By increasing the number of entities supervised by ANSSI in France by a factor of 40 or even 50, the Resilience Bill takes cybersecurity into a new dimension. NIS2 represents a major step forward, both in raising the level of security of entities deemed essential and in disseminating a genuine cyber culture throughout the economic fabric. In this way, the directive helps to create a virtuous circle towards a more secure digital environment, an essential lever for innovation. However, this reform raises a number of questions, which Cloud Temple set out in detail at its hearing before the Commission Supérieure du Numérique et des Postes.
One of the first pitfalls of the transposition of NIS2 into French law lies in the risk of regulatory stacking, which would be a factor of inertia for the players targeted by the text. Faced with a multitude of regulations, organisations find it difficult to understand what is expected of them, and may be tempted to put the brakes on their initiatives in the absence of a clear understanding of the requirements to be met. The certifications and qualifications mentioned in the Resilience Bill add a further layer of complexity. How will these new requirements fit in with existing regulations such as the Military Planning Act, the RGPD (GDPR), SecNumCloud and the PCI, HDS and ISO 27001 standards?
Facilitating proof of compliance
A reform on the scale of NIS2 will have an impact on the entire relationship between the customer and the digital service provider. The administrative process for proving compliance is crucial in this development, as increased pressure on providers could complicate their task. The need to secure the supply chain could lead to an overload of compliance work, with contract reviews, audit requests and security questionnaires. Yet it is in everyone's interest for digital players to devote their time to raising the level of security of their services rather than to demonstrating that they are secure. To avoid these pitfalls, establishing criteria for a presumption of compliance would streamline the process for both service providers and customers. An effective approach would be to build a compliance matrix based on recognised benchmarks and indisputable presumptions of compliance, backed up by audits and certification labels.
Making digital players facilitators of reform
Another question concerns the special status of digital players, who will be the subject of a European implementing act that has yet to see the light of day. It is therefore difficult at this stage to see how they will fit into the scheme. And this is all the more important given that it is essential for the success of this reform to make digital players vectors and facilitators of cyber progress, and not regulated entities like the others. Otherwise, the ANSSI will be on its own to carry out its mission for the 12,000 to 15,000 entities in France. The ability of cloud players to comply with NIS2 and provide effective support for their customers will depend on the final content of the performance contract. Will the rules be adapted to the specific characteristics of the cloud, which involves sharing responsibilities and pooling resources? Rapid publication of all the texts is key to ensuring a smooth transition.
Incident notification: who does what?
The notification of security incidents is another critical aspect of the Resilience Bill: defining clear severity thresholds and deadlines, and determining the competent authority for notification, are central elements of the system. In the emergency context of a cyber incident, it is crucial to have a notification framework that leaves no room for interpretation. Notifying too early or too late can have a real impact on the ability to resolve the crisis, particularly in the event of a cyber attack. The principle of "notification as soon as possible" must be clarified to avoid any uncertainty in crisis situations. The forthcoming decree on incident reporting procedures should therefore be the subject of consultation with the sector, in order to establish rules that are pragmatic, realistic and easy for the players concerned to implement.
Supporting efforts to upgrade skills
Finally, talent remains the sinews of cyber warfare. With the change in scale brought about by the Resilience Bill, a large number of companies and local authorities that are new to the field will be starting their cybersecurity process, at a time when recruiting specialist talent is difficult and expensive. Ensuring that the cybersecurity ecosystem is able to support them is fundamental. The time it takes for service providers to carry out audits or provide services can also be an obstacle. The State must play a crucial role in helping companies and organisations to comply, while supporting the cyber ecosystem and efforts to train talent. The funding arrangements put in place will be key, particularly for the 1,653 local authorities affected by the reform.
ANSSI understands that listening to stakeholders - and in particular digital players - is essential to the success of NIS2 in France. The collection of needs and comments is a pragmatic contribution to the bill, to make it an unprecedented lever for cybersecurity in France and Europe. The hearings held by the Commission Supérieure du Numérique et des Postes will feed into this iterative consultation process. At a time when the parliamentary agenda is being disrupted by the new electoral deadlines, and the 17 October deadline is approaching, it is crucial not to sacrifice this co-construction effort on the altar of legislative efficiency. A law and implementing decrees adopted in haste would be a bad start for this structuring reform.