Publication 30 April 2024
7 recommendations on the draft bill transposing the NIS2 Directive
Renaissance Numérique was heard on Wednesday, April 3, 2024, by the High Council for Digital and Postal Services (CSNP), as part of the working group on the transposition of the NIS2 Directive, led by Senator Damien MICHALLET, President of the CSNP, and Representative Anne LE HENANFF.
Samuel Le Goff, Vice President of Renaissance Numérique, and Rayna Stamboliyska, cybersecurity expert, presented a detailed analysis and seven recommendations, which can be read in full in the downloadable document.
In summary, Renaissance Numérique believes that the NIS2 Directive is a necessary and generally well-written text, whose overall logic must be preserved in French law, without over-transposition and without referring to decrees provisions that can be enshrined in law. The think tank calls for this transposition not to be turned into a political and media issue by taking liberties with European law. Recent experience with the SREN bill shows that this is not a good idea.
We believe that several points require particular attention, beyond the wording of the legislative text. The new rules will greatly expand the range of entities subject to the obligations, and support for those entities must be planned if the new framework is to be applied properly. A whole culture of security needs to be put in place. This requires advice and goodwill on the part of the regulator, but also financial resources, which not all entities have.
Renaissance Numérique therefore recommends:
- In terms of operational cybersecurity, that the description of the organization from a cybersecurity perspective be left to the discretion of the Essential Entity (EE) or Important Entity (IE) concerned, so that it reflects operational reality.
- The addition of a criterion for the significance of an incident, whereby an incident not known to the Executive Committee/Management Committee is not a significant incident.
- The co-creation of groups of criteria for each sector concerned. Thus, when actors in the energy sector, for example, contact ANSSI, they can submit their own definitions and criteria for qualifying a significant incident. Actors in the health sector, the relevant public administrations, etc. would do the same. This approach would give ANSSI a detailed understanding that is as close as possible to reality, enabling it to provide appropriate support.
- The rationalization of reporting approaches:
  - To optimize reporting times, persons authorized to make such reports must be registered in advance by the organization with the authority.
  - The timing of NIS2 reporting must be retained as is. The transposition project should, through a decree if more practical, specify the elements required at each stage.
  - To ensure efficiency and consistency in the management of cybersecurity incidents at the European level, it is crucial that notification processes be harmonized and standardized, with common deadlines and common information to be provided. This would enable international companies to report a significant incident to a single NIS2 authority, avoiding multiple and potentially contradictory reports.
- A reasonable adaptation of the measures already present in NIS2, so as not to undermine the European character of the text once transposed into French law, and to avoid the difficulties associated with overly pronounced national contextualization.
- The creation and dissemination of standard contractual clauses to provide a common basis for the contractual component.
- Clarification work dedicated to cloud services.
Renaissance Numérique is pleased to have been able to contribute its vision and analysis of a draft bill to a committee of expert parliamentarians before the legislative process begins. For a useful and calm dialogue, it is essential that exchanges between elected officials and civil society take place before decisions are made. We can only encourage such preparatory hearings on legislative texts, and we are ready to respond to them, since civil society has this responsibility when called upon by public decision-makers.