
France’s NIS2 Competent Authority Explained: ANSSI’s Triple Role, the Live Cyber France Framework, and What to Do Before the National Law Passes

France’s NIS2 transposition deadline was 17 October 2024. As of June 2026, the national implementing law — the Projet de Loi Résilience — still hasn’t reached the statute book. Yet ANSSI, France’s national cybersecurity agency, is not waiting. It published the Référentiel Cyber France readiness framework in March 2026, opened pre-registration for in-scope entities in November 2025, and continues to operate as the active hub for NIS2 supervision, incident coordination, and cross-border liaison.

This situation — a European directive already in legal effect, a national law still pending, and a supervisory agency already acting — creates specific compliance questions for French organisations and those providing services into France. Understanding ANSSI’s institutional role under the directive is the starting point. For a broader overview of France’s NIS2 landscape, see our France NIS2 guide.

This article explains each of ANSSI’s three NIS2 roles, what the Référentiel Cyber France (ReCyF) requires across 20 security objectives, why the national law is delayed, and five concrete steps your organisation can take before it passes.

Does NIS2 Apply to Your Organisation in France?

Two entity classifications determine what you must do and how ANSSI will supervise you. The classification depends on your sector and your size. If your organisation operates in a regulated sector and employs at least 50 people — or has annual turnover above €10 million — you are likely in scope. Essential entities face stricter obligations than important entities, but both must comply once the national law passes.


Classification | Size threshold | Regulated sectors
Essential Entity (EE) | ≥250 employees, OR ≥€50M turnover AND ≥€43M balance sheet | Annex I (highly critical): energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, space
Important Entity (IE) | ≥50 employees AND ≥€10M turnover | Annex I sectors (medium-size) plus Annex II: postal and courier services, waste management, chemicals, food production, manufacturing, digital providers (online marketplaces, search engines, social platforms)
Automatically Essential — no size test | Any size | DNS providers, TLD registries, cloud computing services, data centre services, CDN providers, managed service providers, managed security service providers, trust service providers, public electronic communications networks

France’s implementing law is expected to bring approximately 15,000 entities within NIS2 scope — up from roughly 500 under the original NIS Directive [5]. See our guide to essential vs. important entity classification for the full eligibility criteria. If you are unsure which classification applies, ANSSI’s scope simulator at messervices.cyber.gouv.fr/nis2 provides a preliminary assessment in 5 to 10 minutes [8].

ANSSI’s Triple Role Under NIS2: Authority, CSIRT, and Cross-Border Contact

Most EU member states divided NIS2 oversight across multiple agencies. France took a centralised approach: ANSSI holds three legally distinct roles simultaneously, each rooted in a different article of Directive 2022/2555.

Role 1 — National Competent Authority (NCA)

Under Article 8(1) of Directive 2022/2555, each member state must designate one or more competent authorities responsible for cybersecurity supervision [1]. France designated ANSSI as its sole NCA. As NCA, ANSSI maintains the official registry of essential and important entities, exercises supervisory and enforcement powers, conducts compliance inspections, and can issue binding instructions and impose administrative fines.

Role 2 — Single Point of Contact (SPOC)

Article 8(3) of NIS2 states that where a member state designates only one competent authority, that body shall also serve as the single point of contact [1]. Since France designated ANSSI as its sole NCA, ANSSI automatically fills the SPOC function. It is France’s liaison with other EU member states, the European Commission, and ENISA for all cross-border NIS2 matters. If your organisation is headquartered in another EU country but provides services into France, ANSSI is the coordinating contact for jurisdiction questions under Article 26 of the directive.

Role 3 — National CSIRT (CERT-FR)

Under Article 10 of NIS2, each member state must designate or establish one or more Computer Security Incident Response Teams [2]. France’s designated national CSIRT is CERT-FR — ANSSI’s 24/7 incident response division, contactable at cert-fr.cossi@ssi.gouv.fr. Article 10 explicitly permits CSIRTs to operate within competent authorities [2], making ANSSI the institutional home of all three functions. The European Commission’s official NIS2 designation list confirms ANSSI as France’s SPOC and competent authority, and CERT-FR as France’s national CSIRT [3].

