NIS 2 FAQ – Cybersecurity lawyers in Paris: compliance & IT contracts (NIS2 Directive) | AUMANS AVOCATS

Why work with AUMANS AVOCATS on NIS 2 compliance?

Trust markers: the firm’s IT/Data team is distinguished by The Legal 500 (Data Privacy & Data Protection) and AUMANS AVOCATS is a partner of the Forum INCYBER (FIC), a leading European cybersecurity event.

  • Pragmatic, actionable approach: translating NIS2 requirements into a prioritised roadmap aligned with your operational reality.

  • IT contracts & suppliers (Article 21): negotiating and operationalising cybersecurity clauses so you can better control key vendors (cloud/SaaS/outsourcing) and supply chain obligations.

  • Fast incident support: legal assessment, notification strategy and crisis management alongside your internal teams and technical providers.

  • Inspections and dispute readiness: evidence packs, response strategy and support in pre-litigation/litigation—especially for IT contract disputes.

Need an initial assessment? Contact the firm for a 30–60 minute scoping call and a tailored proposal (scope, deliverables, timeline).

Our IT/Data & cybersecurity expertise

AUMANS AVOCATS advises on digital law, data protection (GDPR), IT contracts and cybersecurity. This cross-disciplinary expertise is particularly valuable for NIS2: compliance combines governance, operational security requirements, incident/notification workflows and supply chain contractual security (Article 21), with a strong focus on documentation and evidence.

Geographic coverage: Paris, Île-de-France, France & Europe

  • Coverage: support in Paris and the Île-de-France region, across France, and (depending on the project) at European level for groups, subsidiaries and cross-border vendors.

  • Typical stakeholders: executive management, CISO/cybersecurity teams, CIO/IT, legal, procurement, risk/compliance, business continuity and crisis teams.

  • Industries: organisations potentially in scope of NIS2 (essential/important entities) and critical service providers.

Frequently asked questions (FAQ)

1) NIS 2 compliance: who is this support for?

For organisations that may fall within the scope of NIS2 ("essential" or "important" entities depending on sector and size), as well as their subsidiaries/establishments, critical service providers and executives subject to governance obligations. We also support early-stage scoping to confirm applicability, prioritise actions and structure the compliance programme.

2) NIS2 applicability: how can we tell whether we are in scope (essential or important entity)?

We conduct an eligibility assessment: sector analysis, mapping of relevant activities, verification of size thresholds, review of specific cases (groups, multi-activity organisations, value chains) and an initial qualification as "essential" or "important" under the applicable rules. The outcome is documented in a position paper with the proposed compliance perimeter.

3) What are the key NIS2 topics?

  • Governance and management accountability (approval, oversight, training).
  • Cyber risk management (proportionate organisational and technical measures).
  • Incident handling and notification duties.
  • Supply chain security (suppliers and service providers).
  • Business continuity, resilience and crisis management.
  • Supervision, inspections, sanctions and evidence/documentation.

4) What NIS2 compliance services does AUMANS AVOCATS provide?

  • Scoping & perimeter: applicability assessment, mapping of entities/systems in scope, programme governance.
  • Maturity assessment: gap analysis against NIS2 requirements, prioritisation.
  • Compliance roadmap: action plan, milestones, responsibilities, governance model and KPIs.
  • Governance & accountability: committee structure, roles (management/CISO/DPO), policies and delegations, executive training.
  • IT contracts & suppliers (Article 21): mapping of direct vendors, procurement strategy, due diligence, cybersecurity clauses (incident/notification, vulnerabilities, audits, subcontracting) and contract governance (KPIs, reviews, evidence).
  • Incidents & crisis: procedures, notification readiness, tabletop exercises.
  • Compliance & evidence: documentation, evidence registers, preparation for inspections and discussions with competent authorities.
  • Inspections/investigations support: strategy, responses, sanction risk management, litigation where relevant (including vendor-related issues).
  • Pre-litigation & litigation on IT contracts: support in disputes (SLAs/penalties, downtime, cyber incidents, security non-compliance, audits, unauthorised subcontracting), formal notices, amendments, evidence management, termination/exit and representation where relevant.
  • Regulatory watch: monitoring French implementation and continuous updates.

5) Do you work with the CISO, the DPO and IT teams?

Yes. NIS2 compliance is cross-functional: management, CISO/cybersecurity, IT, risk/compliance, procurement, legal and business teams—and sometimes the DPO (especially where incidents involve personal data or where there are synergies with GDPR). We help clarify responsibilities, coordinate contributions and support decision-making.

6) Incident management & NIS2 notification: can you support us during a cybersecurity incident?

Yes. We support your crisis team with legal incident qualification, decision support (notification, communications, contractual steps), preparation and review of notifications (NIS2 and, where applicable, GDPR), evidence preservation, coordination with technical counsel (forensics), and a strategy to manage regulatory and dispute risks.

7) Suppliers & supply chain: how do you address vendor security under NIS2?

