NIS2: are you ready?
The European directive that is a game-changer for corporate cybersecurity.
Understand your obligations in 5 minutes.
CYBERESIST is here to support you:
NIS2 SELF-ASSESSMENT: quickly check whether your organisation is affected and, if so, what action it needs to take.
AUTOMATED CYBERSECURITY AUDITS AND COMPROMISED ACCESS DETECTION: carry out regular cybersecurity audits to document your actions and resolve security vulnerabilities before an attacker exploits them.
THE NIS2 DIRECTIVE IN 3 POINTS
WHAT?
A European directive that imposes cybersecurity obligations on critical businesses and their suppliers, amounting to around 18,000 entities in France.
WHY?
Because a cyberattack on a critical business can bring an entire economic sector to a standstill. The EU wants to standardise the cyber resilience of its Member States.
WHEN?
The French "Resilience" Act is due to be passed in 2026, but the threats won’t wait. You have three years to comply once it has been enacted.
WHO IS AFFECTED?
Annex 1: Essential Entities (EE)
Highly critical sectors
Classification criteria: large companies in the sectors listed in Annex 1
- 250 or more employees, or
- more than €50 million turnover and more than €43 million balance sheet total
Obligations: maximum. 20 security objectives, with regular audits required.
Annex 2: Important Entities (IE)
Other critical sectors
Classification criteria: medium-sized enterprises in the sectors listed in Annexes 1 and 2
- 50 or more employees, or
- more than €10 million turnover
Obligations: appropriate to the risk. 15 security objectives, with regular audits required.
Subcontractors
Even if you are not directly affected, your regulated clients will demand assurances.
SELF-ASSESSMENT
Answer 5 questions to find out whether your business falls within the scope of NIS2.
NIS2 COMPLIANCE
In practical terms, what needs to be done?
01
Your management team must approve the cybersecurity strategy and undergo training. Responsibility lies with the Executive Committee.
02
Identify what could take you down and how to protect against it: risk assessment, evaluation, treatment plan.
03
20 objectives for Essential Entities (EE), 15 for Important Entities (IE). Please note: ISO 27001 alone covers only 2 of these.
05
24 hours after becoming aware of a significant incident for the early warning, 72 hours for the incident notification, and one month for the final report.
06
Your service providers become your responsibility.
- Contractual clauses,
- Audits,
- Plan B.
07
Mandatory declaration on MonEspaceNIS2, including details of your systems and contact information.
ISO 27001 ≠ NIS2
According to ANSSI, ISO 27001 certification covers only 2 of the 20 NIS2 objectives.
It is a good start, but far from sufficient: map what your certification already covers against what NIS2 requires, and close the gap.
Even if you fall outside the direct scope, your regulated clients will demand assurances.
NIS2 requires organisations to secure their supply chain.
THE RISKS
What happens if you don't comply
ESSENTIAL ENTITIES
€10 million or 2% of global turnover, whichever is higher.
IMPORTANT ENTITIES
€7 million or 1.4% of global turnover, whichever is higher.
Beyond fines
LIABILITY
Managers may be held personally liable
SUSPENSION
Temporary suspension of a certification or authorisation, or a temporary ban on managers exercising managerial functions.
PUBLIC DISCLOSURE
Publication of breaches and sanctions.
"The average cost of a cyberattack amounts to 5–10% of annual turnover, regardless of the size of the company."
Cour des Comptes (French Court of Auditors), June 2025
DEMYSTIFYING NIS2
Common mistakes
It doesn't affect us
Fact: Many more organisations fall within the scope than expect to, and even outside it the knock-on effect via your clients and partners materialises quickly.
Action: Check sector / size / role in the value chain / dependencies.
We're too small
Fact: “SME = low risk” is a trap: some sectors are in scope regardless of size, a critical role in the value chain counts, and supply-chain obligations flow down from your regulated clients.
Action: Consider the question in terms of impact and dependencies.
We’ll see in 2027
Fact: In France, the transposition process is underway; its entry into force depends on the enactment of the legislation, and the bill has already passed several stages.
Action: Get started now on the things that are useful anyway: mapping, risk assessment, incident management, backups.
We have purchased an EDR / SIEM / Firewall
Fact: Buying a tool is not the same as operating it.
Action: Prove that it works: use cases, useful alerts, runbooks, ownership, metrics.
We already have a SOC
Action: Take a look at what actually goes wrong: identities, backups, disaster recovery plans, third parties, vulnerabilities.
ISO 27001 = NIS2
We're in the cloud; it's the provider's problem
Fact: You are outsourcing a service, not your responsibility (particularly when it comes to risk and incident management).
Action: Clarify “shared responsibilities” + clauses + Plan B.
This is an IT matter, not a COMEX matter
Fact: NIS2 brings management into the loop: validation of measures, oversight, and potential accountability.
Action: 1 COMEX slide: business risks + 3 priorities + budget + evidence.
We’ll carry out an audit and sort it out
Fact: NIS2 = a continuous capability, not an annual PDF.
Action: Convert the audit into a backlog: owner, date, success criteria, evidence.
Fines are just a bluff
Fact: The text sets clear ceilings: up to €10 million or 2% of global turnover for Essential Entities (EE) and €7 million or 1.4% for Important Entities (IE), whichever is higher.
Action: Don’t let fear drive your decisions. Base your decisions on the actual costs: business interruption, customers, insurance.
FREQUENTLY ASKED QUESTIONS
My country is lagging behind – should I get started now?
Yes, absolutely. The “Resilience” bill is making progress. But above all: cyber threats don’t wait for legislation. Starting now gives you an advantage: you’ll have time to do things properly rather than rushing. And everything you put in place (mapping, risk management, incident procedures) protects you from today onwards.
As a subcontractor to a regulated company, does this apply to us?
Not directly by law (unless you meet the criteria yourself), but indirectly, yes. NIS2 requires regulated entities to secure their supply chains. In practical terms, your clients will ask you for assurances: security questionnaires, contractual clauses, and proof of compliance. Anticipating these requests gives you a competitive advantage.
My organisation is already ISO 27001 certified – is that enough?
No. ISO 27001 covers only 2 of the 20 NIS2 objectives. It is an excellent starting point, but it notably lacks: incident reporting requirements (with strict deadlines), supply chain security, certain specific technical measures, and the ‘evidence’ aspect required by NIS2. Use your certification as a foundation and build the bridge to NIS2.
What is the exact timetable in my country?
Member States were due to transpose the directive by 17 October 2024. Once the law is enacted in your country, businesses will have three years to comply; implementing regulations will follow. See the list of affected entities.
Where to start?
Our 4-step guide:
- Check your eligibility with our quiz
- Map your critical systems and their dependencies
- Assess how you measure up against the 20 objectives (or 15 for Important Entities)
- Prioritise high-impact actions: incidents, backups, privileged access
What is the difference between an Essential Entity and an Important Entity?
Essential Entities (EE) are large companies operating in highly critical sectors (Annex 1). They are subject to the strictest requirements: 20 security objectives, proactive (ex ante) supervision by the national authority, and fines of up to €10 million or 2% of global turnover, whichever is higher.
Important Entities (IE) are medium-sized enterprises in Annex 1 or Annex 2 sectors, or large enterprises in Annex 2 sectors. Reduced obligations: 15 objectives (approximately 60% of IEs), reactive (ex post) supervision, and fines of up to €7 million or 1.4% of global turnover, whichever is higher.
