The hybrid era and the NIS 2 Directive: a call for enhanced cybersecurity
With the advent of hybrid work, cloud services, artificial intelligence and mobility, flexibility has become a watchword. However, this much-prized flexibility comes at a price that cannot be ignored: a clear increase in cybersecurity risk.
This is nothing new: cyber attacks evolve constantly and always seek to exploit weaknesses in systems. With the multiplication of connection points and endpoints, the attack surface has never been wider, which leaves companies more exposed.
Faced with this changing landscape, the European Union, working closely with ENISA (the European Union Agency for Cybersecurity), has taken firm measures to ensure a common high level of cybersecurity across the EU: the European Parliament adopted the NIS 2 Directive (Network and Information Security 2) on November 10, 2022.
An improvement of the NIS directive
This directive is not a novelty in itself but an improvement on the first directive, known as NIS, adopted in July 2016. It imposes stricter rules on incident reporting, crisis management, participation in EU-CyCLONe (the European cyber crisis liaison organisation network) and awareness raising.
Another major development is the expansion of its scope, and in particular of the sectors subject to the regulation. It now covers not only technology giants, digital service providers and online platforms, but also medium-sized organizations of 50 employees or more and public administrations, as well as new sectors such as postal services, space, food and waste water management. This is a necessity at a time when these critical sectors are favoured targets of cybercriminals, because they play a major role in the economy, the safety of citizens, logistics and the essential services on which society depends.
Member States must transpose the Directive into national law no later than October 17, 2024.
Are companies ready to meet the requirements of NIS 2?
What is at stake? Better preparedness for cyber threats. According to ANSSI, the directive should apply to thousands of entities across 18 sectors, and yet, according to a Cisco study, only a small fraction (7%) of organizations in France appears ready to meet these obligations. This is alarming, because it is crucial for them to start complying with NIS 2 now in order to avoid the fines and penalties that will apply in a year's time, the details of which will be set by the transposing laws of each Member State. The directive already sets the following maximum levels:
- Fines of up to 10 million euros or 2% of total worldwide annual turnover, whichever is higher, for essential entities, and fines of up to 7 million euros or 1.4% of total worldwide annual turnover, whichever is higher, for important entities.
- In addition to financial penalties (as with the GDPR), the directive provides for temporary bans on exercising management functions in case of non-compliance with cybersecurity obligations. Management bodies and managers are held responsible for implementation.
How should the public and private sectors prepare?
To begin with, the authorities must create clear and effective regulatory frameworks. Too often, companies are mired in restrictive bureaucracy that hinders rather than helps. Simplified processes are needed, without sacrificing rigour.
On the business side, the approach must be pragmatic. The new rules should not be treated as simple checkboxes but as levers for improving security. With the advent of the cloud, mobility and hybrid work, even SMEs have the means to strengthen their cybersecurity posture. This can involve more in-depth training of employees to build company-wide awareness of cybersecurity issues. SMEs can also take advantage of diagnostic services, such as the one offered by Bpifrance, which help them identify their exposure to cyber threats and design a concrete action plan to close the gaps in their IT security. Companies also have access to a range of solutions that cybersecurity vendors and service providers have gradually unified and simplified, as well as services such as cybermalveillance.gouv.fr to support them throughout the process.
In conclusion, while the NIS 2 Directive is a step in the right direction, it also reminds us of the importance of a proactive approach to cybersecurity. It is a collective responsibility: regulators, companies and users must join forces to create a safe digital environment.