Operating in France Under NIS2? What ANSSI Requires That Your EU Compliance Plan Likely Misses
France’s NIS2 transposition law is still working through parliament, but ANSSI launched its entity pre-registration portal in November 2025 and published a 20-objective national compliance framework in March 2026. For English-speaking organisations with entities or operations in France, the compliance gap is concrete: a standard EU-wide NIS2 programme typically addresses the directive’s ten broad security domains under Article 21. France’s Référentiel Cyber France (ReCyF) translates those ten domains into 20 specific, auditable objectives — and ISO 27001 certification directly covers two of them.
This guide covers four compliance dimensions that a generic EU programme will not address: ANSSI’s role as France’s combined competent authority, CSIRT, and standards body; the current transposition timeline and what is stable enough to act on now; the OIV/LPM obligation that runs parallel to NIS2 for critical operators; and ReCyF’s France-specific requirements. It also covers the MonEspaceNIS2 pre-registration process and the practical compliance steps for 2026.
Who Falls Under French NIS2? Entity Scope at a Glance
France’s NIS2 implementation is expected to bring approximately 15,000–18,000 entities into regulatory scope — up from roughly 500 under NIS1. That expansion reflects NIS2’s wider sector coverage (18 sectors versus NIS1’s 7) and France’s inclusion of mid-size organisations. Establish which category applies to your French entity before reading further.
| Category | Size Threshold | Representative Sectors | Supervision Model |
|---|---|---|---|
| Essential Entity (EE) | ≥250 employees or significant revenue in critical sectors | Energy, transport, banking, healthcare, drinking water, digital infrastructure, space | Proactive — mandatory audits, on-site inspections, penetration testing (Article 32) |
| Important Entity (IE) | ≥50 employees or ≥€10 million annual turnover | Postal services, waste management, chemicals, food production, manufacturing, digital providers | Ex-post — triggered by evidence of non-compliance (Article 33) |
| OIV (dual obligation) | Designated by ministerial order under the 2013 LPM | All 16 SAIV sectors: energy, defence, finance, telecoms, healthcare, food, public research | LPM controls + NIS2 supervision — both apply independently |
For the full NIS2 scope criteria across EU member states — including the micro-enterprise exemptions and sector-specific thresholds under Annexes I and II — see our scope guide. ANSSI also provides an online classification simulator via the MonEspaceNIS2 portal for entities unsure of their status.
ANSSI and CERT-FR: France’s Combined NIS2 Authority
ANSSI — Agence nationale de la sécurité des systèmes d’information — serves as France’s single point of contact for NIS2. Where most EU member states distribute supervisory and incident response functions across separate bodies, France concentrates three functions in this one agency.
Supervisory and enforcement authority: ANSSI oversees compliance of both essential and important entities. It conducts audits, issues compliance orders, and levies administrative fines. For essential entities, supervision is proactive and ongoing. For important entities, it is triggered by evidence of non-compliance or a reportable incident.
National CSIRT: CERT-FR, operated within ANSSI, handles cybersecurity incident response coordination 24 hours a day. Significant cybersecurity incidents under the French NIS2 regime are reported here — not to a separate body. Contact: cert-fr.cossi@ssi.gouv.fr | +33 (0)1 71 75 84 68.
Technical standards body: ANSSI publishes ReCyF, the national framework that operationalises NIS2 Article 21 into France-specific security objectives. No other EU member state has produced an equivalent national-level compliance framework at this level of specificity. ANSSI also endorses the EBIOS Risk Manager methodology as the preferred approach for risk assessment under ReCyF Objective 16.
The practical implication of this concentration: your French entity has one agency for compliance questions, audit responses, incident reporting, and technical standards. General NIS2 queries go to nis@ssi.gouv.fr. The MonEspaceNIS2 portal at messervices.cyber.gouv.fr/nis2 is the primary channel for entity registration and guidance.
