To harmonise and strengthen information security in businesses, the new European NIS2 directive imposes more stringent requirements on a wider group of economic agents. Vincent Bazillio, Global Business Development Manager – Cybersecurity at Axians, helps make sense of this development.
An important milestone has been reached in the strategy to prepare and protect economic organisations against cyber risk. The European NIS2 (Network and Information Security) Directive came into force on 17 October 2024, ensuring that businesses face up to their primary digital security responsibilities.
This new legislative shield supersedes the 2016 NIS1, with a broader scope and more exacting requirements for organisations. While the first version mainly targeted operators of essential services in seven business sectors, NIS2 widens its scope to include private companies, local authorities, research centres, healthcare establishments, etc. across 18 business sectors.
Rather than the few hundred organisations affected previously, the law reportedly now applies to over 15,000 entities, divisible into two major blocks: essential entities, which include large businesses, and important entities, which tend to be SMEs.
Change of scale
“NIS2 introduces genuine 360‑degree risk management to these businesses, which are now required to implement cybersecurity at all functional and operational levels, from R&D and support services to their industrial activities and infrastructure,” explains Vincent Bazillio, Global Business Development Manager – Cybersecurity at Axians, the VINCI Energies ICT brand. “And with the requirements of the new directive also extended to subcontractors and suppliers, we are moving away from the fortress approach toward a secured network model – a very open network extending well beyond the company’s walls.”
This change of scale is forcing companies to create solid roadmaps and painstakingly organise their action plans. NIS2 does more than just impose a framework – it also stipulates financial sanctions for failures to comply with the new rules. These can amount to €10 million or 2% of total worldwide revenue for essential entities and up to €7 million or 1.4% of annual revenue for important entities.
Businesses are now required to report any “significant” incident within 24 hours. For essential entities, this warning must be followed by a full notification within 72 hours and a detailed final report within 30 days.
Cyber risk culture
There is no cause to panic – the aim of NIS2 is not to overwhelm businesses, but to accelerate their transition to a true cyber risk culture, though undue haste is to be avoided: “Cybersecurity is a continuum, based on a progressive, constantly updated approach. We must therefore proceed step by step. This starts with mapping all business activities and identifying security needs specific to each company, assessing the impacts of an attack on business activity and defining continuity plans,” says Vincent Bazillio.
However, not all companies start on equal footing. While most essential entities have long since addressed their compliance position and have the internal resources needed to manage the tools and processes involved, many SMEs will need additional support.
“Here again, each organisation has its own specific needs,” says Vincent Bazillio. “It’s no longer a question of installing firewalls all over the place; it’s about teaching businesses to think in terms of risk analysis, to identify priorities and focus their actions in strategic areas, with an organic long-term vision. This ensures their security, but also their resilience in the event of an attack.”
07/15/2025