The NIS2 Directive will affect nearly 15,000 French companies, compared to about 500 under the first NIS Directive. If you run an SME or a mid-sized company in one of the 18 targeted sectors, the question is no longer whether you are affected, but when you will need to be compliant, and what that means in practice.
This guide answers the three questions everyone is asking: What is NIS2? Who is affected? And how can you get compliant without waiting until the last minute? It focuses on what really matters for small and medium-sized businesses: not regulatory theory, but what you actually need to do.
What exactly is NIS2?
NIS2 (short for Network and Information Security 2) is a European directive adopted on December 14, 2022, and entered into force on January 16, 2023. It replaces the original NIS Directive of 2016 and serves as the new framework for cybersecurity in organizations within the European Union.
Its goal: to raise the overall level of cybersecurity in the face of increasingly frequent and costly cyberattacks. Whereas the 2016 NIS Directive applied to only about 500 operators in France, NIS2 extends its requirements to several thousand entities in sectors deemed critical to the economy and society.
Specifically, NIS2 requires affected organizations to:
- establish a documented and proportionate cybersecurity risk management framework;
- report major incidents to the competent authority within strict time limits;
- involve senior management in cybersecurity oversight;
- secure their supply chain and subcontractors.
In France, the agency responsible for oversight and supervision is ANSSI (the National Cybersecurity Agency).
Please note: NIS2 is a directive, not a regulation. It must therefore be transposed into national law by each Member State in order to become fully enforceable. This explains the discrepancy between the European deadline and the actual date of entry into force in France.
The NIS2 Directive: What Has Changed Since NIS1
The NIS2 Directive is not merely an update. It represents a significant shift in three key areas: scope, obligations, and penalties.
The most significant change concerns the personal liability of executives. Under NIS2, a serious breach of cybersecurity obligations can now directly result in liability for senior management—a new development that makes compliance a matter for the executive committee, rather than just the IT department.
Who is affected by NIS2? Critical and significant entities
NIS2 distinguishes between two categories of organizations, based on their sector of activity and size. A company generally falls within the scope of the directive if it operates in one of the 18 targeted sectors and either employs at least 50 people or has annual revenue exceeding €10 million.
Special case: Certain entities are affected regardless of their size, namely DNS service providers, domain name registries, and telecommunications operators. Size is therefore not the only criterion; the role played in the digital ecosystem also matters.
How can you tell if this applies to you? ANSSI provides the MonEspaceNIS2 platform, which offers a free preliminary assessment tool. This is the recommended starting point for determining your situation before beginning the compliance process.
NIS2 Requirements: What Should Affected Companies Do?
Beyond its scope, NIS2 sets out specific requirements. These are organized around four pillars that all affected entities must document and be able to demonstrate in the event of an audit.
1. Cybersecurity risk management. Implement proportionate technical and organizational measures: security policy, access management, encryption, tested backups and a disaster recovery plan, and a business continuity plan.
2. Incident reporting. Report any significant incident to ANSSI promptly—typically an initial alert within 24 hours and an interim report within 72 hours.
3. Governance and executive leadership engagement. Executive bodies must receive cybersecurity training and approve risk management measures. This is a requirement, not a recommendation.
4. Supply chain security. Assess and manage risks associated with suppliers and subcontractors. Your service providers’ risks become your risks.
NIS2 Compliance: Timeline and Status of Implementation in France
This is the point that causes the most confusion. NIS2 is a European directive, but it is not directly applicable in France until the implementing law is enacted.
France has missed the European deadline of October 17, 2024. The transposition is being carried out through the Resilience Bill (concerning the resilience of critical infrastructure and the strengthening of cybersecurity), which also covers the DORA and REC frameworks.
Once the law is enacted, affected companies will have a transition period (up to three years for certain categories) to achieve full compliance. ANSSI has also announced a phased approach: awareness-raising, followed by targeted audits, and then penalties for persistent violations.
Since March 17, 2026, ANSSI has made the Cyber France Framework (ReCyF) available, which details the recommended measures for achieving the security objectives set by NIS2. Although not yet mandatory, this framework allows future regulated entities to cite it in the event of an audit.
Where should you start with NIS2 compliance?
Here is a practical approach to organizing your compliance efforts without waiting for the implementing legislation to be finalized.
1. Check your scope. Use ANSSI’s MonEspaceNIS2 platform to determine whether you are an essential, significant, or out-of-scope entity.
2. Conduct an assessment. Evaluate your current security posture: access management, backups, monitoring, disaster recovery plan, and employee awareness.
3. Establish a governance framework. Involve senior management, appoint a lead, and schedule cybersecurity training for executives.
4. Close the gaps. Implement any missing technical measures (EDR, MFA, encryption, immutable backups, incident detection) using the ReCyF framework.
5. Oversee your subcontractors. Include security requirements in your supplier contracts.
In practical terms, what does that look like for an SME?
Here is an example of a compliance roadmap for a typical large entity (an industrial SME with approximately 120 employees).
How much does it cost, and how long does it take? It all depends on where you start, but here are some rough estimates.
This is where an experienced IT partner can save you time. At IT Systèmes, we help small and medium-sized businesses and growing companies achieve compliance through our cybersecurity solutions and managed IT services, which include 24/7 monitoring, threat detection, and oversight by an external CISO, all of which are essential components for meeting NIS2 requirements.
FAQ — Frequently Asked Questions About NIS2
What does NIS2 mean?
NIS2 stands for "Network and Information Security 2." It is the second version of the European Union's Network and Information Security Directive, adopted in December 2022 to strengthen cybersecurity within the European Union.
Does NIS2 apply to my company?
You are likely affected if you operate in one of the 18 targeted sectors and have at least 50 employees or generate more than €10 million in revenue. The free preliminary assessment on ANSSI’s MonEspaceNIS2 platform allows you to verify this with precision.
What are the penalties for non-compliance with NIS2?
Penalties can reach up to €10 million or 2% of global revenue for critical entities. NIS2 also introduces personal liability for executives in cases of serious non-compliance.
When does NIS2 take effect in France?
The directive is not yet fully in effect in France: its implementation depends on the enactment of the Resilience Act, expected in 2026. However, ANSSI recommends that companies begin preparing for compliance now.
What is the difference between an essential entity and a significant entity?
Essential entities operate in the most critical sectors and are subject to proactive oversight by ANSSI. Significant entities operate in broader critical sectors and are subject to retrospective oversight, triggered by an incident or a report.