French NIS2 Transposition: Timeline and Current Status
France missed the EU’s October 17, 2024 transposition deadline. On May 7, 2025, the European Commission issued a reasoned opinion — a formal step toward infringement proceedings. The delay stems partly from France’s strategic decision to bundle NIS2 and the Critical Entities Resilience (CER) Directive into a single legislative instrument — the Loi relative à la résilience des infrastructures critiques et au renforcement de la cybersécurité — rather than enacting separate laws for each directive as most member states did.
| Date | Event |
|---|---|
| October 17, 2024 | EU transposition deadline — France misses it |
| March 12, 2025 | French Senate adopts the bill (first reading) |
| May 7, 2025 | European Commission issues reasoned opinion for non-transposition |
| September 10, 2025 | National Assembly committee vote |
| Q1–Q2 2026 | Final adoption and presidential promulgation expected |
| Q2 2026 | ANSSI publishes implementing technical decrees (arrêtés) |
| Q3 2026 | Mandatory entity registration phase opens via MonEspaceNIS2 |
ANSSI has publicly encouraged entities to begin compliance work now rather than waiting for the final law. The ReCyF framework and entity scope criteria are stable — the implementing arrêtés will add technical specificity, not new conceptual requirements. Organisations that wait for promulgation before starting gap assessments will face a compressed timeline when registration deadlines are announced.
For organisations already familiar with the NIS2 directive at the EU level, the French transposition follows the directive’s structure closely — with the significant addition of ReCyF as a France-specific implementation layer applied on top of Article 21’s ten broad domains.
OIV and LPM: The Dual-Compliance Challenge
France’s Loi de Programmation Militaire (LPM), enacted in 2013, designated approximately 300 organisations as Opérateurs d’Importance Vitale (OIV) — operators whose activities are indispensable to national survival. These operators must protect their designated Systèmes d’Information d’Importance Vitale (SIIV) under rules administered by ANSSI, organised across 16 Secteurs d’Activité d’Importance Vitale (SAIV). The SAIV sectors — energy, defence, finance, food production, healthcare, telecoms, public research, and others — substantially overlap with NIS2’s Annex I.
An OIV that also meets NIS2 scope criteria does not get to choose between frameworks. Both apply in full.
| Requirement | LPM / OIV Regime | NIS2 Essential Entity Regime |
|---|---|---|
| Legal basis | National law (Defence Code, LPM 2013) | EU Directive 2022/2555 / French transposition law |
| Scope determination | Ministerial designation by sector | Sector + size threshold (self-assessment + ANSSI confirmation) |
| Risk management | SIIV-specific 20-point security rules across governance, risk, protection, incident response, and system control | ReCyF objectives 1–20 (operationalising Article 21) |
| Incident notification | To ANSSI under national law | To ANSSI (CERT-FR) within 24–72 hours |
| Security controls | ANSSI-controlled mandatory audits | Proactive supervision — audits, on-site inspections, penetration testing |
| Operational consequence of non-compliance | SIIV cannot operate — ANSSI certification required before resuming activity | Administrative fines up to €10M or 2% global turnover — operations continue during enforcement |
The certification requirement under LPM carries an immediate operational consequence that NIS2 does not: a SIIV that fails ANSSI’s compliance review cannot legally operate until validated. Under NIS2, enforcement is administrative — fines and orders are issued, but operations are not halted. For OIV-designated organisations, the LPM risk is therefore more operationally acute than NIS2’s financial penalties, even though both are significant.
ANSSI has stated its intention to progressively harmonise the OIV and NIS2 frameworks. That harmonisation has not been enacted as of mid-2026. Compliance teams at dual-designated organisations should maintain separate documentation, separate incident notification procedures, and separate audit trails for each regime until the implementing decrees confirm any unified approach.
Former OSE designations do not carry over. If your French entity held NIS1 Opérateur de Services Essentiels (OSE) status, that designation is superseded by the new EE/IE classification. OSE status does not automatically convert — you must conduct a fresh assessment against NIS2 thresholds and register via MonEspaceNIS2.
ReCyF: What France’s 20 Security Objectives Actually Require
The Référentiel Cyber France (ReCyF), published in version 2.5 on March 17, 2026, is ANSSI’s operationalisation of NIS2 Article 21. Where the directive specifies ten broad security domains, ReCyF translates these into 20 concrete, auditable security objectives — each with defined acceptable compliance means that ANSSI will recognise as satisfying the requirement.
The starting point for most compliance teams: ISO 27001 certification directly satisfies approximately 2 of the 20 objectives. ISO 27002 implementation bridges to roughly 80% coverage. The remaining gap is significant and France-specific — it does not exist in most other EU member state implementations.
ReCyF divides into two tiers by entity classification:
- Objectives 1–15 apply to all entities — both Important and Essential. These cover foundational governance, system protection, incident response, and resilience.
- Objectives 16–20 currently apply only to Essential Entities. ANSSI has indicated these will be extended to Important Entities within a few years as the threat landscape evolves. Scalable implementation from the outset is advisable.
