    NIS2 in France

    A guide to NIS2 implementation and compliance in France.

    France is reinforcing its national cybersecurity regime to align with the strengthened requirements of the NIS2 Directive. The updated framework expands sector coverage, strengthens board-level accountability, and enhances incident reporting and enforcement mechanisms. This guide provides a structured overview of NIS2 compliance requirements in France for SMEs operating in covered sectors.

    1. Quick SME Applicability Snapshot in France

    Does NIS2 apply to SMEs in France?

    Yes — depending on sector and size.

    • Automatic applicability to medium-sized entities (≥50 employees and ≥€10 million turnover or balance sheet total) operating in covered sectors.
    • Small or micro entities are included only if formally designated or operating in high-criticality sectors.
    • Applies to entities established in France and, in certain cases, foreign digital providers serving the French market.

    SMEs should assess whether they fall within France's national cybersecurity framework based on sector classification and statutory thresholds.

    2. Overview of NIS2 Implementation in France

    France is transposing NIS2 through the Projet de loi relatif à la résilience des infrastructures critiques et au renforcement de la cybersécurité (the "Loi Résilience"), which consolidates the NIS2 Directive, the CER Directive (critical infrastructure resilience), and DORA in a single legislative package. The bill was presented to the Council of Ministers on 15 October 2024, adopted by the Senate on 12 March 2025, and approved by the National Assembly's special committee on 10 September 2025. As of April 2026, final adoption by the full National Assembly and promulgation remain pending; promulgation is expected during 2026, after which implementing decrees will specify technical standards and reporting procedures.

    The revised framework aligns France's national cybersecurity regime with Directive (EU) 2022/2555, expanding obligations relating to governance, incident reporting, supervisory powers, and sanctions. France's scope is expected to grow from approximately 500 entities under NIS1 to 15,000–18,000 entities across 18 sectors. The draft introduces 20 security objectives for essential entities and 15 for important entities as the compliance framework, and confirms that ISO 27001 certification alone does not satisfy NIS2 compliance in France (covering only 2 of the 20 objectives).

    ANSSI has launched a pre-registration portal (MonEspaceNIS2) to allow future regulated entities to assess their scope and prepare for compliance in advance of formal enactment. France remains under a European Commission reasoned opinion issued 7 May 2025 for failure to notify full transposition, and continues to build on its pre-existing cybersecurity model by integrating NIS2 standards into established oversight structures.

    3. Scope of Application in France

    France's scope reflects Directive minimum categories, integrated within its established national security model.

    4. Size Thresholds and SME Applicability in France

    The baseline thresholds apply:

    • ≥50 employees, and
    • ≥€10 million annual turnover or balance sheet total.

    Entities meeting both criteria within covered sectors fall automatically within scope.

    Small and micro enterprises may be designated if considered critical to national or economic stability, public security, or essential service continuity.

    French authorities retain formal designation powers where systemic risk or national security considerations justify inclusion.

    5. Entity Classification Framework in France

    Entities are categorized as:

    • Essential Entities — Subject to proactive supervision, including inspections, audits, and structured compliance monitoring.
    • Important Entities — Primarily subject to reactive supervision triggered by significant incidents or compliance concerns.

    Classification is determined by sector and size. Authorities may reclassify entities where operational impact or risk exposure warrants enhanced supervision.

    France's classification structure aligns with the Directive's two-tier supervisory model.

    6. Cybersecurity Risk Management Requirements in France

    France's national regime aligns with the Directive baseline for cybersecurity risk management. In-scope entities must implement proportionate technical and organizational measures addressing:

    • Risk analysis and system protection
    • Incident detection and response
    • Business continuity and crisis management
    • Supply chain risk controls
    • Secure acquisition and development of ICT systems
    • Access control and identity management
    • Encryption and cryptographic safeguards
    • Vulnerability management procedures
    • Staff cybersecurity training

    Measures must reflect state-of-the-art standards and organizational risk exposure. Alignment with ISO/IEC 27001 and French cybersecurity guidance is encouraged.

    Supply chain oversight includes vendor due diligence and contractual cybersecurity safeguards to mitigate cascading risk.

    7. Management Liability and Governance in France

    Management bodies must formally approve cybersecurity risk management measures and oversee implementation.

    Under France's framework:

    • Boards are accountable for compliance oversight.
    • Senior leadership must ensure adequate cybersecurity expertise.
    • Administrative sanctions may address governance failures.
    • Temporary suspension of managerial functions may be available under Directive-aligned enforcement mechanisms.

    Management liability expectations under France's NIS2 transposition elevate cybersecurity governance to an executive-level responsibility.

    8. Incident Reporting Obligations in France

    Definition of a Significant Incident

    An incident qualifies if it causes:

    • Severe operational disruption
    • Significant financial loss
    • Substantial societal impact
    • Cross-border effects

    Reporting Timeline

    Reporting Stage        | Deadline | Authority
    Early Warning          | 24 hours | National Agency for the Security of Information Systems (ANSSI)
    Incident Notification  | 72 hours | ANSSI
    Final Report           | 1 month  | ANSSI

    9. Supervisory Authorities and Enforcement Model in France

    Primary authority: National Agency for the Security of Information Systems (ANSSI).

    France operates a centralized cybersecurity supervisory model coordinated by ANSSI, integrated with sector-specific regulatory bodies where applicable.

    Supervisory powers include:

    • Information requests
    • Security audits
    • On-site inspections
    • Binding compliance instructions
    • Participation in EU cybersecurity coordination

    The enforcement structure reflects Directive-level cooperation requirements.

