How NIS 2 brings thousands of French SMEs onto Anssi’s radar

The NIS 2 directive imposes cybersecurity as a strategic priority, expanding its scope to SMEs and the supply chain to build true operational resilience.

Much more than a mere regulatory constraint, the NIS 2 directive is an opportunity for French companies to strengthen their digital resilience. By extending security obligations to tens of thousands of organizations, including SMEs, and by placing the supply chain at the heart of its framework, it demands a major cultural change.

The European NIS 2 directive, recently transposed into French law, is not a simple update of its predecessor. It marks a paradigm shift for cybersecurity, elevating it to a strategic responsibility at the highest level of the enterprise. In France, under the supervision of Anssi (the national information systems security agency), tens of thousands of organizations are now required to apply stricter security measures, including, for example, an initial notification (early warning) of any significant incident within 24 hours of becoming aware of it, followed by a more detailed notification within 72 hours. This shift is a direct response to the growing sophistication of cyber threats and to our critical dependence on an interconnected digital ecosystem.

One of the strongest impacts of NIS 2 is the expansion of its scope through the notion of the “entity”. Under this approach, the organization as a whole must implement the required security measures. This contrasts with an ISMS certification such as ISO/IEC 27001, or other familiar certifications, where the organization typically defines a specific scope covering only selected activities or systems.

In addition, subsidiaries that provide services within a group of companies are also taken into account under NIS 2 and serve as the basis for assessing whether the group’s entities fall within scope. The size test, which relies on the headcount, turnover and balance-sheet criteria of the EU SME definition (Recommendation 2003/361/EC), consolidates the figures of linked enterprises: if an SME belongs to a larger group, the workforce and turnover of the entire group can be counted when determining its status. Many SMEs that previously flew under the radar are therefore now affected, and thousands of small entities inherit the regulatory obligations of their parent company, making security an undeniably collective responsibility.

The other revolution of this directive is its unprecedented attention to the supply chain. The message is clear: security is everyone’s business. The regulation requires stricter management of suppliers, meaning that entities must maintain information systems security policies covering their supply chain and verify that their suppliers apply basic technical and organizational measures, such as multi-factor authentication (MFA). In practice this means contractual security requirements and evidence of the controls actually in place, not just a questionnaire. The customer-supplier relationship thus turns into a partnership in which transparency and due diligence become the norm.

Fortunately, this framework is not solely punitive. The compliance deadlines provided for by law give businesses time to adapt. This room for maneuver should not be a pretext for inaction, but rather an opportunity to prepare intelligently. The real goal, shared by lawmakers and industry experts, is not administrative compliance but operational resilience. NIS 2 is a historic opportunity to strengthen our collective defenses and build a more secure digital future for all.
