SRI2: a new digital resilience requirement for organizations

Compliance & Sovereignty, Cybersecurity & Resilience

The European SRI2 directive (NIS2) has not yet been fully transposed into French law. The bill on critical infrastructure resilience and strengthening cybersecurity has been passed by the Senate, but its final adoption is still pending.

This transition marks a major evolution of the digital security framework in Europe: SRI2 significantly expands organizations’ obligations and places cybersecurity at the heart of governance.

As value chains become more interdependent and cyber threats become more sophisticated, SRI2 brings about a paradigm shift: digital security is no longer a technical issue reserved for IT teams.

It becomes a strategic responsibility, directly engaging the governing bodies.

1. An expanded scope: more organizations concerned

SRI2 replaces the 2016 SRI Directive and broadens the range of sectors subject to enhanced obligations. Two categories now structure the framework:

  • Essential entities: energy, health, water, transport, digital infrastructure, financial sector, public administration, space.
  • Important entities: digital services, waste management, agri-food, manufacture of critical products, research, chemistry, logistics, industrial equipment.

Any organisation with more than 50 employees or €10 million in turnover that operates in one of these sectors is likely to fall within scope.

This extension has a direct consequence: a large number of strategic mid-sized companies and SMEs now fall within the regulatory scope.

2. Strengthened governance: a direct responsibility of the executive committee

One of the major contributions of SRI2 lies in the explicit involvement of the governing bodies.

Governance bodies shall:

  • approve cybersecurity policies;
  • monitor risk levels;
  • ensure the implementation of security measures;
  • undergo regular training on cybersecurity issues.

The directive also introduces personal liability on the part of managers in the event of serious breaches.

This is a significant change for the executive committee (COMEX): cybersecurity is now a field that must be steered, documented and audited with the same level of rigour as financial or operational risks.

3. Ten structuring obligations that companies must apply

SRI2 imposes a common core of measures aimed at strengthening digital resilience. Among the key obligations:

  • Governance and risk management: identification and treatment of risks, formalization of a security strategy.
  • Security policies and incident management: detection, response and coordination with the competent authorities.
  • Business continuity and crisis management: updating of business continuity and disaster recovery plans (PCA, PRA) and regular exercises.
  • Securing the supply chain: evaluation of critical providers, reinforced contractual clauses.
  • IT hygiene and hardening: patch management, MFA, segmentation, controlled backups.
  • Network and information systems security: technical controls adapted to the level of risk.
  • Vulnerability management: detection, analysis and correction process.
  • Identity and access management: strong authentication, principles of least privilege.
  • Monitoring and detection: a SOC, SIEM or equivalent capability adapted to the size of the entity.
  • Regular testing: technical audits, penetration tests and crisis exercises.

The objective is clear: to raise the overall level of maturity and structure a coherent approach from prevention to resilience.

4. A new incident notification regime: 24h, 72h, 1 month

To improve coordination and transparency, NIS2 imposes a precise schedule:

  • 24 hours: preliminary notification ("early warning")
  • 72 hours: detailed report on the incident
  • 1 month: final report describing the impact and corrective measures

This requirement strengthens the collective capacity to detect, understand and respond to major incidents.

5. Increased supervision and a meaningful sanctions regime

National authorities will have strengthened levers:

  • mandatory audits,
  • on-site inspections,
  • requests for evidence of compliance,
  • follow-up of corrective measures.

The planned sanctions can reach:

  • 10 million euros, or
  • 2% of global turnover, whichever is greater.

These levels reflect a strong desire to strengthen cybersecurity discipline at the European level.

6. Impacts for organizations: a transversal project

NIS2 compliance affects several dimensions simultaneously:

Governance

  • Formalization of the cyber strategy, structuring of responsibilities, implementation of indicators.

Organisation

  • Strengthening of security teams, regular training, coordination with business units and external partners.

Technologies

  • Increase of supervision, hardening, segmentation, immutable backups, automation.

Compliance and documentation

  • Updates to internal policies, registers, supplier contracts, procedures and evidence of compliance.

SRI2 thus becomes a transformation lever, forcing organizations to move from a reactive posture to an integrated approach to digital risk management.

7. A strategic opportunity: trust, performance and sovereignty

Beyond the obligations, SRI2 constitutes a vector of value creation:

  • reduction of operational risks,
  • strengthening of relationships with clients and partners,
  • improvement of insurance conditions,
  • alignment with other regulatory frameworks (GDPR, DORA, CER, SecNumCloud).

Proactive organizations can turn this constraint into a competitive advantage by establishing managed, controlled and trustworthy security.

The bottom line

SRI2 greatly expands the scope of the entities concerned.

Leaders are directly responsible for cyber governance.

Ten structuring obligations underpin the resilience model.

Incidents must be notified according to a strict schedule.

The sanctions are among the highest in European frameworks.

SRI2 is an opportunity to strengthen resilience, compliance and sustainable performance.

Arthur Delpech de Frayssinet

Chief Information Officer

I support executive management in the transformation and securing of the information system, connecting strategy, innovation and execution to produce measurable results.

My work aims to give digital a clear trajectory, to guarantee control of risks and to strengthen operational performance. I lead with an approach founded on clarity and shared responsibility in order to bring teams together around common objectives.

My analytical ability and my understanding of technological dynamics allow me to anticipate developments, drive change and build sustainable, sovereign performance.
