European NIS2 directive: are you ready?
NIS2 Directive: what it means for French businesses
At the first edition of Lyon Cyber Expo, a panel of experts — Mathieu Delaplace (Regional Delegate for Digital Security, ANSSI), Ahoefa Agbessi-Awussi (Information Security Compliance Manager, Cegid), Alexandre Sahut (Head of Cybersecurity Service Delivery, Visiativ), and Antoine Camus (Director of Cybersecurity, Minalogic) — discussed the implications of the new European NIS2 regulatory framework. They explored key compliance strategies, challenges, and opportunities for businesses.
NIS2: a broader framework for enhanced cybersecurity
The NIS2 Directive (Network and Information Security), which follows NIS1, represents a critical step in strengthening the digital security of businesses across Europe. With its expanded scope, it now covers 18 sectors and applies to medium-sized companies (over 50 employees or €10 million in revenue).
“NIS2 broadens the range of affected entities from 500 critical operators under NIS1 to 15,000 companies in France. This regulation imposes minimum cybersecurity measures to protect the entire economic ecosystem.”
Mathieu Delaplace, Regional Delegate at the National Agency for Information Systems Security (ANSSI)
Challenges and opportunities for SMEs
For businesses, NIS2 presents both a regulatory challenge and a strategic opportunity. Fleur Agbessi from Cegid notes: “It’s an opportunity to improve our security, but also a challenge, as we must anticipate the directive’s transposition and prepare now.” Alexandre Sahut of Visiativ adds: “While large companies are already familiar with these issues, the real challenge lies with SMEs, which are often less aware. The key is to start with simple, pragmatic actions.”
Tools and Resources to Prepare for NIS2
The ANSSI offers practical tools to assist companies:
- MonEspace-NIS2 Portal: A platform to assess compliance and monitor regulatory developments.
- Qualified Providers: ANSSI certifies specialists in auditing, consulting, and incident response to help businesses align with the directive.
“The directive emphasizes digital hygiene measures we’ve recommended for years, like risk analysis and incident management.”
Mathieu Delaplace, Regional Delegate at the National Agency for Information Systems Security (ANSSI)
ISO standards and NIS2: clear synergies
Cegid, certified under ISO 27001 for seven years, showcases strong preparation for NIS2. Fleur Agbessi explains: “The ISO 27001 standard is an excellent foundation for NIS2. It addresses requirements such as asset management, business continuity, and risk management. However, NIS2 goes further in areas like authentication and crisis management.” Visiativ, also ISO 27001 certified, focuses on supporting its subsidiaries and clients. Alexandre Sahut points out: “ISO certification isn’t an end goal but a journey. It helps us guide our clients, often industrial SMEs, in improving their maturity.”
SMEs: first to be affected, first to act
SMEs, although often distant from regulatory requirements, must take action. Alexandre Sahut observes: “Maturity levels vary across ecosystems. Airbus subcontractors, for example, are highly advanced. Yet some mid-sized companies remain underprepared despite their size.”
Key Success Factors for SMEs:
- Leadership support: identify a cybersecurity leader and integrate governance processes.
- External assistance: hire providers to assess maturity and set priorities.
- Gradual actions: begin with simple measures like risk analysis or employee awareness campaigns.
Training and awareness: a strategic priority
With 80% of cyberattacks stemming from human error, training is essential. At Cegid, regular awareness campaigns and phishing tests are conducted. Fleur Agbessi elaborates: “We’ve integrated a feature into Outlook for reporting phishing attempts. An external provider analyzes threats and acts quickly.”
A Collective Governance Approach
Mathieu Delaplace emphasizes the importance of external support: “It’s hard for a company to evaluate itself. An outside perspective, able to compare maturity levels within the ecosystem, is essential.” NIS2 isn’t just about technical obligations—it’s a collective effort involving executives, employees, suppliers, and clients.
The NIS2 directive is a vital tool for bolstering cybersecurity across Europe. It calls on organizations, large and small, to rethink their processes and protect themselves effectively against cyber threats.
Lyon Cyber Expo, 19 September 2024, Salle Fourvière
Image by Tung Nguyen from Pixabay