NIS2

NIS2 (EU Directive 2022/2555) is the new European directive on cybersecurity for essential and important entities. It imposes governance, risk-management and incident-notification obligations on around 160 000 organisations across the EU.

Definition of NIS2

NIS2 stands for Network and Information Security 2, the suffix 2 indicating it is the second iteration of a European directive (the first dating back to 2016). Adopted on 14 December 2022 under the reference Directive (EU) 2022/2555, NIS2 was transposed into French law on 30 October 2024 by law no. 2024-983.

The goal is to raise the level of cybersecurity uniformly across the European Union by imposing a baseline of technical, organisational and procedural requirements on critical organisations. Where NIS1 covered roughly 500 entities in France, NIS2 now covers about 35 000.

Who is concerned by NIS2?

The scope of NIS2 rests on two cumulative criteria: sector of activity and company size.

On the sector side, eighteen sectors are covered, split into two categories. The "highly critical" sectors include energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructures, ICT service management, public administration and space. The "critical" sectors cover postal services, waste management, chemicals, food production, manufacturing, digital providers and research.

On the size side, two thresholds trigger the directive: essential entities (over 250 employees or €50M revenue) and important entities (50 to 250 employees or €10M to €50M revenue). Some organisations are automatically essential regardless of size, notably central public administrations and operators of critical infrastructure.

What obligations does NIS2 impose?

The directive structures its requirements around four pillars: governance, risk management, incident management and continuity.

Governance requires that management bodies approve cyber risk-management measures, monitor their implementation and receive regular training. Executives may be held personally liable in case of failure, a particularly significant point.

Risk management requires a documented analysis per critical information system, security policies approved at the highest level, control of the ecosystem (suppliers, providers, third-party access), a cryptography policy and an authentication and access-control policy including multi-factor authentication for sensitive accounts.

Incident management mandates detection, qualification procedures and notably a notification obligation to the CSIRT (in France, ANSSI) within strict deadlines: early warning within 24 hours of detection, incident notification within 72 hours with an initial impact assessment, final report within one month.

Business continuity requires the identification of critical systems, documentation of dependencies and regular testing of business-continuity (BCP) and disaster-recovery (DRP) plans.

What are the sanctions for non-compliance?

NIS2 introduces a harmonised financial-sanctions regime across Europe, modelled on GDPR. Essential entities face an administrative fine of up to €10 million or 2% of global annual revenue, whichever is higher. For important entities, the cap is €7 million or 1.4% of global revenue.

Beyond financial sanctions, the directive empowers the competent authority to temporarily ban an executive from holding management functions. This individual liability of executives is a paradigm shift from NIS1 and explains the growing attention audit committees and boards now pay to cybersecurity.

The French transposition further clarifies the role of ANSSI, designated as the national authority for information system security, granting it on-site and on-document inspection powers and administrative sanction authority.

How to become NIS2-compliant?

NIS2 compliance is not a one-off audit project. It assumes a continuous approach resting on three foundations.

The first foundation is precise knowledge of your IT system: an inventory of essential activities, the systems that support them, their dependencies and data flows. Without an up-to-date map, it is in practice impossible to respond within the 24- to 72-hour window required in case of incident.

The second foundation is the formalisation of practices: information security policy, risk-management plan per critical asset, incident notification procedure, tested continuity plan. The directive does not prescribe a single framework, but in France ANSSI has published the Référentiel Cybersécurité France (ReCyF), now the reference for demonstrating compliance.

The third foundation is proof. NIS2 introduces the notion of audit, and the ability to demonstrate compliance on documents becomes decisive. This requires a living architecture repository, records of risk analyses, security committee minutes, and incident-handling histories.

Frequently asked questions

What is the difference between NIS1 and NIS2?

NIS1 (2016) only covered operators of essential services and digital service providers, around 500 entities in France. NIS2 dramatically expands the scope to 35 000 entities, hardens sanctions, introduces personal liability for executives and harmonises incident notification deadlines.

When did NIS2 come into force in France?

NIS2 was transposed into French law by law no. 2024-983 of 30 October 2024. Obligations apply from that date, with progressive ramp-up of ANSSI controls from 2025.

How do I know if my company is subject to NIS2?

First check your sector of activity: if you are in one of the 18 listed sectors, you are potentially concerned. Then check your size: 50 employees or €10M revenue are enough to enter the scope. ANSSI provides a public self-assessment tool.

Do I need a consulting firm to become NIS2-compliant?

Not necessarily. NIS2 requirements assume good knowledge of your IT system and formalisation of security practices. A tooled platform like Uncia automates mapping, ReCyF-objective compliance analysis and report generation, reducing the need for external intervention.
