NIS2 in France
Everything you need to know about the NIS2 directive in France: transposition law, competent authority, fines, deadlines, and how Reglyze helps SMEs become compliant.
France missed the 17 October 2024 EU transposition deadline and is under a Commission infringement procedure. The transposition vehicle — the Loi relative a la resilience des infrastructures critiques et au renforcement de la cybersecurite (Loi Resilience) — was adopted by the Senat on 12 March 2025 and is awaiting promulgation, expected mid-2026. Despite the delay, ANSSI's MesServicesCyber portal is already live so entities can self-identify, voluntarily pre-register and prepare now (its NIS2 space is progressively integrating the earlier MonEspaceNIS2 service).
Key facts at a glance
Projet de loi relatif a la resilience des activites d'importance vitale (in parliamentary review)
Adopted / in force: 2026-Q2
Agence nationale de la securite des systemes d'information (ANSSI)
https://cyber.gouv.frUp to EUR 10 million or 2% of global annual turnover
Up to EUR 7 million or 1.4% of global annual turnover
These ceilings come from the directive — see how NIS2 fines are calculated, recent enforcement cases and director personal liability.
How ReCyF maps to NIS2
Each objective of ReCyF — the national framework for NIS2 — shown against the NIS2 controls it covers. This is the authority's own correspondence, not a generic article list: where a objective has no direct NIS2 control nexus, we say so.
| Objective (ReCyF) | NIS2 control(s) | ISO 27001 correspondence | Status |
|---|---|---|---|
| Recensement des systèmes d'information1 | Art. 21(2)(i) | Covered | |
| Mise en œuvre d'un cadre de gouvernance de la sécurité numérique2 | Art. 20(1) Art. 20(2) Art. 21(2)(a) Art. 21(2)(f) Art. 21(2)(h) Art. 21(2)(i) | ReCyF v2.5 p. 8 — SMSI ISO 27001:2022 admissible | Covered |
| Maîtrise de l'écosystème3 | Art. 21(2)(d) Art. 21(2)(i) | Covered | |
| Intégration de la sécurité numérique dans la gestion des ressources humaines4 | Art. 21(2)(g) | Covered | |
| Maîtrise des systèmes d'information5 | Art. 21(2)(e) Art. 21(2)(i) | Covered | |
| Maîtrise des accès physiques aux locaux6 | — | No direct NIS2 mapping | |
| Sécurisation de l'architecture des systèmes d'information7 | Art. 21(2)(e) Art. 21(2)(h) | Covered | |
| Sécurisation des accès distants aux systèmes d'information8 | Art. 21(2)(e) Art. 21(2)(h) Art. 21(2)(j) | Covered | |
| Protection des systèmes d'information contre les codes malveillants9 | Art. 21(2)(e) | Covered | |
| Gestion des identités et des accès des utilisateurs aux systèmes d'information10 | Art. 21(2)(e) Art. 21(2)(i) Art. 21(2)(j) | Covered | |
| Maîtrise de l'administration des systèmes d'information11 | Art. 21(2)(e) Art. 21(2)(i) | Covered | |
| Identification et réaction aux incidents de sécurité12 | Art. 21(2)(b) | Covered | |
| Continuité et reprise d'activité13 | Art. 21(2)(c) | Covered | |
| Réaction aux crises d'origine cyber14 | Art. 21(2)(c) Art. 21(2)(j) | Covered | |
| Exercices, tests et entrainements15 | Art. 21(2)(b) Art. 21(2)(c) Art. 21(2)(g) | Covered | |
| Mise en œuvre d'une approche par les risques16 | Art. 21(2)(a) | ReCyF v2.5 p. 30-31 — SMSI ISO 27001:2022 admissible OU PACS qualifié ANSSI | Covered |
| Audit de la sécurité des systèmes d'information17 | Art. 21(2)(f) | ReCyF v2.5 — audits internes du cycle SMSI ISO 27001:2022 admissibles | Covered |
| Sécurisation de la configuration des ressources des systèmes d'information18 | Art. 21(2)(e) | Covered | |
| Administration des systèmes d'information depuis des ressources dédiées19 | Art. 21(2)(e) | Covered | |
| Supervision de la sécurité des systèmes d'information20 | Art. 21(2)(b) | Covered |
Mapping derived from the authority's published ReCyF framework. Reglyze maintains it as the source data evolves — see the platform for the full control-by-control view.
