Nis 2 directive will force thousands of companies to invest to better protect themselves

Thousands of companies will be required by law to improve their IT security. This decision comes from the highest European political level, and in France the National Information Systems Security Agency (Anssi) will be the enforcement task.

In January, when she came to power, the French Presidency of the European Union (PFUE) set itself the task of becoming ” extremely wayward in terms of digital sovereignty and cybersecurity. Among the key aspects of this political time, France intended to complete the negotiations on the revision of the directive “network and information security” (better known by the acronym Nis), which began at the end of 2021. The deed is done: on May 12, a political agreement was reached between the Commission, Parliament and the Council on the text, although some technical details have yet to be corrected. “, welcomes Yves Verhoeven, Associate Director of Strategy at Anssi, to La Tribune on the occasion of the International Cybersecurity Forum (FIC).

Up to 150,000 interested companies and organizations

The first version of this text, adopted in 2016, resulted in the appointment of dozens of organizations ” basic service operators (OSE), which ” provide essential services, the interruption of which would have a significant impact on the functioning of the economy or society ‘, as defined by Annecy. As a result, these bodies have at least 23 additional cybersecurity obligations, both technically and in their management, and in their relationship with the authorities.

The Nis Directive covered banking, financial markets, energy, healthcare, transport, drinking water management and telecommunications. Its revised version, Nis 2, covers administration as well as areas of waste management, large-scale food distribution, Internet access providers, and even postal services.

As a result, after 1 shekel, the number of European operators subject to this rule is estimated at 15,000 operators. ” For 2 shekels, this number should be multiplied by 8 or 10. warns Yves Verhoeven. And for good reason: the EU has planned not only to appoint new OSEs in sectors that have not yet been touched, but also to establish a second level of requirements, which is weaker. Thus, Nis 2 distinguishes between two categories of operators: essential entities (another name given by OSE) and significant persons “.

Additional costs expected

Large operators will be more numerous and possibly smaller. They will be offered a more basic level of security that reflects basic hygiene. “, – develops the deputy director of Anssi. After forecast calculations, the agency expects 80% ” important objectss » are small and medium enterprises. ” If everyone makes a real effort, if every SMB, VSE or hospital owner understands that they have a responsibility and that they must allocate a significant and incompressible budget for their cybersecurity, then we can break this dynamic and protect ourselves collectively. Anssi CEO Guillaume Poupart told La Tribune last September. For interested companies, an effort will henceforth be limited by law.

Problem: Even if there is consensus on the idea of ​​improving the overall security of companies in the face of growing threats, both criminal and government, the question of costs should quickly surface. And for good reason: creating new procedures, auditing, and deploying new tools quickly become expensive, especially in companies that have few in-house skills. The Nis directive does not provide budgetary and human resource requirements for information systems security, so a compliance bill may vary from one entity to another. For reference, Guillaume Poupart nevertheless reiterated that the cybersecurity budget should weigh at least 10% of the IT budget.

Faced with this financial fear looming on the horizon, Yves Verhoeven prefers to reassure: ” We talk about rules, and rules always make people grumble. That is why, within 21 months after the publication of the directive, which corresponds to the time of the conversion of the text into French law, we will discuss as much as possible with the organizations concerned in order to give them the opportunity to better understand the subject. We want to build a system together to have an ambitious but realistic level of requirements. We must remember that this is not a matter of regulation for fun, but to respond to a growing threat. »

Local authorities are forced to improve their cybersecurity

In addition to small and medium-sized enterprises, some administrations will also have to comply with new security standards, although they have not been affected so far. ” The revised NIS allows you to go and regulate local authorities and impose cyber security rules on them.rejoices Yves Verhoeven.

Over the past four years, cases of paralysis of cities, regional councils or departments by ransomware (a particularly dangerous type of malware) have accumulated: the Grand Est region, Angers, the departmental council of Aire-et-Loire, La Rochelle. While other favorite targets of cybercriminals, medical facilities, for many of them have already been named OSE, this is not the case for administrations. Depending on characteristics that are yet to be defined, local governments should be classified either as SEA or as significant actors.

The European Union toolkit continues to grow

Niche 1 was the founding text. He clearly positioned the European Union, with the support of all Member States, as a key player in securing critical European infrastructures. “Remembers Yves Verhoeven. Since then, the EU has multiplied texts and mechanisms to standardize the approach to cybersecurity on a continental scale.

The Cybersecurity Law passed last year immortalized Enisa (the European equivalent of Anssi) in addition to creating a set of cybersecurity certification tools to have unified standards. Currently, differences in certificates from one country to another also create disparities in the markets, often in favor of the largest players able to adapt to each country’s standards. Implementation of the Cyber ​​Security Act is slow, but the long-term goal is clear: there should be a uniform level of requirements across the EU.

Also in 2021, the EU finally voted to create European Cyber ​​Competence Center in Bucharest. Its aim will be to support innovation and industrialization of the sector at the European level. According to Yves Verhoeven, she should become ” Center for European Cyber ​​Industrial Policy “.