“The NIS 2 Directive will considerably widen its scope of action, and increase the number of OSE-ranked actors by 10.” – Guillaume Poupard, former Director General of the French National Cybersecurity Agency (ANSSI).
Published in December 2022, the Network and Information Security (or NIS 2) Directive replaces directive NIS 1 and strengthens the harmonization of cybersecurity standards in various Member States.
Furthermore, it increases not only the number of private and public operators concerned, but also their corresponding cybersecurity obligations.
NIS 2 applies to all organizations, whether private or public, with at least 50 employees or an annual turnover of over 10 million euros that operate in one of the 18 sectors of activity listed in its annexes (11 "highly critical" sectors and 7 "other critical" sectors).
The Operator of Essential Services and Digital Service Provider categories under NIS 1 have now been replaced with the Essential Entity and Important Entity categories subject to similar obligations but different supervisory frameworks.
Under French law, the transposition is not expected to radically change either the institutional cybersecurity structure managed by the French National Cybersecurity Agency (ANSSI) or the obligations already imposed on operators of vital importance and operators of essential services.
All operators, whether private or public, should now determine whether they fall within the scope of the new directive. If so, they should prepare for the new obligations that will apply to how their information systems (IS) are managed.

Part of French cybersecurity law is expected to change in the coming months with the transposition of the directive on measures for a high common level of cybersecurity across the Union (known as the Network and Information Security 2 directive, or NIS 2), published in December 2022. This directive replaces an earlier version (the Network and Information Security directive, or NIS 1) and strengthens the harmonization of cybersecurity standards across Member States.
Directive (EU) 2022/2555 of 14 December 2022 on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148 (NIS 2 Directive)
Directive (EU) 2016/1148 of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union
1) Changes in the Cybersecurity Framework since 2006 in France
France has been considering the concept of critical infrastructure for over two decades. This awareness arose after the 11 September 2001 terrorist attacks. A first framework for operators of vital importance was set up in 2006; a second step, in 2013, extended it to the cybersecurity threat.
General interministerial instruction No. 6600 relating to the security of activities of vital importance of 7 January 2014
1.1 Creation of the Operator of Vital Importance (OIV) Framework (2006)
The decree of 23 February 2006 defines activities of vital importance as a “set of essential activities that contribute to produce indispensable goods or services.” These activities are grouped into 12 sectors of activities of vital importance (SAIV), each tied to a supervisory ministry. This mechanism has made it possible to designate both private and public Operators of Vital Importance (OIV), whose list is confidential but whose number is currently estimated at around 300.
Decree No. 2006-212 of 23 February 2006 Relating to the Security of Activities of Vital Importance
The 12 sectors are: Food; Water Management; Health; State Civil Activities; State Military Activities; Judicial Activities; Energy; Finance; Transportation; Communications (electronic communications, audiovisual and information); Industry; Space and Research.
1.2 Extension of the OIV Protection Mechanism to cybersecurity (2013)
To address new cyber threats, article 22 of the French Military Programming Law of 18 December 2013 (Law No. 2013-1168) created a special legal framework for the security of the information systems of OIVs. France thereby became the first country in Europe to implement a mandatory cybersecurity mechanism for its critical infrastructure.
OIVs are required, among other things, to design and implement a security policy for their information systems subject to approval, to submit a map of their information systems (IS) to the National Cybersecurity Agency (ANSSI), to partition their ISs, and to notify ANSSI without delay of incidents affecting the functioning or security of their ISs. Breach of these rules is punishable by a €150,000 fine.
To ensure their digital security, OIVs must use products and services that meet ANSSI-certified security and trust requirements.
The OIV framework is not affected by the NIS 2 framework and should therefore remain the same.
The French National Cybersecurity Agency (ANSSI) was created by decree No. 2009-834 of 7 July 2009. It is placed under the authority of the Prime Minister and attached to the French General Secretariat for Defence and National Security (SGDSN).
1.3 Strengthening the Cybersecurity of Essential Operators at European Level
The NIS 1 directive created a reference European cybersecurity framework based on minimum harmonization, subjecting two categories of actors to specific obligations: Operators of Essential Services (OES) and Digital Service Providers (DSP).
Transposed into French law by the law of 26 February 2018, the NIS 1 directive established a general framework for the security of information systems, with obligations largely drawn from those applicable to OIVs, which remain in force. This framework is expected to change with the transposition of the NIS 2 directive, as are the security rules set out in the order of 14 September 2018.
OESs fall under 7 strategic sectors of activity (energy, transport, banking, financial market infrastructure, health, drinking water supply and distribution, digital infrastructure) and provide at least one of the services set out in the annex to decree No. 2018-384 of 23 May 2018 relating to the security of the networks and information systems of operators of essential services and digital service providers.
