1. NIS2: Are you ready?
Networks and information systems have become indispensable features of our daily lives due to rapid digital transformation and the interconnectedness of society.
Indeed, many critical societal and economic activities depend on the proper functioning of these networks and information systems. However, the number, scale, sophistication, frequency, and impact of incidents affecting these networks and systems now pose significant threats to the public, businesses, and public authorities.
An increasingly digital society and the growing use of new technologies are accompanied worldwide by a surge in cyberattacks but also, as numerous recent incidents have demonstrated, by an intensification of the severity and extent of these attacks. These attacks are carried out by criminals, terrorists, activists, or foreign military and intelligence services, with the aim of undermining the integrity, availability, and confidentiality of data used by information systems.
All citizens, businesses, and public authorities must therefore be aware of the importance of taking preventive measures against cyber threats and cyber incidents. A cyber incident is, in fact, likely to cause serious operational disruptions of these essential services and affect natural or legal persons by causing significant material, physical, or moral damage.
For example, an incident could result in the disruption of energy distribution or the unavailability of transport services. Insofar as they affect essential actors in key sectors, including public authorities, these incidents constitute serious threats to public security.
A few definitions…
Cybersecurity: The actions necessary to protect networks and information systems, users of such systems and other persons exposed to cyber threats (source: Regulation (EU) 2019/881) [1]
Cyber threat: Any potential circumstance, event or action that could harm or otherwise adversely affect networks and information systems, users of such systems and other persons, or cause disruptions of such networks and systems (source: Regulation (EU) 2019/881)
Risk: The potential for loss or disruption caused by an incident, expressed as a combination of the extent of such loss or disruption and the likelihood of such an incident occurring (source: Directive (EU) 2022/2555) [2]
Incident: An event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data, or the services that networks and information systems provide or make accessible (source: Directive (EU) 2022/2555)
Network and information system:
a) an electronic communications network within the meaning of point 1 of Article 2 of Directive (EU) 2018/1972 [3];
b) any device or set of interconnected or related devices, one or more of which, in execution of a program, performs automatic processing of digital data; or
c) the digital data stored, processed, retrieved or transmitted by the devices referred to in points (a) and (b) for the purpose of their operation, use, protection and maintenance (source: Directive (EU) 2022/2555)
[1] Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 concerning ENISA (the European Union Agency for Cybersecurity) and cybersecurity certification of information and communication technology, and repealing Regulation (EU) No 526/2013 (Cybersecurity Act)
[2] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures to ensure a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS2 Directive)
[3] Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code (Recast)