05/09/2022

Preparing your company’s cyber security ahead of a sale

Cybersecurity

Cyber threats are on the rise. Against this backdrop, regulations on the protection of IT systems are being tightened. In April 2024, the European NIS 2 directive will come into force in France. This will affect many companies, which will be subject to strict cybersecurity obligations. Experts at AURIS Finance, a mergers and acquisitions consultancy, take a closer look.

Growing needs

The cybersecurity sector is set for significant growth over the next few years. According to a study by IDC (an expert in emerging technologies), the cybersecurity market in Europe is expected to reach €45 billion in 2025, up from €34 billion in 2021. This growth is being driven by the increasing digitalisation of the economy. With all sectors now using digital tools, the need to secure systems is growing. This is coupled with an increase in threats: cybersecurity is now the number one concern of business executives around the world, ahead of health or geopolitical risks.

Towards tighter security standards

Threats are increasing. It is against this backdrop that the European Union adopted regulations in 2016 (transposed into French law in 2018) that impose stricter security standards on “operators of essential services”. The NIS (Network and Information Security) Directive applies to so-called essential organisations, i.e. those that, according to Anssi (the French National Agency for Information Systems Security), “provide an essential service, the interruption of which would have a significant impact on the functioning of the economy or society”. The text was revised in May 2022 to produce a more comprehensive version. NIS 2, due to come into force in France in April 2024, will apply to a wider range of businesses. Central and regional public administrations will also be affected. In total, almost 150,000 companies and organisations are expected to be concerned.

A wide range of sectors now concerned

The companies impacted by the introduction of NIS 2 are numerous. All sensitive sectors are concerned: banking, financial markets, energy, transport, healthcare, water and telecommunications networks. Other strategic activities are also covered, including waste management, postal services, food retailers, internet service providers and data centres.

A two-year compliance period

All these companies will be subject to new obligations, including basic IT hygiene, cybersecurity training, use of cryptography, personnel security, access control policies, and asset management. Other areas include crisis management and incident response, vulnerability management and disclosure, and policies and procedures for assessing the effectiveness of cybersecurity risk management measures. In addition to protecting sensitive entities, these new regulations aim to strengthen cooperation between countries, enabling them to share both information in the event of a cyber-attack and expertise in cyber risk management. These regulations are in line with Cyclone, the European cyber crisis liaison organisation network, which aims to prepare Member States for digital crisis management.

Get the support you need

When a company is sold or acquired, all its assets are carefully scrutinised. Aware of the reality of threats, buyers pay particular attention to cybersecurity as a factor in the value of the target. Therefore, it is important to comply quickly. AURIS Finance’s sector specialists can help you with all aspects of your acquisition or sale operation.