The NIS 2 directive will force thousands of companies to invest to better protect themselves

Thousands of companies will be required by law to raise their IT security. The decision comes from the highest European political level, and in France it is the National Information Systems Security Agency (Anssi) that will be tasked with ensuring compliance.

In January, when it began, the French Presidency of the Council of the European Union (PFUE) set out to be "extremely ambitious on digital sovereignty and cybersecurity". Among the key goals of that political window, France intended to conclude negotiations on the revision of the Network and Information Security Directive (better known as NIS) in late 2021. Done: on 12 May, a political agreement was reached between the Commission, Parliament and the Council on the text, even if some technical details have not yet been settled. "We welcome it," says Yves Verhoeven, Anssi's Deputy Director for Strategy, speaking to La Tribune on the occasion of the International Cybersecurity Forum (FIC).

Up to 150,000 companies and organizations are involved

The first version of this text, adopted in 2016, led to the designation of dozens of organisations as "operators of essential services" (OSE), which "provide an essential service, the interruption of which would have a significant impact on the functioning of the economy or society", according to Anssi's definition. As a result, these bodies carry at least 23 additional cybersecurity obligations, both technical and in matters of governance and relations with the authorities.

The NIS Directive covered banking, financial markets, energy, healthcare, transport, drinking water management and telecommunications. Its revised version, NIS 2, extends its reach to public administrations, as well as to waste management, large-scale food distribution, Internet access providers, and even postal services.

As a result, after NIS 1 the number of European operators subject to regulation was estimated at 15,000. "With NIS 2 this number must be multiplied by 8 or 10," warns Yves Verhoeven. And not without reason: the European Union plans not only to designate new operators in sectors it did not previously cover, but also to establish a second, less demanding tier of requirements. NIS 2 thus distinguishes two categories of operators: "essential entities" (the new name given to OSEs) and "important entities".

Additional costs are expected

"There will be more essential entities, and above all smaller ones. They will be offered a more basic level of security that reflects basic hygiene," says Anssi's Deputy Director. After running the forecast, the agency expects 80% of "important entities" to be SMEs. "If everyone makes a real effort, if every head of an SME, mid-sized company or hospital understands that he has a responsibility and that he must allocate a small but non-negotiable budget to his cybersecurity, then we will be able to break this momentum and defend ourselves collectively," Anssi Director General Guillaume Poupard told La Tribune last September. For the companies concerned, that effort will from now on be framed by law.

The problem: even if there is a consensus on raising the overall security of companies in the face of growing threats, both criminal and state-sponsored, the question of cost will quickly arise. And for good reason: creating new procedures, carrying out audits and deploying new tools quickly become expensive, especially in companies with few in-house skills. The NIS Directive sets no budgetary or staffing requirements for information systems security, so the compliance bill may differ from one organisation to another. For reference, Guillaume Poupard has repeated that the cybersecurity budget should weigh at least 10% of the IT budget.

Faced with this financial fear looming on the horizon, Yves Verhoeven prefers to reassure: "We are talking about rules, and rules always make people grumble. That is why, during the 21 months following publication of the directive, which is the time allowed to transpose the text into French law, we will discuss as much as possible with the organisations concerned so that they can better understand the subject. We want to build a system together that has an ambitious but realistic level of requirements. We must remember that this is not a matter of entertainment, but of responding to a growing threat."

Local authorities are forced to improve their cybersecurity

In addition to small and medium-sized businesses, the new security standards will have to be met by some public administrations, which until now were not covered. "The updated NIS allows us to regulate local authorities and impose cybersecurity rules on them," Yves Verhoeven welcomes.

Over the last four years there have been cases where cities, regional councils or departments were paralysed by ransomware (a type of malicious software): the Grand Est region, Angers, the Eure-et-Loir council, La Rochelle. While the other favourite targets of cybercriminals, medical facilities, have in many cases already been designated as OSEs, this was not the case for administrations. Depending on criteria that have yet to be determined, local authorities will be classified either as essential entities or as important entities.

The European Union’s toolkit continues to grow

"NIS 1 was the founding text. It clearly positioned the European Union, with the support of all Member States, as a key player in the security of Europe's critical infrastructures," Yves Verhoeven recalls. Since then, the EU has multiplied texts and mechanisms to standardise the approach to cyber on a continental scale.

Last year's Cybersecurity Act made Enisa (the European counterpart of Anssi) permanent, in addition to creating cybersecurity certification tools intended to produce unified standards. At present, differences in certification from one country to another also create inequality in the markets, often in favour of the largest players able to adapt to each country's standards. Implementation of the Cybersecurity Act is slow, but the long-term goal is clear: there must be a single level of requirements throughout the EU.

Also in 2021, the EU finally voted to create a European Cybersecurity Competence Centre in Bucharest. Its aim will be to support innovation and the industrialisation of the sector at European level. According to Yves Verhoeven, it should become "the central hub of European cyber-industrial policy".