
NIS2: Who stands to gain?


Although the European Commission set October 17, 2024, as the deadline for transposing the NIS2 directive, EU countries are progressing at different speeds. Belgium, Italy, Latvia, Lithuania, Hungary, and Croatia acted ahead of the deadline and are among the front-runners, as highlighted in a Wavestone analysis on the subject.
In France, the transposition of NIS2 is expected to be incorporated into a resilience bill that also covers the REC (Resilience of Critical Entities) and DORA directives. However, the dissolution of the National Assembly in June 2024 significantly “disrupted” the process and, for now, no precise date has been announced (most likely mid-2025).
Compliance with NIS2: Significant differences between large corporations and SMEs
Within the affected companies, compliance with NIS2 is being experienced differently. “Among the 500 largest French groups, NIS2 will cause very little disruption. Already compliant with ISO 27001 and – for some – with DORA, large corporations are already highly advanced in regulatory matters. And most importantly, these entities have been addressing their security needs for a very long time.
As for mid-sized companies (ETIs), they are already covered by NIS2 and will therefore be forced to spend a little more. However, the big unknown concerns SMEs, because in the absence of transposition, we do not yet know precisely where and how the rules will apply,” explains Éric Domage, cybersecurity analyst at PAC France.
During Cybermoi/s 2024, the website Cybermalveillance.gouv.fr commissioned OpinionWay to conduct a study on the level of cyber protection among French SMEs and VSEs. The study reveals that 61% of French companies with fewer than 250 employees consider themselves poorly protected in terms of cybersecurity. Additionally, 72% have no employees dedicated to this task, and for 68% of them, the IT security budget is less than €2,000 per year.
“Most of the time, SMEs consider themselves ‘somewhat equipped’ for cybersecurity. They have either an updated antivirus or firewall, some automated defense software, or a security suite sold by their telecom operator. To meet NIS2 requirements, these companies will not have the means to hire a Chief Information Security Officer (CISO). They will, in most cases, turn to a consulting firm or managed services provider as close to them as possible.
The funds spent by all SMEs will generate an increase in overall expenditures, and it is likely that service companies (consulting first and managed services later) will benefit,” notes Éric Domage.
Who profits from the NIS2 financial windfall?
Among the players already benefiting from this financial windfall from SMEs is Orange Cyberdefense. “This company has been positioning itself for a year in this market, selling service bundles with integrated consulting. Thanks to its regional distribution network (regional agencies), it is advancing rapidly, particularly with its Micro-SOC offers (a managed solution for endpoint and server detection and protection) and the Orange Cybersecure pack. But we must keep in mind that Orange Cyberdefense primarily sells services, so if there is growth, the service segment will benefit,” adds Éric Domage.
Another champion of service is Hub One, a digital technology operator for businesses and a subsidiary of the ADP Group. “Hub One provides Level 1 defense (N1). It outsources Levels 2 and 3 to specialized providers. However, with automation and AI, Level 1 is gradually disappearing,” comments Éric Domage.
Among the specialized providers are Microsoft and its security suite, Palo Alto and Fortinet with their respective specialties, as well as Cato Networks and its SASE platform. “In the SME market, which is a sustainable market, we see highly capable and reputable providers taking the lead in the second tier, but none of them are European. So, ultimately, raising everyone’s security level through NIS2 for the benefit of all, within a European bloc logic, is perfect, but we just missed one thing: channeling these funds toward the European cybersecurity industry,” analyzes Éric Domage.
Fortinet, one of the actors mentioned by Éric Domage, provides its perspective through its EMEA CISO, Alain Sanchez: “Regarding NIS2, the players who will come out on top are those who understand the three facets of the issue: technical, business, and legal aspects. Companies’ demands no longer allow for siloed approaches today. Increasing collaboration between these three facets is now necessary. Fortinet’s vision has always been to merge networking and security within a ‘security-driven networking’ approach, which positions us on the first two pillars. Regarding compliance, we operate on the following assumption: ‘Whoever sees the network sees the company.’ We are therefore capable of extracting the necessary information and ensuring it is useful to decision-makers,” concludes Alain Sanchez.