The NIS2 directive: what changes for European businesses and administrations?

This Europe-wide cybersecurity regulation is unprecedented: it sets out many requirements so that European organisations can demonstrate a common high level of IT security. Companies will have to comply, and quickly. Here are the main changes in the new NIS2 directive.

NIS2 directive: extending the scope of NIS1

In 2016, the Network and Information Security (NIS) Directive was adopted by the European Parliament and the Council of the European Union. Its main objective was to increase the level of cybersecurity of major organisations in around ten high-risk business sectors. In France, this represented around a hundred players.

With the intensification of cyberthreats in a tense geopolitical context, more and more companies and institutions are exposed to the risk of IT incidents. That’s why Europe has published NIS2, an extension of the NIS1 directive, to take effect at the end of 2022. The aim is to broaden the range of sectors concerned and to strengthen cybersecurity requirements.

The new directive employs an “all-risks approach”. In other words, it requires a wide range of organisations to better protect their networks and information systems through a combination of multiple cyber strategies. These include:

  • risk analysis,
  • incident handling,
  • business continuity,
  • supply chain security,
  • and the use of secure emergency communication systems within the organisation.

Virtually all sectors affected

NIS2 will now affect thousands of entities in more than 18 business sectors. All private or public entities with more than 50 employees, or with a turnover in excess of €10 million, are affected. These include digital companies and certain public authorities, which have been particularly targeted by cyber attacks in recent months. These sectors are classified in two categories: highly critical sectors and critical sectors.

Sectors classified as highly critical include:

  • energy
  • transport
  • banking
  • financial market infrastructures
  • health
  • drinking water
  • waste water
  • digital infrastructure
  • ICT service management
  • public administration
  • space

The sectors considered critical are:

  • postal and shipping services
  • waste management
  • manufacture, production and distribution of chemical products
  • production, processing and distribution of foodstuffs
  • manufacturing
  • digital suppliers
  • research

Two new entity categories (EE and EI)

The other new feature of NIS2 is the classification of entities into two distinct categories: essential entities (EE) and important entities (EI). This classification is based on the level of criticality, the number of employees and the global turnover of the companies concerned. A large company employs at least 250 people and/or has an annual turnover of at least €50 million. A medium-sized company employs at least 50 people and/or has an annual turnover of more than €10 million.

Thus, essential entities would mainly include large companies in sectors classified as highly critical. Important entities would mainly concern large and medium-sized organisations in sectors classified as critical and medium-sized organisations classified in highly critical sectors. This distinction will make it possible to tailor requirements and penalties for organisations in proportion to their resources and the stakes involved in protecting their data.

It should be noted that in certain sectors, the high level of criticality may justify designation as an essential entity, regardless of the size of the organisation. This is particularly the case for entities identified as critical at national level by the CER Directive.

Tougher penalties

Lastly, the NIS2 directive also strengthens the penalty system. An organisation that fails to put in place appropriate risk management measures or to notify a security incident quickly enough will risk a fine proportional to its turnover and level of criticality. Companies could therefore be subject to fines of between 1.4% and 2% of their turnover, up to a maximum of €10 million.

EU Member States are also able to require entities to carry out audits or inspections. If necessary, they can issue warnings and instructions.

Focus on two new obligations for organisations

Reporting security incidents

With NIS2, when a cyber security incident occurs, organisations will have 24 hours to report it to ANSSI. This deadline is not yet definitive and may be reviewed before the directive is transposed into national law. However, all the organisations affected by NIS2 will have to get organised in order to react quickly. This initial notification is similar to a preliminary report, which will have to be supplemented by a final report. The aim is to improve the responsiveness of the authorities in the event of an incident and to trace cyber attacks more accurately.

Cybersecurity training for executives, managers and employees

In-house training is a key point of this new directive, which encourages broad awareness of cybersecurity across the whole organisation.

Indeed, the main challenge of NIS2 is to require the implementation not only of technical measures but also, above all, of operational and organisational ones. The entire organisation must be mobilised for its cybersecurity, not just the IT department. That’s why the directive requires cybersecurity training for senior managers, who must systematically approve all security measures. What’s more, the directors representing the organisation could be held liable if they fail to comply with the directive’s obligations.

With a view to extending cybersecurity to all functions, the NIS2 directive could redefine the role of the DPO (Data Protection Officer) by giving him or her tasks relating to the application of this directive. These new tasks will be consistent with those required to comply with the General Data Protection Regulation (GDPR). It’s a way of looking at cybersecurity as a legal risk, and no longer as the preserve of CISOs.

When will organisations have to comply?

Firstly, the directive will be transposed at national level in 27 countries from 17 September 2023. Then, from October 2024, it will be mandatory for all companies and administrations concerned. However, organisations need to start preparing for these new cybersecurity standards now, by increasing their level of security. In this way, they will be able to counter the growing number of cyber threats.

How do you prepare for the NIS2 directive?

As of now, organizations affected by the NIS2 Directive can be assisted by experts to assess the security level of their information system and receive recommendations.

As a trusted service provider, certified and qualified by ANSSI, Tixeo supports essential service operators and operators of vital importance in their NIS2 compliance. The use of secure communication systems is one of the recommendations for ensuring business continuity in the event of a crisis. Protecting online communications is therefore a guarantee of cyber resilience for organisations.

How do you raise employee awareness of cybersecurity?

Spearphishing, ransomware, downloading malicious software… These cybersecurity threats affect employees in all businesses, particularly those working from home. Raising awareness of cyber security is now essential.

Economic and political risks

Cyber attacks on businesses and public authorities are driven by economic and sometimes political interests, depending on the sector targeted.

The hackers’ objectives may be:

  • to steal money from an individual or a company
  • to capture a company’s customers
  • to damage the reputation of a company or a political player/party
  • to set up industrial, political or military espionage

An organisation’s employees are on the front line when it comes to these ever-increasing cybersecurity risks. Raising awareness of cybersecurity is therefore essential if they are to become aware of them and react accordingly.

Cybersecurity awareness campaigns:

Schedule regular training sessions

Cybersecurity training involves all the company’s employees and should be offered on a regular basis. It is preferable to organise them in small groups to encourage discussion and, if possible, to adapt them to the profiles of the various professions.

Training accountants or human resources professionals in cybersecurity is different from training developers or salespeople. Segmenting training courses by profession also enables specific, concrete subjects to be addressed for each professional issue (wi-fi networks when travelling, fraudulent e-mails, etc.). Ideally, training modules should be short, no longer than 1 hour. Beyond that, there is a risk of generating fatigue and impairing understanding of the message.

It may be a good idea to conclude each training session with a practical summary document, which will serve as a memo for the employee. On a lighter note, offering quizzes after training courses, with rewards at the end, encourages employees to take an interest in the subject.

Using gamification

Still aiming for a more entertaining approach, gamification as part of a cyber-security awareness campaign is proving effective. Various organisations offer escape games or cyber games on the theme of IT security, during which employees put themselves in the shoes of a hacker, for example. These role-playing games and interactive training courses raise awareness of the risks, while reducing the anxiety associated with the subject.

Calling on key players

For larger-scale training courses, bringing in a recognised cybersecurity expert is a good way of grabbing the audience’s attention. In this way, employees benefit from in-depth expertise. These may be organisations specialising in IT security, university researchers or cyber defence experts, depending on the company’s sector of activity and the issues at stake.

Strengthening internal communication

Employees need to be regularly informed about news relating to cybersecurity, whether it concerns their company directly or not. Giving concrete examples of incidents and their consequences is a good way of raising awareness.

For example, spearphishing attacks are currently on the increase and are affecting more and more organisations. This type of cyber attack specifically targets a company employee with access to sensitive information. It is generally based on identity theft and strong social engineering. The hacker’s aim is to send an e-mail that is consistent with the activity of the targeted person or company, encouraging them to click on a malicious link or open an infected attachment. In this way, the employee’s data can be compromised. The success rate of spearphishing is high and worrying. It is necessary to communicate this type of information to employees by e-mail, via a corporate social network or in an internal repository. These communications can be accompanied by a number of practical steps that can be taken to avoid being caught out.

Furthermore, in the event of an incident, employees need to react quickly, especially if their workstation is infected and therefore unusable. To help them do this, it is useful to distribute “SOS sheets” covering a range of issues (e.g. “I clicked on the wrong link, what should I do?”). Employees will find the contact details of the support service and a few simple actions to take while they wait for help. These sheets are particularly recommended for teleworkers, who are more on their own when it comes to security issues.

Carry out test campaigns

Finally, there’s nothing like a (fake) cyber attack to raise awareness of cybersecurity. Cybersecurity test campaigns involve the whole company and have a dual objective: they show employees that attacks can affect them, and they measure their level of vigilance. Generally, phishing campaigns are organised, since this type of email attack is still the most common. At the end of these test campaigns, and depending on the results, additional training modules will have to be offered to employees.

3 essential precautions for raising awareness of cyber security

Leveraging the diversity of our actions

Freeing up time for training is not always easy, and most employees drag their feet when it comes to cybersecurity training. So the key is to diversify your training courses, so that you can tackle the subject from different angles, providing concrete, practical information. Not forgetting the educational and fun aspects!

Tailoring awareness-raising campaigns to specific professions

It is important for employees to learn techniques to protect themselves, but also and above all to realise that everyone is a target in their own right for hackers today. The overall awareness of the workforce must be raised at the same time as the awareness of the different business profiles.

Stepping up training for teleworkers

While all employees need to be trained in IT security, this is even more the case for teleworkers. Since the advent of teleworking, cyber-attacks have soared, and so has the cost to the company. It is in companies’ interests to maximise training for teleworkers, as well as their remote support in the event of an incident.

Protecting personal data also protects companies

Compliance with the GDPR not only ensures greater protection for employees’ and customers’ personal data, but also guarantees the future of companies.

Avoiding the costs of data breaches

Corporate data is an increasingly coveted commodity. Compromising it can jeopardise a company’s business.

According to a study by Ponemon Institute and IBM Security, in 2022, the average cost of a data breach for a company worldwide is estimated at 4.35 million dollars. This figure is up by 12.7% compared to 2020. In France, the average cost for a company is almost the same, at 4.34 million dollars.

The costs relate both to the loss of the data itself and to the sanctions that may be imposed (such as fines) where the legal provisions on data protection were not respected. Finally, following a data breach, a company’s trustworthiness may fall, which will also affect its financial activity.

These French companies affected by data theft

Recently, many examples have demonstrated the significant financial impact of data breaches. In 2022, the subsidiary of a French airline company was the victim of a cyber-attack that resulted in a massive leak of its employees’ personal data. What was the cause? A lack of security on the server where the data was stored. If this is verified, the company is liable to a fine of up to 4% of its turnover, as provided for in the GDPR.

While large organisations can afford these costs, SMEs cannot. A French company specialising in movable partitions has paid the price: following a cyber-attack that compromised its personal data, it had to apply for receivership. The attack cost the company several million euros and caused considerable commercial damage.

Improving the company’s image and reputation

A company that does everything it can to protect personal data reassures its ecosystem and, above all, its customers and employees. This is an aspect that can be the subject of communications and thus enhance the image of a transparent and secure company.

In addition, the implementation of a robust data security policy limits the risk of attacks. It avoids any paralysis of the company’s activity.

Become a digital nomad without forgetting the security of your data

Travelling while working means being able to change offices every day and enjoy exceptional landscapes during your coffee break, but it also means being exposed to cybersecurity risks. To leave with peace of mind, besides packing mosquito repellent, the digital nomad must ensure that their data is protected.

A new way of working

The rise of telecommuting has been a real wake-up call for professionals. In the digital sector, more and more of them are dreaming of a freer professional life, which leaves them time to blossom elsewhere than in the office.

Those who make this dream a reality are also called digital nomads. Sometimes to the end of the world, they travel with their computer under their arm, always ready to switch to video conferencing with their colleagues or clients. They are no longer necessarily self-employed, since many companies now allow their employees to “teletravel” (or telework while traveling).

The digital nomad frees himself from the traditional boundaries between professional and personal life to get away from it all while teleworking. But the change of scenery has its constraints.

Telecommuting everywhere, really?

Away from the office, the digital nomad must avoid connecting to Wi-Fi in a completely open public place like a train station or a café. These networks have multiple security holes. These can lead to a leakage of the data contained in the computer, including those stored on the company’s network, which are often confidential. This leaves the door wide open to malicious intrusions.

The same applies to coworking spaces. Even if they seem to be more secure, connections in these places do not generally have a sufficient level of security. Moreover, the digital nomad is exposed to risks of theft or loss of equipment (hard disk, USB key…), which could seriously compromise data security.

Use reliable equipment

It is not recommended to use personal equipment for work. Such equipment has not benefited from the necessary security configuration: authentication at start-up, disk encryption, management of administrator rights or of connections to removable media… These controls must be carried out by the company on the professional equipment before letting the digital nomad leave, whether abroad or for their country house. The objective: protect access to data.

Preserve the confidentiality of exchanges

The digital nomad maintains constant links with their company, using videoconferencing tools for meetings, calls and file sharing. Here again, vigilance is required.

Today, most videoconference exchanges are likely to be listened to and watched. Outside the office, the risk of computer espionage is even higher. It can have serious consequences for the integrity of employees and company data.

It is therefore in the interest of companies to choose a secure video collaboration solution. The ANSSI (National Agency for Information Systems Security) assists them in their choice via a certification and qualification process. It identifies the most reliable cybersecurity solutions by awarding them a “Security Visa” label.

This is the case of Tixeo, the only European video-collaboration solution to be certified and qualified by ANSSI, which makes it the most secure solution on the market. Its end-to-end encryption technology for all multipoint exchanges (audio, video and data) eliminates all risks of industrial espionage.

3 last tips to protect your digital nomad data

1 – Don’t just use a VPN

The VPN is a secure link between the digital nomad’s equipment and the company’s network. But it does not protect against security breaches! If the teleworker connects to a public Wi-Fi network and inadvertently lets malicious software onto their computer, the malware can travel through the VPN and reach the company’s server…

2 – Protect your computer from prying eyes

Physical protections can be useful for the digital nomad, such as screen filters or USB port locks that prevent any indiscreet look or intrusion in the system.

3 – Be careful with your own personal data

Being a digital nomad means passports and plane or train tickets, which are sometimes shared in the messaging system of video collaboration tools. This personal data is exposed if the exchanges are not secured, which can lead to identity theft.

How the Institut Godinot secured its remote medical meetings

Specialized in oncology, the Institut Godinot in Reims (France) has implemented Tixeo, a videoconferencing solution certified by ANSSI, for its remote medical meetings.

Located in Reims, the Godinot Institute (GI) is specialized in adult oncology. It collaborates with the Soissons hospital, in particular with a radiotherapy unit on site, to avoid patients having to travel to Reims.

The multidisciplinary consultation meetings (RCP) bring together various specialists (radiotherapist, anatomopathologist, etc.) to define the personalised care plan (PPS). The inputs of the PPS (imaging, analyses, opinions, patient file…) as well as the PPS itself are obviously highly confidential and sensitive. At the end of 2019, in order to avoid having busy specialists travel between Reims and Soissons, the IJG therefore looked for a suitable videoconferencing solution. With the lockdowns related to the Covid-19 health crisis, the need only became more general.

Xavier Grandjean, CIO of the Institut Godinot, has made ANSSI certification a major criterion of choice.

Institut Godinot with Tixeo: about Tixeo

Our mission is to design and deliver secure video conferencing solutions that guarantee organizations a strict confidentiality of their communications.

Working in close cooperation with our customers, we have developed 100% “Made in France” video conferencing solutions with a level of performance, collaboration and security never reached before (ANSSI certified/qualified).

Every day throughout the world, we support thousands of users, SMEs and large groups.

We are aware of the issues related to espionage and cybercrime, and are committed to offering our customers a highly secure collaboration experience.

End-to-end encryption, guaranteeing digital sovereignty

TRIBUNE – By Renaud Ghia, CEO Tixeo

Favored by the health crisis, teleworking and the massive use of digital collaboration tools (such as video conferencing) have allowed many companies to continue their activity. This unprecedented situation has also facilitated the highlighting of issues related to the confidentiality of exchanged information and caused a real craze concerning the use of end-to-end encryption in online meetings.

In this context, accentuated by the economic crisis, protection against industrial espionage has become paramount for companies. End-to-end encryption is the only guarantee against eavesdropping. But what is this mechanism whose definition is unfortunately too often distorted?

The fight against industrial espionage requires true end-to-end encryption

The end-to-end encryption of videoconferences is a data transmission process (video, audio, data) that only allows the sender and the receiver(s) to decrypt these data without any decryption phase between the correspondents. It must prevent any electronic eavesdropping, including by telecommunication and Internet access providers and even by the videoconferencing solution editor. Thus, no one is able to access the encryption keys needed to decrypt the conversation.

Unfortunately, and especially since the beginning of the health crisis, too many videoconferencing vendors claim to offer end-to-end encryption but are content to encrypt only the flows passing between the user and the communication server! They can thus very easily access the decrypted data when it passes through their servers. Moreover, most of these vendors are subject to foreign legislation that requires them to hand over users’ encryption keys at the request of the authorities. Under these conditions, the level of security is far from the one announced.
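To make the difference concrete, here is an added Go example (not Tixeo’s code nor anything from this article) that models a relay server terminating each hop’s transport encryption, first without and then with an end-to-end layer, and shows what the server can read in each case. Alice, Bob, the hop keys and the message are constructed; AES-GCM and X25519 from Go’s standard library stand in for whatever a real product uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// randomBytes returns n cryptographically random bytes (nonces, transport keys).
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aead builds an AES-256-GCM cipher for a 32-byte key.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // every key in this example is 32 bytes
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return g
}

// seal encrypts plaintext under key; the random nonce is prepended to the output.
func seal(key, plaintext []byte) []byte {
	g := aead(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; it fails if the key is wrong or the data was altered.
func open(key, data []byte) ([]byte, error) {
	g := aead(key)
	if len(data) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, data[:g.NonceSize()], data[g.NonceSize():], nil)
}

// e2eKey derives the conversation key from an X25519 exchange; only the two
// endpoints can compute it. (SHA-256 of the shared secret stands in for HKDF.)
func e2eKey(mine *ecdh.PrivateKey, theirs *ecdh.PublicKey) []byte {
	secret, err := mine.ECDH(theirs)
	if err != nil {
		panic(err) // both keys are X25519 keys here, so this cannot happen
	}
	sum := sha256.Sum256(secret)
	return sum[:]
}

// Run sends msg from Alice to Bob via a server that terminates each hop's transport
// encryption (like TLS); it returns what Bob decrypts and what the server could read.
func Run(msg []byte, e2e bool) (delivered, serverSaw []byte, err error) {
	curve := ecdh.X25519()
	alice, _ := curve.GenerateKey(rand.Reader)
	bob, _ := curve.GenerateKey(rand.Reader)
	hopAlice, hopBob := randomBytes(32), randomBytes(32) // transport keys, both known to the server
	payload := msg
	if e2e {
		payload = seal(e2eKey(alice, bob.PublicKey()), msg) // Alice's end-to-end layer
	}
	// The server strips Alice's hop layer (this is what it can read) and re-wraps for Bob.
	if serverSaw, err = open(hopAlice, seal(hopAlice, payload)); err != nil {
		return nil, nil, err
	}
	if delivered, err = open(hopBob, seal(hopBob, serverSaw)); err != nil { // Bob: hop layer
		return nil, nil, err
	}
	if e2e { // Bob: end-to-end layer, from his own private key and Alice's public key
		delivered, err = open(e2eKey(bob, alice.PublicKey()), delivered)
	}
	return delivered, serverSaw, err
}
```

With e2e=false the server’s view equals the message; with e2e=true it holds only the AES-GCM ciphertext, since the X25519-derived key never leaves the two endpoints.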

Fortunately, it is still possible in France to access reliable solutions offering effective protection against any attempt at espionage. To help companies see more clearly, organizations such as the ANSSI (Agence nationale de la sécurité des systèmes d’information) can guide them in their choice. An organization opting for an ANSSI-labeled end-to-end encryption mechanism is always guaranteed to use a reliable and perfectly secure solution.

Digital independence and sovereignty: the two bulwarks of data protection

Beyond the health crisis, true end-to-end encryption helps guarantee true independence for businesses. On the scale of France and Europe, such a choice conditions the digital sovereignty of our industries and our economies. It is now vital to think European when setting up our digital ecosystem. Technology, R&D, support and of course hosting must be developed and consumed locally to prevent any risk of dependence on non-European powers. But the influences remain very strong and continue to weigh… Moreover, only a few days ago, the organisation of the Paris Olympic Games in 2024 chose the Chinese solution Alibaba for its Cloud. The battle is far from being won.

As far as end-to-end encryption is concerned, vigilance is still required: it is always useful to remember this in a context where some powers that be (governments, authorities…) sometimes try to limit its use to have more control over communication flows in the name of security and the fight against terrorism. Some countries like Australia require vendors to integrate backdoors to help authorities intercept and read messages sent by suspects. However, it is important to remember that even if end-to-end encryption is banned, malicious people will still be able to circumvent the rules to achieve their ends.

Prohibiting this mechanism will not solve the problems related to terrorism, but it will expose the European industry to the plundering of its data, which will have more to lose than to gain. In France, even if some would be tempted to proscribe this mechanism, the legislation does not impose any constraint on vendors. This legal framework is clearly favourable to encryption technologies and thus guarantees their effectiveness in the fight against industrial espionage.