Priority sectors for NIS2 in France
NIS2 covers 18 sectors across Annex I (essential) and Annex II (important). These are the sectors where France's transposition and ANSSI supervision focus most.
Local government (collectivites territoriales)
France goes beyond the directive minimum: the draft law brings all regions and departments, plus municipalities above 30,000 inhabitants and their etablissements publics administratifs, into scope as essential entities — a national-discretion extension the directive itself leaves optional.
Vital-importance operators (OIV)
Operators designated under the LPM (code de la defense art. L. 1332-2) keep their pre-existing SIIV security obligations stacked on top of NIS2: they must apply BOTH the national ReCyF framework AND specific Premier ministre instructions — two parallel regimes.
Digital and trust services
Qualified trust service providers (PSCo qualifies — certificate authorities, e-signature, timestamping) face a tighter 24-hour intermediate-notification window aligned with eIDAS, rather than the standard 72 hours.
Key deadlines
2024-10-17
EU transposition deadline — missed by France (infringement procedure opened).
2026-Q2
Expected adoption of the transposition law. ANSSI has published draft guidance.
Continuous
ANSSI's MesServicesCyber portal is live — entities can self-identify and voluntarily pre-register. Its NIS2 space is progressively integrating and replacing the earlier MonEspaceNIS2 service. Mandatory registration opens only on promulgation of the loi resilience.
Is your company in scope? Common France scenarios
Two worked examples of how NIS2 scoping plays out in France. Not sure where you land? Run the free NIS2 scope checker.
The draft Loi Resilience designates municipalities above 30,000 inhabitants, so a commune of 50,000 is caught even though the NIS2 baseline would only reach national- or regional-level government bodies.
Entities previously designated OIV under the LPM are automatically classified as essential entities and must satisfy two parallel regimes: the ReCyF framework plus their SIIV-specific Premier ministre instructions.
What France businesses need to know
France missed the EU transposition deadline and is subject to an infringement procedure by the European Commission.
Despite the delay, ANSSI's MesServicesCyber portal is live — an early self-identification and voluntary pre-registration service that is progressively integrating and replacing the earlier MonEspaceNIS2 space.
The French law is expected to impose stricter thresholds than the directive minimum for certain sectors.
ANSSI's CERT-FR will handle all incident notifications, replacing OIV-specific reporting under the old LPM framework.
Organizations that were previously Operateurs d'Importance Vitale (OIV) will automatically be classified as Essential Entities.
How ANSSI enforces NIS2 in France
French enforcement is graduated and institutionally split. ANSSI investigates and orders compliance — first a written warning (mise en demeure), then an injonction with an optional astreinte of up to EUR 5,000 per day — while a separate commission des sanctions (shared with the LPM/CER vital-infrastructure regime) alone imposes administrative fines of up to EUR 10M or 2% of turnover. An entity that takes corrective action between warning and order generally avoids the fine. As a last resort, ANSSI can temporarily ban a director from management functions. Registration, notifications and audit submissions all flow through MesServicesCyber, which requires FranceConnect Pro authentication.
NIS2 in France: frequently asked questions
- Where does NIS2 transposition in France stand?
- The Loi Resilience was adopted by the Senat on 12 March 2025 and awaits promulgation, expected mid-2026. France is under an EU infringement procedure for missing the October 2024 deadline, but ANSSI's MesServicesCyber portal is already operational for self-registration and preparation.
- Which collectivites territoriales are in scope?
- The draft law extends NIS2 to all regions and departments, plus municipalities above 30,000 inhabitants and their etablissements publics administratifs — a stricter scope than the directive minimum, which only requires national- or regional-level government bodies.
- What is ReCyF?
- ReCyF (referentiel cyber France) is France's national reference framework. Entities can demonstrate compliance through ReCyF, through an existing ANSSI qualification (PASSI, SecNumCloud, PRIS, etc.) or through an EU certification scheme — three coexisting routes, a French specificity.
- What sanctions does the French law provide?
- Administrative fines of up to EUR 10M or 2% of global annual turnover, imposed by the commission des sanctions (not directly by ANSSI). ANSSI can also temporarily ban directors from management functions as a last resort, and France adds a stand-alone fine specifically for obstructing an investigation.
Official sources
Primary references for NIS2 in France — verify the latest text and deadlines directly with the authority.