ANSSI has presented the first draft of the text transposing NIS2 into French law. Called "Resilience", the draft law aims to build a comprehensive framework by also transposing two other European directives: the Directive on the Resilience of Critical Entities (REC) and the Directive on Digital Operational Resilience (DORA). This article focuses on the provisions of the text relating to NIS2.
Three directives transposed into a single piece of legislation: this is the ambition of the bill presented on 15 March 2024 by ANSSI, which aims to put in place a comprehensive and coherent policy covering the resilience of activities of vital importance, the protection of critical infrastructures, cybersecurity and the digital operational resilience of the financial sector.
Scaling up to withstand the cyber threat
In response to the rapid evolution and intensification of the cyber threat, the European NIS2 directive, which succeeds NIS1, aims to considerably raise cybersecurity standards across the European Union. It covers a wider range of entities and sectors. In France, the number of regulated players is multiplied by 30 - from 500 to around 15,000 - and the number of sectors concerned rises from 6 to 18. The directive still covers sectors linked to energy and digital infrastructures, health and transport, but it also brings in sectors that were previously outside the scope, such as education, agri-food, public administration and digital service providers. At the same time, the text broadens the scope of the information systems (IS) to be secured: it applies to all the IS of the targeted entities, and no longer only to their essential IS.
Simplification, harmonisation and proportionality
ANSSI is seizing the opportunity presented by this bill to simplify IS security rules by limiting the accumulation of regulatory requirements. The Agency is also working with the authorities of other Member States to ensure equivalent treatment throughout the European Union. Finally, it is ensuring that the future rules remain proportionate, both in the requirements they impose and in the penalties they provide for.
Essential and important: two levels of regulated entities
The principle of proportionality involves the creation of two categories of entities, classified according to their degree of criticality, their size and - for companies - their turnover. The text distinguishes between "essential entities" and "important entities". The former, which are already familiar with security constraints because of their criticality, are subject to stricter standards, while the latter are subject to basic requirements aimed at improving their digital hygiene without incurring disproportionate costs.
Four security objectives
Tailored to the risks, challenges and specific features of each sector, the set of requirements currently being developed is based on security objectives organised around four key areas:
- Set up ad hoc governance to ensure that cyber risk is taken into account at the highest level of the organisation
- Implement IS protection measures
- Build defence capabilities to speed up incident response and limit the impact of incidents
- Develop resilience capabilities to facilitate business continuity and recovery
Highly dissuasive penalties
A system of penalties is also provided for, aligned with high standards similar to those of the RGPD (GDPR), with fines of up to 2% of worldwide turnover for essential entities and 1.4% for important entities. These measures are intended to deter breaches and encourage investment in cybersecurity, reflecting the ever-increasing real cost of cyber attacks. However, public administrations and local authorities will be exempt from penalties.
A gradual, collaborative approach to implementation
Numerous preliminary consultations were held with professional federations, local authorities and ministries to define the requirements. These consultations will continue throughout the transposition process, under the supervision of the representatives of the legislative body.
The timetable for the entry into force of the new obligations will be staggered to give the players concerned time to comply.
Finally, ANSSI will provide regulated entities with a range of services to help them achieve the required level of protection in a progressive approach.
The special case of local authorities
Taking into account the vulnerability of local and regional authorities, which account for 17% of all cyber incidents handled by ANSSI, the bill includes them in the scope of NIS2. The aim is to put in place a proportionate approach, tailored to the maturity and resources of local authorities.
In all, 661 local authorities or groupings should be covered as essential entities: 22 regions, 97 départements, 263 metropolises and 279 communes with more than 30,000 inhabitants. The 992 communities of communes will also be covered, as important entities.
Their need for support and guidance has been taken into account: the cybersecurity pathways set up as part of France Relance will be accelerated. A transition budget is also envisaged, to finance the estimated average cost of €400,000 required to bring a local authority into cyber compliance.
This first version of the bill is now in the hands of the ministries for arbitration, after which it will be forwarded to Parliament for in-depth parliamentary examination, which is all the more essential given the far-reaching consequences of the text for economic players and local authorities. The bill is due to be voted on and to come into force in autumn 2024, before the 17 October deadline.