NIS 2: Frequently asked questions and differences with NIS 1

Olivier CHANTALOU, Head of Audit & Consulting / Governance, Risk and Compliance, explains the main questions asked by his clients concerning the new NIS 2 regulations and the differences with the previous NIS regulations.

A reminder about
the NIS directive and its purpose:


NIS stands for Network and Information System Security. 

European Directive (EU) 2016/1148 defines a general framework to ensure a common high level of security for networks and information systems in European countries. It regulates IS security, which is necessary to maintain the country's economic and societal activity, for two types of actor: Operators providing Essential Services (OES) and Digital Service Providers (DSPs).

NIS sets out three levels of obligations for Essential Service Operators (ESOs): 

  1. Application of 23 security rules for essential Information Systems (IS) identified by the OSE, grouped into 4 categories: governance, protection, defense and resilience;
  2. Notification to the national cybersecurity agency (ANSSI for France) of any security incidents occurring on IS's;
  3. OSE cooperation in case of inspection by the national cybersecurity agency (ANSSI or an ANSSI qualified audit provider).

What is NIS2? 

On November 10, 2022, members of the European Parliament adopted the NIS 2 directive.
NIS 2 will take effect in France in the second half of 2024.
In France, many companies and public authorities will be subject to these new regulations.

NIS2 distinguishes two categories as regulated entities according to their level of criticality: 

  • Essential entities;
  • Important entities.

How do I know if
I'm an important or essential organization?


The NIS 2 directive includes annexes 1 and 2, which indicate the sectors, sub-sectors and entity types concerned. If your entity belongs to one of these sectors, sub-sectors or entity types, and respects the legal size requirements, then you will be covered by the NIS 2 directive. 

On a national scale, NIS 2 will apply to thousands of entities in over eighteen sectors that will now be regulated. Around 600 different types of entity will be affected, including administrations of all sizes and companies from small and medium-sized businesses to CAC40 groups. The main integration criteria have been defined at European level. 

They relate essentially to 

  • Number of employees, 
  • Sales turnover 
  • Nature of the activity carried out by the entity.

what are the differences between NIS and NIS2?

Firstly, the definitions of organizations involved have changed:

In NIS 1, the definitions of ESOs and NSFs were given in the directive.
In NIS 2, the directive describes and clarifies the definitions, especially in its annexes 1 and 2, to cover more companies or authorities and more services.

Secondly, NIS 2 extends the scope of its application.

In NIS 1, only essential service operators (ESOs) and digital service providers (DSOs) were mentioned. NIS 2 includes more entities, such as online service providers, key digital services and many public organizations.

Finally, in NIS 2, the security requirements are extended to more entities, with specific requirements for cybersecurity and reporting of security incidents.

What are the advantages of complying with the NIS 2 directive?

The benefits can be summarized as follows:

  • Increase customer, employee and stakeholder confidence (management, shareholders, suppliers);
  • Improve cyber-attack security, by protecting your infrastructures (the NIS 2 Network) and information systems;
  • Better ability to perform your business activities, thanks to increased resilience and continuous operations;
  • ensure legal compliance and avoid financial sanctions imposed by regulatory authorities. 

OPPIDA can support you in all these areas, using its technical skills (technical audits, security solution evaluation laboratory - CESTI) and its GRC department.

Our other news