NIS2 Lawyer

Are you subject to the NIS2 Directive? Identify your obligations, structure your cyber governance and secure your supply chain before the deadlines.

Schedule a call

Context

NIS2, a step change for digital security

The NIS2 Directive considerably broadens the scope of companies subject to cybersecurity obligations. Whereas the first NIS Directive targeted a limited number of operators, NIS2 affects thousands of entities classified as essential or important, across a great many sectors: energy, healthcare, transport, digital, food and agriculture, and many others.

The entities concerned must implement risk management measures, notify significant incidents and involve their management in cyber governance. The transposition into French law clarifies the scope of these obligations, non-compliance with which exposes companies to penalties and their executives to liability.

Problem

Thousands of companies concerned, often without knowing it

The first challenge of NIS2 is knowing whether you are concerned. Many companies are unaware that they fall within the broadened scope of the Directive, having failed to analyse their sector and size precisely. Others discover their obligations late, even though achieving compliance takes time and requires the involvement of management.

The risk is real: penalties, executive liability, and increased exposure in the event of an incident. Added to this is the pressure of the supply chain, where companies not directly subject to the Directive are asked by their regulated clients to demonstrate their level of security. Navigating these obligations without support exposes companies to classification errors and incomplete compliance.

Solutions

A clear path to NIS2 compliance

I support you in achieving NIS2 compliance, from classifying your situation to operational follow-up.

I first determine whether you are concerned and on what basis, as an essential or important entity, by analysing your sector and your size. I then carry out an assessment of your level of security and governance, and identify the gaps to be closed.

I help you deploy the required measures: risk management, incident notification procedures, governance involving management, securing the supply chain. Finally, I provide ongoing follow-up, to maintain your compliance and support you in the event of a reportable incident.

Method

Our method

Classification of your entity

I determine whether your company falls within the scope of NIS2 and on what basis, as an essential or important entity, according to your sector and size. This classification determines the exact extent of your obligations and the competent authority.

Assessment and gap analysis

I carry out an assessment of your level of security and governance against the NIS2 requirements. The gap between what exists and what is required sets the priorities for the work needed to achieve compliance.

Compliance and governance

I support you in the deployment: risk management measures, incident notification procedures, governance involving management, contractual securing of your supply chain. Each obligation is translated into concrete, documented actions.

Follow-up and incident management

I provide ongoing follow-up: maintaining documentation, support in the event of a reportable incident, adaptation to regulatory clarifications. Your NIS2 compliance remains operational and up to date in the face of developments.

FAQ

Questions?

What is the NIS2 Directive?

NIS2 is the European directive on the security of network and information systems, which succeeds the first NIS Directive. It aims to raise the level of cybersecurity across the Union by imposing on the entities concerned risk management measures, incident notification obligations and the involvement of their executives. It significantly broadens the number of sectors and companies subject to these obligations.

Is my company subject to NIS2?

NIS2 distinguishes between essential entities and important entities, according to their sector and size. A great many sectors are covered: energy, transport, healthcare, water, digital infrastructure, ICT services, public administration, space, but also food and agriculture, manufacturing, waste management and others. A precise analysis of your activity and size is necessary to determine whether you are concerned and on what basis.

What obligations does NIS2 impose?

The entities concerned must implement technical and organisational risk management measures (risk analysis, systems security, incident handling, business continuity, supply chain security), notify significant incidents within short deadlines, and involve their management body, which must approve the measures and may incur liability.

What penalties apply in the event of non-compliance with NIS2?

NIS2 provides for significant penalties, with differentiated caps depending on whether the entity is essential or important. Beyond fines, the authorities have injunction and oversight powers, and executive liability may be incurred. Compliance is therefore not optional: it must be steered at the highest level of the company.

How do you achieve compliance with NIS2?

The process begins by determining whether you are concerned and on what basis, then by an assessment of your level of security against the requirements. This is followed by an action plan: technical and organisational measures, notification procedures, governance, securing the supply chain. Documentation and the involvement of management are key elements of compliance.

Does NIS2 concern the supply chain?

Yes. Supply chain security is an important component of NIS2: the entities concerned must take into account the risks associated with their suppliers and service providers. This requires assessing these risks and contractually framing security requirements with subcontractors. Even companies not directly subject to the Directive may be asked to comply by their regulated clients.

What is the relationship between NIS2 and the GDPR?

NIS2 and the GDPR are complementary but distinct. The GDPR protects personal data and already imposes an obligation of security and of notifying breaches to the CNIL. NIS2 more broadly targets the security of network and information systems, with its own obligations and authorities. A company may be subject to both, which calls for a coordinated approach to compliance and incident management.

When should you prepare for NIS2?

Right now. Achieving compliance takes time: classifying your situation, assessment, deploying measures, structuring governance and documentation. Companies that plan ahead avoid facing the deadline in a rush and turn the constraint into an asset for security and credibility with their clients and partners.

We support tech and commerce companies with dual legal and technical expertise, from analysis to implementation.

Let's discuss your project

Need to secure a contract, manage compliance, or anticipate a dispute? Our first meeting is designed to understand your needs and clearly explain how we can help.

Book an appointment