Digital
Are you subject to the NIS2 Directive? Identify your obligations, structure your cyber governance and secure your supply chain before the deadlines.
Context
The NIS2 Directive considerably broadens the scope of companies subject to cybersecurity obligations. Whereas the first NIS Directive targeted a limited number of operators, NIS2 affects thousands of entities classified as essential or important, across a great many sectors: energy, healthcare, transport, digital, food and agriculture, and many others.
The entities concerned must implement risk management measures, notify significant incidents and involve their management in cyber governance. The transposition into French law clarifies the scope of these obligations, non-compliance with which exposes companies to penalties and their executives to liability.
Problem
The first challenge of NIS2 is knowing whether you are concerned. Many companies are unaware that they fall within the broadened scope of the Directive, having failed to analyse their sector and size precisely. Others discover their obligations late, even though achieving compliance takes time and requires the involvement of management.
The risk is real: penalties, executive liability, and increased exposure in the event of an incident. Added to this is the pressure of the supply chain, where companies not directly subject to the Directive are asked by their regulated clients to demonstrate their level of security. Navigating these obligations without support exposes companies to classification errors and incomplete compliance.
Solutions
I support you in achieving NIS2 compliance, from classifying your situation to operational follow-up.
I first determine whether you are concerned and on what basis, as an essential or important entity, by analysing your sector and your size. I then carry out an assessment of your level of security and governance, and identify the gaps to be closed.
I help you deploy the required measures: risk management, incident notification procedures, governance involving management, securing the supply chain. Finally, I provide ongoing follow-up, to maintain your compliance and support you in the event of a reportable incident.
I determine whether your company falls within the scope of NIS2 and on what basis, as an essential or important entity, according to your sector and size. This classification determines the exact extent of your obligations and the competent authority.
I carry out an assessment of your level of security and governance against the NIS2 requirements. The gap between what exists and what is required sets the priorities for the work needed to achieve compliance.
I support you in the deployment: risk management measures, incident notification procedures, governance involving management, contractual securing of your supply chain. Each obligation is translated into concrete, documented actions.
I provide ongoing follow-up: maintaining documentation, support in the event of a reportable incident, adaptation to regulatory clarifications. Your NIS2 compliance remains operational and up to date in the face of developments.
FAQ
NIS2 is the European directive on the security of network and information systems, which succeeds the first NIS Directive. It aims to raise the level of cybersecurity across the Union by requiring the entities concerned to adopt risk management measures, incident notification obligations and the involvement of their executives. It significantly broadens the number of sectors and companies subject to these obligations.
NIS2 distinguishes between essential entities and important entities, according to their sector and size. A great many sectors are covered: energy, transport, healthcare, water, digital infrastructure, ICT services, public administration, space, but also food and agriculture, manufacturing, waste management and others. A precise analysis of your activity and size is necessary to determine whether you are concerned and on what basis.
The entities concerned must implement technical and organisational risk management measures (risk analysis, systems security, incident handling, business continuity, supply chain security), notify significant incidents within short deadlines, and involve their management body, which must approve the measures and may incur liability.
NIS2 provides for significant penalties, with differentiated caps depending on whether the entity is essential or important. Beyond fines, the authorities have injunction and oversight powers, and executive liability may be incurred. Compliance is therefore not optional: it must be steered at the highest level of the company.
The process begins by determining whether you are concerned and on what basis, then by an assessment of your level of security against the requirements. This is followed by an action plan: technical and organisational measures, notification procedures, governance, securing the supply chain. Documentation and the involvement of management are key elements of compliance.
Yes. Supply chain security is an important component of NIS2: the entities concerned must take into account the risks associated with their suppliers and service providers. This requires assessing these risks and contractually framing security requirements with subcontractors. Even companies not directly subject to the Directive may be asked to comply by their regulated clients.
NIS2 and the GDPR are complementary but distinct. The GDPR protects personal data and already imposes an obligation of security and of notifying breaches to the CNIL. NIS2 more broadly targets the security of network and information systems, with its own obligations and authorities. A company may be subject to both, which calls for a coordinated approach to compliance and incident management.
Right now. Achieving compliance takes time: classifying your situation, assessment, deploying measures, structuring governance and documentation. Companies that plan ahead avoid facing the deadline in a rush and turn the constraint into an asset for security and credibility with their clients and partners.
We support tech and commerce companies with dual legal and technical expertise, from analysis to implementation.

Resources
Need to secure a contract, manage compliance, or anticipate a dispute? Our first meeting is designed to understand your needs and clearly explain how we can help.