ANSSI’s consultations with the cyber ecosystem have raised a number of debates and questions, but the European directive is still expected to be transposed into French law by the end of the year.

After eight years of loyal service (2016–2024), the Network and Information System Security (NIS1) directive will soon pass the baton to the NIS2 directive. NIS1 was adopted by the European Parliament and the Council of the European Union in July 2016 and transposed into French law in 2018. The NIS2 directive, however, is designed to broaden the scope of NIS1 and provide even greater protection in response to increasingly inventive and effective cybercriminals.

Published in the Official Journal of the European Union on December 27, 2022, NIS2 gives each EU member state 21 months to transpose it into national law. It should come into force in France in the second half of 2024.

Proportionality, new sectors and tougher penalties

New features of NIS2 include a proportionality mechanism that makes a distinction between two categories of regulated entities based on their criticality: essential entities (EEs) and important entities (IEs).

NIS2 also extends the scope to include a wider range of sectors. NIS1 applied to just 19 sectors, while NIS2 will apply to 35. The new sectors include postal and shipping services, industry, agri-food, manufacturing, chemical production and distribution, and waste management. Target companies within these sectors are those with over 50 employees and sales in excess of €1 million.

NIS2 also toughens the sanctions regime, which will apply to all regulated entities. Fines for non-compliance could be as high as €10 million or 2% of worldwide annual sales for EEs, and €7 million or 1.4% of worldwide annual sales for IEs.

Business maturity and resources put compliance at risk

ANSSI has held a number of consultations ahead of the transposition of the NIS2 directive into French law. These included discussions with CESIN (the France-based Information and Digital Security Experts Club) and Hexatrust (a professional association of French and European trusted cybersecurity and cloud specialists, and partner of the InCyber Forum).

“We organized two working groups which conducted two questionnaire-based surveys among our members. This led to some very interesting discussions that gave everyone a chance to express their views. Small businesses were particularly vocal in their concerns about their ability to achieve compliance. For them, scaling up may not be easy, because of either a lack of maturity or a lack of resources,” says Frank Van Caenegem, CESIN board member and Cybersecurity VP and CISO EMEA at Schneider Electric.

For larger organizations, the question is whether they will be able to comply in all member states, given that “there is a non-negligible risk of having to deal with national disparities — in other words, different versions of the directive as a result of ‘localized’ transposition. There is also the question of whether large corporations will be able to use a single portal to report incidents affecting them, or whether they will have 27 different points of contact,” adds Van Caenegem.

Competitiveness at the heart of discussions with the ecosystem

Another topic that came up in discussions with CESIN members was the competitiveness of companies: “With NIS1, we focused on a select group of companies. With NIS2, we’re moving to a model where everyone needs to be involved. Some companies—those never exposed to cybersecurity regulations before—are wondering how they’re going to remain competitive, given the investment NIS2 will entail. Scaling up is not going to be easy for everyone,” says Van Caenegem.

For Jean-Noël de Galzain, Chairman at Hexatrust, ensuring that companies remain competitive is also a concern: “The key question to come out of the discussions that took place within our working group (which includes 50 of our members) and with ANSSI is how we turn adapting to this new directive into a competitive tool for our companies.”

Another facet of the work carried out by Hexatrust and its members is to ensure that the transposition works for certain business sectors. “Some sectors are more sensitive than others, and others are better prepared. ANSSI therefore needs to adapt this directive to what is actually happening on the ground. The advantage for Hexatrust is that we have 130 members, who in turn have hundreds, if not thousands, of customers in many of the sectors impacted by NIS2. We can therefore apply this field knowledge to the transposition, certification and compliance work carried out by ANSSI,” says de Galzain.

Subcontracting chain also impacted

Companies that fall within the scope of NIS2 will also have to check their value chain. “Big companies like Schneider Electric are going to have to contact their subcontractors to find out whether NIS2 applies to them, whether they are essential or important entities, and whether they have a voted budget and a compliance program to ensure they meet the deadlines. We will be contacting regulated third parties in the second quarter of 2024 to find out how much progress they have made. In any case, managing third parties is going to be an important part of the process,” points out Van Caenegem.

He goes on to conclude: “Some service businesses—including installers of electrical, electrotechnical, or IoT equipment—could claim that NIS2 does not apply to them. This could mean that end-to-end chains of trust are broken. It would then be up to the company selling the equipment to carry out audits or provide even more training.”
