Growing trends in remote transactions and teleworking are creating ideal conditions for a surge in cyber threats. In its "Cyber Threat Overview" (2022 edition), ANSSI reported a 37% increase in proven information system intrusions between 2020 and 2021. In response to this increasing risk, the European Commission decided to revise the 2016 NIS directive, the first EU-wide legislation on cybersecurity, in order to expand the range of organisations concerned and to further harmonise the regulatory framework across member states. The result of this revision is the NIS2 directive, which the page under review dates to June 2022.
NIS1, a founding text in cybersecurity and regulation
The NIS (Network and Information System Security) directive has been part of the cybersecurity landscape since member states were required to transpose it into national law in 2018. For this reason, we tend to forget how innovative it actually was. This directive was the first attempt to raise the overall level of cybersecurity across the EU member states and to set out a number of core guarantees in order to develop a trusted ecosystem. To achieve this, the directive focuses on Operators of Essential Services (OES). These are organisations that ANSSI defines as "providing an essential service whose interruption would have a significant impact on the functioning of the economy or society".
In other words, the first NIS directive established an EU-wide baseline as a defence against cyber threats. Transposed into the national law of member states, it paved the way for the emergence of regulatory tools and a clear improvement in security levels for key market players.
Nevertheless, given the growing threat, it was clearly time to update the text and, in particular, to widen its scope and prepare companies for the cybersecurity challenges of the present and the future. For this reason, the Commission submitted a proposal for the revision of the directive, under the name NIS2.
NIS2, a legislative base more closely reflecting the new cyberthreats
The purpose of revising the directive is to update the regulatory measures set out in the first version of the text, drawing upon the knowledge acquired, and addressing the new cyberthreats emerging in an increasingly interconnected world.
This is why the scope of the NIS2 directive has been extended to cover over 150,000 entities (compared to around 100 for NIS1, according to the figures cited here), encompassing sectors such as digital providers, data centre services, retail, research, postal services and waste management. Until now, measures focused on the sectors of telecommunications, food, transport, health, energy, water treatment and financial services.
NIS2 also streamlines reporting obligations in cases where incidents (cyber attacks, data loss, etc.) involve significant operational or financial risks. Finally, any entities failing to comply with the organisational and technical measures will face penalties, including, for essential entities, a fine of up to 2% of their annual global turnover (important entities face a lower ceiling).
A stricter regulatory framework for greater cooperation
By forcing more companies to introduce cybersecurity measures, the new NIS2 directive aims to strengthen the regulatory framework established by NIS1 in order to take account of the expanding domestic market and the diversification of cyberthreats. The objective is to increase cyber resilience within the European Union by making sure that key players are aware of the risks and have the necessary measures in place to deal with cyberthreats.
And that's not all. Alongside the "regulatory" aspect, NIS2 also aims to consolidate cooperation within the EU. This is the ambition of CyCLONe (Cyber Crisis Liaison Organisation Network), set up to encourage operational cooperation between the national agencies in charge of cyber crisis management in each EU member state. Founded in 2020 and given a formal legal basis by NIS2, the network supports the implementation of an action plan in the event of a large-scale cyberattack or cross-border crisis, enabling national authorities to coordinate their response and share information on threats more effectively.
The NIS2 directive is therefore another step towards a harmonised regulatory framework for all European countries in the field of cybersecurity. However, this legislative progress remains largely limited to medium-sized and large organisations. In other words, most small and micro enterprises fall outside its scope, even though these are the entities most vulnerable to cyber threats. In Europe, one in every two companies targeted by ransomware is small or medium-sized, according to the Anozr Way barometer. It is therefore the role of the national authorities to raise awareness of cyber risks among small businesses and to show them how to protect themselves through the implementation of best practices.