Thursday, January 29, 2026
NIS2 Directive: Are you ready?
GOVERN
NIS2 Directive: What are the implications for French companies?
At the first edition of Lyon Cyber Expo, we are pleased to welcome a panel of experts composed of Mathieu Delaplace, Digital Security Delegate for the Auvergne-Rhône-Alpes region – ANSSI, Ahoefa Agbessi-Awussi, Information Security Compliance Manager – Cegid, Alexandre Sahut – Cybersecurity Delivery Service Manager – Visiativ And Antoine CamusDirector of the Cybersecurity Department – MinalogicThey discussed the new European regulatory framework NIS2 to understand the keys to compliance, the challenges to overcome and the opportunities to seize.
NIS2: A broader framework for enhanced cybersecurity
The NIS2 (Network and Information Security) directive, succeeding NIS1, marks a key step in the digital security of businesses in Europe. With a broader scope, it now covers 18 sectors of activity and applies to medium-sized companies (more than 50 employees or €10 million in revenue).
“NIS2 expands the number of entities concerned, from 500 critical operators under NIS1 to 15,000 companies in France. This regulation imposes minimum cybersecurity measures to protect the entire economic ecosystem.”Mathieu de Laplace, regional delegate of the National Cybersecurity Agency of France (ANSSI)
Challenges AND opportunities for SMEs
For companies, NIS2 is both a regulatory challenge and a strategic opportunity. According to Fleur Agbessi, compliance manager at Cégid, " This is an opportunity to improve our security, but also a challenge, because we need to anticipate the transposition of the directive and prepare now. “Alexandre, from Visiativ, adds: While large companies are already aware of these issues, the challenge will be for SMEs, which are often less familiar with them. The key is to start with simple and pragmatic actions. »
Tools and resources to prepare for NIS2
ANSSI provides companies with practical tools to support them:
- MySpace-NIS2 Portal: Allows you to test your eligibility and follow regulatory changes.
- Qualified service providers: ANSSI certifies specialized actors in auditing, consulting and incident response to help companies achieve compliance.
"The directive highlights digital hygiene measures that we have been recommending for years, such as risk analysis and incident management."Mathieu de Laplace, regional delegate of the National Cybersecurity Agency of France (ANSSI)
ISO and NIS2 standards: clear synergies
Cégid, ISO 27001 certified for seven years, is an example of proactive planning. Fleur Agbessi explains: “The ISO 27001 standard is an excellent foundation for NIS2. It covers requirements such as asset management, business continuity, and risk management. However, NIS2 goes further in areas such as authentication and crisis management.” At Visiativ, also ISO 27001 certified, supporting subsidiaries and clients is a core focus. Alexandre emphasizes: “ISO certification is not an end in itself, but a process. It allows us to support our clients, often industrial SMEs, in their journey toward greater maturity.”
SMEs: the first to be affected, the first to act
Small and medium-sized enterprises, although often far removed from regulatory requirements, must mobilize. Alexandre observes: “The level of maturity varies depending on the ecosystem. Airbus subcontractors, for example, are already very advanced. Other mid-sized companies, despite their size, remain relatively unaware.”
Key success factors for SMEs
- Management sponsorship: Identify a cybersecurity manager and integrate governance.
- External support: Engaging service providers to assess maturity and define priorities.
- Progressive actions: Start with simple measures, such as risk analysis or raising employee awareness.
Training and raising awareness: a strategic priority
With 80% of cyberattacks due to human error, training is essential. At Cegid, awareness campaigns and regular phishing tests are organized. Fleur Agbessi explains: "We have integrated a feature into Outlook to report phishing attempts. An external provider then analyzes the threats and acts quickly."
Collective governance for success
Mathieu de Laplace emphasizes the importance of external support: "It is difficult for a company to assess itself alone. An external perspective, capable of comparing its maturity with the ecosystem, is essential." Indeed, NIS2 is not limited to technical obligations. It is a collective approach involving managers, employees, suppliers and customers.
The NIS2 directive is a strategic lever for strengthening cybersecurity for businesses in Europe. It is aimed at all organizations, large and small, to rethink their processes and protect themselves effectively against cyber threats.