European NIS 2 directive: a new challenge for DPOs and cybersecurity.


NIS 2 has the potential to significantly transform the role of Data Protection Officers (DPOs) and their relationship with security. On the one hand, it considerably widens the range of organizations affected, increasing the number of DPOs for which employers will have legal security constraints. Specifically, NIS 2 expands from 6 regulated activity sectors in NIS 1 to 23 sectors. On the other hand, the directive targets not only large groups or central administrations, but also SMEs, ETIs, and all territorial collectivities.

To address this development, ANSSI itself is adapting to NIS 2 by moving towards a network and service-based approach for effective information system security management. The agency has also strengthened its sanctioning capabilities for extreme cases of non-compliance with NIS 2 requirements.

With the NIS 2 directive, DPOs will face new challenges by becoming more involved in cybersecurity management. This development is a step towards a more comprehensive approach to data and information system security within organizations. DPOs will need to adapt to these new legal requirements and be prepared to tackle new cybersecurity challenges.

And what about DPO PARTAGE in all this?

The new version of the European directive NIS, NIS 2, considerably widens the range of organizations affected by information system security requirements. Specifically, it expands from 6 regulated activity sectors in NIS 1 to 23 sectors. This development affects not only large groups and central administrations, but also SMEs, ETIs, and all territorial collectivities. In this context, DPOs must be prepared to meet these new legal cybersecurity requirements.

In this perspective, DPO PARTAGE, an online platform for sharing externalized DPOs, is a suitable solution for companies of all sizes seeking to comply with the NIS 2 directive. Indeed, DPO PARTAGE allows its clients to benefit from the expertise of qualified and experienced DPOs without having to hire an internal DPO.

By externalizing their DPO, companies can comply with new legal obligations in terms of cybersecurity while limiting associated costs. Moreover, DPO PARTAGE offers a flexible and quick response to growing demands for cybersecurity.

Thanks to a team of experienced and qualified DPOs, DPO PARTAGE ensures optimal protection of its clients’ data in accordance with European and international standards. The platform also offers consulting services to help companies identify risks and implement appropriate security measures.

In summary, the NIS 2 directive considerably expands the scope of legal cybersecurity obligations for companies, particularly SMEs and ETIs. To comply with these requirements, companies can use solutions to externalize their DPO, such as DPO PARTAGE, to benefit from the expertise of qualified and experienced professionals while limiting associated costs.

Details on the NIS directive

The NIS directive: everything you need to know about network and information system security in Europe

The Network and Information Security (NIS) directive is a European regulation aimed at ensuring an optimal level of security for all networks and information systems in the European Union. To achieve this, it imposes obligations on Essential Service Operators (ESOs) and digital service providers (DSPs).

The NIS directive also seeks to strengthen national cybersecurity capacities and optimize the level of security for companies by establishing a European cooperation framework.

Organizations that do not comply with the directive risk heavy financial penalties of up to 125,000 euros.

ONE GDPR: your partner for meeting NIS directive requirements

To avoid these financial penalties, companies can turn to ONE GDPR Experts. Our cybersecurity specialist team will respond to your requests by offering a toolbox, and then accompany you to advise and satisfy you.

How to prepare for the NIS 2 directive?

The NIS 2 directive is about to be definitively adopted, which means that organizations need to prepare to comply with the new cybersecurity requirements. After a 21-month grace period, non-compliant organizations will be subject to significant fines. To best prepare, organizations need advice, training, and tools to comply with the directive.

The first step is to designate a representative of the company or local authority with the ANSSI. This determines the organization’s information systems, based on which security rules will be implemented. Next, monitoring and evaluating networks or information systems are necessary to ensure compliance with the NIS 2 directive. Specialist companies often use two methods, active scanning and passive monitoring, to detect security vulnerabilities continuously.

Finally, organizations must produce compliance reports to be submitted to national competent authorities. To facilitate this task, NIS 2 deployment specialists use report and dashboard templates to create customized reports for each compliance obligation.

It is essential for organizations to prepare for the NIS 2 directive by adopting the operational and technical measures necessary to manage the risks to which information systems are exposed. For this, cybersecurity experts, such as those provided by ONE GDPR, can be helpful in helping organizations comply with the NIS 2 directive and avoid fines.