Why the triple role matters for your organisation: when a significant incident triggers Article 23 notification obligations, you report to CERT-FR. When ANSSI’s NCA function opens a compliance investigation, it draws on threat intelligence CERT-FR has gathered. When cross-border supervision is needed, ANSSI’s SPOC role activates. The same institution handles all three interactions — but each has a different legal basis, a different timeline, and different evidence requirements. For a detailed breakdown of what to report and when, see our Article 23 incident notification guide.

What ANSSI Can Do If You Don’t Comply

ANSSI’s enforcement powers depend on whether you are classified as an essential or an important entity. The distinction matters: essential entities face ongoing proactive supervision; important entities face reactive oversight triggered by evidence of non-compliance.

For essential entities, ANSSI exercises proactive, ex-ante supervision. It can conduct on-site or remote inspections without advance notice, order security audits by approved third-party bodies, issue binding instructions requiring specific security measures, and — for persistent non-compliance — pursue a temporary prohibition on a person exercising management responsibilities at chief executive or legal representative level. That personal liability mechanism flows from Article 20(1) of the directive, which makes governing bodies responsible for approving and overseeing cybersecurity risk management. Board members should take note: the liability is not confined to the organisation’s legal entity.

For important entities, supervision is reactive (ex-post): ANSSI generally acts on evidence of a violation before opening formal proceedings. Triggers include failure to notify a significant incident, evidence of systemic non-compliance with Article 21 measures, or a significant breach affecting service continuity.

The penalty structure under Article 34 of Directive 2022/2555 [1]:

Entity type | Maximum administrative fine
Essential Entity | €10,000,000 or 2% of total worldwide annual turnover, whichever is higher
Important Entity | €7,000,000 or 1.4% of total worldwide annual turnover, whichever is higher

These are statutory maxima. ANSSI will determine the actual fine based on severity of the violation, whether the entity cooperated, prior compliance history, and whether any economic advantage was gained from the breach. For the full range of supervisory tools available to ANSSI and other EU competent authorities, see our guide to NIS2 supervisory measures.

The Cyber France Reference Framework (ReCyF): ANSSI’s Voluntary Readiness Tool

Because France’s national law has not yet passed, ANSSI cannot formally compel entities to implement specific security controls under NIS2. The Référentiel Cyber France — published on 17 March 2026 as a working document at Campus Cyber — is ANSSI’s answer: a structured framework that translates NIS2’s abstract Article 21 obligations into 20 concrete security objectives, telling entities exactly what ANSSI will look for when formal supervision begins [4].

ReCyF’s four objective families:

Family | Objectives | Focus areas | Applies to
Governance & Steering | 1–5 | Scope definition, roles and responsibilities, security policies, compliance monitoring, third-party security management | Essential + important entities
IT Protection | 6–11 | Access control, network segmentation, remote access governance, anti-malware, identity and access management | Essential + important entities
Detection, Response & Resilience | 12–15 | Incident management, backup and recovery, crisis management, testing and exercises | Essential + important entities
Enhanced Requirements | 16–20 | Formal risk management, independent audits, system hardening, dedicated security administration | Essential entities only

How ReCyF differs from the directive text: NIS2 Article 21 specifies ten categories of security measures (the “what”). ReCyF goes further — for each objective, it defines the security goal ANSSI expects the entity to achieve, and then specifies acceptable compliance means: the concrete measures ANSSI will accept as evidence of achieving that goal during an inspection. ANSSI positions ReCyF as non-obligatory per se, but as the recognised compliance pathway for demonstrating conformity when formal supervision begins [4].

The proportionality principle in practice: Objectives 1–15 apply to both essential and important entities, scaled to organisational size and resources. Objectives 16–20 apply to essential entities only — a medium-sized important entity is not expected to meet the same audit depth and formal risk governance requirements as a major infrastructure operator.

The ISO 27001 gap: many French organisations hold ISO 27001 certification and assume it covers their NIS2 exposure. It doesn’t. As a general guideline, ISO 27001 certification addresses approximately 2 of ReCyF’s 20 objectives for essential entities. ISO 27002:2022 controls applied broadly can support around 80% coverage — but the gap sits primarily in the enhanced requirements (Objectives 16–20) that certification alone does not demonstrate [6]. See our NIS2 vs ISO 27001 comparison for the detailed control mapping.

