From cybersecurity to resilience: at the heart of REC, DORA & NIS 2 transpositions
The year 2022 marked a pivotal moment for the harmonization of cybersecurity standards across Europe with the adoption of three major directives: NIS 2, DORA, and REC. Looking ahead to 2025, Arnaud Martin (CESIN) anticipated that it would be “a regulatory year.” These directives, which aim to strengthen the European Union’s cybersecurity, affect tens of thousands of companies and their suppliers. They also impose greater accountability on corporate leadership teams, who are now held responsible for the resilience of their organizations.
The goal: systemic robustness
However, cybersecurity remains “uncharted territory for most executives, whose understanding is far less developed compared to environmental standards,” observed Maxence Demerlé, digital director at MEDEF. This lack of awareness is compounded by widespread shortages in skills and budgets across companies. “Eighty-five percent of organizations have an IT budget below €5,000,” Demerlé continued, pointing to the particularly acute challenges faced by small businesses: “How can we support SMEs?” she asked. “We need clarification and harmonization.” An attendee echoed the sentiment, emphasizing the need for a “one-stop cyber shop.”
In response, Senator Vanina Paoli-Gagin, vice-chair of the special committee on the transposition of cybersecurity directives, sought to reassure the audience. “We are working towards a positive transposition. Our companies need flexibility and timeframes. Let us not forget that the primary objective of these directives is to collectively achieve systemic robustness.”
A potential shortage of qualified providers?
The transposition process has involved consultation with the relevant ecosystem. Arnaud Martin, risk director at Caisse des Dépôts and a CESIN board member, noted that “of the 1,000 CISOs in CESIN, 150 participated in the NIS2 working groups. While 90% of them find the directive’s requirements clear, 30% are unable to determine whether they are subject to it. Furthermore, seven out of ten CISOs believe that NIS2 will be difficult to implement, particularly because regulatory budgets compete with other priorities within organizations.”
A similar concern arises over the availability of qualified providers. With many focusing their efforts on DORA, “isn’t there a risk of shortages for NIS2?” Martin queried.
Indeed, the implementation of the DORA directive, which applies to the banking sector, appears to be well underway. This is partly because the sector is highly regulated (notably by the ACPR) and benefits from significant resources. Even so, the cost of compliance with DORA is substantial: “€10 million for a major banking institution,” estimated CESIN’s representative. “DORA involves 148 measures impacting up to six departments within organizations. It sets out a clear and strict framework, requiring the involvement and training of executive committees and employees, resilience testing, and robust third-party management.”
“Legislative mammoths” to fill a regulatory gap
The European Commission has also delved into “an exceptionally high level of detail” with its NIS2 implementing regulation issued on October 18th, directly targeting critical digital service providers (cloud, data centers, DNS). According to Marc-Antoine Ledieu, lawyer at Ledieu Avocats, this regulation establishes “a draconian regime for digital infrastructure.”
In practice, the regulation mirrors the “42 cybersecurity hygiene measures outlined by ANSSI, but in more detail: zero-trust architecture, network segmentation, identity and access management, multi-factor authentication, risk analysis, etc.”
“These measures come with incident notification requirements (reports to regulators within 24 hours, 72 hours, and 30 days) and an obligation to inform B2B clients,” Ledieu added. While these measures might seem burdensome for organizations and their suppliers, Ledieu justified their scope. “For 50 years, there was no cybersecurity legislation. Meanwhile, cybercrime has become extremely profitable and has industrialized on a global scale.”
Most successful attacks exploit basic vulnerabilities
This gap between organizations’ low cybersecurity standards and attackers’ sophistication explains the surge in successful cyberattacks and data breaches, especially against a backdrop of geopolitical tensions. It was this realization that prompted ANSSI to draft its renowned cybersecurity hygiene guide in 2017, outlining 42 measures designed to address the most common vulnerabilities identified during its interventions.
Drawing from his own experience, Thomas Gayet, former CERT lead at Lexsi (Orange Cyberdefense) and Digital.Security (Eviden), and now CEO of cyber rating agency Scovery, explained, “Most intrusions are basic. Across the 300 interventions I’ve handled in my career, 75% exploited vulnerabilities in basic hygiene measures. And 65% of these successful attacks occurred through the supply chain.” This observation inspired Scovery’s creation, offering a solution to “audit an organization’s attack surface and provide an initial assessment to guide further security and compliance audits—while also evaluating supply chain risks.”
Where is law enforcement? Addressing the lack of criminal response
Strengthening the resilience of businesses must not overshadow efforts to address the source of attacks—cybercriminals themselves. This was a key concern raised by an attendee at the Caserne des Célestins: “What are institutions doing? We hear too little from regulators. And what about magistrates? Are they trained on these issues? What kind of criminal response is provided to victims?”
For Marc-Antoine Ledieu, “Prosecutors, like everywhere else, are unfortunately lagging. Unable to apprehend perpetrators, regulators have resorted to penalizing negligence. We will not see effective criminal justice as long as the cybercrime economy continues to thrive in countries like Russia.”
The French cybersecurity community, while still relatively unknown to the general public, includes an ecosystem of actors recognized throughout Europe and often at the forefront, from the CNIL and ANSSI to the gendarmerie and national police. This includes the cybercrime unit at the Paris Police Prefecture, established as early as 1994, the national police’s cybercrime office, and the work of deputy prosecutor Johanna Brousse at the Paris Judicial Court.
So why is cybercrime so difficult to eradicate? General Marc Watin-Augouard, founder of the InCyber Forum and moderator of the roundtable, offered his perspective: “Cybercrime has become the crime of the 21st century.” Large-scale, highly organized, colluding with certain states, and transnational, it demands robust international cooperation. Initiatives such as Interpol’s collaborative efforts have already led to the arrest and dismantling of numerous cybercriminal groups. But could this global approach also be complemented by more… offensive measures?