GDPR
The NIS 2 directive, driven by the European Union, aims to strengthen cybersecurity. Significantly, it broadens protection against cyber threats. Let us therefore examine the entities concerned and the resulting legal obligations.
Reading time: 2 min
Building on the first NIS directive of 2016, NIS 2 seeks to bolster cybersecurity. As digital threats intensify, this update extends its scope to a greater number of entities and sectors, thereby promising enhanced protection.
The directive targets a broad spectrum of entities, ranging from public administrations to SMEs, operating in key sectors. Consequently, if your business falls within one of these sectors or meets certain size and activity criteria, it may have to comply with this directive.
Sectors such as energy, transport, healthcare and digital services are expressly covered. In addition, applicability depends on criteria such as headcount and turnover. It is therefore crucial to review these criteria to assess whether your entity is concerned.
The obligations are clearly defined, but certain aspects, such as the applicable security standards, may vary; supplementary guidance will be provided at the national level.
ANSSI in France, along with the other competent authorities within the EU, will oversee compliance with these new obligations. As a result, non-compliant entities face penalties, which will be specified by each Member State.
NIS 2 represents a notable step towards a more secure digital Europe. By preparing proactively, you will not only meet the legal requirements but also strengthen your entity's resilience against cyber threats. For more information on this regulation and to ensure your compliance, explore cyber.gouv.fr. If you need support, I am at your disposal to assist you as a cybersecurity lawyer.
To learn more
The NIS 2 directive is the European text that strengthens cybersecurity by broadening the scope of the first NIS directive of 2016. In response to escalating threats, it extends the obligations to a greater number of entities and sectors, in order to raise the level of protection of information systems across the Union.
NIS 2 targets a broad spectrum of entities, from public administrations to SMEs, in key sectors such as energy, transport, healthcare and digital services. Applicability depends on the sector of activity and on size criteria (headcount, turnover). These criteria must be analysed to determine whether you are concerned.
The entities concerned must report security incidents affecting their systems and adopt robust security measures to protect their information systems. Certain aspects, such as the precise standards, are specified at the national level. Governance and the involvement of management are part of the requirements.
In France, ANSSI is the competent authority responsible for ensuring compliance with the NIS 2 obligations, alongside the other authorities within the EU. Non-compliant entities face penalties, the terms of which are specified by each Member State when transposing the directive.
Preparation involves three steps: confirming that the entity falls under NIS 2, assessing its cybersecurity practices to identify gaps with the requirements, and then planning the necessary adjustments before the directive comes into force. Anticipating allows you to meet the legal obligations while genuinely strengthening your security.
Non-compliant entities face penalties, the terms of which are set by each Member State during transposition. Beyond the fine, directors may be held personally liable. Compliance must therefore be steered at the highest level, rather than treated as a mere technical matter.
The GDPR protects personal data and already imposes security measures and the notification of breaches to the CNIL. NIS 2 targets, more broadly, the security of networks and information systems, with its own obligations and its own authority, ANSSI. A company may fall under both frameworks, which calls for a coordinated approach.
Potentially yes, if its sector and size bring it within scope. Moreover, since supply chain security is one component of NIS 2, providers not directly subject to it may be called upon by their in-scope clients to demonstrate their level of security. It is best to anticipate this requirement.