France
(a) What is the NIS2 implementation status?
France is now in the process of transposing the NIS2 Directive into national law. The work is piloted by France’s national digital security authority, the National Cybersecurity Agency of France (ANSSI), in conjunction with the different stakeholders in France and European partners.
On 14 October 2024, the Senate began discussing a draft law. However, this discussion was interrupted due to the government being overthrown by the parliament.
(b) What is the envisaged NIS2 implementation timeline?
A new government has since been appointed, and parliamentary proceedings should return to normal. That said, for the draft law to be adopted, it must be reviewed and approved by both chambers of parliament (the Senate and the National Assembly). Given the current political uncertainty and the fragility of the government, it is unclear when members of parliament will be able to proceed with this review, let alone finalize the process.
(c) What does the NIS2 mean for other national cybersecurity legislation?
The relevant prior regulations in France include the Military Programming Law of 2013, which introduced the concept of Organisations of Vital Interest (OIV): entities, whether private or public, that operate or use facilities deemed essential to the State and are thereby subject to high security requirements. In 2018, the transposition of the NIS Directive into French law led to the implementation of a complementary regime for operators of essential services (OSE), requiring measures to link the two regimes. With the NIS2 implementation, the ANSSI intends to continue its work on the articulation of the existing cybersecurity frameworks, with the aim of harmonising them and making them consistent. NIS2 provisions will also have to interact with sector-specific EU legal acts relating to cybersecurity, such as the Digital Operational Resilience Act (DORA) regulation for the financial sector. The NIS2 Directive specifically provides that any overlap will be addressed by treating DORA as lex specialis (i.e., a more specific law that overrides the more general NIS2 provisions).
(d) Who will be the supervisory authority and how are they preparing the market?
In France the ANSSI will be the supervisory authority able to carry out checks on regulated entities and issue orders in the event of non-compliance. In this context, the agency is currently working on defining the control mechanisms adapted to the scope of NIS2. In addition to its work to transpose the NIS2 Directive into French law (described above), the ANSSI is looking at ways to facilitate its interactions with future regulated entities, notably via an online tool that will also provide security solutions.
(e) What should you be doing/on the lookout for?
The NIS2 Directive will be the cornerstone of cybersecurity in Europe and most likely a “game changer” for the years to come, similar to other digital-age European acts such as the GDPR. At this stage, what needs to be done will likely depend on the sector concerned, as certain sectors have historically been subject to high security requirements for a number of years (energy, transport, banking, financial market infrastructures, healthcare, etc.), and therefore the steps towards ensuring day-one compliance will not be the same for everyone. On the one hand, entities already caught within the scope of cybersecurity regulation will have to scale up their compliance programs (implementation of processes, strategies, organisational and technical measures) to meet increasingly stringent requirements in terms of, for example, risk and incident management, supply chain security and cyber-accountability. On the other hand, entities less familiar with cybersecurity regulation will have to develop cybersecurity compliance exercises in order to meet the requirements. For all entities, however, the first preparatory steps would include gap assessments to help identify at an early stage the areas that would require the most additional investment. Entities can then stay on the front foot by taking a proactive approach aimed at developing an achievable implementation plan. In addition, entities may have to reassess and, where necessary, renegotiate agreements with third-party ICT service providers. Entities should also be prepared for increased supervisory engagement in this area, considering that the regulation provides authorities with wider mandates and powers. In conclusion, the real consideration for firms will ultimately be how they choose to approach it – as a compliance or “tick the box” exercise or as a potential strategic opportunity.
NIS2 will most likely be a key enabler for growth including for ICT service providers eager to embrace cybersecurity and make it a selling point to assist customers to achieve compliance.
Contact
Brian Robion E: brianrobion@eversheds-sutherland.com
Gaëtan Cordier E: gaetancordier@eversheds-sutherland.com
© Eversheds Sutherland. All rights reserved. Eversheds Sutherland is a global provider of legal and other services operating through various separate and distinct legal entities. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.