NIS 2 compliance: the importance of a cybersecurity expert

The new NIS 2 directive from the European Union requires essential and important operators to comply with strict cybersecurity rules. Compliance is not an easy task and can be costly. However, it has become a priority for companies, public administrations, and states. Entrusting this project to a cybersecurity professional like ONE GDPR is the best solution for successful compliance.

Proven technical expertise

Compliance companies have excellent technical expertise and extensive experience in international management system standards. Most of them have managed hundreds of NIS compliance projects throughout Europe. This allows them to pilot this project from start to finish with great success.

Multidisciplinary teams

Cybersecurity providers have multidisciplinary teams that are responsible for developing a compliance strategy, taking into account budget, sponsorship, and overall development plan. They also perform rigorous and reliable penetration testing, implement executive expertise, and develop an effective risk mitigation plan. In short, they have the necessary resources to help companies understand and materialize the NIS 2 directive.

Accompaniment to escape sanctions and establish a lasting relationship

Compliance with the NIS 2 directive is crucial to avoid sanctions imposed by the European Union. It also establishes a lasting relationship between the organization and its various partners. Indeed, cybersecurity is a major issue for the protection of personal data and the reputation of the company. Entrusting this project to a cybersecurity expert accustomed to this kind of mission is, therefore, an effective solution to implement reliable and lasting security measures.

Sanctions for non-compliance with NIS 2

The NIS 2 directive imposes new cybersecurity obligations on companies and public administrations. The sanctions for non-compliance with this regulation are also stricter than those of the previous directive. Let’s take a closer look at what organizations risk if they do not comply with the NIS 2 directive.

Fines can reach high amounts

Non-compliance with the NIS 2 directive exposes organizations to significant financial sanctions. Fines can reach up to €10 million or 2% of the organization’s worldwide annual turnover. These amounts are particularly high and can jeopardize the survival of companies that have not complied with the obligations of the directive.

Sanctions can also take the form of prohibitions or activity restrictions. These measures are also very restrictive for companies that can no longer operate normally.

Responsibility of leaders involved

The leaders of the organizations concerned by the NIS 2 directive are also subject to sanctions. Indeed, the responsibility of people in representative or management positions may be engaged in case of violation of cybersecurity obligations.

Sanctions can take the form of financial sanctions, prohibitions or restrictions on activities. Leaders may also be required to resign or leave their position.

Sanctions for Member States

The NIS 2 directive also imposes certain surveillance and enforcement obligations on Member States. If states do not fulfill these obligations, they may be prosecuted and sanctioned by European authorities.

These sanctions can take the form of financial sanctions or restrictive measures. States may also be required to implement specific measures to comply with the NIS 2 directive.

European NIS 2 directive and GDPR: two identical realities?

The NIS directive and the GDPR are two European standards on cybersecurity that have different objectives. Despite this, some people confuse these two legislations. To clarify things, it is important to specify that the GDPR (General Data Protection Regulation) is a European regulation that came into force in 2018. Its objective is to optimize the protection of personal data of European citizens by holding all public or private actors who collect or process this data responsible.

The GDPR focuses on transparency in the collection and use of data. The authority responsible for its proper implementation in France is the CNIL (National Commission for Informatics and Liberties). This regulation applies to public or private organizations established in the EU whose activity directly targets the people who live there.

The NIS directive, on the other hand, is a European directive on cybersecurity that aims to strengthen the protection of networks and information systems against cyberattacks and cyber threats. It defines risk management, reporting and vulnerability disclosure obligations for essential operators and important operators.

DPO Partagé
DPO Partagé
Looking for a DPO? Entrust your mission to DPO PARTAGE - Contact us at +33 (0)7 56 94 70 90 or by email at DPO PARTAGE is the leader in DPO services for health and sensitive data.

Intéressant ? Partagez-le !


Audit gratuit Conformité RGPD


A ne pas manquer !

Encore plus d'actualités
Informations RGPD

Xerox Corp is reportedly the victim of a major cyberattack.

Xerox Cyberattack by Incransom : on December 30, 2023,...

Turning GDPR Compliance into Competitive Advantage: Unveiling the New Guide for American Enterprises

In a world where data protection and regulatory compliance...

Web Analytics and GDPR Compliance: How Website Hosts Can Adhere in France

Web Analytics and GDPR, CNIL's Position: Website hosts using...