We help you implement a tailored vendor approach: segmentation (critical/important/standard), minimum requirements, questionnaires and due diligence, contractual clauses (security measures, incident notification, subcontracting, exit/reversibility, audits) and operational follow-up processes.

The goal is to align contracts and day-to-day practices with NIS2 requirements and your risk level.

Under Article 21 of the NIS2 Directive, “supply chain security” notably covers security aspects related to the relationship between the entity and its direct suppliers/service providers. In practice, this means embedding cybersecurity requirements in IT contracts (SaaS, outsourcing, cloud, hosting, maintenance, software vendors, integrators), making them operational (processes, indicators, controls) and being able to evidence them.

8) IT contracts (NIS2 Article 21): our services to secure cybersecurity clauses

In practice, “IT contract management” under Article 21 means securing your relationships with key technology providers (cloud, SaaS, outsourcing, hosting, maintenance, software vendors, integrators) to reduce operational risk, avoid blind spots during incidents, and demonstrate at any time that cybersecurity requirements are properly embedded and effectively managed.

  • Define the perimeter and the critical points: truly critical services, access granted (admin/data), dependencies (hosting, software) and subcontractors.
  • Set a proportionate security baseline: “must-have” requirements (MFA, logging, patching, backups, encryption…) aligned with your risk level and the service.
  • Be ready when it happens (alerts & notifications): rapid alerting, cooperation, required facts, crisis communication channels, and alignment between contractual timelines and regulatory notification duties.
  • Control vulnerabilities and updates: treatment rules, remediation SLAs, support, end-of-life/obsolescence and coordinated disclosure.
  • Keep control of subcontracting chains: transparency, change management, flow-down obligations and key risk points (location, critical services).
  • Obtain usable assurance (audit & evidence): certifications/reports (ISO, SOC…), tailored audit rights, access to evidence and a managed remediation plan.
  • Secure continuity and exit: BCP/DRP, testing, RTO/RPO, exit/reversibility, migration support, return/deletion of data.
  • Put in place simple, effective governance: committees, cybersecurity KPIs, periodic reviews, change control and an evidence file ready for inspections or disputes.

Our goal is to improve control and reactivity vis-à-vis key vendors while protecting your room for manoeuvre (SLAs, audits, remediation, continuity, reversibility) and your ability to account for compliance with a clear evidence trail.

What you get (deliverables): a ready-to-use NIS2 IT contracts pack including (i) an IT contracts & critical vendors mapping, (ii) a legal/cyber review checklist, (iii) a library of cybersecurity clauses and security annexes (incident/notification, audits, subcontracting, vulnerabilities, reversibility), (iv) recommendations on SLAs/KPIs, and (v) an evidence file template usable for inspections, incidents or disputes.

9) Do you provide NIS2 training (management, executive team, operational teams)?

Yes. We provide tailored sessions: executive awareness on governance and oversight duties, training for support functions (legal, procurement, risk/compliance) on key requirements, and practical workshops (notification, crisis management, vendors). Materials can be adapted to your sector and risk scenarios.

10) What deliverables can we expect?

  • NIS2 scoping/perimeter memo (assumptions and rationale).
  • Prioritised gap analysis matrix.
  • Compliance roadmap (action plan and timeline).
  • Cybersecurity and incident-notification clauses/templates.
  • NIS2 IT contracts pack (mapping, review checklist, clause/annex library by contract type, SLA/KPI recommendations, governance plan).
  • Supplier risk matrix and remediation plan (priorities, owners, deadlines), including contract improvements.
  • Supplier-incident playbook: contractual communications, information requests, evidence preservation and coordination with technical investigation.
  • IT contracts pre-litigation/litigation kit: strategy, timeline of facts, evidence bundle, draft formal notices, and exit/reversibility scenarios.
  • Policies/procedures (or update recommendations): incident handling, crisis management, governance, suppliers.

11) How are fees structured?

Depending on your needs, we work on a fixed-fee basis (scoping, gap analysis, document packs) or time-based/retainer arrangements (programme steering, ongoing support, incident response). A proposal is issued after a scoping discussion (scope, stakeholders, expectations, deadlines, deliverables).

12) Timeline: how long does an NIS2 project take?

The timeline depends on size, complexity (multi-site/multi-subsidiary), existing controls and maturity. As an indication, scoping + gap analysis can be delivered within a few weeks, and implementation then runs through prioritised workstreams over several months (quick wins plus a structured trajectory).

13) How do we get started with AUMANS AVOCATS?

We start with a 30–60 minute scoping call to understand your sector, organisation and priorities. We then share a proposed engagement (scope, approach, timeline and deliverables).

14) How do you align NIS2 with GDPR, ISO 27001 and other frameworks (e.g., DORA)?

We look for synergies and avoid duplication: reusing existing controls and evidence (ISMS/ISO 27001, internal policies), ensuring consistency of incident procedures (NIS2/GDPR), and aligning vendor contracting. Where multiple regimes apply depending on your sector, we help build an integrated, risk-based approach focused on effective implementation and demonstrability.