NIS2 Country Guide

NIS2 France: Critical Infrastructure Resilience & Cybersecurity Bill

See how France is transposing the NIS2 Directive through the bill on the resilience of critical infrastructures and the strengthening of cybersecurity, the central role of ANSSI, and what essential and important entities operating in France need to do to prepare for full NIS2 compliance.

France NIS2 transposition: in progress
Competent authority: ANSSI

Introduction: NIS2 Directive & the French context

France already had a robust cybersecurity framework built around operators of vital importance (opérateurs d’importance vitale, OIV) and essential service operators (OSE) under the original NIS Directive and national law. NIS2 requires France to broaden this framework, cover more sectors and entities, and reinforce governance and incident-reporting obligations.

To achieve this, France is adopting a comprehensive bill on the resilience of critical infrastructures and the strengthening of cybersecurity. This bill is designed to jointly transpose NIS2, the Critical Entities Resilience Directive and DORA into French law.

Quick link: New to NIS2? Start with our general guides “What is NIS2?” and “NIS vs NIS2”.

NIS2 implementation in France

France formally launched the NIS2 transposition process on 15 October 2024, when the bill on the resilience of critical infrastructures and the strengthening of cybersecurity was presented in the Council of Ministers and tabled in Parliament.

The bill, often referred to as the “projet de loi Résilience”, is structured in several titles, including a cybersecurity title that specifically transposes Directive (EU) 2022/2555 (NIS2). It updates definitions (critical activities, critical infrastructures), extends the scope of regulated entities and modernises supervisory powers.

In March 2025, the French Senate adopted the bill in first reading under an accelerated procedure, and the text was transmitted to the National Assembly. As of late 2025, the legislative process is still ongoing and full entry into force is expected after final adoption and promulgation.

Status

NIS2 transposition is advanced but not fully completed. The bill has been adopted by the Senate and is under discussion in the National Assembly; final promulgation and implementing decrees are pending.

Legal structure

The bill on critical infrastructure resilience and cybersecurity will serve as the main NIS2 transposition vehicle, complemented by implementing decrees and ANSSI guidance.

Supervisory approach

ANSSI remains the central authority, coordinating with sectoral regulators and regional actors to supervise a significantly expanded population of NIS2 entities.

NIS2 France: what you need to know about compliance

France will apply the NIS2 model of essential and important entities across a wide range of sectors, expanding far beyond the earlier OIV/OSE perimeter. Estimates suggest that several thousand organisations could ultimately be brought into scope.

Who is in scope?

  • Entities in NIS2 Annex I sectors (energy, transport, health, drinking water, digital infrastructure, public administration, etc.).
  • Entities in NIS2 Annex II sectors (postal and courier services, waste management, food, manufacturing of critical products, research, etc.).
  • Medium-sized and large organisations meeting NIS2 staff or turnover thresholds.
  • Entities in particularly sensitive sectors (e.g. trust services, DNS, TLD registries, major cloud and data centres) regardless of size.

Core obligations (NIS2-aligned)

  • Implement risk-management measures covering technical and organisational security.
  • Adopt policies and procedures for incident prevention, detection, response and recovery.
  • Report significant incidents and certain cyber threats within NIS2-defined timeframes.
  • Manage supply-chain cybersecurity risks and integrate security clauses in critical contracts.
  • Ensure management bodies approve cybersecurity policies and receive regular training.

Registration & pre-registration

Entities in scope will have to register with the national authority. Ahead of full transposition, ANSSI has already made available a NIS2 information and pre-registration portal to help organisations anticipate their future obligations.

Practical tip: Even before the law formally enters into force, French organisations can start mapping their services, identifying NIS2-relevant systems and conducting risk assessments, instead of waiting for the final legal text.

