FR transposition

NIS 2 status in France

What the directive requires, how France transposes it, and where ANSSI sits inside the picture.

Simon OrzelSimon Orzel·

Overview

The NIS 2 directive is the EU layer. It binds every member state, including France, with one cybersecurity floor for essential and important entities. France must put that floor into French law and run a supervision regime under it.

France transposes NIS 2 through Ordonnance n° 2024-1093 of 2 December 2024 and the implementing decrees that follow it. The text layers on top of the existing OIV regime (Opérateurs d'Importance Vitale) and the NIS 1 OSE regime (Opérateurs de Services Essentiels) rather than replacing them outright.

ANSSI (Agence nationale de la sécurité des systèmes d'information) is the supervisor and the national CSIRT. Registration runs through the MonEspaceNIS2 portal. Sector regulators stay in the loop for sectors that already had one, finance in particular, where DORA acts as lex specialis.

Where the rules live
Three layers that anyone reading the French version of NIS 2 needs to keep apart.

EU directive

Directive (EU) 2022/2555 (NIS 2)

The EU-wide cybersecurity directive. Sets the obligations every member state must transpose, including the size and sector tests for essential and important entities.

EU implementation

Commission Implementing Regulation (EU) 2024/2690

Technical and methodological measures for digital infrastructure providers. Directly applicable in France without national transposition.

French transposition

Ordonnance n° 2024-1093 of 2 December 2024

The French NIS 2 transposition. Implementing decrees and ANSSI guidance fill in the operational detail. The text amends the Code de la défense (Articles L.1332-x for OIV) and extends it to the broader NIS 2 perimeter.

Three things to know
What changes for entities operating in France.
Transposition

Ordonnance n° 2024-1093

Carries the NIS 2 obligations into French law. Defines the EEI category (Entités essentielles importantes), the supervision powers of ANSSI, incident reporting duties, and sanctions. Most operational detail is delegated to décrets d'application.

Authority

ANSSI as supervisor and CSIRT

ANSSI runs supervision, audits and sanction proposals. It also operates the national CSIRT and the MonEspaceNIS2 portal. Sector regulators such as ACPR for finance keep their own competence where lex specialis applies.

Deadlines

Registration and reporting

The directive required entities to be identifiable by Member States from 17 April 2025. In France this happens through MonEspaceNIS2. Significant incidents follow the directive's 24h early warning, 72h notification and one-month final report cadence.

Two principles that decide every edge case
Use these before reading a French commentary on NIS 2.

Local law applies inside France

Operations on French territory follow the French transposition. A German Geschäftsführer running a French subsidiary reads Ordonnance n° 2024-1093 for that subsidiary, not the German BSIG. The directive obligations are the same; the procedure, the portal and the sanctions live in French law.

France cannot go below the EU floor

The directive is a minimum harmonisation instrument. France can go stricter, and historically has via the OIV regime. It cannot drop below the directive on essential and important entity duties, incident reporting deadlines or management body accountability.

Who does what in France
Three institutions that show up in almost every NIS 2 question.
FR

ANSSI

Lead competent authority, supervisor and national CSIRT. Runs MonEspaceNIS2, issues guidance, conducts audits, and proposes sanctions to the Premier ministre. Holds the historical OIV doctrine that now feeds NIS 2 supervision.

FR

CNIL

The French data protection authority. Not the NIS 2 regulator. Stays competent for personal data breach reporting under GDPR. A NIS 2 incident touching personal data is often a dual notification: ANSSI and CNIL.

EU

ENISA

The EU cybersecurity agency. Publishes guidance, manages the European vulnerability database, and supports cross-border coordination. Not a supervisor for French entities; ANSSI is.

Pitfalls
Mistakes we see when French entities first read NIS 2.
  • We are already OIV, so NIS 2 is handled.

    OIV and OSE classifications under the existing Code de la défense and NIS 1 framework do not automatically carry over as EEI under NIS 2. The perimeter is different, sectoral thresholds are different, and entities must verify their status against the new criteria. Many OIV are also NIS 2 essential entities, but the obligation set and reporting channel change.

  • NIS 2 in France only applies to large operators.

    The size test caps at medium and large enterprises by default, but the directive captures small entities where they are the sole provider, where disruption has cross-border impact, or where French law adds them. Public administrations and certain digital providers are in regardless of size. The applicability check has to be done case by case, not by company size alone.

  • MonEspaceNIS2 and ANSSI only accept French.

    The portal and official guidance are French-first, but ANSSI accepts technical reporting and supporting documentation in English in defined cases, in line with EU cooperation. Foreign parent companies should not assume they need a full French translation of every internal policy to register or to file an incident report.

Practitioner view

Most French Mittelstand-equivalent operators we see still treat NIS 2 as an extension of the old OIV / OSE regime. That is half right. The supervision and incident channel sit inside ANSSI like before, but the scope is wider and the management body sign-off is heavier. The Geschäftsführer-equivalent (président, directeur général, gérant) is personally on the hook for risk-management approval and training.

The practical move is the same as everywhere else in the EU: confirm scope under the directive, register through the national portal (here MonEspaceNIS2), set up the four continuous obligations (registration upkeep, incident reporting, supply chain risk, management body oversight), and document the minimum. The OIV apparatus helps, but it does not substitute for the NIS 2 obligation register.

How the platform helps

We build the NIS 2 obligation register on the EU layer, not on any single national transposition. The same checklist works for a French subsidiary using Ordonnance n° 2024-1093, a German parent using BSIG, and a Dutch sister using the Cyberbeveiligingswet. Article references switch per locale; the substantive obligations do not.

For French scope you start with the applicability check, then move to incident reporting cadence, supply chain clauses and management body sign-off. Where ANSSI publishes sector guidance, we reference it; we do not duplicate it.

Sources
  • Directive (EU) 2022/2555 (NIS 2): EUR-Lex
  • Commission Implementing Regulation (EU) 2024/2690
  • Ordonnance n° 2024-1093 du 2 décembre 2024: Légifrance
  • Code de la défense, Articles L.1332-1 et suivants (OIV): Légifrance
  • ANSSI: Agence nationale de la sécurité des systèmes d'information, official site
  • MonEspaceNIS2: French NIS 2 registration portal (ANSSI)
  • ACPR / Banque de France: competent authority for DORA in the financial sector
Check your French scope in under five minutes
The applicability check applies the directive's size and sector test. If your French subsidiary is in scope, the next step is MonEspaceNIS2.