Implementing Regulation 2018/151 of 30 January 2018 laying down measures applicable to digital service providers
Law No. 2018-133 of 26 February 2018 on various provisions to adapt to EU law in the domain of security
Order of 14 September 2018 setting out security rules and deadlines relating to the networks and information systems of operators of essential services and digital service providers

Created in 2018, the Digital Service Provider category mainly comprises providers of cloud computing services, online search engines and online marketplaces with a turnover of over 10 million euros or at least 50 employees. This label will disappear, its members being absorbed into the new categories created under NIS 2.
2) NIS 2: A New Step for European Harmonization of Cybersecurity
Given the number, scale, sophistication and impact of cyber-attacks, the European Union has decided to raise the minimum level of security required of Member States for their network and information systems. Published in the Official Journal on 27 December 2022, the NIS 2 directive is to be transposed by the French General Secretariat for Defence and National Security (SGDSN) and ANSSI, with work starting in 2023 and a transposition deadline of 17 October 2024.
2.1 Definition of “Essential and Important Entities”
To harmonize across the European Union, the “Operator of Essential Services” qualification has been dropped: under NIS 1, each Member State was free to identify the relevant entities itself. The NIS 2 directive creates two new categories, Essential Entities and Important Entities, and sets out mandatory qualification criteria applicable to all Member States.
Consequently, the directive covers all private or public entities with at least 50 employees or a turnover of over 10 million euros that operate in the sectors of activity it lists; certain entities (such as DNS service providers, TLD name registries and qualified trust service providers) are covered regardless of size. Public administration entities active in defence, national security, public security or law enforcement, as well as the judiciary, parliaments and central banks, are excluded and remain governed by special frameworks.
Each Member State must establish a list of essential and important entities no later than 17 April 2025. Entities in the highly critical sectors that exceed the ceilings for medium-sized enterprises qualify as essential; other entities meeting the size criteria are considered important by default.
The sectors of activity set out in the NIS 2 directive are:
- “highly critical sectors” (Annex I): energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management (business-to-business), public administration, space;
- “other critical sectors” (Annex II): postal and courier services, waste management, manufacture, production and distribution of chemicals, production, processing and distribution of food, manufacturing (medical devices, computer, electronic and optical products, electrical equipment, machinery, vehicles, etc.), digital providers (online marketplaces, online search engines, social networking platforms), research.
Within digital infrastructure, the directive also covers cloud computing services (IaaS, PaaS, SaaS and NaaS) and data centre services, i.e. facilities devoted to the centralized hosting, interconnection and operation of IT and network equipment for data storage, processing and transport.
Some sectors of activity are already subject to specific cybersecurity regulations (for example energy, transport, electronic communications networks and services, and the financial sector with DORA). NIS 2 supplements these rules, or gives way to them where a sector-specific EU act imposes requirements at least equivalent to its own (the lex specialis principle).
2.2 Wider and more constraining obligations
The NIS 2 Directive defines a minimum level of cybersecurity requirements and tasks Member States with ensuring that essential and important entities meet it. The obligations placed on these entities do not differ much from those set out in the NIS 1 directive; the main difference between the two directives lies in the level of supervision. Under NIS 2, essential entities are subject to both ex ante and ex post supervision, while important entities are only subject to a lighter, ex post supervision.
Member States may modulate these obligations to respect proportionality between the constraints imposed and the criticality of the entity. ANSSI has already opened discussions with professional associations to jointly define the scope of future regulated entities and the obligations that will apply to them, so that they are relevant and sustainable.
The NIS 2 Directive notably provides for the following:
- Obligation to notify the competent authority or CSIRT of incidents that could significantly disrupt service operations, following a staged schedule: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month;
- Possibility for the Member State to require relevant entities to use products or services certified under a European cybersecurity certification scheme, or under a national scheme recognized as equivalent (such as ANSSI’s SecNumCloud in France or the BSI’s C5 in Germany);
- Possibility for the supervisory authority to subject essential entities (directly or through a qualified service provider) to a number of additional measures (on-site inspections, off-site supervision, security audits, evidence of implementation of cybersecurity policies, etc.).
2.3 Increased Power to Sanction
Member States must provide for effective, proportionate and dissuasive fines for failure to fulfil the obligations set out in the directive. Essential entities face administrative fines of up to at least 10 million euros or 2% of their total worldwide annual turnover, whichever is higher. Important entities face administrative fines of up to at least 7 million euros or 1.4% of their total worldwide annual turnover, whichever is higher.
National authorities may also temporarily prohibit natural persons with management responsibilities in an essential entity (such as the chief executive or legal representative) from exercising managerial functions in that entity until the breach is remedied.
Although the foundations of cyberdefence and cybersecurity policy have not changed, awareness of the many possible entry points for cyberattacks now justifies extending the duty of vigilance and the cybersecurity obligations to a larger number of actors, at national and European level. Other regulations under discussion in Brussels will supplement the NIS 2 directive in the coming months. This is therefore the start of a period of transition and skills development for business and institutional managers.