The NIS 2 Directive aims to strengthen cybersecurity in the European Union by harmonizing requirements for the security of networks and information systems.
It applies to a wide range of entities, including Essential Service Operators (OSEs) and Digital Service Providers (PSDs). Note that Operators of Vital Importance (OIVs) are included among OSEs.
It entered into force on December 27, 2022 and must be transposed into national law by Member States by October 28, 2024 at the latest.
The NIS 2 directive imposes a set of security requirements on Essential Service Operators (OSEs) and Digital Service Providers (PSDs). These requirements are designed to improve the cybersecurity of these entities and reduce the risk of cyberattacks.
Concretely, to comply with the NIS 2 directive, OSEs and PSDs must implement the following security measures:
An information security policy (PSI) is a set of measures and procedures aimed at protecting an entity's information systems. It must cover all of the entity's assets, including data, applications, systems and infrastructure.
The CISO is responsible for the implementation and maintenance of the PSI, and must have the skills and experience necessary to ensure the security of the entity's information systems.
Entity staff must be trained in cybersecurity best practices. This training should cover cyber risks, protective measures and procedures to follow in the event of a security incident.
OSEs and PSDs must put in place security measures to protect the personal data they collect and process. These measures must comply with the requirements of the General Data Protection Regulation (GDPR).
The entity must implement vulnerability management to identify and correct vulnerabilities in its information systems. This management must be adapted to the specific risks of the entity.
The entity must implement an incident management process to respond quickly and effectively to security incidents. This process must be adapted to the entity's specific risks.
The entity must carry out regular security tests to identify vulnerabilities in its information systems. These tests must be adapted to the specific risks of the entity.
Security testing can include security audits, penetration testing, and vulnerability testing.
The NIS 2 Directive applies to a wide range of entities, including Essential Service Operators (OSEs) and Digital Service Providers (PSDs).
OSEs are entities that provide essential services to the economy and society. Operators of Vital Importance (OIVs) are included among the OSEs.
They include entities that provide the following services:
To be considered as OSEs, entities must meet one of the following criteria:
Here are some examples of entities that are considered OSEs:
PSDs are entities that provide digital services of importance to the economy and society. They include entities that provide the following services:
To be considered PSD, entities must meet one of the following criteria:
Here are some examples of entities that are considered PSDs:
The NIS 2 directive strengthens the sanctions that can be imposed on entities that do not comply with its requirements. These penalties are higher than those provided for in the previous NIS directive.
OSEs that fail to comply with the NIS 2 Directive may be fined up to €10 million or 2% of their global annual turnover, whichever is greater.
PSDs that fail to comply with the NIS 2 Directive may be fined up to €7 million or 1.4% of their global annual turnover, whichever is greater.
Sanctions imposed on entities that fail to comply with NIS 2 may have negative effects on those entities, including:
Our team of IT security experts is ready to offer you the audit that best suits your needs and your business.