The NIS2 Directive (Network and Information Security Directive, Directive (EU) 2022/2555) is European Union legislation that strengthens cybersecurity requirements for critical infrastructure and essential services across the EU. In response to evolving cyber threats, it widens the scope of the original NIS Directive to many more sectors and mandates stricter protection, reporting and supervision measures.
Entities in the covered sectors are classified as essential or important entities based on size, sector and criticality. The sectors are listed in two annexes of the directive.
Sectors of high criticality (Annex I):
Energy, Transport, Banking, Financial market infrastructures, Health, Drinking water, Waste water, Digital infrastructure, ICT service management (business-to-business), Public administration, Space
Other critical sectors (Annex II):
Postal and courier services, Waste management, Manufacture, production and distribution of chemicals, Production, processing and distribution of food, Manufacturing (including medical devices, computers and electronics, electrical equipment, machinery, motor vehicles and other transport equipment), Digital providers, Research
To check whether your organisation is in scope, the French national cybersecurity agency (ANSSI) offers a self-assessment at:
https://monespacenis2.cyber.gouv.fr
Cybersecurity Risk-Management Measures (Article 21)
Article 21 requires essential and important entities to take appropriate and proportionate technical, operational and organisational measures to manage the risks to the network and information systems they use, both to prevent incidents and to minimise their impact. (Article 18, sometimes cited here, is unrelated: it covers ENISA's biennial report on the state of cybersecurity in the Union.)
The directive prescribes an all-hazards approach, proportionate to the entity's exposure, size and the likelihood and severity of incidents, which in practice means regular risk assessments that drive the choice and adjustment of protective measures.
Governance (Article 20)
This article places responsibility on the management bodies of essential and important entities: they must approve the risk-management measures taken under Article 21, oversee their implementation, and can be held liable for infringements.
It also requires members of management bodies to follow cybersecurity training, and to encourage the entity to offer similar training to its employees on a regular basis. Business continuity and disaster recovery plans and staff cyber hygiene training are themselves among the Article 21(2) measures rather than Article 20 requirements.
The Minimum Measures (Article 21(2))
Article 21(2) lists ten minimum measures every concerned entity must have in place: (a) policies on risk analysis and information system security; (b) incident handling; (c) business continuity, such as backup management and disaster recovery, and crisis management; (d) supply chain security; (e) security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure; (f) policies and procedures to assess the effectiveness of the measures; (g) basic cyber hygiene practices and cybersecurity training; (h) policies and procedures on the use of cryptography and, where appropriate, encryption; (i) human resources security, access control policies and asset management; (j) multi-factor or continuous authentication, secured voice, video and text communications and secured emergency communication systems.
Article 21(3) adds that, when deciding on supply chain measures, entities must take into account the vulnerabilities specific to each direct supplier and the overall quality of suppliers' products and cybersecurity practices, including their secure development procedures.
Incident Monitoring and Detection
The directive has no standalone article on detection; detection and monitoring fall under the incident-handling measure in Article 21(2)(b), where incident handling is defined as the actions and procedures aiming to prevent, detect, analyse, contain, respond to and recover from an incident. In practice this requires logging, log analysis and intrusion detection capable of identifying a significant incident quickly enough to meet the Article 23 notification deadlines.
(Article 22, sometimes cited here, concerns Union-level coordinated security risk assessments of critical supply chains carried out by the Cooperation Group, not monitoring obligations on entities.)
Incident Notification (Article 23)
Article 23 requires entities to notify their CSIRT or competent authority of any incident that has a significant impact on the provision of their services, in three steps: an early warning within 24 hours of becoming aware of the incident (stating whether malicious action is suspected and whether cross-border impact is possible), an incident notification within 72 hours with an initial assessment of severity and impact and any indicators of compromise, and a final report not later than one month after the incident notification. Where relevant, the entity must also inform recipients of its services about significant cyber threats and the measures they can take in response.
Supervision and Audits (Articles 32 and 33)
Finally, compliance is checked by the competent authorities: essential entities are subject to ex ante and ex post supervision under Article 32 (including regular or targeted security audits, on-site inspections, security scans and requests for information and evidence), while important entities are subject to ex post supervision under Article 33, triggered by evidence or indication of non-compliance. Article 24, sometimes cited here, instead concerns the use of European cybersecurity certification schemes to demonstrate compliance with the Article 21 measures.