After eight years (2016-2024), the Network and Information System Security (NIS1) Directive is handing over to the NIS2 Directive which widens its scope and requires organizations to provide more protection.

In line with NIS1, the NIS2 directive strengthens the security standards that certain private companies or public organizations (of which the interruption of business would have a significant impact on society) must meet, failing which they will be sanctioned.

The first significant difference between the two versions of the directive is their scope: NIS1 covered 19 sectors of activity, NIS2 now covers 35.

The new sectors include:

Another change is the addition of a family of target businesses/organizations. Whereas the NIS1 directive only covered one category of strategic organizations (OESs, operators of essential services), NIS2 now makes the difference between two key players: essential entities and important entities.

What are the differences between them?

The scope has therefore been extended from 300 to around 15,000 businesses in France.

The NIS2 directive also takes into account the entire supply chain in response to “supply chain” type attacks that target the subcontractors of software publishers, integrators or any other key players in the value chain. That means that the subcontractors of essential or important entities will also need to comply with the NIS2 obligations.

This taking into account of supply chain-related risks follows a number of high-profile cyber attacks, such as the one that hit Solarwinds in 2020. For several months, the IT infrastructure management software publisher was compromised, unknowingly distributing a software component of its Orion platform containing a back door. According to Solarwinds, up to 18,000 of its customers downloaded the compromised updates. Those organizations included several CAC 40 companies and US government departments.

NIS2 also differs from NIS1 in that its sanctions regime has been strengthened. A sanction covering a percentage of the worldwide sales of the entity in question will now be applicable for non-compliance with the directive:

The NIS2 Directive approach is to encourage essential and important entities to take appropriate and proportionate technical, operational and organizational measures to manage security-related network risks and those of the information systems they use.

The measures are based on an “all-risk” approach to protecting networks and information systems as well as their physical environment from incidents.

They include the following elements:

Essential and important entities must also implement procedures to:

The directive recommends enhanced security, in particular through the use of cryptography and data encryption technologies. For example, the use of multi-factor or continuous authentication solutions, secure voice, video and text communications, and secure emergency communication systems inside the entity is also strongly encouraged.

Another important point to note is that the NIS2 directive encourages the entities concerned to use certified products. Article 24 states that: “To demonstrate compliance with particular requirements of Article 21, Member States may require essential and important entities to use particular ICT products, ICT services and ICT processes, developed by the essential or important entity or procured from third parties, that are certified under European cybersecurity certification schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881 (Cybersecurity Act). Furthermore, Member States shall encourage essential and important entities to use qualified trust services”.

As part of NIS2, the use of more encryption and certified products implies calling on specialist players. Certification is at the heart of PRIM’X’s strategy: certificates are maintained and reissued for different versions and platforms to keep pace with developments in technology, the state of the art in cryptography, and threats. In addition to certifications, our encryption solutions pass national, trans-national or market-specific counter-assessments.

The purpose of the NIS2 directive is to strengthen the resilience of French and European organizations. Even though the level of cyber maturity of French companies is rising (49%, compared to 46% a year ago), it is still insufficient to provide lasting protection from the multitude of cyber threats according to the latest  benchmark edition by consulting firm Wavestone