Objectives 1–15 (all entities):
- Governance (1–4): IS asset inventory and perimeter definition; governance framework and information security policy (PSSI); third-party and supplier security management; HR security integration across the employee lifecycle
- Protection (5–11): Physical access controls to sensitive areas; network segmentation and architecture; remote access security; anti-malware and endpoint protection; identity and access management; account privilege management and security; system administration procedures
- Defence (12): Incident identification, response, and reporting processes — maps directly to NIS2 Article 21(2)(b)
- Resilience (13–15): Backup and data recovery planning; business continuity and crisis management; regular exercises and resilience testing
Objectives 16–20 (Essential Entities only):
- Objective 16 — Risk-based management: A formal, structured cyber risk assessment methodology. ANSSI endorses EBIOS Risk Manager. This is the most significant departure from ISO 27001, which permits organisations to choose their own risk management approach; ReCyF Objective 16 prescribes a structured methodology, so compliance is inseparable from a structured cyber risk assessment.
- Objective 17 — Security audits: Regular security audits conducted or commissioned by ANSSI. These are not voluntary self-assessments — they are ANSSI-controlled reviews of the entity’s compliance posture.
- Objective 18 — Configuration hardening: Documented hardening of system configurations against known vulnerabilities, applying ANSSI-defined benchmarks.
- Objective 19 — Dedicated administration: Administration of critical systems from dedicated, isolated resources — not from general-purpose workstations or shared admin accounts.
- Objective 20 — Continuous oversight: An ongoing security oversight function — not periodic review. In practice, this maps to a Security Operations Centre (SOC) function or equivalent continuous monitoring capability.
ReCyF also introduces a France-specific physical-cyber convergence requirement. Physical access controls under Objective 6 are treated as a cybersecurity control, not a facilities management matter. French APSAD certification frameworks (D32, D83, R31, R81, R82 — attestation standards for physical access control and surveillance systems) are recognised as acceptable compliance means for specific ReCyF objectives, creating an additional certification layer not found in other EU member state implementations.
MonEspaceNIS2: How to Pre-Register with ANSSI
Since November 24, 2025, ANSSI has operated the MonEspaceNIS2 pre-registration portal at messervices.cyber.gouv.fr/nis2 (the original monespacenis2.cyber.gouv.fr domain now redirects here). Pre-registration is currently voluntary but will convert to mandatory registration once the transposition law takes effect and ANSSI opens the formal registration phase, expected in Q3 2026.
The pre-registration form takes approximately 5–10 minutes to complete. The data it requires, however, takes considerably longer to assemble in most organisations. Preparing the following now avoids a compliance scramble when mandatory registration opens:
- Entity identification: French registered office address, SIREN/SIRET number
- Sector classification: Primary sector and sub-sector per NIS2 Annexes I and II
- Size data: Employee headcount, annual turnover, balance sheet total
- Geographic scope: EU member states where the entity provides services
- Incident contact: Named contact for cybersecurity incidents — name, role, direct phone, email
- Network infrastructure: IPv4 and IPv6 address ranges, domain names, Autonomous System Numbers (ASNs) — this data requires coordination with your network team and may take days to compile accurately
The portal also includes a self-assessment simulator that helps entities determine their likely EE or IE classification based on sector and size inputs. Running this assessment before formal registration gives your team time to challenge an unexpected classification before it is submitted to ANSSI.
Supervision and Penalties in France
ANSSI’s supervisory powers under the draft French law align with NIS2 Articles 32 and 33, with authority to commission third-party audits and conduct penetration testing on essential entities.
Essential Entity supervision (proactive): Regular on-site inspections, off-site document audits, mandatory security audits commissioned by ANSSI, and penetration testing. ANSSI can initiate these without evidence of non-compliance — they are a routine feature of EE oversight, not an indication of suspected wrongdoing.
Important Entity supervision (ex-post): Triggered by evidence of non-compliance, following a reportable incident, or based on sector-wide risk assessments. ANSSI does not conduct routine proactive audits of IEs but retains full authority to request documentation and conduct investigations.
| Entity Type | Maximum Fixed Fine | Maximum % of Global Annual Turnover |
|---|---|---|
| Essential Entity | €10,000,000 | 2.0% |
| Important Entity | €7,000,000 | 1.4% |
Management accountability: NIS2 Article 20 holds senior management personally responsible for approving and overseeing cybersecurity risk management measures. The French transposition preserves this accountability framework. Board-level sign-off on the security policy is a documented obligation that ANSSI will look for in audits — not a procedural formality. Organisations that route security governance exclusively through IT without board-level documentation face specific exposure under this provision.
