NIS 2 status in France
What the directive requires, how France transposes it, and where ANSSI sits inside the picture.
Overview
The NIS 2 directive is the EU layer. It binds every member state, including France, with one cybersecurity floor for essential and important entities. France must put that floor into French law and run a supervision regime under it.
France transposes NIS 2 through Ordonnance n° 2024-1093 of 2 December 2024 and the implementing decrees that follow it. The text layers on top of the existing OIV regime (Opérateurs d'Importance Vitale) and the NIS 1 OSE regime (Opérateurs de Services Essentiels) rather than replacing them outright.
ANSSI (Agence nationale de la sécurité des systèmes d'information) is the supervisor and the national CSIRT. Registration runs through the MonEspaceNIS2 portal. Sector regulators stay in the loop for sectors that already had one, finance in particular, where DORA acts as lex specialis.
EU directive
Directive (EU) 2022/2555 (NIS 2)
The EU-wide cybersecurity directive. Sets the obligations every member state must transpose, including the size and sector tests for essential and important entities.
EU implementation
Commission Implementing Regulation (EU) 2024/2690
Technical and methodological measures for digital infrastructure providers. Directly applicable in France without national transposition.
French transposition
Ordonnance n° 2024-1093 of 2 December 2024
The French NIS 2 transposition. Implementing decrees and ANSSI guidance fill in the operational detail. The text amends the Code de la défense (Articles L.1332-x for OIV) and extends it to the broader NIS 2 perimeter.
Ordonnance n° 2024-1093
Carries the NIS 2 obligations into French law. Defines the EEI category (Entités essentielles importantes), the supervision powers of ANSSI, incident reporting duties, and sanctions. Most operational detail is delegated to décrets d'application.
ANSSI as supervisor and CSIRT
ANSSI runs supervision, audits and sanction proposals. It also operates the national CSIRT and the MonEspaceNIS2 portal. Sector regulators such as ACPR for finance keep their own competence where lex specialis applies.
Registration and reporting
The directive required entities to be identifiable by Member States from 17 April 2025. In France this happens through MonEspaceNIS2. Significant incidents follow the directive's 24h early warning, 72h notification and one-month final report cadence.
Local law applies inside France
Operations on French territory follow the French transposition. A German Geschäftsführer running a French subsidiary reads Ordonnance n° 2024-1093 for that subsidiary, not the German BSIG. The directive obligations are the same; the procedure, the portal and the sanctions live in French law.
France cannot go below the EU floor
The directive is a minimum harmonisation instrument. France can go stricter, and historically has via the OIV regime. It cannot drop below the directive on essential and important entity duties, incident reporting deadlines or management body accountability.
ANSSI
Lead competent authority, supervisor and national CSIRT. Runs MonEspaceNIS2, issues guidance, conducts audits, and proposes sanctions to the Premier ministre. Holds the historical OIV doctrine that now feeds NIS 2 supervision.
CNIL
The French data protection authority. Not the NIS 2 regulator. Stays competent for personal data breach reporting under GDPR. A NIS 2 incident touching personal data is often a dual notification: ANSSI and CNIL.
ENISA
The EU cybersecurity agency. Publishes guidance, manages the European vulnerability database, and supports cross-border coordination. Not a supervisor for French entities; ANSSI is.
We are already OIV, so NIS 2 is handled.
OIV and OSE classifications under the existing Code de la défense and NIS 1 framework do not automatically carry over as EEI under NIS 2. The perimeter is different, sectoral thresholds are different, and entities must verify their status against the new criteria. Many OIV are also NIS 2 essential entities, but the obligation set and reporting channel change.
NIS 2 in France only applies to large operators.
The size test caps at medium and large enterprises by default, but the directive captures small entities where they are the sole provider, where disruption has cross-border impact, or where French law adds them. Public administrations and certain digital providers are in regardless of size. The applicability check has to be done case by case, not by company size alone.
MonEspaceNIS2 and ANSSI only accept French.
The portal and official guidance are French-first, but ANSSI accepts technical reporting and supporting documentation in English in defined cases, in line with EU cooperation. Foreign parent companies should not assume they need a full French translation of every internal policy to register or to file an incident report.
Most French Mittelstand-equivalent operators we see still treat NIS 2 as an extension of the old OIV / OSE regime. That is half right. The supervision and incident channel sit inside ANSSI like before, but the scope is wider and the management body sign-off is heavier. The Geschäftsführer-equivalent (président, directeur général, gérant) is personally on the hook for risk-management approval and training.
The practical move is the same as everywhere else in the EU: confirm scope under the directive, register through the national portal (here MonEspaceNIS2), set up the four continuous obligations (registration upkeep, incident reporting, supply chain risk, management body oversight), and document the minimum. The OIV apparatus helps, but it does not substitute for the NIS 2 obligation register.
We build the NIS 2 obligation register on the EU layer, not on any single national transposition. The same checklist works for a French subsidiary using Ordonnance n° 2024-1093, a German parent using BSIG, and a Dutch sister using the Cyberbeveiligingswet. Article references switch per locale; the substantive obligations do not.
For French scope you start with the applicability check, then move to incident reporting cadence, supply chain clauses and management body sign-off. Where ANSSI publishes sector guidance, we reference it; we do not duplicate it.
- Directive (EU) 2022/2555 (NIS 2): EUR-Lex
- Commission Implementing Regulation (EU) 2024/2690
- Ordonnance n° 2024-1093 du 2 décembre 2024: Légifrance
- Code de la défense, Articles L.1332-1 et suivants (OIV): Légifrance
- ANSSI: Agence nationale de la sécurité des systèmes d'information, official site
- MonEspaceNIS2: French NIS 2 registration portal (ANSSI)
- ACPR / Banque de France: competent authority for DORA in the financial sector