
NIS2 compliance for French and European companies in 2026

The NIS2 Directive (EU 2022/2555) has been transposed in France in 2025. Companies in 18 strategic sectors must achieve compliance before October 2026. Here is the operational guide for European SMBs and scale-ups.


The NIS2 Directive (Network and Information Security 2, Directive (EU) 2022/2555) is the European framework for cybersecurity in critical sectors. It was published in December 2022, member states had until October 17, 2024 to transpose it, and its measures apply from October 18, 2024. France transposed it in 2025, and mandatory registration with ANSSI is in progress.

Unlike NIS1 (Directive 2016/1148), the scope is dramatically expanded: 18 sectors instead of a handful, a uniform size-based rule instead of case-by-case national designation of operators, and personal liability of management bodies.

Are you concerned by NIS2?

Two cumulative criteria:

Criterion 1: strategic sector. The 18 sectors covered by Annexes I and II of the Directive are: energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure (DNS, TLD registries, cloud, datacenters, content delivery networks, trust services, public electronic communications networks and services), ICT service management (B2B), public administration, space, postal and courier services, waste management, chemicals, food, manufacturing of critical products (medical devices, electronics, machinery, vehicles), digital providers (marketplaces, search engines, social networks), research.

Criterion 2: size threshold. The Directive applies to medium-sized and large enterprises in those sectors: 50+ employees, or annual turnover and balance sheet total above €10M. Some services are in scope regardless of size (Article 2(2) and 2(3)): public electronic communications networks and services, trust service providers, TLD name registries and DNS service providers, domain name registration services, and entities designated as critical under the CER Directive.

If both criteria match, you are an essential entity (EE) or an important entity (IE), depending on the sector and your size.

Indirect supply chain effect

Even if you don't meet both criteria directly, you may be indirectly subject. NIS2 Article 21(2)(d) requires essential and important entities to manage the security of their supply chain, including their relationships with direct suppliers and service providers. In practice, your enterprise client (a bank, a healthcare provider, an energy company) will flow down contractual cybersecurity obligations to you: security questionnaires, audit rights, incident reporting clauses. Refusing them means losing the client.

Article 21 — the 10 mandatory measures

The mandatory common core for any regulated entity, proportional to its size and risk exposure:

  1. Risk analysis and information system security policies.
  2. Incident management.
  3. Business continuity (backups, disaster recovery, crisis management).
  4. Supply chain security (including direct suppliers and providers).
  5. Acquisition, development, maintenance security of network and information systems (vulnerability management, secure coding).
  6. Policies and procedures to assess effectiveness of cybersecurity risk management.
  7. Cyber hygiene basic practices and cybersecurity training.
  8. Cryptography and encryption policies.
  9. Personnel security, access control policies, asset management.
  10. Multi-factor authentication or continuous authentication, secure voice/video/text communications, secure emergency communications.

Incident notification — three deadlines

Article 23 imposes three escalating deadlines for significant incidents (incidents causing, or capable of causing, severe operational disruption or financial loss, or considerable damage to others):

  • Early warning: within 24 hours of becoming aware of the incident. States whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact.
  • Incident notification: within 72 hours of becoming aware. Updates the early warning with an initial assessment: severity, impact, indicators of compromise where available.
  • Final report: within 1 month of submitting the incident notification. Detailed description, severity and impact, type of threat or root cause, mitigation measures applied and ongoing, cross-border impact where applicable. If the incident is still ongoing at that point, a progress report is due instead, and the final report within one month of the incident being handled.

Notifications go to the national CSIRT (CERT-FR in France) or the competent authority (ANSSI). For significant incidents with cross-border impact, it is the CSIRT or competent authority, not the entity, that informs the other affected member states and ENISA. The clock starts at awareness, not at confirmation, so the incident management procedure must define who decides that an incident is "significant" and when.

Sanctions and personal liability

Administrative fines for non-compliance (Article 34), whichever amount is higher:

  • Essential entities: up to €10M or 2% of total worldwide annual turnover.
  • Important entities: up to €7M or 1.4% of total worldwide annual turnover.

The directive's significant innovation is management accountability. Article 20 requires management bodies to approve the cybersecurity risk management measures, oversee their implementation, and follow training; they can be held liable for infringements. For essential entities, Article 32(6) allows the authority to request a temporary prohibition on the CEO or legal representative exercising managerial functions. Cybersecurity training of executives and a clearly owned security function become regulatory imperatives, not optional best practices.

