The national transpositions have enabled the EU Member States to adopt a set of measures to raise the level of digital security on their respective territories, leading to undeniable progress in the level of cybersecurity of the EU as a whole. At national level, the transposition of the NIS directive has been a lever to consistently extend the pre-existing regulatory framework and to improve the maturity of the actors that are essential to the functioning of the economy and of society.
The directive, in line with its initial objectives, has been an efficient driver for increasing the level of cybersecurity of the actors that are essential to the functioning of the economy and of society in the Member States of the EU.
The set-up of the NIS Cooperation Group and of the network of Computer Security Incident Response Teams (CSIRTs) has played a key role in creating the conditions for the Member States to exchange in confidence and contribute to the appropriate cyber-related EU policy developments.
Improving some aspects of the directive, through further harmonization measures in order to ensure an adequate level of security in a context where cyber threats are growing: this is our ambition. Consistency shall be a key word of this approach.
Several pieces of EU cyber-related sectoral legislation are about to be negotiated. In this context, it is essential to keep NIS as the legislative framework of reference in the cybersecurity area, based on minimal harmonization measures and with a cross-sectoral dimension.
Digitalization of our societies and economies has been booming since 2016 and digital security, beyond its technical dimension, has turned into a real economic and strategic issue for companies. Given these developments, the revision of the NIS directive is an opportunity to emphasize more precisely the need for the operators of essential services (OESs) to set up appropriate governance and digital risk management processes, reporting to the top management of the organization.
Amongst the new cyber threats, the multiplication of supply chain attacks, targeting the overall ecosystem of the OESs (subcontractors, providers, partners…), is a major development. As a consequence, it is essential to evolve the NIS directive so that it contributes to securing the digital ecosystem around the OESs.
It is important to assess how to make national approaches more convergent in order to improve the existing mechanisms for OES identification and incident response. Capitalizing upon the launch of the CyCLONE network on the occasion of Blue Olex 2020, integrating cyber crisis management and cooperation within the scope of NIS shall be a decisive step forward in strengthening the cyber resilience of the EU and of the Member States.
By envisaging these changes in a pragmatic and concrete way, this revision process will be efficient and, as ANSSI wishes, concluded as quickly as possible.