Competent authorities & CSIRTs

France uses a centralised model with ANSSI as the primary NIS2 competent authority and single point of contact, working in close cooperation with sectoral regulators and national CSIRTs.

| Role | Authority | Notes |
|---|---|---|
| National competent authority & Single Point of Contact | ANSSI (Agence nationale de la sécurité des systèmes d’information) | Leads NIS2 transposition, supervision, strategy and coordination; acts as the national point of contact for EU partners and other Member States. |
| National CSIRT | FR-CERT (operated by ANSSI) and sector CSIRTs | Receives incident notifications, coordinates technical response, shares threat intelligence and supports entities in scope. |
| Sectoral regulators | Various (e.g. ARCEP, energy, finance, transport authorities) | Cooperate with ANSSI for sector-specific supervision where EU sectoral regimes (such as telecom or financial regulations) intersect with NIS2. |

NIS2 timeline & key dates (France)

17 October 2024 — EU deadline for NIS2 transposition; France does not meet the deadline but accelerates work on the resilience and cybersecurity bill.
15 October 2024 — Resilience and cybersecurity bill presented in the Council of Ministers and submitted to Parliament under an accelerated procedure.
Early 2025 — Senate special commission examines and amends the bill; the Senate adopts the text in first reading.
2025 — The bill is transmitted to the National Assembly for examination and further amendments.
2026 (expected) — Final adoption, promulgation and entry into force of the NIS2 law, followed by implementing decrees and a transition period for entities to reach full compliance.

Sector-specific notes for France

  • Energy: electricity, gas and nuclear-related infrastructures will face strict resilience, security and reporting obligations.
  • Transport: aviation, rail, maritime and road operators are in scope under NIS2 and the resilience framework.
  • Finance: banks and financial-market infrastructures are covered through a combined NIS2 and DORA approach.
  • Healthcare: hospitals and critical health-service providers are a major focus due to recent large-scale cyberattacks.
  • Public administration: key State and local authorities fall under the extended NIS2 perimeter.
  • Digital infrastructure: data centres, cloud providers, major ICT operators and trust services are explicitly targeted as critical players.

Penalties for non-compliance

The future French NIS2 law is expected to mirror the Directive’s approach to sanctions, allowing for significant administrative fines, corrective measures and management-level accountability in cases of serious or persistent non-compliance.

  • Turnover-based fines up to NIS2 ceilings for the most serious breaches.
  • Corrective orders and mandatory remediation plans issued by ANSSI.
  • Enhanced supervision and follow-up in case of repeated deficiencies.
  • Potential consequences for management where governance failures are identified.

How to prepare for NIS2 in France

  1. Check if you are likely in scope: map your services and size thresholds against NIS2 Annex I & II sectors.
  2. Monitor the legislative process: follow ANSSI and official publications for the final law text and decrees.
  3. Perform a gap assessment: compare your current posture against NIS2 risk-management and governance requirements.
  4. Prepare for registration: gather information on critical services, systems, dependencies and NIS2 contact persons.
  5. Strengthen incident readiness: build monitoring, escalation and reporting processes compatible with NIS2 deadlines.
  6. Review supply-chain risk: update contracts with key providers to include security and incident-notification clauses.
  7. Align with a recognised framework: use ISO/IEC 27001, NIST CSF or similar to structure your compliance roadmap.
  8. Train management and staff: ensure leadership and key teams understand their upcoming NIS2 responsibilities.

FAQ: NIS2 in France

Has France fully transposed NIS2?
Not yet. As of late 2025, the main resilience and cybersecurity bill is still going through the legislative process and has not been fully promulgated. Full transposition is expected once the law and implementing decrees are adopted.

Who is the NIS2 competent authority in France?
ANSSI (Agence nationale de la sécurité des systèmes d’information) is the central authority, single point of contact and main supervisor for NIS2 entities.

Should we start preparing before the law is fully in force?
Yes. Organisations are encouraged to start mapping their scope, assessing risks and preparing for registration and NIS2-aligned obligations ahead of full legal entry into force.

Will ISO 27001 certification be mandatory?
No specific certification is mandated by name, but frameworks like ISO/IEC 27001 are strongly encouraged as a way to structure and evidence NIS2 compliance.

Information provided for general guidance; always consult the official French legislation, ANSSI publications and legal counsel for definitive NIS2 compliance requirements.