What is the NIS2 Directive? A Guide for Businesses in France

For CISOs and IT leaders managing operations in France, the NIS2 Directive (Directive (EU) 2022/2555) marks a pivotal moment in European cybersecurity. It is not an incremental update of its predecessor but a broad strengthening of cyber resilience mandates that brings a much wider range of French businesses into scope. Meeting these obligations requires a clear understanding of the directive's core tenets and of how France is implementing them in national law. Non-compliance carries substantial risk: administrative fines, personal liability for management, reputational damage and operational disruption.

This guide aims to cut through the complexity, offering English-speaking cybersecurity professionals in France authoritative and actionable insights. We will delve into NIS2’s purpose, the French transposition process, the entities in scope, and the critical requirements you must address to ensure your organisation is compliant and resilient against the ever-evolving cyber threat landscape.

The Evolution of EU Cybersecurity: From NIS1 to NIS2

The NIS2 Directive supersedes the original Network and Information Security (NIS) Directive (EU 2016/1148). While NIS1 provided the initial framework for cybersecurity across the EU, its varied national implementations and limited scope were identified as weaknesses. NIS2 addresses these by:

  • Expanded Scope: Broadening the range of critical sectors and digital service providers covered, including new industries vital to the European economy.
  • Enhanced Requirements: Introducing more stringent cybersecurity risk management measures and stricter, harmonised incident reporting obligations.
  • Consistent Enforcement: Aiming for greater uniformity in supervisory approaches and the application of penalties across Member States.
  • Supply Chain Focus: Placing a significant emphasis on managing cybersecurity risks throughout the entire supply chain.

Formally adopted on 14 December 2022, published in the Official Journal on 27 December 2022 and in force since 16 January 2023, NIS2 is designed to raise the common level of cybersecurity across the Union against sophisticated and pervasive cyber threats.

France’s National Approach: Transposing NIS2 into French Law

As an EU Directive, NIS2 has no direct effect: each Member State must transpose its provisions into national law and designate a competent authority, which in France is the Agence nationale de la sécurité des systèmes d’information (ANSSI), the national cybersecurity agency. Rather than amending existing texts piecemeal, France chose a dedicated bill, the projet de loi relatif à la résilience des infrastructures critiques et au renforcement de la cybersécurité, which transposes NIS2 together with the CER Directive (EU 2022/2557) and the DORA directive (EU 2022/2556), and which will be completed by implementing decrees (décrets) once adopted.

The EU deadline for national transposition was 17 October 2024, with the transposed provisions applying from 18 October 2024. Like most Member States, France missed it. The bill was adopted by the Senate at first reading in March 2025 and, as of September 2025, is still before the National Assembly; the decrees that will fix the exact obligations, thresholds and ANSSI's enforcement powers can only follow its final adoption.

This ongoing legislative process does not imply a grace period for French organisations. The core principles and requirements of NIS2 are clear, and French CISOs must proactively prepare to align their cybersecurity posture. ANSSI’s existing expertise and guidance will form the bedrock of France’s NIS2 implementation, making engagement with their recommendations crucial for businesses in France.

Are You in Scope? NIS2 Entity Types in the French Context

A critical first step for any French enterprise is to definitively ascertain if it falls within NIS2’s scope and, if so, under which classification. NIS2 primarily targets medium and large entities in designated critical sectors, but also includes certain smaller entities deemed highly critical. Entities are categorised into two main types, affecting the level of supervision and potential penalties:

  • Entités essentielles (Essential Entities):
    • Large organisations (broadly, 250 or more employees, or a turnover above €50 million together with a balance sheet above €43 million) operating in the sectors of high criticality listed in Annex I: energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management (business-to-business), public administration and space. Examples relevant to France include major energy players (e.g., EDF, Engie, the grid operators), transport operators (e.g., SNCF, Aéroports de Paris, Air France), banks and market infrastructures (e.g., BNP Paribas, Crédit Agricole, Euronext), healthcare providers (e.g., Assistance Publique – Hôpitaux de Paris (AP-HP), large pharmaceutical groups), digital infrastructure providers (e.g., major ISPs like Orange, large cloud service providers) and central and regional public administration. A few categories are essential regardless of size, notably DNS service providers, TLD name registries and qualified trust service providers. Classification follows sector and size, not a company's name or reputation.
    • These entities are subject to proactive (ex ante) supervision and stricter enforcement, including audits and inspections by ANSSI or other designated national authorities without waiting for an incident.
  • Entités importantes (Important Entities):
    • Medium-sized entities in the Annex I sectors above, and medium and large entities in the Annex II sectors: postal and courier services (e.g., La Poste), waste management, chemicals, food production and distribution, manufacturing (medical devices, computers and electronics, electrical equipment, machinery, motor vehicles and other transport equipment, which captures many Airbus and Stellantis suppliers), digital providers (online marketplaces, online search engines, social networking platforms) and research organisations.
    • These entities must implement the same Article 21 risk management measures as Essential Entities, but supervision is reactive (ex post): ANSSI or another competent authority would intervene after an incident or on evidence of non-compliance.

