NIS2 compliance: lessons learned by Orange Business?

In the face of rising cyber threats, with 135,225 incidents detected in 2024 (+4.5% in one year, Source: OCD Security Navigator 2025), the NIS2 directive emerges as a key framework to strengthen cybersecurity across Europe. Etienne Bauche, Chief Security Officer at Orange Business, shares insights and experiences from Orange Business to help companies tackle this challenge.

What are the key challenges of the NIS2 directive for businesses, particularly for Orange Business?

The NIS2 directive aims to establish a common cybersecurity foundation across Europe for essential and important entities, spanning 18 sectors. Approximately 15,000 companies in France and 100,000 across Europe are affected. The goal is to foster a safer and more resilient digital environment.

For businesses, the main challenges include implementing enhanced technical and organizational measures based on risk assessments, including supply chain risks. This directive will have a systemic impact beyond the directly targeted sectors. Companies must also prepare for stricter controls and penalties for non-compliance. Additionally, multinational companies will need to navigate varying national transpositions of the directive.

These challenges are particularly significant at Orange Business. Operating in several regulated sectors and present in most EU countries, we must not only ensure our own compliance with NIS2 but also support our clients in achieving compliance through tailored solutions and guidance.

How has Orange Business approached its own compliance with NIS2?

At Orange Business, we have chosen to integrate compliance with all recent European regulations, such as NIS2, DORA, CER, and CRA, into a single unified program with centralized governance. This program covers all European countries where we operate.

To develop it, we relied on the expertise of Orange Cyberdefense and Orange Consulting. This approach serves a dual purpose: maximizing efficiency and minimizing the costs associated with compliance. We use common processes and tools, such as an enhanced security incident management process deployed across all our subsidiaries.

Additionally, we adapt specific measures in each of the 22 countries where we operate to meet local authorities' and clients' expectations. Finally, we leverage security certifications and attestations, such as ISO 27001 and SOC 2, to independently demonstrate the relevance and effectiveness of our security measures.

What are the benefits for Orange Business clients?

Whether it’s NIS2 or DORA, these regulations raise the overall level of cybersecurity by imposing a formal, common, and auditable framework. They enhance business resilience and provide greater transparency in risk management. For Orange Business clients, working with a provider that is subject to NIS2 and multi-certified offers key guarantees: better data protection, strengthened service continuity, and increased transparency in areas such as incident management and audits. For those also subjected to regulations, such as financial sector players under DORA, this simplifies supplier risk management and reduces audit-related costs.

Moreover, the outcomes of our compliance program benefit all our clients uniformly, regardless of their sector, size, or the country where they use our services. This ensures a high level of reliability and security across Europe.

What compliance insights can Orange Business share?

Although national transpositions of NIS2 are still underway, we can share some initial lessons from our experience. Anticipation was key: we quickly mobilized the Group executive committee to ensure strong commitment from the outset. We also defined clear priorities to guide implementation and established a unique transnational requirements framework against which a gap analysis was performed by Orange Cyberdefense. This allowed us to approach compliance globally, rather than country by country, while accounting for local specificities. A dedicated tool for tracking compliance and storing evidence was also deployed to ensure optimal traceability.

Additionally, we communicated extensively, including with employees outside Europe, to ensure understanding and buy-in at all levels. Finally, we ensured our approach covered all business segments, from small structures to large corporations. Our compliance program is currently being finalized and will depend on the implementation deadlines in each European country. These initial insights now enable us to share our experience and support our clients in their own compliance efforts. This reflects our commitment to anticipating changes and fostering innovation in a trusted digital environment.

Etienne Bauche

Étienne is the Chief Security Officer at Orange Business. 
With over 25 years of experience in telecommunications, he has held strategic roles in operations transformation, complex program management, and international leadership. He has led teams in more than 60 countries and managed major security, business continuity, and regulatory compliance projects. 
A graduate of École Polytechnique and École Nationale Supérieure des Télécommunications, Étienne is fluent in six languages. 
He is recognized for his expertise in large-scale transformation and multicultural management.