Why France’s NIS2 Law Is Still Pending

France missed the EU transposition deadline by two days: the Projet de Loi Résilience was presented to the Council of Ministers on 15 October 2024, against the 17 October 2024 deadline [7]. The legislative journey since then has been longer than expected.

Date | Event
15 October 2024 | Projet de Loi Résilience presented to Council of Ministers
17 October 2024 | EU NIS2 transposition deadline missed [7]
12 March 2025 | French Senate adopted the bill with amendments [7]
7 May 2025 | European Commission issued a reasoned opinion for non-compliance [3]
10 September 2025 | National Assembly special commission voted on revised text (244 amendments adopted)
July 2026 | Final parliamentary adoption expected

The bill transposes NIS2, the CER (Critical Entities Resilience) Directive, and DORA elements in a single package. Its primary operational anchor for NIS2 is Article 14.

What is causing the delay: the bill has broad parliamentary support, but one provision introduced by the Senate has become a political flashpoint. Article 16 bis prohibits requiring encryption service providers to create backdoors or deliberate vulnerabilities in messaging systems. France’s domestic intelligence service (the DGSI) objects to this provision, which would restrict its ability to access encrypted communications. This tension between cybersecurity law — which seeks to protect encryption — and law enforcement access — which seeks entry points into it — is slowing a text otherwise considered consensual and urgent given the European context.

What the EU infringement proceeding means for you: the European Commission’s reasoned opinion is the second step in the EU infringement procedure. It creates legal and political pressure on France to transpose the directive faster, but it imposes no direct obligation on private-sector or public-sector entities. Your compliance obligations flow from the French national law once it is enacted — not from the infringement proceedings themselves.

Five Steps to Take Before the National Law Passes

Waiting for the law to enter force before starting preparation is legally defensible. It is, however, financially expensive. Government estimates indicate initial compliance costs of €100,000–€200,000 for important entities and €450,000–€880,000 for essential entities, plus approximately 10% of the initial investment annually [6]. Starting now distributes that cost over a longer window, builds institutional knowledge before deadlines arrive, and avoids the supplier contract renegotiation backlog many German entities encountered when that country’s NIS2 law came into force in 2025.

Step 1: Pre-register on MonEspaceNIS2

ANSSI opened voluntary pre-registration on 24 November 2025 at the portal accessible via messervices.cyber.gouv.fr/nis2 [8]. The guided form takes 5 to 10 minutes and collects your organisation’s SIREN number, sector of activity, employee count, annual turnover, EU operational footprint, and cybersecurity incident management contact details. Pre-registration is not legally required today, but it positions your organisation for a smoother formal registration process once the law passes and signals proactive engagement to ANSSI.

Step 2: Use the scope simulator to confirm your classification

The same portal includes a scope simulator that processes your sector, size, and service type and returns a preliminary assessment of whether you are likely to qualify as an essential entity, an important entity, or out of scope. The result determines which ReCyF objective set applies — all 20 for essential entities, or Objectives 1–15 for important entities.

Step 3: Conduct a ReCyF gap assessment against Objectives 1–15

Map your current security posture against ReCyF’s first 15 objectives. Objectives 1–5 (governance and steering) are where most organisations find significant gaps: documented scope definition, ownership assignments, and third-party security requirements are commonly missing. Objectives 6–11 (IT protection) often have partial coverage from existing ISO 27001 programmes but with undocumented areas. Objectives 12–15 (detection, response, resilience) are the most common shortfall — incident response plans that have never been tested, backup procedures without documented recovery time objectives, and business continuity arrangements that exist on paper but have not been exercised. Use the gap results to build a prioritised remediation plan. For structural guidance, see our NIS2 gap analysis guide.

Step 4: Embed NIS2 security clauses in supplier contracts now

Article 21(2)(d) of NIS2 requires entities to address supply chain security, taking into account vulnerabilities specific to each direct supplier. Including cybersecurity clauses in new contracts and negotiating them into renewals takes time. Starting now avoids the situation many organisations face when a transposition deadline arrives with hundreds of existing supplier agreements missing NIS2-relevant provisions. Our NIS2 supply chain security guide covers what those clauses should contain.

