Many companies are convinced they comply with regulations because they have up-to-date legal texts, cookie banners, and data processing agreements. However, when a security incident occurs, they discover that documentary compliance does not equal real protection.
As cyber threats increase and many information systems remain inadequately protected, the NIS2 directive (Network and Information Security, Directive (EU) 2022/2555), published in the Official Journal of the European Union in December 2022, represents a unique opportunity to strengthen the digital security of European companies and organizations.
Its implementation will allow thousands of entities involved in citizens' daily lives to protect themselves more effectively against cyberattacks and incidents. Member States were required to transpose it into national legislation by 17 October 2024, so its obligations are already being applied and supervised.
The NIS2 directive builds on the achievements of the NIS 1 directive of 2016 but represents a paradigm shift at both national and European levels. Faced with increasingly sophisticated and well-equipped malicious actors affecting often poorly protected entities, NIS2 expands its objectives and scope to provide more comprehensive protection and strengthen operational resilience. This expansion is unprecedented in cybersecurity regulation, including not only major critical infrastructures but also entities considered “essential” and “important” in sectors such as energy, transport, health, digital services, industry, water, waste management, ICT, and technology providers.
Main requirements of NIS2
NIS2 requires organizations to implement robust cybersecurity measures and adequate internal governance. Key requirements include:
- Continuous cybersecurity risk assessment and management
- Technical and organizational protection of networks and information systems
- Business continuity and incident recovery plans
- Mandatory notification of significant incidents within specified timeframes (an early warning within 24 hours of becoming aware of the incident, a fuller notification within 72 hours, and a final report within one month)
- Supply chain security and vendor control
- Access control and identity management policies
- Employee training and awareness programs
- Direct supervision and accountability of management, which must approve the security measures and can be held liable for non-compliance
Does it include small businesses and entrepreneurs?
Not in general. NIS2 is primarily aimed at medium and large organizations; however, a microenterprise or entrepreneur may be affected, directly or through contractual requirements, if they:
- Provide critical technological services
- Are suppliers to an entity subject to the directive
- Are part of a strategic supply chain
- Manage sensitive digital services
In practice, failure to meet the directive's requirements can break a business relationship, as many organizations in scope will require their suppliers to implement security measures aligned with NIS2 as a condition for operating or contracting.
European cooperation and the role of ANSSI
NIS2 also promotes enhanced cooperation between Member States for cyber crisis management. It formalizes the CyCLONe network (European Cyber Crisis Liaison Organisation Network), which brings together the national cyber crisis management authorities, such as ANSSI (French National Cybersecurity Agency) and its European counterparts, to improve coordination during large-scale incidents and share critical information rapidly.
ANSSI will regularly communicate about NIS2 throughout the national transposition process, guiding companies and stakeholders in complying with the directive and strengthening operational security.
Non-compliance with NIS2 can have direct consequences: administrative fines (up to EUR 10 million or 2% of worldwide annual turnover for essential entities, and up to EUR 7 million or 1.4% for important entities), operational interruptions, loss of client trust, or even termination of business relationships. Beyond the legal obligation, NIS2 encourages organizations to integrate cybersecurity into their corporate strategy, anticipate risks, and test their resilience before an incident occurs.
In this sense, NIS2 is not just a legal directive: it is a strategic tool that protects business continuity, reputation, and client trust. Many companies believe they comply… few have truly tested their resilience.