The draft law transposing NIS2 has been submitted to the Senate for its first reading. Called "Resilience", the bill aims to build a comprehensive framework by also transposing two other European directives: the Directive on the Resilience of Critical Entities (REC) and the Directive on Digital Operational Resilience (DORA). Focus on the provisions of the text relating to NIS 2.
Three directives transposed into a single piece of legislation. This is the ambition of the bill presented on 15 October 2024, which aims to put in place a comprehensive and coherent policy on the resilience of vitally important activities, critical infrastructure protection, cybersecurity and the digital operational resilience of the financial sector.
Simplification, harmonisation and proportionality
ANSSI is taking the opportunity presented by this bill to simplify IS security rules, by limiting the stacking of regulatory requirements. It is taking care to ensure that future rules remain proportionate, in terms of the requirements imposed and the penalties.
Extending the scope of entities to resist the cyber threat
In response to the rapid evolution and intensification of the cyber threat, the European NIS 2 directive, which succeeds NIS 1, aims to significantly raise cybersecurity standards across the European Union. It covers a wider range of entities and sectors. In France, 10,000 public and private entities are targeted and at least 18 sectors are affected. The directive includes sectors linked to electrical and digital infrastructures, health and transport, but it also includes sectors that were previously outside the scope, such as education, agri-food, public administration and digital service providers. At the same time, the text broadens the scope of the information systems to be secured, applying to all the IS of the targeted entities, and not just their essential IS.
Essential and important: two levels of regulated entities
The principle of proportionality involves the creation of two categories of entities, classified according to their degree of criticality, their size and - for companies - their turnover. The text distinguishes between "essential entities" and "important entities". The former, which are already familiar with security constraints because of their criticality, are subject to stricter standards, while the latter are subject to basic requirements aimed at improving their digital hygiene without incurring disproportionate costs. ANSSI has set up a portal to enable entities to find out whether they are regulated and, if so, to which category they belong. The portal helps the entities concerned to implement their 3 major obligations: providing information to ANSSI, implementing appropriate risk management measures and reporting any cybersecurity incidents.
Four safety objectives
The entities concerned must implement measures to guarantee a level of security that is appropriate and proportionate to the existing risk. The set of requirements currently being developed is based on security objectives organised around four key areas:
- Set up ad hoc governance to ensure that cyber risk is taken into account at the highest level of the organisation
- Implement IS protection measures
- Defence capabilities to speed up response to incidents and limit their impact
- Develop resilience capabilities to facilitate business continuity and recovery
Highly dissuasive penalties
A system of penalties is also provided for, aligned with high standards similar to those of the RGPD, with fines of up to 2 % of worldwide turnover for essential entities and 1.4 % for important entities. These measures are intended to deter breaches and encourage investment in cybersecurity, thereby reflecting the ever-increasing real cost of cyber attacks. However, public administrations and local authorities will be exempt from penalties.
A gradual, collaborative approach to implementation
Numerous preliminary consultations were held to define the requirements, with professional federations, local authorities and ministries. The timetable for the entry into force of the new obligations will be staggered to give the targeted players time to comply. Lastly, ANSSI will provide regulated entities with a range of services to help them achieve the required level of protection in a gradual approach.
The special case of local authorities
Taking into account the vulnerability of local and regional authorities, which account for 17% of all cyber incidents handled by ANSSI, the bill includes them in the scope of NIS2. The aim is to put in place a proportionate approach, tailored to the maturity and resources of local authorities.
In all, 661 local authorities or groupings should be concerned as essential entities: 22 regions, 97 départements, 263 metropolises and 279 communes with more than 30,000 inhabitants. The 992 communities of communes will also be affected as major entities.
Their need for support and guidance has been taken into account: the cybersecurity pathways set up as part of France Relance will be accelerated. A transition budget will also be envisaged, to finance the estimated average cost of €400,000 required to bring a local authority into cyber compliance.
During his opening speech at the Assises de la Sécurité conference in Monaco, Mr Strubel, Director General of the ANSSI, declared: "On 17 October, nothing will happen", referring to the deadline given to Member States to transpose the NIS2 directive.
Against this backdrop, the bill on the resilience of critical infrastructures and the strengthening of cybersecurity was submitted to the Senate on 15 October 2024 by three ministers: Antoine Armand (Economy, Finance and Industry), Patrick Hetzel (Higher Education and Research) and Clara Chappaz (Secretary of State for Artificial Intelligence and the Digital Economy).
As a result of the accelerated procedure initiated by the government, the examination of this text by Parliament will be limited to a single reading by each chamber, thus increasing the pressure on deadlines.
Article updated on 17 December 2024