Step 5: Document your ANSSI contact points in incident response procedures

Once registered, your organisation will interact with ANSSI through two distinct channels: the NCA arm for compliance questions (nis@ssi.gouv.fr) and CERT-FR for incident reporting (cert-fr.cossi@ssi.gouv.fr). Under Article 23 of NIS2, the notification clock starts from the moment of detection — not from when you locate the correct address. Both contacts should be documented in your incident response procedures before an incident occurs, not after.

What Each Role Should Prioritise

Role | Immediate priority (before law passes) | First obligation after law passes
CISO / IT Security Manager | Run ReCyF gap assessment against Objectives 1–15; document existing controls as evidence for future ANSSI inspection | Submit incident notifications to CERT-FR within 24h (early warning) and 72h (notification) of detection under Article 23
Compliance Officer / Legal | Pre-register on MonEspaceNIS2; determine essential vs. important classification; review and update supplier contract templates with NIS2 clauses | File entity registration with ANSSI within the statutory deadline; maintain compliance documentation for ANSSI audits
SME Owner / Non-Technical | Use ANSSI’s scope simulator; understand cost estimates (€100K–€200K for important entities, per government estimates); identify a qualified cybersecurity adviser | Approve the information security policy — Article 20(1) places this obligation on the governing body, not the IT function
Board / C-Suite | Note Article 20(1) personal accountability: the governing body is responsible for approving cybersecurity risk-management measures and can be held liable for infringements | Formally approve and document the organisation’s NIS2 risk management approach and information security policy in board minutes

Frequently Asked Questions

Is ISO 27001 certification sufficient for NIS2 compliance under ANSSI?

No. ISO 27001 certification demonstrates that your information security management system meets the standard’s requirements, but it addresses approximately 2 of ReCyF’s 20 objectives for essential entities. ISO 27002:2022 controls applied broadly can support around 80% coverage. The gap sits primarily in the enhanced requirements (Objectives 16–20): formal risk management, independent audits, system hardening, and dedicated security administration. ANSSI accepts ISO 27001 as useful evidence but not as standalone proof of NIS2 compliance [6].

Does the European Commission’s infringement proceeding create obligations for my organisation?

No. The infringement proceeding is between the European Commission and the French state. It creates legal and political pressure on France to transpose the directive faster, but it imposes no direct obligation on private-sector or public-sector organisations. Compliance obligations flow from the French national law — the Loi Résilience — once it is enacted and in force.

My organisation is based in Germany but operates in France — which authority applies?

Under Article 26 of NIS2, jurisdiction generally follows where the entity has its main establishment in the EU for entities with multiple establishments, or where its registered office is for entities with only one EU establishment. If France is your main NIS2 establishment, ANSSI is your competent authority. If Germany is your main establishment, the BSI leads — but ANSSI remains involved as SPOC for incidents affecting services in France. Entities with meaningful operations in multiple EU member states should seek qualified legal advice on their Article 26 position.

Can my organisation contact ANSSI before the law passes?

Yes. ANSSI actively engages with entities in the pre-transposition period. The MonEspaceNIS2 portal at messervices.cyber.gouv.fr/nis2 is live and accepting pre-registrations. For NIS2-related compliance enquiries, the contact is nis@ssi.gouv.fr. For cybersecurity incident coordination, CERT-FR operates 24/7 at cert-fr.cossi@ssi.gouv.fr and is available to all organisations, not only those formally in scope [3].

This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.

Sources

  1. Article 8 — Competent authorities and single points of contact. NIS2 Directive (EU) 2022/2555. nis2resources.eu.
  2. Article 10 — Computer Security Incident Response Teams (CSIRTs). NIS2 Directive (EU) 2022/2555. nis2resources.eu.
  3. NIS2 Directive implementation in France. European Commission, Shaping Europe’s Digital Future. July 2025.
  4. ReCyF ANSSI: Understanding the framework and preparing for NIS 2. EGERIE. 2026.
  5. NIS2 France Implementation: Timelines, Fines & Roadmap for 2026. Copla. 2026.
  6. NIS2 Transposition in France — Where Things Stand. SPAC Alliance. 2026.
  7. NIS 2 Directive Transposition in France. nis-2-directive.com. Updated 2026.
  8. NIS 2 — MonEspaceNIS2. ANSSI official portal. messervices.cyber.gouv.fr.