NIS 2: Who is it for? And above all, by when?
- Jerome RETIF
- Feb 19, 2025

The European NIS 2 (Network and Information Security) Directive, adopted in December 2022, aims to strengthen cybersecurity within the European Union by expanding the scope of the first NIS Directive from 2016. It imposes increased obligations on a larger number of companies and organizations, including in France, in order to ensure a high level of security for networks and information systems.
Entity categorization
The directive introduces two new categories of entities:
Essential Entities (EE): Large companies with more than 250 employees or an annual turnover exceeding €50 million, operating in highly critical sectors.
Important Entities (IE): Medium-sized companies with between 50 and 250 employees and an annual turnover between €10 million and €50 million, operating in other critical sectors.
This classification makes it possible to tailor obligations according to the size and importance of the entity concerned, with a few exceptions.
Expanded scope
The NIS 2 Directive now applies to a broader range of sectors considered critical or important to society and the economy. These sectors are divided into two categories:
Highly critical sectors, mainly affecting Essential Entities (EE):
Energy
Transport
Banking sector
Financial market infrastructures
Healthcare
Drinking water
Wastewater
Digital infrastructure
ICT service management
Public administration
Space
Other critical sectors, mainly affecting Important Entities (IE):
Postal and courier services
Waste management
Chemical industry
Production, processing, and distribution of food products
Manufacturing
Digital service providers
Research
This extension means that many French companies previously not covered must now comply with the directive’s requirements. According to some estimates, the number of affected companies in France could increase from around 300 to 20,000 or more.
Let’s be proactive: overview of obligations for companies
Companies subject to the NIS 2 Directive must implement several measures to strengthen their cybersecurity:
Security measures: adopt risk management policies, incident response procedures, and staff training programs.
Incident management: establish procedures to detect, manage, and report security incidents to the competent authorities.
Business continuity: ensure the resilience of information systems to maintain essential services in the event of an incident.
Supply chain security: assess and manage risks related to suppliers and partners.
Incident reporting: notify designated national authorities of security incidents with a significant impact and provide reports on how the situation evolves.
Failure to comply with these obligations may result in significant penalties, including fines of up to €10 million or 2% of global annual turnover for essential entities, and €7 million or 1.4% of global annual turnover for important entities. Beyond the company itself, executives may be held personally liable in the event of non-compliance.
By when? Implementation in France
By the end of 2024, only 3 out of the 27 EU Member States had already transposed the NIS 2 Directive. As required, France began the transposition process in October 2024, and it should be finalized “in the coming months.” Without a precise application date, it is therefore difficult to plan in the very short term.
However, given the potential penalties, it is essential for companies and their executives to assess their resilience posture and establish a roadmap starting today.
This is no longer just a technical issue for CIOs—it is a strategic issue for companies and their entire value chain. If a large company wants to protect itself, it will almost certainly need to encourage its partners to do the same.
There is still some way to go, so don’t wait until the last minute.
The French government has provided an online test to determine whether your entity is affected: https://monespacenis2.cyber.gouv.fr/
Contact us to receive guidance and support in your NIS 2 compliance journey.



