Skip to content
PolicyForge
All posts
By Vyrhak SATH · Founder, NAGASHIELD SECURITY11 min

NIS2 in France: where the transposition law stands in 2026

The state of NIS2 transposition in France — the “resilience” bill timeline, who is in scope (15,000+ entities), essential vs important entities, sanctions, and what ANSSI’s ReCyF framework and MonEspaceNIS2 portal mean for your compliance plan.

Where the French NIS2 law stands

France has not yet transposed NIS2. The EU deadline for member states was 17 October 2024; as of 1 January 2026, 20 of the 27 member states had completed transposition — France is not among them. The French vehicle is the bill on the resilience of critical infrastructure and strengthening of cybersecurity (the “resilience” bill), which also transposes the CER and REC directives.

The timeline so far:

DateMilestone
17 October 2024EU transposition deadline — missed by France
March 2025Bill adopted by the Sénat
September 2025Adopted in committee at the Assemblée nationale
17 March 2026ANSSI publishes the ReCyF framework without waiting for the law
Mid-2026Plenary examination still pending — a political dispute over encryption provisions is holding up an otherwise consensual text

The delay changes when obligations bite, not whether. The requirements come from the directive itself, ANSSI has already published its expected measures, and the supervisory machinery is being built. Waiting for the final text is the one strategy that guarantees a rushed compliance project.

Who is in scope in France

NIS2 moves France from roughly 300 regulated operators under NIS 1 to more than 15,000 entities across 18 sectors — plus, under the current bill, around 1,000 intercommunal authorities and some 300 municipalities of more than 30,000 inhabitants.

Entities are classified in two tiers:

  • Essential entities (EE) — broadly, large organisations (250+ employees, or over €50M turnover) in highly critical sectors: energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management, public administration and space.
  • Important entities (IE) — broadly, mid-sized organisations (50+ employees, or over €10M turnover) in those sectors, and organisations of either size in the other critical sectors: postal services, waste management, chemicals, food, manufacturing, digital providers and research.

The obligations are broadly the same for both tiers; supervision and sanctions differ. Under the directive, essential entities face fines up to €10M or 2% of worldwide turnover, important entities up to €7M or 1.4% — and management bodies carry personal accountability.

Not sure which side you fall on? ANSSI’s MonEspaceNIS2 portal on cyber.gouv.fr includes an eligibility test that classifies your organisation in a few questions.

ReCyF: ANSSI’s answer to the parliamentary delay

On 17 March 2026, ANSSI published the Référentiel Cyber France (ReCyF) — a framework of 20 security objectives, each paired with acceptable means of compliance, scaled by a proportionality principle between essential and important entities.

Two things make ReCyF strategically important:

  • It is voluntary by default until the law passes, but an entity that applies it can rely on that work when ANSSI supervision begins — the framework is explicitly designed to become the reference for future controls.
  • It converts an abstract directive into a concrete checklist: governance, risk analysis, incident handling, continuity, supply-chain security, access control, MFA, vulnerability management, logging, training.

If you build your documentation against ReCyF now, the eventual French law is an administrative event, not a project.

What to do while Parliament debates

  1. Run the MonEspaceNIS2 eligibility test and record the result — it is your scoping evidence. For a first orientation in four questions, try our free NIS2 simulator.
  2. Map ReCyF’s 20 objectives against what you already have; the gaps are your roadmap.
  3. Write the documentary core — information security policy, risk analysis, incident response with 24h/72h notification, continuity, supplier security. Our 10-step NIS2 guide for SMEs walks through the full sequence.
  4. Brief your leadership: NIS2 makes management personally accountable, and that provision is not controversial in the French debate.

Primary sources

How PolicyForge helps

The NIS2 policy generator produces the documentary core NIS2 and ReCyF expect — security policy, risk management, incident response, continuity, supply chain, access control, vulnerability management, awareness — as structured, bilingual documents with approval blocks and review dates.

Start free → · See the NIS2 policies

Frequently asked questions

Has France transposed NIS2 yet?

No. As of mid-2026 the French transposition bill — the “resilience” bill covering NIS2, CER and REC — has been adopted by the Sénat (March 2025) and in committee at the Assemblée nationale (September 2025), but its plenary examination is still pending, delayed by a dispute over encryption provisions. The EU deadline was 17 October 2024.

What is ReCyF?

The Référentiel Cyber France, published by ANSSI on 17 March 2026, defines 20 security objectives with acceptable means of compliance for each, proportionate between essential and important entities. It is voluntary until the transposition law passes, but is designed to become the reference framework for future ANSSI supervision under NIS2.

How do I know if my company is an essential or important entity?

Broadly: large organisations (250+ employees or over €50M turnover) in highly critical sectors are essential entities; mid-sized organisations (50+ employees or over €10M turnover) and entities in the other critical sectors are important entities. ANSSI’s MonEspaceNIS2 portal on cyber.gouv.fr offers an eligibility test that classifies your organisation.

What are the NIS2 sanctions in France?

Under the directive, essential entities face administrative fines up to €10M or 2% of worldwide annual turnover, and important entities up to €7M or 1.4%, whichever is higher. NIS2 also makes management bodies personally accountable for approving and overseeing cybersecurity risk-management measures. The final French amounts will be fixed by the transposition law.

Should we wait for the French law before starting NIS2 compliance?

No. The obligations come from the directive and are already known; ANSSI published the ReCyF framework in March 2026 precisely so organisations can prepare without waiting, and recommends doing so. Entities that build their documentation against ReCyF now will treat the law’s entry into force as an administrative step rather than an emergency project.