Resilience bill: Numeum’s recommendations for successful transposition of the NIS2 directive
1. An opportunity to strengthen our collective resilience
The NIS2 directive will raise our overall level of protection in the face of an ever-increasing cyber threat. With the number of entities concerned increasing tenfold, the challenge is to make this legislation an operational success. In this context, our collective objective must be to identify and support these entities, whether they are companies or local authorities. The first condition for such mobilization is to have a totally clear vision of the directive’s scope of application, which is not yet the case.
2. An inherently European system
Cyber threats know no borders, so it’s essential that EU member states harmonize their legislation as far as possible when transposing the new rules. Many digital players are active throughout Europe: excessive differences between the legislation and procedures of each member state would inevitably complicate the implementation of these new rules, and weaken our collective resilience. In this context, we warn against any attempt to overtranspose the directive.
3. ANSSI at the heart of the system
With its strengthened competencies and the number of entities under its supervision, ANSSI has become France’s “cybersecurity regulator”. We welcome the collaborative approach that ANSSI has initiated with stakeholders. To play this role to the full, in our view ANSSI will need to (i) have the necessary resources, (ii) establish a clear regulatory framework in all circumstances, and (iii) position itself in a regulatory role, leaving any remediation tasks to the private sector.
4. A structuring text for the French cybersecurity market
France’s cybersecurity industry is dynamic. However, questions remain about the proposed level of requirement, which, as it stands, could create more demand in this area than supply would necessarily be able to absorb, and could lead to market consolidation. In addition, many ESNs affected by future obligations are concerned about the cost of implementing cybersecurity measures linked to this level of technical requirement.
5. The need for a clear, operational framework for companies
In addition to the NIS2 directive, other texts also govern cybersecurity in France and Europe, such as the 2024-2030 military programming law or the future Cyber Resilience Act. With the proliferation of regulatory texts in the digital space, it is vital that the public authorities ensure that all these measures are properly coordinated. For example, each of these texts sets out an incident or vulnerability notification obligation applicable to several digital players: we need to be careful not to multiply the number of points of contact, and to ensure that these different notifications are subject to a single procedure. This will guarantee simplicity and predictability for businesses, and ensure that the various pieces of legislation are applied more effectively.