Both Essential and Important Entities face substantial fines for non-compliance. Essential Entities can face penalties of up to €10 million or 2% of total worldwide annual turnover (whichever is higher), and Important Entities up to €7 million or 1.4% of total worldwide annual turnover (whichever is higher). The French transposition places supervision with ANSSI; the procedure by which these fines are imposed will be fixed by the final text and its decrees.

Organisations must conduct a thorough self-assessment based on their sector, size and the services they provide. ANSSI already offers an eligibility self-test on its MonEspaceNIS2 portal, and more detailed guidance on classification is expected once the national text is final.


Core NIS2 Requirements: What French CISOs Must Implement

NIS2 Article 21 sets out the cybersecurity risk management measures that every in-scope entity in France must implement, following an all-hazards approach and proportionate to the entity's exposure, size and the likelihood and impact of incidents. Article 21(2) lists ten minimum measures; CISOs must be able to show that each of them is addressed:

  • Policies on risk analysis and information system security: Establish clear strategies for identifying, assessing, and mitigating cyber risks, aligning with ANSSI’s existing risk management frameworks (e.g., the EBIOS Risk Manager method).
  • Incident handling: Develop robust procedures for detecting, containing, analysing, and responding to cybersecurity incidents, including the reporting obligations towards ANSSI described below.
  • Business continuity and crisis management: Implement backup management, disaster recovery, and crisis communication plans to ensure continuity of critical services during and after a cyber incident.
  • Supply chain security: Address cybersecurity risks stemming from your direct suppliers and service providers through due diligence and contractual measures, taking into account each supplier's own security practices and vulnerabilities. This is particularly crucial given France’s complex industrial and digital supply chains (e.g., aerospace, defence, automotive).
  • Security in network and information systems acquisition, development, and maintenance: Integrate security throughout the lifecycle of IT systems, including vulnerability handling and coordinated disclosure processes.
  • Policies and procedures to assess the effectiveness of cybersecurity risk management measures: Define how controls are tested and reviewed (audits, exercises, metrics) so that compliance can be demonstrated, not just asserted.
  • Basic cyber hygiene practices and cybersecurity training: Enforce baseline practices (patching, hardening, least privilege, backups) and train staff, including management, on a recurring basis.
  • Policies and procedures regarding the use of cryptography and, where appropriate, encryption: Ensure appropriate use of cryptographic solutions to protect data and communications, consistent with ANSSI's cryptographic recommendations.
  • Human resources security, access control, and asset management: Implement robust measures for personnel security, managing user access to systems and data, and maintaining an inventory of information assets.
  • Use of multi-factor authentication (MFA) or continuous authentication solutions: Where appropriate, mandate MFA to enhance access security, along with secured voice, video, and text communications and secured emergency communication systems.

Article 20 makes the management body accountable for these measures: it must approve them, oversee their implementation, follow cybersecurity training, and can be held liable for infringements.

Beyond these measures, Article 23 imposes a three-stage reporting obligation for significant incidents (those that cause, or are capable of causing, severe operational disruption or financial loss, or considerable damage to other persons) to the national CSIRT or competent authority, which in France means ANSSI and its CERT-FR: an early warning within 24 hours of becoming aware of the incident, stating whether it is suspected to be malicious and whether it could have cross-border impact; an incident notification within 72 hours with an initial assessment of severity, impact and available indicators of compromise; and a final report within one month of that notification, covering root cause, mitigation measures applied and any cross-border impact. The authority may request intermediate status updates in between, and recipients of the service must be informed without undue delay where the incident is likely to affect them. ANSSI then coordinates the response and information sharing through its established incident management framework.

