Cybersecurity: the territorial challenge of NIS2

With the bill to transpose the European NIS2 (Network and Information Security 2) directive into French law, passed by senators on March 12, 2025, the scope of players targeted by the extension of European “cyber” regulations is expanding. With the bill to transpose the European NIS2 (Network and Information Security 2) directive into French law, passed by senators on March 12, 2025, the scope of players targeted by the extension of European “cyber” regulations is expanding.

Today, in France, 15,000 new organizations (compared to 500 with NIS1) are directly concerned. They operate in sectors considered “critical”: energy, transport, healthcare, sanitation, digital infrastructures and services, public administration, telecommunications and finance. In concrete terms, postal and courier services, waste management, chemical manufacturing, production and distribution, food production, processing and distribution, medical devices, computers, electronic and optical equipment fall within the scope of NIS2 and the REC (Critical Infrastructure Resilience) and DORA (Digital Operational Resilience Act) directives also adopted by the Senate. 

While final adoption of the law by the French National Assembly is expected by the summer, the organizations now affected must immediately adopt the necessary measures to protect themselves from cyber-attacks and engage resilience strategies.

Local authorities and higher education establishments directly concerned in France

As emphasized by the Senate's special committee, extending the scope of application of the “cyber” law to local authorities and higher education establishments is essential and relevant for several reasons:

• Vulnerability and increased targeting. Public authorities and educational establishments are increasingly falling victim to cybercriminals. Ransomware attacks targeting them increased by 24% and 9% respectively in 2022-2023 due to the sensitive data these organizations handle (citizens' personal data, research data, etc.).
• Continuity of essential services. Cyber attacks can paralyze local public services and educational activities, having a direct impact on citizens and students.
• Heterogeneity of security levels. Inclusion in the scope of the law aims to harmonize and raise the overall level of protection, establishing common obligations and standards to reduce the disparity in cybersecurity levels between entities.
• Accountability and governance. Application of the directive encourages the establishment of more structured security governance within these organizations, with clearly defined responsibilities for cybersecurity.
• Cooperation and information sharing. Including these entities in the regulatory framework can facilitate cooperation and information sharing on threats and best practices with the ANSSI (Agence nationale de la sécurité des systèmes d'information) and other cybersecurity players, thus reinforcing the collective security posture.

Inetum Cyber Trust, a partner you can trust

With a strong public and regional footprint, expertise in cybersecurity and regulatory compliance, and our UGAP and CANUT listings, Inetum offers support to local authorities and educational establishments through several services:

• Specialized support. We carry out cybersecurity audits to implement NIS2-compliant remediation plans and security measures, and define clear security policies.
• Targeted training and awareness campaigns. We offer impactful and stimulating crisis exercises between business and IT, communications and regulators, using programs based on new technologies such as AI, immersive and interactive training with the metaverse, or bringing in experts such as former members of the GIGN, firefighters and senior civil servants.
• Unifying actions. We streamline non-contradictory controls and remediation into a single program to encompass all actions specific to different cyber regulations.
• Cyber surveillance. Our CERT (Computer Emergency Response Team) monitors threats to local authorities and higher education establishments.
• Change management. We understand the challenge of empowering and involving all elected representatives and institutions in the integration of security as an essential element of their mandate. 

Extending the scope of NIS2 to local authorities and higher education establishments is a necessary measure to protect these key players in the face of the growing cyber threat. As Europe's leading provider of digital solutions and services, Inetum is committed to supporting these organizations in effectively implementing the new regulatory requirements.

A cyber project? Contact romain.massari@inetum.com
Linkedin Romain MASSARI / Inetum