Where the French NIS2 law stands
France has not yet transposed NIS2. The EU deadline for member states was 17 October 2024; as of 1 January 2026, 20 of the 27 member states had completed transposition — France is not among them. The French vehicle is the bill on the resilience of critical infrastructure and strengthening of cybersecurity (the “resilience” bill), which also transposes the CER and REC directives.
The timeline so far:
| Date | Milestone |
|---|---|
| 17 October 2024 | EU transposition deadline — missed by France |
| March 2025 | Bill adopted by the Sénat |
| September 2025 | Adopted in committee at the Assemblée nationale |
| 17 March 2026 | ANSSI publishes the ReCyF framework without waiting for the law |
| Mid-2026 | Plenary examination still pending — a political dispute over encryption provisions is holding up an otherwise consensual text |
The delay changes when obligations bite, not whether. The requirements come from the directive itself, ANSSI has already published its expected measures, and the supervisory machinery is being built. Waiting for the final text is the one strategy that guarantees a rushed compliance project.
Who is in scope in France
NIS2 moves France from roughly 300 regulated operators under NIS 1 to more than 15,000 entities across 18 sectors — plus, under the current bill, around 1,000 intercommunal authorities and some 300 municipalities of more than 30,000 inhabitants.
Entities are classified in two tiers:
- Essential entities (EE) — broadly, large organisations (250+ employees, or over €50M turnover) in highly critical sectors: energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management, public administration and space.
- Important entities (IE) — broadly, mid-sized organisations (50+ employees, or over €10M turnover) in those sectors, and organisations of either size in the other critical sectors: postal services, waste management, chemicals, food, manufacturing, digital providers and research.
The obligations are broadly the same for both tiers; supervision and sanctions differ. Under the directive, essential entities face fines up to €10M or 2% of worldwide turnover, important entities up to €7M or 1.4% — and management bodies carry personal accountability.
Not sure which side you fall on? ANSSI’s MonEspaceNIS2 portal on cyber.gouv.fr includes an eligibility test that classifies your organisation in a few questions.
ReCyF: ANSSI’s answer to the parliamentary delay
On 17 March 2026, ANSSI published the Référentiel Cyber France (ReCyF) — a framework of 20 security objectives, each paired with acceptable means of compliance, scaled by a proportionality principle between essential and important entities.
Two things make ReCyF strategically important:
- It is voluntary by default until the law passes, but an entity that applies it can rely on that work when ANSSI supervision begins — the framework is explicitly designed to become the reference for future controls.
- It converts an abstract directive into a concrete checklist: governance, risk analysis, incident handling, continuity, supply-chain security, access control, MFA, vulnerability management, logging, training.
If you build your documentation against ReCyF now, the eventual French law is an administrative event, not a project.
What to do while Parliament debates
- Run the MonEspaceNIS2 eligibility test and record the result — it is your scoping evidence. For a first orientation in four questions, try our free NIS2 simulator.
- Map ReCyF’s 20 objectives against what you already have; the gaps are your roadmap.
- Write the documentary core — information security policy, risk analysis, incident response with 24h/72h notification, continuity, supplier security. Our 10-step NIS2 guide for SMEs walks through the full sequence.
- Brief your leadership: NIS2 makes management personally accountable, and that provision is not controversial in the French debate.
Primary sources
- Directive (EU) 2022/2555 (NIS2) — full text on EUR-Lex (eur-lex.europa.eu/eli/dir/2022/2555/oj).
- ANSSI — NIS2 hub, ReCyF and MonEspaceNIS2 (cyber.gouv.fr).
- Sénat — dossier législatif du projet de loi résilience (senat.fr).
How PolicyForge helps
The NIS2 policy generator produces the documentary core NIS2 and ReCyF expect — security policy, risk management, incident response, continuity, supply chain, access control, vulnerability management, awareness — as structured, bilingual documents with approval blocks and review dates.