ISO/IEC 27001, accelerating compliance with the NIS 2 Directive

15 May 2025

NIS 2 – a European directive with a vast scope

Article written by Evolucare for the APSSIS 2025 white paper

Since the early 2010s*, the question of how to protect information systems that are essential to the functioning of nations has become increasingly acute, following the rise of cybercrime and the use of ‘cyber warfare’ capabilities in geopolitical conflicts.

*2009, creation of the ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information) in France


By Lauranne Peyron, CISO-DPO, Evolucare Group

In France, these concerns were enshrined in law as early as 2014, via the 2014-2019 Military Programming Law, which defined “Organisations of Vital Importance” that had to comply with a number of measures aimed at ensuring the security and resilience of their information systems.

This law was followed in 2016 by a European directive, known as “NIS”, which applied a similar logic to “Essential Service Operators”.

In 2022, based on feedback from the implementation of the NIS directive, a new directive, known as “NIS 2”, was passed by the European Parliament. It defines a more precise framework of rules to encourage the harmonisation of security measures on a European scale. Above all, it drastically extends the scope of application by identifying 11 highly critical business sectors and 7 critical business sectors.

The directive applies to all European entities operating in one of the 18 targeted sectors that have annual turnover and balance sheet totals in excess of €10 million, or that employ at least 50 people, with the exact thresholds depending on the sector of activity.

The timetable for implementation in France is unclear, but getting ever closer

As NIS 2 is a European directive, it can only be applied in a Member State once it has been transposed into local law. Following its publication in the OJEU (Official Journal of the European Union) in December 2022, European countries had until mid-October 2024 to vote on their transpositions.

In France, the ‘Resilience’ bill, which contains that transposition, was tabled in parliament on 14 October 2024, passed its first reading in the Senate on 13 March 2025 and, at the time of writing, is being examined by the National Assembly. Once the law has been voted on, a final phase of consultation has been announced on the elements to be specified by decree. The date on which the NIS 2 directive will actually apply in France is therefore still unknown, but should fall in the second half of 2025.

The European directive itself, as a legal text, sets out security objectives rather than concrete and intelligible security measures for the structures concerned. The same will apply to the French bill – the detailed requirements will be contained in a set of rules that will form part of the implementing decree.

This reference framework has been drawn up by the ANSSI (Agence nationale de la sécurité des systèmes d’information), taking into account feedback from compliance with the LPM (Loi de Programmation Militaire) and the first NIS directive, as well as successive consultations with interested stakeholders: professional federations and associations, associations of elected representatives and representatives of local authorities, qualified product and service providers.

This joint development demonstrates ANSSI’s determination to propose a set of rules that are pragmatic and adapted to the organisations that have to implement them.

Harmonisation of the structures of the various reference systems

Ever since IT security emerged as a specific field (later called information systems security, then information security, and now cybersecurity), normative guidelines and standards have been developed to help structure it. Over the years, even though each standard retains its own specific features, they have tended to consolidate around the same pillars, which makes it easier to comply with several standards at once.

For example, the future security requirements of the French transposition of NIS 2 will be aligned with the ANSSI’s 4-pillar framework (Governance, Protection, Detection, Resilience).

[Figure: NIS 2 schema]

Evolucare, ISO 27001 certified since 2023, is confident in its compliance with NIS 2

To date, our sources of information are the text of article 21 of the directive, the elements contained in the “Resilience” bill, as well as the elements shared by the ANSSI during the consultation phases on the construction of the reference framework. From these sources, we know that the French entities covered by the directive will have to comply with twenty rules, which will propose different procedures depending on the categorisation (important or essential) of the entity.

Although certain details have yet to be specified, we can already cross-reference the themes of the rules with the ISO 27001:2022 requirements, and anticipate future compliance.

Some elements are already covered by an ISMS: systems inventory, IS governance, risk mapping, supplier management, human resources, physical security, security incident management, audit, etc.

There will still be a few heavier projects, but the time saved thanks to our ISMS will enable us to devote the necessary efforts to ensuring compliance on time.

Conclusion

The continuing lack of clarity surrounding the transposition of the NIS 2 Directive in France may lead organisations to wait until the last moment before planning their compliance projects. It is also possible that some organisations will only be able to see at the last moment whether they are included in the scope of the directive, or whether they qualify as an important or essential entity.

In this context, initiating an ISO 27001 compliance project, even without the objective of certification, can only be beneficial for the organisation. Regardless of the future impact of the NIS 2 directive (or other regulations), the reflection guided by the ISO 27001 standard will have enabled the company’s management bodies to take a step back from their information system, to consider the risks they need to be able to cope with, and ideally, to initiate projects to increase security maturity.

Protecting our organisations against the ever-increasing number of attacks can often seem like an insurmountable mountain, but step by step, we’re getting to the top of Everest.


Sources

  1. (in French) The space made available to future essential and important entities by ANSSI: https://monespacenis2.cyber.gouv.fr/
  2. (in French) The French legislative dossier on the Assemblée Nationale website: https://www.assemblee-nationale.fr/dyn/17/dossiers/DLR5L17N50731
  3. The NIS 2 Directive: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32022L2555