NIS2 and Local Authorities: Towards concrete and shared compliance

The NIS2 directive, expected to be transposed into French law in September 2025, would impose new obligations on local and regional authorities, particularly those with more than 30,000 inhabitants. It would involve strong measures in terms of cyber governance, risk management, and supply chain security.

However, the reality on the ground is mixed: limited resources, a lack of qualified personnel, and difficulty in mobilizing decision-makers.

During a webinar organized by Board of Cyber in June 2025, three speakers shared their experiences to help local authorities take action in the face of these major challenges:

This article highlights the key points of the discussion and the practical advice shared on how to comply with the NIS2 directive, particularly with regard to the critical aspect of cyber assessment of suppliers.

Why NIS2 is an opportunity for local authorities

30% of local authorities were victims of ransomware in 2024. However, too many CIOs/CISOs are still struggling to make their voices heard by elected officials. "We must stop seeing cybersecurity as a cost center. It enables us to offer more resilient and innovative services to citizens," insists Anne-Sophie Colléaux.

The NIS2 directive requires local authorities to:

  • Appoint a CISO or cybersecurity officer
  • Integrate cybersecurity into their overall strategy
  • Detect, notify, and respond quickly in the event of an incident
  • Manage the supply chain, an often overlooked weak link
  • Raise awareness among staff (80% of risks are human)

It establishes "essential entity" status (municipalities with more than 30,000 inhabitants) and strengthens legal liability in the event of non-compliance.

"It's better to anticipate than to suffer," adds Anne-Sophie Colléaux. "Old tools, such as a municipal swimming pool website, can remain connected and expose the community."

Feedback from the Greater Paris Metropolitan Area: a model to follow

It is in this context that the CYBIAH program—led by Campus Cyber—is supporting the most vulnerable economic players in the Paris region (very small businesses, SMEs, social and solidarity economy structures) in their cyber maturity. This program is fully funded by the Île-de-France Region and the European Union.

Building on the CYBIAH program led by Campus Cyber, the Greater Paris Metropolitan Area offers 100% free support to its 130 municipalities. This initiative demonstrates CYBIAH's ability to be replicated and adapted to the specificities of the local public sector.

The program is based on three stages:

  1. External analysis via Board of Cyber to identify the most vulnerable municipalities
  2. Personalized diagnosis conducted by experts
  3. Security plan with support until measures are implemented

A specific NIS2 component has been added:

"We go through 250 checkpoints with the municipalities concerned," explains Justine Terzi. "The aim is to demystify the directive and explain it clearly in order to remove any obstacles."

Some key figures:

  • 100% of places on the program filled in 20 days
  • 20 municipalities supported since February 2025
  • 15 municipalities on the waiting list

The conclusion is clear: demand is high. But only 14% of local authorities feel ready to face the cyber threat.

Building on this momentum, a new phase of the program, "CYBIAH 2.0," will soon include support on artificial intelligence (AI) issues.

How Board of Cyber supports local authorities: focus on supplier risk management

"In a context of limited resources, pooling is the key to accelerating compliance," emphasizes Vincent Thau.

Board of Cyber is involved in the first stage of the program: assessing cyber maturity using its Security Rating platform. This makes it possible to:

  • Map a local authority's public exposure
  • Identify sensitive interfaces and vulnerabilities (phishing, impersonation, exposed admin accounts, etc.)
  • Provide a clear and understandable score for dialogue with elected officials
  • Monitor progress over time
  • Create a shared observatory for an entire region

"We don't just take a snapshot at a given moment. The platform allows us to monitor progress over time and continuously update the remediation plan."

Board of Cyber also allows critical suppliers to be evaluated:

"The Greater Nancy Metropolitan Area uses our solution to check the cyber risks of its subcontractors during the referencing process. This is becoming a key requirement of NIS2."

This aspect is too often overlooked, even though it is at the heart of Article 21 of NIS2, which requires supply chain security.

Key takeaways: practical advice for local authorities

  • Don't wait for transposition to take action
  • Rely on existing mechanisms such as CYBIAH
  • Start with a simple assessment with Board of Cyber
  • Don't neglect suppliers: they can be the gateway to an attack
  • Pool resources across the region: it's more effective and less expensive

"Cybersecurity is not a burden, it is a lever for innovation and trust."

Next steps for local authorities

Do you represent a municipality, urban community, or metropolitan area? Would you like to replicate the Greater Paris model and take action?

Board of Cyber can help you:

  • Assess the cyber maturity of your entities
  • Build an observatory for your territory
  • Assess your critical suppliers and anticipate NIS2

Contact our specialist Vincent Thau using this form

To discuss the conditions for deployment in your region, make an appointment with the CYBIAH team, led by Campus Cyber: [email protected]
