Expert Opinion: NIS 2 – A Lever to Strengthen Cybersecurity

Risk management is essential for any organization operating critical infrastructure. Identifying risks and responding effectively can significantly reduce the odds of a successful attack. Yet it is equally important to limit the impact by gaining control at the earliest signs. This approach is now visible on a daily basis in the field, across Europe, in sectors such as energy, healthcare, and logistics — inherently highly sensitive domains.

The NIS 2 directive therefore marks a major turning point in Europe’s cybersecurity regulation. For France as well as for all EU member states, the stakes go beyond mere regulatory compliance: it is a true lever for transforming how we protect critical infrastructures, whose activity underpins economic, social, and political stability.

While France lags somewhat in transposing the directive, the debate takes on strategic dimensions: how can this constraint be transformed into an opportunity to strengthen digital trust and bolster European sovereignty?

France’s cybersecurity heritage: a foundation for NIS 2

To protect their most critical assets, the majority of companies implement rigorous controls on access to resources and personnel. This enables them to maintain operational continuity, even in the face of a major incident.

In France, it is worth recalling that the country was a pioneer in critical infrastructure security with the NIS directive, directly inspired by the Military Programming Law (LPM). This legislative framework imposes strict security measures on Operators of Vital Importance (OIV) and helped define a clear approach to protecting critical infrastructures against cyber threats. Thanks to this experience, compliance is relatively well structured in France.

Building on these foundations, the NIS 2 directive aims to strengthen the resilience of organizations in critical-infrastructure sectors. Its objective is to improve incident response so that a threat does not turn into a catastrophe.

NIS 2 as a catalyst for incident management

NIS 2 emphasizes resilience, governance and threat anticipation. It shifts the regulatory objective from prescriptive controls to an outcome-based resilience approach, turning incident management from a best practice into a compliance obligation.

One of the most significant changes is the obligation for organizations to notify authorities within 24 hours of becoming aware of a major incident. This tight deadline requires real-time visibility into network activity and lateral movement — capabilities that are often missing from traditional perimeter-based security architectures.

Zero Trust segmentation, a proactive approach to containing attacks to preserve operational integrity, plays a crucial role in enhancing cyber resilience through several key steps:

> Risk identification: spotting vulnerabilities such as high-risk open ports, unpatched systems, or connections to malicious IPs.

> Risk reduction: eliminating these vulnerabilities and establishing barriers to contain an attack, for example by separating IT and OT environments.

> Reduction of impact: dynamically isolating infected resources to separate them from the rest of the infrastructure.

Challenges for organizations and SMEs

The NIS 2 directive aims to reduce resilience gaps and strengthen collective risk awareness. Its major change lies in the broadening of sectors and organizations covered, notably small and medium-sized enterprises (SMEs), which will likely face the challenge of mobilizing the resources necessary to achieve compliance.

Not all companies, however, are at the same level of preparedness. Those that have already adopted NIS 1 are generally ready for NIS 2, with adjustments mainly related to harmonization between member states.

Conversely, companies newly covered by NIS 2 find themselves in two situations: those with good cyber hygiene often find the process relatively smooth, while those without a cybersecurity policy are likely to encounter difficulties. The biggest challenge probably lies in the lack of resources to devote fully to compliance.

Fortunately, most countries have set the compliance deadline at 2030 at the latest, giving companies additional time. ANSSI mentioned a grace period after transposition, and full compliance could be required by the end of 2027.

It remains to be seen how each state will transpose the directive and what certification procedures will look like. The main challenge will likely lie in protecting older equipment.

Priority investments to build resilience

Although many security controls are already in place, many organizations will likely need to invest more in incident management to bolster their resilience and meet NIS 2 requirements.

Key investment areas include:

> Risk analysis: identifying vulnerability hotspots that could lead to a compromise;

> Incident management: containment of attacks and quarantining infected resources;

> Business continuity: reducing the impact of an attack;

> Supply chain security: controlling access to resources by third parties;

> Vulnerability management: disabling high-risk services and patching vulnerable systems.

The most important step is to understand the risks within the organization, which involves:

> Understanding and mapping all traffic flows within the organization;

> Identifying and shutting down unnecessary high-risk services;

> Patching vulnerabilities;

> Segmenting and segregating environments to prevent the spread of an attack.
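The four steps just listed, and the risk identification / reduction / impact-reduction sequence described earlier under Zero Trust segmentation, can be made concrete with a small flow-mapping check. The script below is an added example written for this article; it is not the author's or Illumio's tooling. It assumes a hypothetical asset inventory that maps hosts to zones (IT, DMZ, OT), a constructed sample of observed flows, and a constructed list of services treated as high-risk when they cross zones (SMB, RDP, Telnet, FTP). From that it builds a zone-to-zone traffic matrix (step 1), flags high-risk and IT-to-OT flows that need to be shut down or patched (steps 2 and 3), and derives a default-deny allowlist from the remaining flows (step 4).

```python
"""
Added example (not from the article): map observed flows to zones, flag
high-risk cross-zone services, and derive a default-deny segmentation policy.
All hosts, zones, ports and flows below are constructed for the example.
"""
from collections import Counter
from dataclasses import dataclass

# Hypothetical asset inventory: host -> zone (assumption for the example).
ZONES = {
    "10.0.1.10": "IT", "10.0.1.20": "IT", "10.0.1.30": "IT",
    "10.0.9.5": "DMZ",
    "192.168.50.10": "OT", "192.168.50.11": "OT",
}

# Services treated as high-risk when exposed across zones (constructed list).
HIGH_RISK_PORTS = {445: "SMB", 3389: "RDP", 23: "Telnet", 21: "FTP"}

# Zone-to-zone paths that segmentation policy should never allow directly.
FORBIDDEN_PATHS = {("IT", "OT"), ("DMZ", "OT")}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    proto: str = "tcp"


def zone_of(host):
    """Look a host up in the inventory; anything unmapped is a finding in itself."""
    return ZONES.get(host, "UNKNOWN")


def classify(flow):
    """Return the list of findings for one flow (empty list means no finding)."""
    findings = []
    sz, dz = zone_of(flow.src), zone_of(flow.dst)
    if "UNKNOWN" in (sz, dz):
        findings.append("unmapped host")
    if (sz, dz) in FORBIDDEN_PATHS:
        findings.append(f"forbidden path {sz}->{dz}")
    if flow.port in HIGH_RISK_PORTS and sz != dz:
        findings.append(f"high-risk service {HIGH_RISK_PORTS[flow.port]} across zones")
    return findings


def map_flows(flows):
    """Step 1: aggregate observed traffic into a (src zone, dst zone, port) matrix."""
    matrix = Counter()
    for f in flows:
        matrix[(zone_of(f.src), zone_of(f.dst), f.port)] += 1
    return matrix


def risk_report(flows):
    """Steps 2 and 3: flows that must be shut down, patched or isolated."""
    report = {}
    for f in flows:
        findings = classify(f)
        if findings:
            report[f] = findings
    return report


def build_allowlist(flows):
    """Step 4: default-deny policy that only allows flows with no findings."""
    rules = sorted({(zone_of(f.src), zone_of(f.dst), f.proto, f.port)
                    for f in flows if not classify(f)})
    policy = [{"from": s, "to": d, "proto": p, "port": port, "action": "allow"}
              for s, d, p, port in rules]
    policy.append({"from": "any", "to": "any", "action": "deny"})
    return policy


def is_allowed(policy, flow):
    """Evaluate a new flow against the policy; first matching rule wins."""
    key = (zone_of(flow.src), zone_of(flow.dst), flow.proto, flow.port)
    for rule in policy:
        if rule["from"] == "any":
            return rule["action"] == "allow"
        if (rule["from"], rule["to"], rule["proto"], rule["port"]) == key:
            return rule["action"] == "allow"
    return False


# Constructed sample of observed flows (not real data).
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "10.0.1.20", 443),          # IT -> IT HTTPS: fine
    Flow("10.0.1.10", "10.0.9.5", 443),           # IT -> DMZ HTTPS: fine
    Flow("10.0.1.30", "192.168.50.10", 445),      # IT -> OT SMB: forbidden, high-risk
    Flow("192.168.50.10", "192.168.50.11", 502),  # OT -> OT Modbus: intra-zone
    Flow("10.0.1.20", "192.168.50.11", 3389),     # IT -> OT RDP: forbidden, high-risk
    Flow("10.0.1.20", "172.16.0.7", 22),          # destination missing from inventory
]

if __name__ == "__main__":
    for flow, findings in risk_report(SAMPLE_FLOWS).items():
        print(f"{flow.src} -> {flow.dst}:{flow.port}  {'; '.join(findings)}")
    for rule in build_allowlist(SAMPLE_FLOWS):
        print(rule)
```

Two design points match the article's argument. The policy ends in an explicit deny, so a flow from IT to OT that was never observed is blocked rather than silently permitted, which is the containment behaviour the 24-hour notification window depends on. And an unmapped host is reported as a finding instead of being tolerated, because a segmentation policy is only as good as the asset inventory it is built on.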

A risk-based strategic approach

Despite the challenges of compliance, NIS 2 represents a positive development in that it encourages a stronger focus on resilience and business continuity. It raises the cybersecurity bar and mandates a proactive, structured approach to incident management, including containment.

For organizations, it is crucial to adopt a risk-based approach, identifying critical assets and implementing additional controls, such as segmentation, to protect them. For example, if your greatest fear is a shutdown of your production line, focus on securing industrial control systems, then map out potential attack vectors.

In this approach, two common mistakes are to be avoided: first, trying to apply every requirement to the letter, which can be costly and ineffective; second, neglecting the importance of relying on experts, as NIS 2 compliance can be complex depending on the organization’s maturity.

A strategic, risk-based approach backed by experts is essential to effectively meet NIS 2 requirements while strengthening, in the long term, resilience and security for organizations facing digital challenges.

*Damien Gbiorczyk is a cyber-resilience expert at Illumio

Dawn Liphardt