The Role of ANSSI: France’s National Cybersecurity Authority

The Agence nationale de la sécurité des systèmes d’information (ANSSI) is France’s central authority for cybersecurity, playing a critical and long-established role in the implementation and enforcement of national and European cybersecurity regulations. Its responsibilities under the French NIS2 transposition will include:

  • Guidance and Recommendations: Issuing specific guidelines, recommendations, and best practices tailored to the French context to help entities comply with NIS2 requirements. This builds upon ANSSI’s renowned “Guide d’hygiène informatique” and its various technical recommendations.
  • Supervision and Enforcement: Overseeing the compliance of in-scope entities, conducting audits, requesting information, and imposing administrative fines for non-compliance. ANSSI’s existing powers for critical infrastructure (Opérateurs d’Importance Vitale – OIV) will likely be adapted and extended for NIS2.
  • Incident Coordination: Acting as the central point of contact for cybersecurity incident reporting, coordinating responses, and sharing threat intelligence nationally and with ENISA.
  • Vulnerability Management: Supporting vulnerability handling and disclosure processes, leveraging its national expertise.

CISOs in France should proactively engage with ANSSI’s extensive publications, certifications, and guidance, as they will provide the authoritative interpretation of NIS2 requirements under French law. ANSSI’s robust technical expertise and strong regulatory posture make it an indispensable partner in France’s cybersecurity landscape.

Critical Deadlines & Staying Compliant in France

As noted, while the EU set an initial transposition deadline of October 17, 2024, France’s legislative process for NIS2 is ongoing, with the final national decrees and laws expected to take full effect in due course. However, this is not a justification for inaction. Proactive preparation is paramount:

  • Self-Assess Your Scope: Begin by definitively determining if your organisation falls under NIS2 and which entity type (Essential or Important) applies based on French industry context.
  • Perform a Gap Analysis: Compare your current cybersecurity posture and any existing Information Security Management System (ISMS) (e.g., ISO 27001) against the NIS2 requirements (Article 21) and ANSSI’s recommendations.
  • Strengthen Core Measures: Prioritise improvements in areas like incident response, supply chain security, and vulnerability management, which are central to NIS2 and already emphasized by ANSSI.
  • Monitor ANSSI Guidance: Regularly check ANSSI’s official website for updates, draft decrees, and specific recommendations regarding the national NIS2 implementation.
  • Review Contractual Agreements: Ensure your contracts with suppliers and service providers reflect NIS2’s supply chain security demands, potentially requiring specific clauses related to cybersecurity obligations and incident reporting.

The European Commission has already opened infringement procedures: in November 2024 it sent letters of formal notice to 23 Member States, France among them, for failing to notify national transposition measures. This reinforces the urgency for France to finalise its law and for French organisations to be ready.



How Nistra Automates NIS2 Compliance in France

Navigating the evolving NIS2 landscape in France, especially with the ongoing legislative process and ANSSI’s detailed requirements, presents a complex challenge. Understanding your exact scope, interpreting ANSSI’s comprehensive guidance, conducting a thorough gap analysis, and implementing new controls demands significant expertise and continuous monitoring.

Nistra’s AI-powered platform is specifically designed to streamline and automate your NIS2 compliance journey in France. Our NIS2 Compliance Assessment provides a tailored, step-by-step plan based on your organisation’s profile and the specific requirements under French law. It continuously monitors legislative updates from ANSSI and the EU, cross-references ENISA guidance, and offers intelligent mappings to international standards like ISO 27001, highlighting gaps and suggesting actionable remediation steps.

With Nistra, you can:

  • Get a definitive determination of your NIS2 scope and entity type under French law.
  • Receive a clear roadmap tailored to the French NIS2 implementation requirements.
  • Effortlessly track compliance progress and demonstrate due diligence to ANSSI.
  • Access up-to-date information and expert recommendations relevant to the French market.

Eliminate guesswork, reduce manual effort, and achieve demonstrable NIS2 compliance faster and more confidently in France.

Request your Free NIS2 Compliance Assessment today.


Citations:

Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive). Official Journal of the European Union. L 333/80. (Accessible via EUR-Lex: https://eur-lex.europa.eu/eli/dir/2022/2555/oj)

Agence nationale de la sécurité des systèmes d’information (ANSSI). Official website and publications. (Refer to https://www.ssi.gouv.fr/ for national decrees, guides, and recommendations relevant to cybersecurity.)

European Commission. “Infringement procedures against Member States for non-notification of national transposition measures for NIS2 Directive.” (Refer to official press releases or infringement reports from the European Commission: https://ec.europa.eu/commission/presscorner/home/en)

European Union Agency for Cybersecurity (ENISA). Official website and publications. (Refer to www.enisa.europa.eu for relevant guidance.)