    10. NIS2 Fines and Sanctions in France

    France applies Directive-aligned administrative penalties.

    Essential Entities

    Up to €10 million or 2% of total global annual turnover (whichever is higher)

    Important Entities

    Up to €7 million or 1.4% of total global annual turnover (whichever is higher)

    Enforcement in France may also include:

    • Binding remediation orders
    • Public identification of non-compliant entities
    • Suspension of authorizations or certifications
    • Managerial suspension powers

    Criminal liability applies only where explicitly provided under French legislation.

    11. NIS2 Supply Chain and Vendor Security in France

    Entities must manage third-party cybersecurity exposure through:

    • Vendor risk assessments
    • Contractual security flow-down requirements
    • Continuous ICT supplier monitoring
    • Concentration risk analysis
    • Incident propagation mitigation

    France's approach aligns with Directive baseline expectations regarding supplier risk management.

    12. Registration and Self-Identification Duties in France

    Entities within scope must:

    • Prepare to register with ANSSI via the MonEspaceNIS2 pre-registration platform (monespacenis2.cyber.gouv.fr), which is already operational
    • Provide corporate identification details
    • Disclose sector classification
    • Maintain updated contact information

    Formal registration deadlines and procedural mechanics will be set by implementing decrees following promulgation of the Loi Résilience. In the interim, ANSSI's MonEspaceNIS2 portal provides a scope assessment tool and allows entities to prepare in advance. Self-identification will be mandatory once the law is promulgated; entities should use the MonEspaceNIS2 tool now to assess their likely classification as essential or important.

    Self-identification is mandatory where entities meet statutory thresholds.

    13. Interaction With GDPR and Other Laws in France

    The General Data Protection Regulation continues to apply concurrently.

    Overlap considerations include:

    • 72-hour personal data breach notification
    • Supervisory authority coordination
    • Parallel cybersecurity and data protection investigations
    • Sector-specific French cybersecurity rules

    A single cyber incident may trigger reporting obligations under both regimes.

    14. Cross-Border Applicability

    Entities with their main establishment in France are supervised by French authorities for cross-border services.

    Foreign digital providers offering services in France may be subject to French oversight depending on establishment structure.

    Representation requirements follow Directive standards for non-EU providers serving French markets.

    15. Implementation Timeline in France

    • Directive adoption: 2022
    • National legislative amendments: Loi Résilience presented to Council of Ministers 15 October 2024; adopted by Senate 12 March 2025; approved by National Assembly special committee 10 September 2025; full National Assembly vote and promulgation pending
    • Entry into force: Pending promulgation by the President of the Republic, expected during 2026; implementing decrees (technical standards, reporting procedures) to follow promulgation
    • Commission notification: EC reasoned opinion issued 7 May 2025 for failure to notify full transposition; France remains under infringement procedure
    • Compliance milestone: To be defined by implementing decrees post-promulgation; MonEspaceNIS2 pre-registration portal already live; formal compliance deadlines expected to follow entry into force by several months

    France missed the EU transposition deadline of 17 October 2024 and remains under EC infringement procedure. The Loi Résilience is expected to be promulgated during 2026, with implementing decrees to follow. Entities should use ANSSI's MonEspaceNIS2 portal to assess scope and begin compliance preparation now.

    16. Key Takeaways for SMEs in France

    • Medium-sized entities in covered sectors are automatically in scope.
    • Small entities may be designated if operationally critical.
    • Board-level governance oversight is mandatory.
    • Incident reporting follows 24h / 72h / 1 month deadlines.
    • Financial penalties can reach €10 million or 2% of global turnover.
    • Vendor risk management is a core obligation.
    • Early compliance planning is essential — use ANSSI's MonEspaceNIS2 portal now to assess scope. Note that ISO 27001 certification alone does not meet France's NIS2 requirements, covering only 2 of the 20 security objectives defined in the draft framework.

    FAQ: NIS2 France SME Guide

    Does NIS2 apply to small companies in France?

    Small companies are generally excluded unless designated or operating in highly critical sectors. Medium-sized entities meeting size thresholds are automatically covered.

    What are the NIS2 fines in France?

    Essential Entities face penalties up to €10 million or 2% of global annual turnover. Important Entities face up to €7 million or 1.4% of global annual turnover.

    When does NIS2 take effect in France?

    France's NIS2 transposition is being carried out through the Loi Résilience, which has cleared the Senate (March 2025) and the National Assembly special committee (September 2025) but had not yet been finally adopted or promulgated as of April 2026. Promulgation is expected during 2026, after which implementing decrees will set specific compliance deadlines. France remains under a European Commission reasoned opinion for failure to notify full transposition. ANSSI's MonEspaceNIS2 portal is already live and available for scope assessment and pre-registration.

    Who enforces NIS2 in France?

    The National Agency for the Security of Information Systems (ANSSI) serves as the primary supervisory authority, coordinating with sector regulators where relevant.

    Can directors be personally liable under NIS2 in France?

    Management bodies must approve and oversee cybersecurity measures. Administrative enforcement tools may include managerial suspension powers in serious cases.

    How does NIS2 differ from GDPR in France?

    NIS2 governs cybersecurity resilience and operational risk management, while GDPR regulates personal data protection. Both frameworks may apply following a cyber incident.

    What qualifies as a significant incident under NIS2 in France?

    An incident causing severe disruption, significant financial loss, societal impact, or cross-border consequences typically meets the reporting threshold.