; carrying out compliance audits; and integrating security into HR management, in particular through employee training. |
| Technical protection measures | Technical protection measures complement the organisational aspect: maintaining security conditions over time, controlling physical access, securing the IS architecture and remote access, deploying anti-malware solutions, hardening configurations, strict management, and implementing business continuity systems. |
| Incident handling | Security incidents are inevitable, so the organisation needs a comprehensive response system. This rests on three pillars: a SIEM-based detection system supervised by a SOC, a response capability provided by an in-house or outsourced CERT, and crisis management procedures that are tried and tested through periodic exercises. |
The NIS 2 Directive affirms Europe's geopolitical ambitions in cybersecurity. By extending its scope and harmonising requirements between Member States, Europe is strengthening its collective resilience in the face of cyber threats. This regulatory framework establishes demanding standards enabling the continent to develop strategic autonomy in an area hitherto dominated by the American and Chinese powers.
The NIS2 directive applies to a wide range of organisations, which fall into two categories: essential entities (energy, transport, health, digital infrastructure) and important entities (food industry, waste management, postal services, manufacturing).
It concerns thousands of entities in more than eighteen sectors, from public administrations to private companies, from SMEs to major groups.