
NIS2: The challenge of scaling up


Cybercrime has seen exponential growth since the late 2000s. So much so that its impact on economic activity in France amounted to more than 110 billion euros in 2024, according to the Statistica Institute. It is precisely to address this “intensification of cyberattacks in Europe” that the European Union adopted the NIS2 Directive in December 2022. This goal of collective resilience is all the more crucial in “the current geopolitical context, which increases the dual necessity of strategic autonomy and a digital sovereignty strategy within the European Union,” said Véronica Gaffey, Director-General for Digital Services of the European Commission, on April 2nd.
Currently being transposed into French law through the “Resilience” bill adopted by the Senate in March, the NIS2 Directive represents “a paradigm shift,” in the words of ANSSI Director-General Vincent Strubel. Indeed, the law expands the number of organizations regulated by public authorities from 500 to more than 15,000—and likely even more when considering all stakeholders in the supply chains of the 18 critical sectors identified by the European text. But will all of these public and private organizations—with such varied levels of maturity and budgets—be able to “scale up” and improve their level of cybersecurity?
How to integrate the economic fabric of small businesses?
“SMEs, VSEs, and mid-size companies are the entities most affected by ransomware compromises,” noted ANSSI in its latest Cyberthreat Panorama. Among them, VSEs and SMEs have less than 2,000 euros to devote to cybersecurity, observed Cybermalveillance.gouv.fr, and 68% of them do not consider themselves ready to face a cyberattack. This explains why “60% of SMEs attacked file for bankruptcy within 18 months,” according to the CESIN 2024 report cited by Véronique Torner (Numeum). These challenges are even greater when considering that “15,000 cybersecurity positions remain unfilled in France,” added the Numeum representative, who advocates for increased gender diversity in the sector to address the shortage.
The issue is all the more critical as “the rise of private offensive cyber companies (LIOP)” has made available to a wide range of cybercriminals “capabilities that were previously the preserve of the most advanced states in cyber matters,” warned ANSSI in its Panorama. To confront this, the agency recommends that organizations implement a strategy of “defense in depth,” often going beyond the 42 basic cybersecurity hygiene measures identified by the agency since 2017. However, have all public and private organizations been adequately informed about these complex issues, particularly in regional areas? In a context of deteriorating international relations, the question of securing regulated SMEs is even more critical given that these include the majority of the 4,500 SMEs with fewer than 50 employees that form our defense industrial and technological base (BITD).
A framework adapted to regional needs
Nevertheless, VSEs and SMEs affected by NIS2 can already rely on support from the Cybermalveillance.gouv.fr platform to implement security, monitoring, or incident response policies. Indeed, “85% of victims seeking to be connected with a local service provider for technical remediation are matched with a provider in under an hour, 24/7,” said Jérôme Notin in the pages of Cyberleaders magazine, 2025 edition. For its part, ANSSI has provided NIS2 organizations with the “My Cyber Services” initiative, announced Vincent Loriot, Deputy Director of the Strategy Sub-Directorate of the agency, adding that “a simplified framework will be offered to SMEs to help them take an essential first step, with an economically sustainable level of security.”
However, all of these measures could be undermined if senior management teams fail to fully grasp the reality of cyber risks. Some may be tempted to be “compliant for compliance’s sake, at the risk of turning compliance into bureaucracy, to the detriment of concrete protection actions,” warned CESIN representative Frank Van Caeneghem. On the contrary, only through shared responsibility can “CISOs co-construct clear governance by working hand in hand with finance, communication, and technical teams within their organizations.” The CISO must indeed be “a conductor and a guide, capable of mastering regulations and certifications, and of rallying the necessary financial and human resources,” said Frank Van Caeneghem.