The introduction of the NIS 2 Directive represents an essential response to the growing cyber threat. Published in December 2022, it offers a unique opportunity for entities that influence citizens' daily lives to strengthen their ability to protect themselves against cyber-attacks. By imposing preventive measures and assessing potential risks, this directive aims to secure infrastructures and minimize the impact of attacks.
Summary
- What is the NIS 2 Directive?
- Who is affected by NIS 2?
- What are the obligations related to this directive?
- What are the consequences and fines for non-compliance with the NIS 2 directive?
- How can our DOT Anonymizer solution for anonymizing personal and identifying data help you comply with NIS 2?
- Conclusion
1. What is the NIS 2 Directive?
The NIS 2 Directive, the successor to the earlier NIS 1 Directive, constitutes a major change in the national and European cybersecurity landscape. This development stems from the European Union's cybersecurity strategy, announced in December 2020, which called for the revision of the NIS Directive and the adoption of a new directive on the resilience of critical entities. It aims to unify cybersecurity practices across the European Union and to broaden its scope to a greater number of entities, covering a wider range of business sectors.
In the face of rapidly evolving cyber threats, this transition to NIS 2 is necessary to guarantee the EU's collective digital security. The directive imposes obligations on operators of essential services and providers of digital services, and member states must identify the operators subject to enhanced requirements. Transposing NIS 2 into member states' national law by October 2024 represents a major challenge, but one that is essential to strengthening resilience in the face of growing cyber threats. By January 17, 2025, member states must inform the European Commission of the rules and measures they have adopted.
2. Who is affected by NIS 2?
The NIS 2 directive defines more than 18 sectors concerned, separated into critical and highly critical sectors. It will affect around 600 distinct types of entity, including a variety of administrations of all sizes, as well as businesses ranging from SMEs to CAC40 groups.
It introduces several significant changes, including the expansion of the number of highly critical sectors from seven to eleven. These sectors now include energy, transport, banking, financial market infrastructures, digital infrastructures, drinking water, wastewater, food (from production to delivery), healthcare, public administration, and space.
Digital infrastructures, with their growing importance, cover a wide range of activities, including Internet service providers, DNS services, cloud solutions, data centers, content delivery services, trust services and public electronic communications networks.
Size criteria, such as number of employees or turnover, also determine the inclusion of entities in the directive. In addition, the directive covers almost all medium-sized and large companies operating in the EU internal market, including those located outside the EU but essential to its market.
3. What are the obligations related to this directive?
The NIS 2 directive, in line with the GDPR, focuses on securing information systems while preserving the protection of personal data, creating an integrated compliance challenge for the entities concerned.
NIS 2 also imposes various obligations on entities with the aim of strengthening resilience in the face of cyber threats. These entities are required to:
- Report major IT security incidents to the relevant authorities and affected individuals within 24 hours of their occurrence.
- Submit to security audits in order to receive recommendations and meet strict security standards. These obligations cover risk analysis, information systems security, incident management, business continuity, supply chain security, the acquisition, development and maintenance of information systems, and the use of multi-factor authentication solutions.
- Comply with minimum security measures, such as the implementation of policies on risk analysis, incident management, business continuity plans, human resources security, the use of secure communication tools, and much more.
NIS 2 distinguishes between two categories of entity: certain mid-sized companies (ETI) will be classified as important entities (EI), while others will be considered essential entities (EE). Depending on their classification (EE or EI), and in accordance with the principle of proportionality, they will not be subject to the same requirements; the parties concerned will be consulted so that their specific characteristics are taken into account.
Each EU member state must communicate a list of its essential and important entities by April 17, 2025, and this list must be regularly reviewed.
4. What are the consequences and fines for non-compliance with the NIS 2 directive?
In France, ANSSI has enhanced supervisory powers, which vary depending on whether the supervised entity is essential or important. Essential entities may be subject to ex ante control, even in the absence of security incidents, as well as to ex post control. Important entities, on the other hand, are subject only to ex post control, triggered by a security incident or by indications of non-compliance. ANSSI is empowered to carry out on-site or remote inspections, including targeted security audits, security scans and requests for information on the security measures adopted by the entity.
Fines for non-compliance:
NIS 2 also provides for administrative fines in the event of non-compliance, with ceilings set in national law, including 10 million euros or 2% of worldwide annual sales for essential entities, and 7 million euros or 1.4% of worldwide annual sales for important entities.
These fines may be imposed by competent authorities, such as ANSSI, and may be accompanied by additional penalties in the event of non-cooperation by the entity concerned.
5. How can our DOT Anonymizer solution for anonymizing personal and identifying data help you comply with NIS 2?
DOT Anonymizer is a major tool for compliance with the NIS 2 directive, offering a high-performance solution for the anonymization of personal and identifying data.
Although it does not explicitly specify data anonymization obligations, the NIS 2 directive nevertheless encourages IT security strategies that may encompass this practice. It imposes high standards for digital risk prevention, incident reporting and supply chain security, thus indirectly suggesting the adoption of anonymization to improve data security.
DOT Anonymizer eliminates the possibility of exploiting the data in the event of a security breach. This helps strengthen the resilience of information systems against cyber threats and bring companies into line with NIS 2 security requirements.
6. Conclusion
The NIS 2 Directive represents a significant step forward in strengthening cybersecurity within the European Union. By extending security obligations and introducing enhanced monitoring mechanisms, it aims to harmonize data protection practices across different sectors. Ultimately, the NIS 2 Directive is essential to preserve citizens' confidence in a safe and secure European cyberspace.