NIS 2: how can business leaders gain a clearer understanding?


70% of organisations will suffer a digital attack within the next three years[1]. The proliferation of cyberattacks has made IT security a key strategic priority for businesses and public authorities.

In this context, the European NIS 2 directive reinforces information system security obligations. It aims to harmonise practices and raise the overall level of cybersecurity within Member States. The transposition of the NIS 2 directive into French law is currently underway. However, managers must already be considering and preparing for its impact on their organisation's cyber strategy.

NIS 2, a European directive to anticipate

What is the scope of NIS 2?

Adopted in December 2022, the NIS 2 (Network and Information Security) directive replaces the original version that came into force in 2016. It has a clear objective: to strengthen cybersecurity within the European Union and ensure greater resilience to cybersecurity threats.

The emergence of artificial intelligence, the widespread use of cloud services and the rapid digitisation of business processes have created new areas of cyber risk. This is why the NIS 2 Directive is broadening its scope to cover more European players.

NIS 2: which companies will be affected?

Essential entities

‘Essential entities’, also known as ‘organisations of vital importance’ (OVIs), refer to organisations whose failure would have a direct impact on the continuity of services and economic activity. They include operators in the energy, transport, health, financial services, water distribution and digital infrastructure sectors.

These players will be required to implement strict cybersecurity measures, carry out regular risk analyses and notify the competent authorities of any significant incidents. Their responsibility also extends to their service providers and subcontractors.

Important entities

‘Important entities’, or Essential Service Operators (ESOs), include large companies which, while not critical, contribute to the smooth functioning of the economy: digital suppliers, IT service providers, technology manufacturers and certain local authorities. [Local authorities](https://www.boardofcyber.io/ressources/blog/conformite-et-reglementation-en-cybersecurite/nis2-et-collectivites-territoriales) with more than 30,000 inhabitants will be directly affected, as will public operators managing digital administrative services. These structures will have to strengthen their internal policies, document their security plans (PSSI) and prove their compliance in the event of an audit. The [Île-de-France region](https://www.boardofcyber.io/ressources/blog/_listing-articles/mutualiser-les-evaluations-fournisseurs-pour-renforcer-la-resilience-collective-bernard-giry-region-ile-de-france) has already begun this process through the mutualised evaluation of suppliers for all municipalities with more than 30,000 inhabitants.

What impacts can be expected and why tackle this now?

Even though the French regulatory framework has not yet been finalised, the NIS 2 directive already highlights the risks associated with the supply chain. Every link in the chain (direct suppliers, service providers, etc.) widens the potential attack surface, and protecting the networks and information systems of the entire chain can be complex to implement and time-consuming for CISO (RSSI) teams.

The directive also introduces a shared responsibility approach. An incident involving a third party can impact a company's compliance. This requires increased vigilance in the selection and monitoring of partners, as well as enhanced coordination between the IT department, the legal department and the business units. Cyber risk must therefore be controlled at the national level (parent companies, head offices, ministries, etc.), regional level (branches, warehouses, public establishments for inter-municipal cooperation, etc.) and local level (shops, municipalities, etc.).

Beyond sanctions, NIS 2 encourages managers to take ownership of their organisation's cyber governance. Material resources (hardware, security software, etc.), human resources and financial resources must enable CISO teams to strengthen the company's cyber compliance and resilience in the long term.

Finally, the NIS 2 Directive more broadly encompasses public actors (municipalities with more than 30,000 inhabitants, EPCI, etc.). Local authorities will have to comply in two important areas:

  • Organisational: smaller municipalities will have to appoint a CISO and integrate cybersecurity into the local authority's strategy.
  • Operational: this involves defining a process for managing and handling incidents (with notifications), supervising the supply chain, training staff and carrying out cyber compliance audits.

For all these reasons, organisations must take immediate action to implement the NIS 2 requirements. [Achieving compliance](https://www.boardofcyber.io/cas-dusage/ameliorer-sa-conformite) can take time: diagnosis, governance, action plans, skills development, etc.

Preparing for NIS 2: assessing your position and identifying areas for improvement

Assessing your maturity with regard to regulations

The NIS 2 directive is part of a demanding European and French regulatory framework:

  • DORA for operational resilience in the financial sector,
  • ISO 27001 for information system security,
  • GDPR for personal data protection,
  • HDS for health data hosting,
  • AI Act for securing the use of AI in Europe.

For executives, the first step is to analyse the regulations and standards to which their companies are subject. Then, they must take stock of their current security policies and validate compliance points. This gap analysis identifies discrepancies with the requirements of various regulatory texts, particularly NIS 2.

For example, a company may already have a continuity plan that complies with ISO 27001 but may not yet have activated incident notifications within 24 hours, as required by NIS 2.

Solutions such as [Trust HQ®](https://www.boardofcyber.io/nos-solutions/gouvernance-et-tpcrm) make it possible to monitor and analyse NIS 2 requirements by domain (governance, detection, remediation, etc.) using automatic indicators such as compliance percentages. This overview gives a clear view of the priorities to address in order to achieve compliance without overburdening CISO teams.

Assessing systemic risk related to third parties

The NIS 2 directive reinforces the consideration of third-party risk. Companies must demonstrate their ability to assess, monitor and control cyber risk and the impact of a failure by their partners and suppliers.

In fact, 98% of companies work with a third party that has suffered a data breach. Despite robust security policies, an inadequately protected service provider can introduce a critical vulnerability into the information system. This residual risk blinds CISOs to the actual level of security.

This is why implementing [Third-Party Cyber Risk Management (TPCRM)](https://www.boardofcyber.io/ressources/blog/gestion-des-fournisseurs-et-des-risques-tiers-tprm-tpcrm/third-party-risk-management-maitriser-les-risques-lies-a-vos-fournisseurs) is essential. Thanks to non-intrusive automated third-party rating solutions, companies can analyse their suppliers en masse, classify them according to their level of criticality and monitor cyber risk over time.

In the same vein, local authorities and public bodies must adopt a [cyber governance approach](https://www.boardofcyber.io/nos-solutions/gouvernance-et-tpcrm). In concrete terms, this means integrating both their suppliers and the public entities attached to them (regional agencies, municipalities, etc.), even if they are not directly affected by NIS 2 requirements. Ultimately, the aim is to support local entities as they mature and to ensure consistency of practices across the entire territory. The Île-de-France region is funding the assessment of 500 third parties. This pooling of resources with local authorities in the Île-de-France region makes it possible to produce reports on third-party risk with three objectives in mind: reducing costs, improving collective operational resilience and preparing public entities for NIS 2.

Controlling your external attack surface

Controlling cyber risk across the entire supply chain requires accurate mapping of the external attack surface. To better protect yourself, you must first identify areas of exposure and vulnerabilities. This involves analysing all assets accessible from the Internet – websites, IP addresses, servers, APIs, cloud applications, etc. – which can represent potential entry points for an attacker.

[External Attack Surface Management (EASM)](https://www.boardofcyber.io/ressources/blog/gestion%20des%20vuln%C3%A9rabilit%C3%A9s%20et%20surveillance%20des%20menaces/external-attack-surface-management-evaluer-prioriser-remedier) tools automate this mapping and detect new vulnerabilities (exposed services, vulnerable configurations, forgotten domains, etc.). Controlling the attack surface reduces the risk of intrusion and helps prioritise remediation actions, as required by the NIS 2 directive.

Board of Cyber helps executives anticipate NIS 2

Faced with regulatory complexity, business leaders and elected officials must combine compliance requirements, cyber risk management and performance management.

A toolkit for managing cyber resilience

Board of Cyber provides a suite of technological tools designed to help executives and CISOs better understand their own cyber performance. The goal: to give them a clear, measurable and continuous view of their risk exposure.

Board of Cyber tools enable automated and structured assessment of cyber maturity, both internally and externally. The aim is to quickly identify critical vulnerabilities, prioritise risks and track remediation actions.

The Board of Cyber method for structuring your TPRM approach

With NIS 2 on the horizon, third-party risk management (TPRM) is becoming a key component. Board of Cyber helps organisations implement a systematic approach based on three steps:

  1. Define classification criteria

When faced with a large number of suppliers (several dozen or even hundreds), critical third parties must be given special attention. To do this, classification criteria are used to assess the level of risk of each supplier.

Is the supplier interconnected with your IT system? Does it manage personal or strategic data? Does it create dependency (no alternative)?

These criteria are used to rank suppliers according to their level of exposure and impact in the event of failure.

  2. Establish a criticality matrix

Based on these criteria, each supplier is positioned according to its importance to the organisation and the associated level of risk. This tiering must be able to evolve so as to take into account the changes brought about by NIS 2. This continuous supplier assessment process allows controls and improvement actions to be prioritised.

  3. Adapt the assessment system to the identified criticality

This final step consists of choosing the information-collection mechanisms according to the level of criticality. Many organisations have already implemented questionnaires with proof of compliance, consolidated within tools such as Trust HQ® (particularly during the tendering phase). Companies also include audit clauses in their contracts, mainly for suppliers or services deemed critical.

However, these systems become time-consuming when they have to be activated for several hundred suppliers. This is why an initial cross-functional diagnosis allows the cyber risk assessment of hundreds of service providers to be automated. This leads to the identification of third parties that could be subject to a security questionnaire or audit. This automatic assessment is based on a non-intrusive cyber rating system such as Security Rating®, which evaluates an organisation's cyber performance.
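As an added illustration of the three steps above (not Board of Cyber's own method, nor the Trust HQ® or Security Rating® products), the following Python sketch applies assumed classification criteria, an assumed criticality matrix and per-tier collection measures to a constructed supplier portfolio; the criteria weights, tier thresholds and supplier names are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Supplier:
    name: str
    interconnected: bool   # criterion: connected to our information system?
    sensitive_data: bool   # criterion: processes personal or strategic data?
    no_alternative: bool   # criterion: dependency, no substitute supplier?
    impact: int            # 1..3 consequence of its failure (assumed scale)

# Step 2: criticality matrix, (exposure band, impact) -> tier 1..3; thresholds assumed.
MATRIX = {
    ("low", 1): 3, ("low", 2): 3, ("low", 3): 2,
    ("medium", 1): 3, ("medium", 2): 2, ("medium", 3): 1,
    ("high", 1): 2, ("high", 2): 1, ("high", 3): 1,
}
# Step 3: collection measures per tier; the non-intrusive rating covers everyone.
MEASURES = {
    1: ["external rating", "questionnaire with evidence", "contractual audit clause"],
    2: ["external rating", "questionnaire with evidence"],
    3: ["external rating"],
}

def exposure_score(s: Supplier) -> int:
    """Step 1: one point per classification criterion met (0..3)."""
    return int(s.interconnected) + int(s.sensitive_data) + int(s.no_alternative)

def exposure_band(score: int) -> str:
    return "low" if score == 0 else "medium" if score == 1 else "high"

def tier(s: Supplier) -> int:
    """Step 2: position the supplier in the matrix (1 = most critical)."""
    return MATRIX[(exposure_band(exposure_score(s)), s.impact)]

def assessment_plan(suppliers):
    """Step 3: rank by tier, then exposure and impact, and attach measures."""
    ranked = sorted(suppliers, key=lambda s: (tier(s), -exposure_score(s), -s.impact))
    return [(s.name, tier(s), MEASURES[tier(s)]) for s in ranked]

# Constructed sample portfolio, not real suppliers.
SAMPLE = [
    Supplier("cloud-erp-host", True, True, True, 3),
    Supplier("office-supplies", False, False, False, 1),
    Supplier("web-analytics-saas", True, True, False, 1),
    Supplier("single-source-part", False, False, True, 3),
]

if __name__ == "__main__":
    for name, t, measures in assessment_plan(SAMPLE):
        print(f"tier {t}  {name:20s} {', '.join(measures)}")
```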

[1] ANSSI 2024 threat report