Roadmap to October 2026 compliance

For an organization starting in early 2026:

  • Months 1-2 — Eligibility analysis and registration. Confirm sector, size threshold, role (essential vs important). Register with ANSSI via MesServicesCyber.fr.
  • Months 2-4 — Gap analysis vs Article 21. Map current state against the 10 mandatory measures. Identify gaps. Build action plan.
  • Months 4-9 — Implementation. Document policies, deploy technical controls (MFA, EDR, immutable backups, vulnerability management, monitoring), establish incident management procedures, train management bodies.
  • Months 9-12 — Operational rehearsal. Tabletop exercises (incident response), test backups restoration, refine notification procedures, train teams.

Articulation with other frameworks

NIS2 is not isolated. It articulates with:

  • ISO 27001:2022: covers roughly 70% of Article 21 requirements through its Annex A controls. Strong foundation, but it does not by itself cover the notification deadlines or management body accountability.
  • DORA: for financial entities, lex specialis. Sector-specific Union acts prevail over NIS2 (NIS2 Article 4), and DORA Article 1(2) designates DORA as such an act.
  • CRA: for manufacturers of products with digital elements, a parallel obligation set (product security, vulnerability handling).
  • EU AI Act: for AI systems, a parallel obligation set.
  • GDPR: incident notification timelines partially overlap. GDPR requires breach notification to the supervisory authority within 72h; NIS2 requires the 24h early warning then the 72h notification; the CRA requires a 24h early warning and 72h notification for actively exploited vulnerabilities and severe incidents. One incident can trigger several clocks, so the notification procedure must coordinate them.

Common mistakes to avoid

Mistake 1: assuming NIS2 doesn't apply. The 18 sectors are broad and the supply chain effect catches many SMBs. A scope analysis is essential before concluding non-applicability.

Mistake 2: delegating to legal only. NIS2 has a heavy technical component (Article 21 mandatory measures). Legal teams alone can't operationalize. Cross-functional team (legal + technical + security) is required.

Mistake 3: treating NIS2 as a one-time project. NIS2 is continuous: annual reviews, supply chain re-assessments, evolving threat intel, regulatory updates. Plan for sustained operational effort, not a sprint.

Frequently asked questions

Is my company concerned by NIS2 in France?

Two cumulative criteria: (1) strategic sector (18 sectors in Annexes I and II: energy, transport, banking, healthcare, water, ICT services, etc.); (2) size threshold: 50+ employees, or turnover and balance sheet above €10M. Some services are in scope regardless of size (public electronic communications, trust services, DNS and TLD registries, domain name registration). Even sub-threshold companies may be indirectly subject through the supply chain effect.

What are the NIS2 incident notification deadlines?

Three escalating deadlines for significant incidents: early warning within 24h of awareness, formal notification within 72h of awareness, final report within 1 month of the notification. Notifications go to the national CSIRT (CERT-FR in France) or the competent authority (ANSSI). For cross-border incidents, the CSIRT or competent authority informs the other affected member states and ENISA.

What technical measures does NIS2 require?

Article 21 lists 10 mandatory measures: risk analysis, incident management, business continuity, supply chain security, secure development, MFA, encryption, training, asset management, and effectiveness assessment. Proportional to size and exposure. ISO 27001 covers ~70% of these.

What sanctions apply for NIS2 non-compliance?

For essential entities: up to €10 million or 2% of worldwide annual turnover, whichever is higher. For important entities: up to €7 million or 1.4%. Management bodies are accountable for the measures (Article 20), and for essential entities the CEO or legal representative can be temporarily barred from managerial functions (Article 32(6)). In France, ANSSI has inspection and injunction powers.

How does NIS2 articulate with DORA, CRA and ISO 27001?

DORA prevails over NIS2 for financial entities (lex specialis, NIS2 Article 4 and DORA Article 1(2)). CRA covers product cybersecurity (complementary, not overlapping). ISO 27001 covers roughly 70% of Article 21 requirements. The EU AI Act is a parallel obligation set for AI systems. Pooled compliance approaches, with one control set and one evidence base mapped to each framework, save an estimated 30-40% versus separate efforts.
