This was an oversight that had worried French authorities for several years. In the future, digital services companies (ESNs) will have to comply with cybersecurity obligations, including an obligation to notify any serious incident within 72 hours so that an attack can be contained before it spreads.
These IT companies, which make their armies of consultants available to help businesses reap the benefits of e-commerce and remote work, escaped the measure when, in 2016, Europe adopted the ‘Network and Information Security’ (NIS) directive.
The revision proposed by the European Commission, on which Parliament and the member states have now agreed, brings them into the regime imposed on the economy’s essential operators. While NIS 1 covers only a few sensitive sectors such as energy, transport and cloud, NIS 2 extends to almost the entire economy, with the exception of companies with fewer than 50 employees.
Failure to comply with a whole set of technical and organizational measures intended to raise the level of protection against computer attacks will be punishable by a fine of up to 2% of the offending company’s worldwide turnover. Executives can also be held personally liable. “It was an aberration that the manufacturers of the digital substrate did not worry about regulation”, observes Guillaume Poupard, director general of the National Agency for the Security of Information Systems (Anssi), to which ESNs will now have to answer more directly.
The many attacks on ESNs in recent years have also played a part: the intrusions at Altran, Sopra-Steria, Econocom and others in 2019 and 2020 shook their customers. On several occasions, Anssi has warned of the risk of a rebound attack, that is, an attack that exploits a subcontractor’s weakness in order to reach its client.
A much wider scope
“I don’t see insurmountable restrictions in the new rules because we’ve already had to organize ourselves to deal with the intensity of the threat,” explains Paul Bayle, director of the security department at Atos.
But some obligations are complex to implement. For almost a year, the company led by Rodolphe Belmer has been rehearsing how to notify Anssi promptly in the event of an alert. Atos is not alone in having anticipated the rules. “At the request of our customers and to anticipate risks, we have been investing more and more in our own cybersecurity for several years now,” adds Fabien Lecoq, head of Sopra-Steria’s cybersecurity division.
Other regulations had already led ESNs to strengthen their defenses, in particular the obligations on the protection of personal data (the GDPR), which include a cybersecurity component. ESNs will now have to apply best practices across a much broader scope of their activities, despite the shortage of cybersecurity talent.
ESNs on an equal footing
However, they will have time to comply. Formal adoption of the revised NIS directive is imminent, but it will then have to be transposed into national law within the next two years, and will enter into force a further two years after that transposition.
For the ESNs, these obligations could also turn into an opportunity. On the one hand, the ESNs most virtuous in terms of cybersecurity will now compete on an equal footing with those that today cut corners on this cost item in order to offer lower prices and win over customers more interested in trimming the bill than in protecting themselves.
So, “NIS 2 restrictions for our customers will open up new markets for ESNs,” notes Quentin Sgard, Compliance Manager at Devoteam. “Regulation is an interesting guideline as it leads to enhanced cybersecurity for essential operators and ESNs,” adds Etienne de Sereville of the Cybersecurity Commission of Numeum, the industry’s professional association. All the more so since the size of the fines may lead large groups to raise their demands on their subcontractors, including small businesses.