On 10 November 2022, the European Parliament adopted the Network Information Security (NIS2) Directive which replaces the NIS Directive adopted on 6 July 2016, defining European-wide legislation on cybersecurity common to the Member States. The Directive will be transposed into French legislation by the end of 2024.
The aims of NIS2 are to take into account the evolving nature of cybersecurity issues and the constant change in threats around the world.
In short, the NIS 2 Directive:
1. broadens the scope to include new actors. The transport sector is identified as a highly critical sector.
2. defines common Cyber risk management procedures
3. imposes new obligations for reporting cybersecurity incidents to the authorities,
4. introduces more stringent supervisory measures for national authorities on and/or off site, as well as requests for access to evidence.
According to Sylvie Andraud, ANSSI sector coordinator:
“For the maritime sector, around 20 operators are already subject to NIS1 and are required to follow 23 security rules outlined in a Prime Ministerial Order (French Order of 14 September 2018) for their critical information systems. With NIS2, more shipping companies and ports should be affected. In France, the National Agency for Information System Security (ANSSI) is in charge of transposing the directive, as was the case for NIS1. Each Member State has 21 months to transpose the directive into national law. The notion of “operators of essential services” is removed in favour of two new concepts: essential entities and important entities. The maritime transport sector is listed in Annex I of the directive as a “highly critical sector”. Medium-sized and large entities in the sector will be considered essential entities and some smaller companies will be considered as important entities.”
The entire port ecosystem will be affected.
We’ll keep you informed of any new developments!
Fabrine FRESTEL MGI ISSO