Cybersecurity & NIS 2: Legal Obligations?

The NIS 2 directive, driven by the European Union, aims to strengthen cybersecurity. Significantly, it broadens protection against cyber threats. Let us therefore examine the entities concerned and the resulting legal obligations.

Guide for IT service providers

Understanding the NIS 2 directive

Building on the first NIS directive of 2016, NIS 2 seeks to bolster cybersecurity. As digital threats intensify, this update extends its scope to a greater number of entities and sectors, thereby promising enhanced protection.

Who is affected by NIS 2?

The directive targets a broad spectrum of entities, ranging from public administrations to SMEs, operating in key sectors. Consequently, if your business falls within one of these sectors or meets certain size and activity criteria, it may have to comply with this directive.

Sectors and applicability criteria

Sectors such as energy, transport, healthcare and digital services are expressly covered. In addition, eligibility rests on criteria such as headcount and turnover. It is therefore crucial to review these criteria to assess whether your entity is concerned.

Your obligations under NIS 2

  • Incident notification: It is essential that entities report any security incident affecting their systems.
  • Adoption of security measures: It is fundamental to implement robust strategies to protect information systems.

Details on the obligations

The obligations are clearly defined, but certain aspects, such as security standards, may differ. Furthermore, supplementary guidance will be provided at the national level.

Oversight and consequences of non-compliance

ANSSI in France, along with other competent authorities within the EU, will ensure compliance with these new obligations. As a result, non-compliant entities face penalties, which will be specified by each Member State.

Preparing for NIS 2

  • Assess your eligibility: Confirm that your entity falls under NIS 2.
  • Review your cybersecurity practices: Identify any gaps relative to the directive's requirements.
  • Plan the necessary adjustments: Ensure that you meet the requirements before the directive comes into force.

Conclusion

NIS 2 represents a notable step towards a more secure digital Europe. By preparing proactively, you will not only meet the legal requirements but also strengthen your entity's resilience against cyber threats. For more information on this regulation and to ensure your compliance, explore cyber.gouv.fr. If you need support, I am at your disposal to assist you as a cybersecurity lawyer.

To learn more

What is the NIS 2 directive?

The NIS 2 directive is the European text that strengthens cybersecurity by broadening the scope of the first NIS directive of 2016. In response to escalating threats, it extends the obligations to a greater number of entities and sectors, in order to raise the level of protection of information systems across the Union.

Who is affected by the NIS 2 directive?

NIS 2 targets a broad spectrum of entities, from public administrations to SMEs, in key sectors such as energy, transport, healthcare and digital services. Eligibility rests on the sector of activity and on size criteria (headcount, turnover). These criteria must be analysed to determine whether you are concerned.

What obligations does the NIS 2 directive impose?

The entities concerned must notify security incidents affecting their systems and adopt robust security measures to protect their information systems. Certain aspects, such as the precise standards, are specified at the national level. Governance and the involvement of management are part of the requirements.

Who oversees compliance with the NIS 2 directive in France?

In France, ANSSI is the competent authority responsible for ensuring compliance with the NIS 2 obligations, alongside the other authorities within the EU. Non-compliant entities face penalties, the terms of which are specified by each Member State when transposing the directive.

How can you prepare for the NIS 2 directive?

Preparation involves three steps: confirming that the entity falls under NIS 2, assessing its cybersecurity practices to identify gaps with the requirements, and then planning the necessary adjustments before the directive comes into force. Anticipating allows you to meet the legal obligations while genuinely strengthening your security.

What penalties apply in the event of non-compliance with NIS 2?

Non-compliant entities face penalties, the terms of which are set by each Member State during transposition. Beyond the fine, directors may be held personally liable. Compliance must therefore be steered at the highest level, rather than treated as a mere technical matter.

What is the difference between NIS 2 and the GDPR?

The GDPR protects personal data and already imposes security obligations and the notification of data breaches to the CNIL. NIS 2 targets, more broadly, the security of networks and information systems, with its own obligations and its own authority, ANSSI. A company may fall under both frameworks, which calls for a coordinated approach.

Is an IT service provider affected by NIS 2?

Potentially yes, if its sector and size bring it within scope. Moreover, since supply chain security is one component of NIS 2, providers not directly subject to it may be called upon by their in-scope clients to demonstrate their level of security. It is best to anticipate this requirement.
