Revision significantly expands number of critical bodies subject to cybersecurity requirements.

The European directive on network and information security (NIS) dates from July 2016. The European Union passed its revised version, the NIS2, on November 28, 2022. The bill considerably expands the range of organizations subject to security requirements, increasing their number from 300 to 10,000 in France.

The directive defines two criticality levels: “essential” and “important”. The eleven “essential” industries are: energy, transportation, banking, financial markets infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, government, and space.

The seven “important” industries are: postal and shipping services; waste management; chemicals; agri-foodstuffs; medical, computer and automotive; digital providers; and research. National legislatures can also add or remove industries and entities according to their specific needs.

The NIS2 directive mandates new requirements for businesses in the above industries, in particular:

  • reducing the time it takes to report incidents to their respective CSIRTs;
  • strengthening cybersecurity standards;
  • mandatory cyber risk training for employees;
  • regular security auditing.

Member States have until October 17, 2024, to write the NIS2 directive into their national laws. In France, it is at the consultation stage for the second half of 2023. A draft transposition is expected in early 2024.