Does This Apply to My French Entity? Decision Framework
| Question | If Yes | If No |
|---|---|---|
| Does your French entity operate in a sector listed in NIS2 Annexes I or II? | Continue assessment | Likely out of scope — verify with the MonEspaceNIS2 simulator |
| Does it have ≥50 employees OR ≥€10M annual turnover? | Likely IE or EE — continue | Likely out of scope (unless critical infrastructure regardless of size) |
| Does it have ≥250 employees OR operate in a highly critical sector (energy, health, transport, banking)? | Likely Essential Entity — all 20 ReCyF objectives apply | Likely Important Entity — objectives 1–15 apply |
| Is the entity already designated as an OIV under the LPM? | Both LPM and NIS2 apply — maintain separate compliance documentation for each regime | NIS2 only applies |
| Was it previously designated as an OSE under NIS1? | OSE status does not carry forward — re-assess against NIS2 thresholds and register via MonEspaceNIS2 | No action required on OSE basis |
Compliance Roadmap for French Operations
Given the registration deadline expected in Q3 2026, here is a practical sequence for organisations not yet engaged with French NIS2 compliance.
Immediate — before the law takes effect:
- Run the MonEspaceNIS2 self-assessment simulator at messervices.cyber.gouv.fr/nis2 to establish your likely EE or IE classification
- Complete voluntary pre-registration — begin assembling SIREN/SIRET data, IP address ranges, ASNs, and incident contact details
- If OIV-designated: verify with your legal team whether dual-compliance documentation is current under both LPM and NIS2 frameworks and whether SIIV designations are up to date
- If formerly designated OSE: initiate a fresh NIS2 scope assessment — do not assume NIS1 compliance maps to NIS2 status
Gap assessment — next 60–90 days:
- Map existing controls against ReCyF objectives 1–15 using ANSSI’s gap template; for ISO 27001-certified entities, focus on objectives not covered by your current certification scope
- Identify board-level documentation needed for management accountability under Article 20 — most organisations are missing this even if technical controls are mature
- Assess whether incident notification procedures meet the 24-hour early warning and 72-hour full notification timeline for reporting to CERT-FR
Post-transposition — Q3–Q4 2026:
- Complete formal registration once ANSSI opens the mandatory phase
- Essential Entities: implement ReCyF objectives 16–20, with priority on Objective 16 (EBIOS risk management) and Objective 20 (continuous oversight / SOC function)
- Establish supply chain security documentation consistent with ReCyF Objective 4 (third-party and supplier management)
As a general guideline, initial compliance investment runs approximately €100,000–€200,000 for Important Entities and €450,000–€880,000 for Essential Entities, with roughly 10% of the initial investment required annually for ongoing maintenance. These are practitioner estimates, not official ANSSI figures.
Frequently Asked Questions
Is NIS2 already law in France?
No. As of mid-2026, the French transposition law is still completing its parliamentary process. Final promulgation is expected in 2026. ANSSI has opened pre-registration and published ReCyF — the compliance framework is stable enough to act on now, but the law itself is not yet in force.
Does ISO 27001 certification satisfy France’s NIS2 requirements?
Not substantially. ISO 27001 directly addresses approximately 2 of ReCyF’s 20 objectives. ISO 27002 implementation can reach roughly 80% coverage. Significant remaining gaps fall particularly in EBIOS-based risk management (Objective 16), ANSSI-controlled audits (Objective 17), system hardening benchmarks (Objective 18), and dedicated administration resources (Objective 19).
Do OIVs still need to comply with NIS2?
Yes, if they meet NIS2 scope criteria. The LPM framework and NIS2 are separate legal regimes — one national, one EU-derived. An OIV that meets NIS2 size and sector thresholds must comply with both. ANSSI has stated its intention to harmonise the frameworks but has not yet done so.
What is CERT-FR and when do I report to it?
CERT-FR is France’s national CSIRT, operated by ANSSI. Under NIS2, significant cybersecurity incidents must be notified to ANSSI via CERT-FR within 24 hours of becoming aware (early warning), with a full notification within 72 hours. CERT-FR operates 24/7 at cert-fr.cossi@ssi.gouv.fr.
Does a French subsidiary of a non-EU company need to comply?
Yes, if the French entity itself meets scope criteria. Classification is based on the French entity’s own employee count, turnover, and sector — not the parent company’s global profile. A large multinational’s small French subsidiary may be out of scope; a mid-size French entity in a critical sector will not be.
This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.