
Article written by Pascal Coillet-Matillon for the Journal du Net.
The cyber lawyer essential for the company
To raise the cybersecurity level of many thousands of small and medium-sized businesses, NIS 2 contains many new standards.

The draft law transposing NIS 2, currently before the National Assembly, contains numerous obligations to raise the level of cybersecurity of the organizations concerned. For example, they will have to report any security incident within 24 hours of being identified. They will also be required to provide a report documenting the reported incident within one month of its occurrence. Finally, they will have to take measures to ensure the security of the information system even in the event of subcontracting or provide procedures for managing incidents.
All these new standards make the lawyer a “beacon in the storm of the cyber crisis”, says Rayan Le Calloch, legal director at Alcyconie, a company specialising in cyber crisis management. And for good reason: the lawyer is the only one capable of “qualifying and evaluating the risks and incidents” with regard to these new obligations, and then of deciding whether to report them to the competent authorities. This is why NIS 2 requires CIOs and CISOs to engage with legal professionals. This is the opinion of lawyer Marc-Antoine Ledieu, who specialises in cybersecurity law and presents himself as a “legal CISO”, and of CISO Jean-Philippe Gaulier. Securing the information systems of many small and medium-sized companies via his company Cyberzen, the latter explains that “cyber teams must have a lawyer to be able to deal with everything that needs to be dealt with from start to finish.”
To demonstrate that NIS 2 forces lawyers, CIOs and CISOs to dialogue, Marc-Antoine Ledieu relies on a draft decree implementing the transposition law that he has seen. Already prepared by the National Agency for the Security of Information Systems (ANSSI), even though the transposition law has still not been voted on by the deputies, it would run to about forty pages of “extremely detailed” standards mixing both the technical and legal aspects of cybersecurity. According to him, these cannot be understood by a CISO without the help of a lawyer. For his part, Jean-Philippe Gaulier specifies that NIS 2 will “strengthen the dialogue between CISOs and lawyers” by requiring the introduction of cybersecurity obligations in the contracts concluded between organizations and their subcontractors: “we are in both the legal and cyber fields.”
The liability of managers reinforces the need for the lawyer
According to lawyer Alexandra Iteanu, NIS 2 causes “an electroshock” that makes the legal function indispensable within the entities concerned, because of the sanctions that they and their managers may incur if they do not comply with the new regulations. “In reality, the lawyer has been at the heart of the cyber crisis since the General Data Protection Regulation, which also prescribes notification as soon as possible to the competent authority in the event of a personal data breach. But what changes with NIS 2 is that the managers can be held liable and that they will be directly concerned in the event of breaches.”
Consequently, the lawyer is a considerable asset for the management of a company concerned by the directive, because he mitigates the risk of it being heavily sanctioned, and the penalties provided for are substantial. They range from fines of up to €10 million to a sum equivalent to 2% of annual worldwide turnover, excluding taxes. The Enforcement Committee may also decide to suspend the performance of a director’s duties, and he or she may in addition be subject to criminal charges.
An essential cog before, during and after the cyber crisis
The cybersecurity lawyer can intervene at all the key stages of an organization’s compliance with NIS 2. First, to make the information system as secure as possible, the new regulations require scrupulous drafting of the contracts binding the entities concerned and their subcontractors. Indeed, they prescribe that the organization must ensure the cybersecurity of its supply chain, as subcontractors can be vectors of cyberattacks. This is the case, for example, when they have access to even a tiny part of the information system. To do this, the lawyer can introduce clauses in the contract that rigorously secure the relationship between the organization and its service providers, and verify their proper execution, as indicated by Marc-Antoine Ledieu.
Then, when a cyber crisis occurs, the lawyer is the one who allows you to take a step back from the situation in order to “manage it with regard to the law which, in turmoil, is inviolable: even in a crisis, it does not change”, says Rayan Le Calloch. The lawyer therefore makes it possible to correctly qualify the facts with regard to the legal obligations of cybersecurity, and to reassure where necessary. Indeed, the legal director at Alcyconie specifies that he is often confronted with crisis units who, panicked by an alert, wish to issue a notification to the National Commission for Information Technology and Civil Liberties (CNIL) when the conditions for doing so are not met. The lawyer can also take an active part in crisis communication so that it uses legal terms adapted to the situation, which seems necessary “in a context of judicialization of cyberattacks”.
Finally, after the cyber crisis, the lawyer must “seek the responsibility of the person who caused or made possible the cyberattack because he was negligent”, says Marc-Antoine Ledieu. This requires collecting evidence in collaboration with the technical teams. During this pre-litigation phase, he must also perform the obligations set out in the insurance contract he has negotiated, in particular that of filing a complaint within the required deadline.