Cybersecurity risks are on the rise (phishing continues to be the most widespread threat, with around 562.4 million phishing emails recorded), and it is becoming necessary to strengthen security standards. Within organizations, security needs to be strengthened both technically and organizationally. With this in mind, the NIS Directive, or Network and Information Systems Directive, has been an important milestone in the European Union's efforts in recent years to strengthen cybersecurity and the resilience of critical infrastructure. Now it is NIS2's turn to revolutionize EU cybersecurity standards.
The first iteration of this directive, commonly referred to as NIS1, was adopted in 2016 and entered into force in May 2018. Its main objective was to establish a common legal framework for the security of networks and information systems within the European Union.
This directive was developed in the context of the growing threat of cyberattacks and cybercrime. These can have serious consequences for national security, the economy, and public services. Recognizing the critical importance of essential infrastructure, the directive aimed to create a secure and resilient environment for networks and information systems within the EU.
What about its big sister, NIS 2? What's new compared to NIS 1? Who is affected? Let's take a look at all of this.
NIS2 Directive: a small step for mankind, a giant leap for cybersecurity
The NIS2 directive, like its predecessor NIS1, still aims to unify and consolidate cybersecurity standards across the European Union, with one significant difference: this time, it will greatly expand its scope.
The main objective of NIS2
The aim of this new version of the directive is to extend its scope to include new sectors. As a reminder, NIS 1 only concerned entities designated as essential by Member States, i.e. Operators of Essential Services, or "OES."
Now that we know the main change in NIS 2 compared to NIS 1, the question is: who is affected?
Who is affected by the NIS2 Directive?
The NIS2 directive covers various critical sectors such as energy, transportation, healthcare, banking and financial services, and digital services. Initially, NIS 1 covered 19 sectors, and by expanding its scope, the NIS2 directive now applies to a larger number of companies. Approximately 160,000 companies are affected. This new scope includes 16 additional sectors, bringing the total to 35. This affects thousands of entities with more than 50 employees and a turnover of more than €1 million.
Key issues in the directive
- Expansion of scope. As mentioned above, NIS2 expands the scope of the directive to include new digital sectors and services. These include online platforms, search engines, and online marketplaces, which are playing an increasingly crucial role in the digital economy.
- Strengthening security obligations. Like its predecessor, NIS2 imposes stricter security obligations on digital service providers and operators of critical infrastructure.
- Enhanced international cooperation. Given the transnational nature of cyber threats, NIS2 strengthens international cooperation between EU Member States and with other partners.
- Incident and risk management. The directive includes strengthened provisions for incident and risk management, including increased requirements for incident reporting and cooperation with competent authorities.
- Focus on emerging technologies. Given the rapid pace of technological change, NIS2 is also expected to address challenges related to AI, the Internet of Things (IoT), and other technological innovations.
- Penalties and corrective measures. NIS2 stipulates stricter penalties for non-compliance and defines specific corrective measures to ensure effective implementation of cybersecurity measures.
How can you comply?
What should be done to comply with this new directive?
There are many ways to comply with this new directive, but at a minimum it is necessary to:
- Know the maturity level of your information system. It is important to remember that being aware of your exposure to risks is essential. The more you know about your system, whether organizational or technical, the better equipped you will be to develop the necessary action plan to address any gaps.
- Raise awareness and prepare. Awareness and prevention are your two best allies in achieving compliance. By implementing organizational measures such as the Avant de Cliquer program, you are committing to improving your employees' cyber hygiene and, in turn, protecting your organization from cyberattacks.
- Adopt best practices. There are many best practices you can adopt within your organization to improve its cybersecurity. Multi-factor authentication (MFA), secure password managers, using encryption protocols for data exchanges between users and servers, etc.
- Establish a business continuity plan (BCP). To anticipate unforeseen events, it is strongly recommended that you create a BCP to limit damage in the event of a cyberattack.
When will NIS2 come into effect in France?
The NIS2 Directive was adopted by the European Parliament on November 10, 2022, and published on December 27, 2022. It continues to spread throughout the European Union and is expected to be implemented in France by October 2024 at the latest.
How can Avant de Cliquer comply with this directive?
Avant de Cliquer familiarizes your organization with phishing. This SaaS cybersecurity awareness tool enables your organization to comply with this directive.
As a reminder, Avant de Cliquer consists of three essential phases:
- Learning by doing
- Theoretical learning
- Support
Avant de Cliquer complies with this directive and allows you, among other things, to:
- Raise your users' awareness of cybersecurity. Also, teach them about the various techniques used by hackers and the best practices to adopt to limit the risk of intrusion.
- Assess the maturity of your employees in real time thanks to a dedicated space.
- Help your users develop their skills and become self-sufficient in any situation.
- Create a climate of cyber vigilance within your organization.
Map out your risks now
Avant de Cliquer provides you with a map of your organization. Over a period of five days, we carry out an initial phishing campaign using between 50 and 100 different email templates, sending between one and four emails per user.
The purpose of this audit is to assess your users' level of vigilance by taking into account three main criteria:
- The number of emails received;
- The email open rate;
- The click-through rate of emails.
At the end of this audit, an expert will present you, via videoconference, with a comprehensive report detailing all the data obtained over the five days. This report will then be sent to you, along with an infographic to help you share the results with all your employees.
So, what are you waiting for to map out your organization's risks?
CIOs, CISOs, and DPOs, request a free demonstration of the fully automated phishing and QRishing awareness solution: