NIS 2 Directive


The NIS 2 Directive aims to strengthen cybersecurity in the European Union by harmonizing requirements for the security of networks and information systems.

It applies to a wide range of entities, including Essential Service Operators (OSEs) and Digital Service Providers (PSDs). Note that Operators of Vital Importance (OIVs) are included among the OSEs.

It entered into force on December 27, 2022 and must be transposed into national law by Member States by October 28, 2024 at the latest.

NIS 2 requirements

The NIS 2 directive imposes a set of security requirements on operators of essential services (OSEs) and digital service providers (PSDs). These requirements are designed to improve the cybersecurity of these entities and reduce the risk of cyberattacks.

General requirements

  • Implement a comprehensive information security program (ISP).
  • Appoint an information security manager (CISO).
  • Train staff in cybersecurity.
  • Carry out regular security tests.
  • Implement security measures for personal data.

Specific requirements for OSEs

  • Identify critical assets.
  • Define critical risk scenarios.
  • Implement security measures for critical assets.
  • Communicate security incidents to national cybersecurity authorities.

Specific requirements for PSDs

  • Implement security measures for user data.
  • Implement vulnerability management.
  • Implement an incident management process.

Measures to be put in place

Concretely, to comply with the NIS 2 directive, OSEs and PSDs must implement the following security measures:

Implement an information security program (ISP)

An ISP is a set of measures and procedures aimed at protecting an entity's information systems. It must cover all of the entity's assets, including data, applications, systems and infrastructure.

Appoint a Chief Information Security Officer (CISO)

The CISO is responsible for implementing and maintaining the ISP, and must have the skills and experience necessary to ensure the security of the entity's information systems.

Train staff in cybersecurity

Entity staff must be trained in cybersecurity best practices. This training should cover cyber risks, protective measures and procedures to follow in the event of a security incident.

Implementation of security measures for personal data

OSEs and PSDs must put in place security measures to protect the personal data they collect and process. These measures must comply with the requirements of the General Data Protection Regulation (GDPR).

Implementation of vulnerability management

The entity must implement a vulnerability management process to identify and correct vulnerabilities in its information systems. This process must be tailored to the entity's specific risks.

Implementation of an incident management process

The entity must implement an incident management process so that it can respond quickly and effectively to security incidents. This process must be tailored to the entity's specific risks.

Carry out regular security tests

The entity must carry out regular security tests to identify vulnerabilities in its information systems. These tests must be tailored to the entity's specific risks.

Security testing can include security audits, penetration testing, and vulnerability testing.

Who is affected by the NIS 2 directive?

The NIS 2 Directive applies to a wide range of entities, including Essential Service Operators (OSEs) and Digital Service Providers (PSDs).

OSE

OSEs are entities that provide essential services to the economy and society. Entities designated as OIVs (Operators of Vital Importance) are included among the OSEs.

They include entities that provide the following services:

  • Electricity, water and gas.
  • Telecommunications services.
  • Financial services.
  • Transportation services.

To be considered as OSEs, entities must meet one of the following criteria:

  • The entity provides an essential service whose failure would cause significant disruption to the economy or society.
  • The entity operates critical infrastructure whose compromise would cause significant disruption to the economy or society.

Here are some examples of entities that are considered OSEs:

  • Electricity suppliers, such as EDF and Engie.
  • Water suppliers, such as Veolia and Suez.
  • Gas suppliers, such as Engie and TotalEnergies.
  • Telecommunications service providers, such as Orange, SFR and Bouygues Telecom.
  • Banks, such as BNP Paribas, Société Générale and Crédit Agricole.
  • Airlines, such as Air France-KLM and Lufthansa.
  • Railway companies, such as SNCF and Deutsche Bahn.

PSD

PSDs are entities that provide digital services of importance to the economy and society. They include entities that provide the following services:

  • Social networks.
  • Search engines.
  • Payment services.
  • Cloud computing services.
  • Online health services.
  • Online education services.

To be considered a PSD, an entity must meet one of the following criteria:

  • The entity provides a digital service whose failure would affect a large number of end users.
  • The entity collects or processes personal data in large quantities or of a sensitive nature.

Here are some examples of entities that are considered PSDs:

  • Social networks, such as Facebook, Twitter and TikTok.
  • Search engines, such as Google and Bing.
  • Payment services, such as PayPal, Visa and Mastercard.
  • Cloud computing services, such as Amazon Web Services, Microsoft Azure and Google Cloud Platform.
  • Online health services, such as Doctolib and Qare.
  • Online education services, such as Coursera and Udemy.

NIS 2 Directive Sanctions

The NIS 2 directive strengthens the sanctions that can be imposed on entities that do not comply with its requirements. These penalties are higher than those provided for in the previous NIS directive.

Sanctions for OSEs

OSEs that fail to comply with the NIS 2 Directive may be fined up to €10 million or 2% of their global annual turnover, whichever is greater.

Sanctions for PSDs

PSDs that fail to comply with the NIS 2 Directive may be fined up to €7 million or 1.4% of their global annual turnover, whichever is greater.

Effects of sanctions

Sanctions imposed on entities that fail to comply with NIS 2 may have negative effects on those entities, including:

  • Loss of trust from customers and partners can have a negative impact on the business activities of the entities concerned. Customers and partners may be less likely to do business with entities that are not NIS 2 compliant.
  • A fall in stock market value can also have a negative impact on the entities concerned. Investors may be less likely to invest in entities that are not NIS 2 compliant.
  • An increase in compliance costs can also have a negative impact on the affected entities. Entities must invest financial and human resources to comply with the NIS 2 directive.

Need an IT security audit?

Our team of IT security experts is ready to offer you the audit that best suits your needs and your business.

Your satisfaction and security are our priorities.
