NIS2 Local Authorities Multi-Site: Complete Guide (1000+ Employees)
NIS2 Directive: which local authorities are concerned? How to bring a multi-site community of municipalities into compliance (multiple town halls, 1000 employees, 150 IS)? Detailed checklist, architecture, timeline and costs.
NIS2: Which local authorities are concerned?
The NIS2 directive (Network and Information Security 2), which came into force on October 17, 2024, applies to "essential entities" and "important entities" providing critical services. For local authorities, this mainly concerns:
Authorities concerned by NIS2
- Communities of municipalities/agglomerations: more than 1000 employees, or shared critical services (water, energy, waste)
- Medium and large cities: more than 50,000 inhabitants, managing essential services (civil status, social, urban planning)
- Departments and regions: digital infrastructure, health (hospitals), education (colleges/high schools)
- Intermunicipal syndicates: water, sanitation, waste, energy, if more than 250 people are served
NIS2 Eligibility Criteria
You are concerned if your authority meets at least one of these criteria:
- Management of an essential service (water, energy, waste, transport)
- More than 50 employees working on critical information systems
- Annual digital budget > 100K€
- Digital service provider for other authorities
- Hosting of sensitive citizen data (civil status, social, health)
NIS2 Sanctions: in case of non-compliance, sanctions can reach 10 million euros or 2% of the authority's annual budget, with publication of the sanction and personal liability of elected officials.
Use case: Multi-site community of municipalities
Community of Agglomeration (anonymized name)
Community of agglomeration grouping a dozen municipalities, 50,000 inhabitants, Nouvelle Aquitaine region (southwest)
Characteristics:
- 1200 employees spread over a dozen sites (town halls + shared services)
- 150 information systems: civil status, finance, HR, technical (water, waste)
- Shared services: IT, HR, finance, urban planning, social, early childhood
- Digital budget: 850K€/year (hardware, licenses, vendors)
- Vendors: Outsourced IT (15 people), hosting, application maintenance
Essential services managed:
- Drinking water: 40,000 subscribers, remote reading, billing
- Sanitation: 5 treatment plants, SCADA supervision
- Waste: collection 25 municipalities, 3 recycling centers
- Civil status: 25 connected town halls, dematerialized archiving
- Social action: CCAS, sensitive personal data
Why this authority is subject to NIS2
This community of agglomeration cumulates several eligibility criteria:
- ✓ Management of essential services (water, sanitation) for more than 40,000 people
- ✓ More than 1000 employees using interconnected IS
- ✓ Hosting of sensitive citizen data (civil status, social)
- ✓ Digital budget > 100K€/year
Specific challenges of multi-site authorities
1. Heterogeneity of information systems
Each municipality historically has its own applications (civil status, finance, HR). The community of municipalities has added its own IS for shared services. Result: 150 different applications, some obsolete, others in SaaS, others hosted on-site.
2. Multiple stakeholders
NIS2 involves coordinating: a dozen mayors, the presidency of the community, the outsourced IT department, business departments (water, waste, social), vendors (hosters, maintenance), and 1200 employees who must be trained.
3. Budget constraints
Authorities have limited budgets. The cost of NIS2 compliance must not exceed 3-5% of the annual digital budget, i.e. 25-40K€ for our use case. Hiring a full-time CISO (80K€/year) or paying a Big4 consulting firm (150K€) is out of reach.
4. Regulatory urgency
NIS2 has been applicable since October 2024. ANSSI audits can start now. The authority must prove that it has at least launched the project and has a credible action plan over 12-18 months.
NIS2 Checklist for local authorities (25 essential points)
1. Governance and organization
- Appoint a cybersecurity officer (CISO or equivalent)
- Create a cyber steering committee (elected officials + IT + business)
- Define roles and responsibilities (RACI)
- Validate annual cyber budget (3-5% digital budget)
2. Asset mapping and essential services
- Inventory of 150 IS (applications, servers, networks)
- Identify essential services under NIS2 (water, civil status, social)
- Map dependencies (critical IS → essential services)
- Assess criticality of each IS (impact if unavailable)
3. Risk analysis and management
- Risk analysis on critical IS (EBIOS RM method)
- Risk prioritization (criticality × probability)
- Risk action plan with timeline and owners
- Continuous monitoring of residual risks
4. Technical and organizational measures
- Access security: mandatory MFA, privileged account management
- Encryption of sensitive data (civil status, social)
- 3-2-1 backup (3 copies, 2 media, 1 off-site)
- Security monitoring (logs, intrusion detection)
- Security patch management
5. Awareness and training
- Cybersecurity training for 1200 employees (e-learning)
- Regular awareness campaigns (phishing, passwords)
- Specific training for IS administrators
6. Crisis management and continuity
- Cyber incident response plan (who does what in case of attack)
- Business continuity plan (BCP) for essential services
- Annual plan testing (crisis exercises)
- Incident reporting to ANSSI (within 24h if major)
7. Vendor management
- Cybersecurity audit of all critical vendors
- Cyber clauses in contracts (responsibilities, SLA, insurance)
- Annual review of vendor compliance
Via OwlCub demo: interactive checklist + automated tracking
Multi-site compliance architecture with OwlCub
Community level
- Centralized OwlCub GRC platform
- Community cyber officer (0.5 FTE)
- Consolidated dashboard for the 25 municipalities
- ANSSI reporting + council reporting
Municipality level (10 sites)
- OwlCub access per municipality
- 1 cyber officer per municipality (0.1 FTE)
- Local IS mapping
- Site-specific action plans
Vendor level
- Outsourced IT: OwlCub admin access
- Hosters: annual tracked audits
- Publishers: contracts with cyber clauses
- Continuous compliance monitoring
Automated compliance workflow
1. Municipalities fill in their IS mapping in OwlCub
2. Automatic consolidation at community level
3. Global risk analysis + prioritization
4. Action plans dispatched by site
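To make the mapping and risk steps above concrete (inventory of IS, dependencies between IS and essential services, criticality × probability prioritization, consolidation at community level and dispatch of actions by site), here is an added Python example. It is not OwlCub code and not part of the platform; the 1-4 scales, the service list, the system names, sites and probabilities are all constructed for illustration, and the propagation rule (an IS is at least as critical as every IS that depends on it, so the shared directory or WAN inherits the criticality of the water or civil-status systems running on top of it) is this example's own choice, not a prescription of NIS2 or of EBIOS RM.

```python
from dataclasses import dataclass
from typing import Dict, List

# 1-4 scales for the "criticality x probability" prioritization (constructed).
IMPACT = {"low": 1, "medium": 2, "high": 3, "critical": 4}
PROBABILITY = {"rare": 1, "possible": 2, "likely": 3, "frequent": 4}

# Essential services and the impact if each becomes unavailable (constructed
# values, loosely following the services listed on the page).
ESSENTIAL_SERVICES = {
    "drinking_water": "critical",
    "sanitation": "critical",
    "civil_status": "high",
    "social_action": "high",
    "waste": "medium",
}


@dataclass
class InfoSystem:
    name: str
    site: str               # municipality or shared-service site that owns the IS
    services: List[str]     # essential services the IS directly supports
    depends_on: List[str]   # other IS it cannot run without (directory, network, ...)
    probability: str        # likelihood of outage/compromise, from the vulnerability review


def direct_criticality(system: InfoSystem) -> int:
    """Impact of the most critical essential service the IS directly supports."""
    if not system.services:
        return IMPACT["low"]
    return max(IMPACT[ESSENTIAL_SERVICES[s]] for s in system.services)


def propagate_criticality(registry: Dict[str, InfoSystem]) -> Dict[str, int]:
    """Each IS is at least as critical as every IS that depends on it.

    Fixed-point iteration over the dependency edges: shared infrastructure such
    as the directory or the WAN inherits the criticality of the services that
    sit on top of it, which a per-application inventory alone would miss.
    Scores only ever increase and are bounded, so cycles terminate too.
    """
    crit = {name: direct_criticality(s) for name, s in registry.items()}
    changed = True
    while changed:
        changed = False
        for name, system in registry.items():
            for dep in system.depends_on:
                if dep not in registry:
                    # A dependency nobody inventoried is itself a mapping gap.
                    raise KeyError(f"{name} depends on unknown IS {dep!r}")
                if crit[dep] < crit[name]:
                    crit[dep] = crit[name]
                    changed = True
    return crit


def risk_register(registry: Dict[str, InfoSystem]) -> List[dict]:
    """Consolidated register: one row per IS, highest risk score first."""
    crit = propagate_criticality(registry)
    rows = []
    for name, system in registry.items():
        prob = PROBABILITY[system.probability]
        rows.append({
            "name": name,
            "site": system.site,
            "criticality": crit[name],
            "probability": prob,
            "score": crit[name] * prob,
        })
    return sorted(rows, key=lambda r: (-r["score"], r["name"]))


def actions_by_site(register: List[dict], threshold: int = 8) -> Dict[str, List[str]]:
    """Dispatch: for each site, the IS whose score reaches the action threshold."""
    plan: Dict[str, List[str]] = {}
    for row in register:
        plan.setdefault(row["site"], [])
        if row["score"] >= threshold:
            plan[row["site"]].append(row["name"])
    return plan


# Constructed inventory: shared services of the community plus one member town hall.
REGISTRY = {s.name: s for s in [
    InfoSystem("AD-shared", "shared_services", [], [], "possible"),
    InfoSystem("network-wan", "shared_services", [], [], "possible"),
    InfoSystem("water-billing", "shared_services", ["drinking_water"], ["AD-shared"], "likely"),
    InfoSystem("scada-plants", "shared_services", ["sanitation"], ["network-wan"], "likely"),
    InfoSystem("waste-routing", "shared_services", ["waste"], [], "frequent"),
    InfoSystem("hr-payroll", "shared_services", [], ["AD-shared"], "possible"),
    InfoSystem("civil-status-A", "town_hall_A", ["civil_status"], ["AD-shared", "network-wan"], "rare"),
]}

if __name__ == "__main__":
    register = risk_register(REGISTRY)
    for row in register:
        print(f"{row['score']:>2}  {row['name']:<15} {row['site']}")
    print(actions_by_site(register))
```

The point to notice in the output is that the directory and the WAN, which support no essential service directly, end up with the same criticality as the SCADA and water-billing systems: without the propagation step, a register built only from the application inventory would leave them at the bottom of the list and the action plan for the shared IT site would miss them.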
Vendor management: External IT, managed services, hosters
Local authorities massively use external vendors: shared IT department, cloud hosters, business software publishers, maintenance. NIS2 requires that you audit and supervise the cybersecurity of these third parties.
Outsourced IT (most common case)
Your IT is managed by a joint syndicate or a private vendor. You remain responsible for NIS2 compliance, even if the vendor operates the systems.
Actions to take:
- Audit NIS2 compliance of IT vendor (via OwlCub: standardized questionnaire)
- Add cyber clauses to contract: compliance obligation, incident notification within 4h, annual audits
- Give OwlCub access to external IT: they become compliance actors, not spectators
- Quarterly cyber review (steering committee authority + IT)
Cloud hosters and datacenters
Your applications are hosted at OVH, AWS, Azure, or a local datacenter. NIS2 requires verifying their resilience and security.
Actions to take:
- Verify hoster certifications (ISO 27001, HDS if health data)
- Require annual SOC 2 Type II report (security evidence)
- Data location: favor France/EU (sovereignty)
- Hoster continuity plan (guaranteed RTO/RPO)
Business software publishers
You use dozens of SaaS software (civil status, finance, HR, social). Their vulnerabilities can expose you.
Actions to take:
- Mandatory cybersecurity questionnaire for any new publisher (OwlCub template)
- Verify patch management policy (critical CVE patch timelines)
- GDPR clauses (DPA) + cyber clauses (incident notification within 24h)
- Annual monitoring: does the publisher maintain its security level?
Timeline: NIS2 compliance in 6-12 months
Phase 1: Scoping and launch
- ✓ Steering committee constitution (elected officials + IT + business)
- ✓ Community cyber officer appointment
- ✓ OwlCub GRC platform subscription
- ✓ Team training (2 days)
- ✓ Communication to member municipalities
Phase 2: Mapping and analysis
- ✓ 150 IS mapping (1 month, automated with OwlCub)
- ✓ Essential services identification (water, civil status, social)
- ✓ Risk analysis on critical IS (light EBIOS RM method)
- ✓ Vendor audit (IT, hosters, publishers)
- ✓ NIS2 gap analysis (gaps vs requirements)
Phase 3: Technical measures deployment
- ✓ MFA on all accounts (3-month progressive deployment)
- ✓ Backup strengthening (3-2-1)
- ✓ Sensitive data encryption (civil status, social)
- ✓ Security monitoring (centralized logs, optional external SOC)
- ✓ Automated patch management
Phase 4: Training and documentation
- ✓ Cybersecurity e-learning for 1200 employees (integrated OwlCub platform)
- ✓ Policy writing (PSSI, BCP, incident response plan)
- ✓ Operational procedures (account management, incidents, vendors)
- ✓ Phishing test campaign (with Owly AI)
Phase 5: Audit and continuous improvement
- ✓ Internal NIS2 audit (external consultant or OwlCub AI audit)
- ✓ Cyber crisis exercise (ransomware simulation)
- ✓ Compliance report for council + ANSSI
- ✓ Continuous improvement planning (2-3 year roadmap)
Note: This timeline is realistic for a medium-sized authority (1000 employees, 150 IS) with the help of an automated GRC platform and a part-time CISO consultant. Without tooling, expect 18-24 months.
Costs & ROI: Realistic budget for 1000 employee authority
NIS2 compliance budget (Year 1)
- Authority digital budget: 850K€/year
- Year 1 NIS2 cost: 109,800€, i.e. 109,800€ / 850,000€ = 12.9% of the digital budget
- ✓ Budget compliant with recommendations (3-15% of digital budget for initial compliance)
Recurring budget (Year 2+)
- Recurring cost: 54,200€/year, i.e. 54,200€ / 850,000€ = 6.4% of the digital budget
- ✓ Sustainable budget (5-8% of digital budget recommended for security maintenance)
- Comparison: vs 200K€ without a GRC platform
- Cost of non-compliance: sanctions (see NIS2 Sanctions above) + reputational impact
NIS2 Local Authorities FAQ
Is my small 2000 inhabitant municipality concerned by NIS2?
Probably not if isolated. NIS2 targets authorities managing essential services on a large scale. However, if you are a member of a community of municipalities subject to NIS2, you will be indirectly impacted (harmonization of cyber practices, audit of shared vendors). GDPR remains mandatory for all municipalities (citizen data).
Who is responsible in case of cyber incident: the municipality or the community?
It depends on the distribution of competencies. If IT is shared at community level, the community is responsible under NIS2. Individual municipalities remain responsible for their own IS (e.g. local business applications). Responsibilities must be clearly defined in a sharing agreement annexed to the statutes.
Must a full-time CISO be hired to be NIS2 compliant?
No, not necessarily. NIS2 requires a "cybersecurity officer", who can be part-time or external. For a 1000 employee authority, optimal solution: 0.5 FTE internal cyber officer (from IT or business) + 1-2d/month external CISO consultant (expert skills, audits). Cost 15-30K€/year vs 80K€ full-time CISO.
How to train 1000+ employees in cybersecurity with a limited budget?
E-learning + conversational AI. In-person training costs 500-1000€/day for 15 people, which is prohibitive. Solution: cybersecurity e-learning (15-30€/employee/year) + the Owly AI assistant integrated in OwlCub that answers employees' daily questions. Completion rate >90% vs <50% for in-person training.
What happens if we are not ready for an ANSSI audit?
ANSSI can conduct unannounced audits. If you are behind, there are two scenarios: (1) You have launched the project with a credible action plan: ANSSI grants additional time (3-6 months) under supervision. (2) You have done nothing: formal notice, then sanctions (10M€ or 2% of budget). Our advice: start immediately with OwlCub to have traceability of your efforts.
Can NIS2 compliance be shared among several authorities?
Yes, and it is highly recommended. Several communities of municipalities or departments can share: the GRC platform (group license), the external CISO consultant (circuit riding between authorities), employee training, vendor audits. Economies of scale of 30-40%. OwlCub offers group packages for authorities. Contact us for custom pricing.
Local authorities: Start your NIS2 compliance now
OwlCub GRC platform special multi-site authorities: IS mapping, risk management, employee training, ANSSI reporting. Free 30-minute demo.
✓ Degressive multi-site pricing • ✓ GDPR module included • ✓ Dedicated public support • ✓ ANSSI financing possible