Enough is enough… Cyberattacks have inflicted significant damage on European organizations. The impact was profound not only on these companies but also on many essential services such as electricity and healthcare. The NIS2 directive seeks to enhance and harmonize cybersecurity standards across Europe. What are the implications for French companies, and how concerned should they be?
The requirement to comply with certain European standards is, at first sight, not well received. Companies face new constraints, the need for costly human resources for reporting, and the looming prospect of heavy fines for non-compliance… This is the case with the NIS2 directive, which came into effect at the European level on January 17, 2023, with a compliance deadline for France set for October 17, 2024. NIS stands for “Network and Information Systems.”
Why this new European directive?
The aim of NIS2 is to compel administrations and companies providing essential services to invest sustainably and effectively in securing their IT systems. These companies need not only to be optimally protected but also to be resilient: they should be able to restore operations swiftly if necessary. There is an underlying message: compliance with this directive will generally be less costly than dealing with the aftermath of a cyberattack. According to the study Cyberattacks in France – 2025 Report published by jedha.co, 43% of French companies have experienced at least one successful cyberattack, with the average cost estimated at approximately €59,000.
An issue that goes beyond just companies
It may initially seem that cybersecurity is solely a company’s concern. If it suffers an attack due to insufficient IT protection, isn’t that just its own misfortune? Why impose the obligation to secure its data with the threat of potential sanctions?
The fact is, the proper functioning of some operators is vital to society. In reality, NIS2 aims to protect not only businesses but also citizens from the unfavorable fallout that can result from cyberattacks. Some concrete examples illustrate this.
Hospitals
Consider the example of a hospital or clinic. In recent years, many such establishments have fallen victim to cyberattacks. The consequences were severe: an inability to access patient medical records, the necessity to cancel certain urgent operations… Patients needed to be redirected to other facilities, and their lives might have been endangered.
Under the NIS2 directive, hospitals are required to ensure continuous monitoring of their IT security.
Energy Suppliers
The same applies to an energy supplier. If it suffers an attack that leads to service disruption, it could cause large-scale power outages. Tens or hundreds of thousands of households might find themselves without heating in the middle of winter, critical businesses could be unable to operate, and public functions like traffic lights could cease to work… Clearly, safeguarding the IT systems of an energy supplier is a major priority, as a disruption can affect multiple sectors.
Transportation
The transport sector is no exception. The proper functioning of railway signaling systems and adherence to schedules can be crucial for many travelers. Once again, a prolonged outage is hard to contemplate.
Banks
And what about private banks? A cyberattack could lead to the theft of personal data, which is already quite alarming, but it could also block access to accounts and prevent thousands of users from making everyday purchases or receiving their salaries. Hence, implementing top-level cybersecurity measures is essential here as well.
Why was NIS1 no longer sufficient?
The first European directive, NIS1, was issued in 2016. However, since then, cyberattacks have achieved an unforeseen level of sophistication—especially with the rise of ransomware. They have also become more frequent and costly, impacting businesses of all sizes and sectors.
NIS1 applied to only a limited number of sectors deemed essential (energy, transport, healthcare, etc.). Many critical service providers and administrations fell outside its scope. Additionally, each member state was free to interpret and implement it in its own way; this latitude proved excessive in practice and limited opportunities for coordination and cooperation. The result was vulnerabilities that cybercriminals could exploit.
What changes with the NIS2 directive?
As a result, NIS2 encompasses more sectors and companies, including public administrations as a whole and SMEs providing critical services. This improved directive now harmonizes minimum cybersecurity measures across the EU. It strengthens and speeds up incident reporting obligations: the deadlines are reduced to 24 hours for an initial notice and 72 hours for a full report submission. Leaders now bear increased personal responsibility. Finally, NIS2 imposes deterrent sanctions that can reach up to 10 million euros.
NIS2 takes effect in France on October 17, 2024, but companies typically have a timeframe to implement this directive, which can vary depending on their activity and size.
Are the fines excessive?
At first glance, a fine that can reach 10 million euros or even 2% of annual global turnover might appear excessive. Rest assured, however. Only sectors truly vital to society (health, energy, transportation, etc.) are subject to such sanctions, and these would only apply in cases of major and repeated breaches. Furthermore, sanctions are adjusted according to the size and turnover of the company: an SME will face much less stringent penalties than a large enterprise with thousands of employees.
These figures must also be weighed against other factors. Firstly, cyberattacks cost billions of euros annually and often lead to adverse consequences: data theft, service disruption, a decline in public trust in a given operator, etc. For instance, attacks on hospitals have sometimes resulted in enormous financial costs.
The goal is to ensure that companies take the security of their IT infrastructures very seriously. Prevention is better than cure!