OES and OIV: what is the impact of the NIS2 directive?

With the forthcoming application of the NIS2 Directive in Europe, essential service operators (OES) and operators of vital importance (OIV) are preparing for new obligations to strengthen their cybersecurity.

A new name for essential service operator (OES)

The creation of essential entities (EE) and important entities (IE)

The main aim of NIS2, which replaces the NIS1 Directive, is to raise the security of the networks and information systems of sensitive European organisations. One of the changes is the end of the term OES (essential service operator). Under NIS1, this referred to operators providing services whose interruption would have a major impact on the functioning of the French economy or society.

The NIS2 Directive does away with the term “essential service operator” in favour of two categories of entity:

  • Essential Entities (EE), which would mainly include large companies in sectors classified as highly critical.
  • Important Entities (IE), which would mainly concern medium-sized organisations in sectors classified as highly critical and organisations in critical sectors.

“Digital service providers” fall into these categories. Note that the OIV (operator of vital importance) designation, which comes from French national law, is unchanged; OIV are also covered by NIS2.

Find out more about highly critical and critical sectors

Obligations for essential entities, important entities and OIV

Use ANSSI-certified security solutions

The security measures required by NIS2 include “the use of secure voice, video and text communications and secure emergency communication systems within the entity, as required”. For OIV, the use of security solutions certified by ANSSI under its Security Visa scheme is even becoming compulsory. In a crisis, operators of vital importance must react quickly and demonstrate resilience, so secure communication solutions are essential: they allow employees to carry on working, and end-to-end encryption in particular keeps the content of exchanges confidential even from the service operator.


Security Visa from ANSSI: a guarantee of reliability

The ANSSI Security Visa makes it easy to identify the most reliable cybersecurity solutions. These solutions have been checked and assessed by approved laboratories.

For over 5 years, Tixeo has been the only French secure videoconferencing solution to be certified and qualified by ANSSI, thanks to its Secure By Design approach and end-to-end encryption technology.

Protecting network architecture

The NIS2 directive calls for network segmentation and controlled remote access. This matters particularly when deploying on-premise security solutions: they must be able to run in a segmented or isolated network, and the organisation needs to know exactly which ports, flows and dependencies each one introduces into its network architecture.


The benefits of secure on-premise videoconferencing

TixeoServer is Tixeo’s secure on-premise videoconferencing solution, certified and qualified by the ANSSI. Security is part of every step from its design to its deployment. For example, only one network port needs to be opened for installation, in order to limit the impact on the organisation’s information system security policy.

Use secure subcontractors and service providers

The NIS2 Directive makes supply-chain security one of the required risk-management measures, so actors in the supply chain, whether subcontractors or service providers, come within their customers' compliance scope. They generally have access to their customers' infrastructure and therefore represent a security risk: a breach of a provider's infrastructure would directly affect the network security of the essential or important entities it works for.


Find out all you need to know about the NIS2 directive:

The NIS2 directive: what changes for European businesses and administrations?

These European-wide cybersecurity regulations are unprecedented. There are many requirements to ensure that European organisations can demonstrate a common high level of IT security. Companies will have to comply, and quickly. Here are the main changes in the new NIS2 directive.

NIS2 directive: extending the scope of NIS1

In 2016, the Network and Information Security (NIS) Directive was adopted by the European Parliament and the Council of the European Union. Its main objective was to raise the level of cybersecurity of major organisations in seven high-risk sectors (energy, transport, banking, financial market infrastructures, health, drinking water and digital infrastructure), plus digital service providers. In France, this represented around a hundred players.

With the intensification of cyber threats in a tense geopolitical context, more and more companies and institutions are exposed to IT incidents. That is why the EU adopted NIS2 (Directive (EU) 2022/2555) in December 2022; it entered into force in January 2023 and replaces the NIS1 directive. The aim is to broaden the range of sectors concerned and to strengthen cybersecurity requirements.

The new directive adopts an “all-hazards approach”. In other words, it requires a wide range of organisations to better protect their networks and information systems through a combination of measures. These include:

  • Risk analysis,
  • incident handling,
  • business continuity,
  • supply chain security,
  • and the use of secure emergency communication systems within the organisation.


Virtually all sectors affected

NIS2 now affects thousands of entities across 18 sectors. Private or public entities in those sectors with at least 50 employees, or with an annual turnover above €10 million, are covered. They include digital companies and certain public authorities, which have been particularly targeted by cyber attacks in recent months. The sectors are split into two categories: highly critical sectors and critical sectors.

Sectors classified as highly critical include:

  • energy
  • transport
  • banking
  • financial market infrastructures
  • health
  • drinking water
  • waste water
  • digital infrastructure
  • ICT service management
  • public administration
  • space


The sectors considered critical are:

  • postal and shipping services
  • waste management
  • manufacture, production and distribution of chemical products
  • production, processing and distribution of foodstuffs
  • manufacturing
  • digital providers
  • research

Two new entity categories (EE and IE)

The other new feature of NIS2 is the classification of entities into two distinct categories: essential entities (EE) and important entities (IE). This classification is based on the criticality of the sector, the number of employees and the annual turnover of the companies concerned. A large company employs at least 250 people and/or has an annual turnover of at least €50 million. A medium-sized company employs at least 50 people and/or has an annual turnover of more than €10 million.

Thus, essential entities would mainly include large companies in sectors classified as highly critical. Important entities would mainly concern large and medium-sized organisations in sectors classified as critical and medium-sized organisations classified in highly critical sectors. This distinction will make it possible to tailor requirements and penalties for organisations in proportion to their resources and the stakes involved in protecting their data.

It should be noted that in certain sectors, the high level of criticality may justify designation as an essential entity, regardless of the size of the organisation. This is particularly the case for entities identified as critical at national level by the CER Directive.
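As an added example (it is not from the original article or from Tixeo), the following Python encodes the scoping rule described above: the headcount and turnover thresholds, the two sector lists and the CER override. The function and field names, the sector keys and the sample organisations are assumptions constructed for the illustration; the directive itself contains further size-independent cases that this simplified helper does not model.

```python
"""Simplified NIS2 scoping helper (added example, not Tixeo's code).

It encodes the classification rule as the article states it:
  * medium-sized entity: at least 50 employees or annual turnover above EUR 10 million
  * large entity: at least 250 employees or annual turnover of at least EUR 50 million
  * large entity in a highly critical sector               -> essential entity
  * medium entity in a highly critical sector              -> important entity
  * medium or large entity in a critical sector            -> important entity
  * entity identified as critical under the CER Directive  -> essential, regardless of size
  * below the medium-sized threshold and not CER-designated -> out of scope
Function, field and sector-key names are assumptions. The directive adds
size-independent cases (for example some digital infrastructure providers)
that this simplified helper deliberately does not model.
"""
from dataclasses import dataclass
from enum import Enum


class SizeClass(Enum):
    SMALL = "small"    # below the medium-sized threshold
    MEDIUM = "medium"
    LARGE = "large"


class Category(Enum):
    ESSENTIAL = "essential entity"
    IMPORTANT = "important entity"
    OUT_OF_SCOPE = "out of scope"


# Highly critical (Annex I) and critical (Annex II) sectors, keyed as in the article's lists.
HIGHLY_CRITICAL = frozenset({
    "energy", "transport", "banking", "financial market infrastructures",
    "health", "drinking water", "waste water", "digital infrastructure",
    "ict service management", "public administration", "space",
})
CRITICAL = frozenset({
    "postal and shipping services", "waste management", "chemicals",
    "food", "manufacturing", "digital providers", "research",
})


@dataclass(frozen=True)
class Entity:
    name: str
    sector: str
    employees: int
    turnover_meur: float          # annual turnover, in millions of euros
    cer_designated: bool = False  # identified as critical at national level under the CER Directive


def size_class(employees: int, turnover_meur: float) -> SizeClass:
    """Apply the article's headcount / turnover thresholds (large is checked first)."""
    if employees >= 250 or turnover_meur >= 50:
        return SizeClass.LARGE
    if employees >= 50 or turnover_meur > 10:
        return SizeClass.MEDIUM
    return SizeClass.SMALL


def classify(entity: Entity) -> Category:
    """Return the NIS2 category of an entity under the simplified rule above."""
    if entity.cer_designated:
        # CER designation overrides the size cap.
        return Category.ESSENTIAL
    sector = entity.sector.strip().lower()
    if sector not in HIGHLY_CRITICAL and sector not in CRITICAL:
        return Category.OUT_OF_SCOPE
    size = size_class(entity.employees, entity.turnover_meur)
    if size is SizeClass.SMALL:
        return Category.OUT_OF_SCOPE
    if sector in HIGHLY_CRITICAL and size is SizeClass.LARGE:
        return Category.ESSENTIAL
    return Category.IMPORTANT


def scope_report(entities: list[Entity]) -> dict[str, str]:
    """Map each entity name to its category label, for a quick scoping table."""
    return {e.name: classify(e).value for e in entities}


# Constructed sample portfolio: fictional organisations, not real data.
SAMPLE_ENTITIES = [
    Entity("Regional hospital", "health", employees=1200, turnover_meur=180),
    Entity("Mid-size food processor", "food", employees=120, turnover_meur=30),
    Entity("National postal operator", "postal and shipping services", employees=8000, turnover_meur=3000),
    Entity("Small water utility (CER-designated)", "drinking water", employees=30, turnover_meur=4, cer_designated=True),
    Entity("Village bakery", "food", employees=8, turnover_meur=0.6),
    Entity("Regional law firm", "legal services", employees=300, turnover_meur=60),
]

if __name__ == "__main__":
    for name, category in scope_report(SAMPLE_ENTITIES).items():
        print(f"{name:40s} {category}")
```

Run it as a script to print the category of each sample organisation; `classify` handles a single entity and `scope_report` a whole portfolio. The CER check is deliberately placed before the size check so that a small designated operator is never filtered out by the size cap.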

Tougher penalties

Lastly, the NIS2 directive also strengthens the penalty system. An organisation that fails to put in place appropriate risk-management measures or to notify a security incident in time risks a fine scaled to its turnover and category. For essential entities, the maximum fine is at least €10 million or 2% of total worldwide annual turnover, whichever is higher; for important entities, it is at least €7 million or 1.4% of turnover, whichever is higher.

EU Member States are also able to require entities to carry out audits or inspections. If necessary, they can issue warnings and instructions.

Focus on two new obligations for organisations

Reporting security incidents

With NIS2, an organisation that suffers a significant cybersecurity incident must send an early warning to ANSSI within 24 hours of becoming aware of it, followed by a fuller incident notification within 72 hours and a final report within one month (Article 23 of the directive). National transposition may add detail on the reporting channel, but all organisations covered by NIS2 will need to organise themselves to react within these windows. The aim is to improve the authorities' responsiveness during an incident and to trace cyber attacks more accurately.

Cybersecurity training for executives, managers and employees

In-house training is a key point of the new directive and is meant to drive awareness of cybersecurity across the whole workforce.

Indeed, the main challenge of NIS2 is to force the implementation of technical measures, but also and above all operational and organisational ones. The entire organisation must be mobilised for its cybersecurity, not just the IT department. That is why the directive requires cybersecurity training for management bodies, which must approve the risk-management measures and oversee their implementation. What is more, the individuals representing the organisation can be held liable if it fails to comply with the directive's obligations.

With a view to extending cybersecurity to all functions, the NIS2 directive could redefine the role of the DPO (Data Protection Officer) by giving them tasks relating to the application of this directive. These new tasks would be consistent with those required to comply with the General Data Protection Regulation (GDPR). It is a way of treating cybersecurity as a legal risk, and no longer as the preserve of CISOs.

How do you raise employee awareness of cybersecurity?

When will organisations have to comply?

Firstly, Member States must transpose the directive into national law by 17 October 2024, and the resulting obligations apply to the companies and administrations concerned from 18 October 2024. Organisations should nevertheless start preparing for these new cybersecurity standards now, by raising their level of security. In this way, they will be able to counter the growing number of cyber threats.

How do you prepare for the NIS2 directive?  

As of now, organisations affected by the NIS2 Directive can call on experts to assess the security level of their information system and receive recommendations.

As a trusted service provider, certified and qualified by ANSSI, Tixeo supports essential service operators and operators of vital importance in their NIS2 compliance. The use of secure communication systems is one of the measures required to ensure business continuity in a crisis. Protecting online communications is therefore a cornerstone of cyber resilience for organisations.

How do you raise employee awareness of cybersecurity?

Spearphishing, ransomware, downloading malicious software… These cybersecurity threats affect employees in all businesses, particularly those working from home. Raising awareness of cyber security is now essential.

Economic and political risks

Cyber attacks on businesses and public authorities are driven by economic and sometimes political interests, depending on the sector targeted.

The hackers’ objectives may be:

  • To steal money from an individual or a company
  • Capture a company’s customers
  • Damage the reputation of a company or a political player/party
  • Set up industrial, political or military espionage

An organisation’s employees are on the front line when it comes to these ever-increasing cybersecurity risks. Raising awareness of cybersecurity is therefore essential if they are to become aware of them and react accordingly.


Cybersecurity awareness campaigns:

Schedule regular training sessions

Cybersecurity training involves all the company’s employees and should be offered on a regular basis. It is preferable to organise them in small groups to encourage discussion and, if possible, to adapt them to the profiles of the various professions.

Training accountants or human resources professionals in cybersecurity is different from training developers or salespeople. Segmenting training courses by profession also enables specific, concrete subjects to be addressed for each professional issue (wi-fi networks when travelling, fraudulent e-mails, etc.). Ideally, training modules should be short, no longer than 1 hour. Beyond that, there is a risk of generating fatigue and impairing understanding of the message.

It may be a good idea to conclude each training session with a practical summary document. This will serve as a memo for the employee. On the fun side, offering quizzes after training courses, with rewards at the end, encourages employees to take an interest in the subject.


Using gamification

Still aiming for a more entertaining approach, gamification as part of a cyber-security awareness campaign is proving effective. Various organisations offer escape games or cyber games on the theme of IT security, during which employees put themselves in the shoes of a hacker, for example. These role-playing games and interactive training courses raise awareness of the risks, while reducing the anxiety associated with the subject.


Calling on key players

For larger-scale training courses, bringing in a recognised cybersecurity expert is a good way of grabbing the audience’s attention. In this way, employees benefit from in-depth expertise. These may be organisations specialising in IT security, university researchers or cyber defence experts, depending on the company’s sector of activity and the issues at stake.


Strengthening internal communication

Employees need to be regularly informed about news relating to cybersecurity, whether it concerns their company directly or not. Giving concrete examples of incidents and their consequences is a good way of raising awareness.

For example, spearphishing attacks are on the increase and affect more and more organisations. This type of attack specifically targets an employee with access to sensitive information. It generally relies on impersonation and strong social engineering: the attacker sends an e-mail consistent with the activity of the targeted person or company to get them to click on a malicious link or open an infected attachment, at which point the employee's credentials or data can be compromised. The success rate of spearphishing is high and worrying. Such information should be communicated to employees by e-mail, via a corporate social network or in an internal repository, together with a few practical steps for avoiding being caught out (checking the sender's actual address, not opening unexpected attachments, reporting suspicious messages).

Furthermore, in the event of an incident, employees need to react quickly, especially if their workstation is infected and therefore unusable. To help them do this, it is useful to distribute “SOS sheets” covering a range of issues (e.g. “I clicked on the wrong link, what should I do?”). Employees will find the contact details of the support service and a few simple actions to take while they wait for help. These sheets are particularly recommended for teleworkers, who are more on their own when it comes to security issues.


Read more:

5 tips to secure teleworking from Julien, System and Security Admin at Tixeo

Carry out test campaigns

Finally, there is nothing like a (fake) cyber attack to raise awareness of cybersecurity. Test campaigns involve the whole company and have a dual objective: to show employees that attacks can affect them, and to measure their level of vigilance. Generally these are phishing campaigns, since this type of e-mail attack is still the most common. At the end of a campaign, and depending on the results, additional training modules should be offered to the employees who were caught out.


3 essential precautions for raising awareness of cyber security

Diversifying your actions

Freeing up time for training is not always easy, and most employees drag their feet when it comes to cybersecurity training. So the key is to diversify your training courses, so that you can tackle the subject from different angles, providing concrete, practical information. Not forgetting the educational and fun aspects!

Tailoring awareness-raising campaigns to specific professions

It is important for employees to learn techniques to protect themselves, but also and above all to realise that everyone is a target in their own right for hackers today. The overall awareness of the workforce must be raised at the same time as the awareness of the different business profiles.

Stepping up training for teleworkers

While all employees need to be trained in IT security, this is even more the case for teleworkers. Since the advent of teleworking, cyber-attacks have soared, and so has the cost to the company. It is in companies’ interests to maximise training for teleworkers, as well as their remote support in the event of an incident.


Find out about other good safety practices for teleworking:

white paper on teleworking security
Protecting personal data also protects companies

Compliance with the GDPR not only ensures greater protection for employees’ and customers’ personal data, but also guarantees the future of companies.

Avoiding the costs of data breaches

Corporate data is an increasingly coveted commodity. Compromising it can jeopardise a company’s business.

According to a study by Ponemon Institute and IBM Security, the average cost of a data breach for a company worldwide in 2022 was estimated at 4.35 million dollars, up 12.7% on 2020. In France, the average cost per company was almost the same, at 4.34 million dollars.

The costs stem from the loss or exposure of the data itself and from the sanctions (such as fines) that may be imposed if data-protection law was not respected. Finally, a data breach erodes trust in the company, which in turn affects its business.

[VIDEO] Apolline SCHMITT, Lawyer at the Strasbourg Bar and DPO Tixeo, explains the stakes of personal data security for companies

These French companies affected by data theft 

Recently, many examples have demonstrated the significant financial impact of data breaches. In 2022, the subsidiary of a French airline was the victim of a cyber attack that resulted in a massive leak of its employees' personal data. The cause? Insufficient security on the server where the data was stored. If this is confirmed, the company is liable to a fine of up to 4% of its worldwide annual turnover or €20 million, whichever is higher, as provided for in the GDPR.

While large organisations can absorb these costs, SMEs cannot. A French company specialising in movable partitions paid the price: following a cyber attack that compromised its personal data, it had to apply for receivership. The attack cost the company several million euros and caused severe commercial damage.

Improving the company’s image and reputation

A company that does everything it can to protect personal data reassures its ecosystem and, above all, its customers and employees. This is an aspect that can be the subject of communications and thus enhance the image of a transparent and secure company.

In addition, the implementation of a robust data security policy limits the risk of attacks. It avoids any paralysis of the company’s activity.

Video conferencing: do you (really) know how your personal data is handled?

Become a digital nomad without forgetting the security of your data

Travelling while working means being able to change offices every day and enjoy exceptional landscapes during a coffee break, but also being exposed to cybersecurity risks. To leave with peace of mind, in addition to packing mosquito repellent, the digital nomad must make sure their data is protected.

A new way of working

The rise of telecommuting has been a real wake-up call for professionals. In the digital sector, more and more of them are dreaming of a freer professional life, which leaves them time to blossom elsewhere than in the office.

Those who make this dream a reality are also called digital nomads. Sometimes at the other end of the world, they travel with their computer under their arm, always ready to switch to a video conference with colleagues or clients. They are no longer necessarily self-employed, since many companies now allow their employees to “teletravel” (telework while travelling).

The digital nomad frees themselves from the traditional boundaries between professional and personal life to get away from it all while teleworking. But the change of scenery has its constraints.

Telecommuting everywhere, really?

Away from the office, the digital nomad must avoid connecting to the Wi-Fi of fully open public places such as train stations or cafés. These networks are often unencrypted or protected by a password everyone knows, and nothing prevents an attacker from setting up a rogue access point with the same name; traffic can then be intercepted, and the data on the computer, including confidential data synchronised from the company's network, can leak. This leaves the door wide open to malicious intrusions.

The same applies to coworking spaces. Even if they seem to be more secure, connections in these places do not generally have a sufficient level of security. Moreover, the digital nomad is exposed to risks of theft or loss of equipment (hard disk, USB key…), which could seriously compromise data security.

Use reliable equipment

It is not recommended to use personal equipment for work: it has not received the necessary security configuration, such as authentication at start-up, full-disk encryption, restricted administrator rights and control of removable media. The company must apply these controls to the professional equipment before the digital nomad leaves, whether for abroad or for a country house. The objective: protect access to data.

Preserve the confidentiality of exchanges

The digital nomad maintains constant links with his company. To do this, they use videoconferencing tools for meetings, calls and file sharing. Here again, vigilance is required.

Today, videoconference exchanges that are not protected end to end can be listened to and watched by anyone who gains access to the server or to the path in between. Outside the office, the risk of computer espionage is even higher, with serious consequences for the confidentiality of employee and company data.

It is therefore in the interest of companies to choose a secure video collaboration solution. The ANSSI (National Agency for Information Systems Security) assists them in their choice via a certification and qualification process. It identifies the most reliable cybersecurity solutions by awarding them a “Security Visa” label.

This is the case of Tixeo, the only European video-collaboration solution to be certified and qualified by ANSSI, which makes it the most secure solution on the market. Its end-to-end encryption of all multipoint exchanges (audio, video and data) means that the content of a meeting cannot be read by anyone other than the participants, not even the server operator, which closes the main avenue for industrial espionage.

3 last tips to protect your digital nomad data

1 – Don’t just use a VPN

A VPN provides an encrypted link between the digital nomad's equipment and the company's network, but it does nothing about what the device itself lets in. If the teleworker connects to a public Wi-Fi network and inadvertently lets malware onto the laptop, the VPN tunnel will carry that malware straight to the company's servers.

2 – Protect your computer from prying eyes

Physical protections are also useful for the digital nomad: a privacy screen filter against shoulder surfing, and USB port locks to prevent an unknown device from being plugged into the machine.

3 – Be careful with your own personal data

Digital nomads handle passports and plane or train tickets, which are sometimes shared through the messaging feature of video-collaboration tools. These personal data are exposed if the exchanges are not secured, which can lead to identity theft.

How the Institut Godinot secured its remote medical meetings

Specialized in oncology, the Institut Godinot in Reims (France) has implemented Tixeo, a videoconferencing solution certified by ANSSI, for its remote medical meetings.

Located in Reims, the Institut Godinot specialises in adult oncology. It works with the Soissons hospital, which has a radiotherapy unit on site, so that patients do not have to travel to Reims.

The multidisciplinary consultation meetings (RCP) bring together various specialists (radiotherapist, pathologist, etc.) to define the personalised care plan (PPS). The inputs to the PPS (imaging, test results, opinions, patient file, etc.) and the PPS itself are obviously highly confidential and sensitive. At the end of 2019, to spare busy specialists the journey between Reims and Soissons, the Institute therefore looked for a suitable videoconferencing solution. With the lockdowns linked to the Covid-19 health crisis, the need became even more general.


Xavier Grandjean, CIO of the Institut Godinot, has made ANSSI certification a major criterion of choice.

Institut Godinot with Tixeo: about Tixeo

Our mission is to design and deliver secure video conferencing solutions that guarantee organizations a strict confidentiality of their communications.

Working in close cooperation with our customers, we have developed 100% “Made in France” video conferencing solutions with a level of performance, collaboration and security never reached before (ANSSI certified/qualified).

Every day throughout the world, we support thousands of users, SMEs and large groups.

We are aware of the issues related to espionage and cybercrime, and are committed to offering our customers a highly secure collaboration experience.