The hybrid era and the NIS 2 directive: a call for reinforced cybersecurity


With the advent of new hybrid work models, uses of the cloud, artificial intelligence and mobility, flexibility has become a watchword. However, this much-prized flexibility comes at a price that we cannot ignore: an undeniable increase in cybersecurity risks.

This is nothing new: cyberattacks are constantly evolving, always seeking to take advantage of system flaws. With the proliferation of connection points and endpoints, the attack surface has never been larger, and businesses are correspondingly more exposed.

Faced with a changing landscape, the European Union, in close collaboration with ENISA (the European Union Agency for Cybersecurity), has taken firm measures to ensure a common high level of cybersecurity across the EU, with the vote by the European Parliament on the NIS 2 (Network and Information Security 2) directive on November 10, 2022.

An improvement to the NIS directive

This directive is not new in itself, but an improvement of the first directive adopted in July 2016, known as NIS, imposing stricter rules on incident reporting, crisis management, cooperation with the European cyber crisis liaison network EU-CyCLONe, and awareness.

A major development also concerns the broadening of its scope of application, and in particular of the sectors subject to this regulation. Today, not only technology giants, digital service providers and online platforms are concerned, but also medium-sized organisations from 50 employees and local authorities, as well as new areas such as postal services, space, food and even wastewater management. This is a necessity at a time when these critical sectors are favoured targets for cybercriminals, because they play a major role in the economy, the safety of citizens, logistics and the services essential to the proper functioning of society.

Member States must transpose this directive into national law by October 17, 2024 at the latest.

Are businesses ready to meet the requirements of NIS 2?

The challenge? Better preparation for cyber threats. According to ANSSI, the directive should apply to thousands of entities across more than 18 sectors, and yet, according to a Cisco study, only a small fraction (7%) of organisations in France appears ready to meet these requirements. This finding is alarming, because it is crucial for them to comply with NIS 2 now in order to avoid potential fines and penalties in a year's time; the exact amounts will be set by the laws transposed in each Member State of the European Union. The directive already sets the following ceilings:

  • Fines of up to 10 million euros or 2% of total worldwide annual turnover for essential entities, and fines of up to 7 million euros or 1.4% of total worldwide annual turnover for important entities.
  • In addition to financial sanctions (as we see with the GDPR), the directive provides for temporary bans on exercising management functions in the event of non-compliance with cybersecurity obligations. Management bodies and managers will be held responsible for implementation.

How should the public and private sectors prepare?

To begin, authorities must create clear and effective regulatory frameworks. Too often, businesses are mired in burdensome bureaucracy that hinders rather than helps. It is necessary to implement simplified processes, without sacrificing rigor.

On the business side, the approach must be pragmatic. New regulations should not be seen as simple boxes to check, but as levers to improve security. With the advent of the cloud, mobility and hybrid working, even SMEs have the means to strengthen their cybersecurity posture. This may involve more in-depth training for employees in order to raise general awareness of cybersecurity issues within the company. SMEs can also benefit from diagnostic services, such as the one offered by Bpifrance, which allows these companies to identify their vulnerabilities to cyber threats and to design a concrete action plan to fill the gaps in their IT security. Businesses also have access to the various solutions that cybersecurity service and product providers have gradually unified and simplified, as well as to services such as cybermalveillance.gouv.fr to support them throughout this process.

In conclusion, while the NIS 2 directive is a step in the right direction, it also reminds us of the importance of a proactive approach to cybersecurity. It is a collective responsibility: regulators, businesses and users must join forces to create a safe digital environment.
