France
(a) What is the NIS2 implementation status?
France is now in the process of transposing the NIS2 Directive into national law. The work is piloted by France's national digital security authority, the National Cybersecurity Agency of France (ANSSI), in conjunction with the different stakeholders in France and with European partners. First, a consultation phase involving the concerned industry sectors is taking place, with the three-fold objective of defining the in-scope, future regulated entities; the interaction mechanisms to be put in place between the ANSSI and future regulated entities; and the cybersecurity risk management requirements necessary to comply with the NIS2 Directive. Then, the ANSSI envisages moving to a second phase aimed at refining the processes and resources to be implemented to support future regulated entities (including, in particular, helping entities understand how the directive affects them, assisting entities with their reporting obligations to the supervisory authority, and supporting them through the implementation of cybersecurity risk management measures).
(b) What is the envisaged NIS2 implementation timeline?
In order to meet the European deadline of October 2024 (Member States have until 17 October 2024 to transpose the directive into their national law), the bill preparation phase is underway with a view to its presentation to Parliament in the first quarter of 2024. The production phase for the application decrees and orders is due to be completed at the end of the ongoing consultations, so that these can be issued in the months following the promulgation of the bill.
(c) What does the NIS2 mean for other national cybersecurity legislation?
The relevant prior regulations in France include the Military Programming Law of 2013, which introduced the concept of Organisations of Vital Interest (OIV): organisations which, whether private or public, operate or use facilities deemed essential to the State and are thereby subject to high security requirements. In 2018, the transposition of the NIS Directive into French law led to the implementation of a complementary regime for essential service operators (OSE), requiring measures for linking the two regimes. With the NIS2 implementation, the ANSSI intends to continue its work to improve the articulation of the existing cybersecurity frameworks, with the aim of harmonising them and making them consistent. NIS2 provisions will also have to interact with sector-specific EU legal acts relating to cybersecurity, such as the Digital Operational Resilience Act (DORA) regulation for the financial sector. The NIS2 Directive specifically provides that any overlap will be addressed by DORA being considered as lex specialis (i.e., a more specific law that overrides the more general NIS2 provisions).
(d) Who will be the supervisory authority and how are they preparing the market?
In France, the ANSSI will be the supervisory authority, able to carry out checks on regulated entities and issue orders in the event of non-compliance. In this context, the agency is currently working on defining the control mechanisms adapted to the scope of NIS2. In addition to its work to transpose the NIS2 Directive into French law (described above), the ANSSI is looking at ways to facilitate its interactions with future regulated entities, notably via an online tool that will also provide security solutions.
(e) What should you be doing/on the lookout for?
The NIS2 directive will be the cornerstone of cybersecurity in Europe and most likely a "game changer" for the years to come, similar to other digital-age European acts such as the GDPR. At this stage, what needs to be done will likely depend on the sector concerned, as certain sectors have historically been subject to high security requirements for a number of years (energy, transport, banking, financial market infrastructures, healthcare, etc.), and therefore the steps towards ensuring day-one compliance will not be the same for everyone. On the one hand, entities already caught within the scope of cybersecurity regulation will have to scale up their compliance programmes (implementation of processes, strategies, and organisational and technical measures) to meet increasingly stringent requirements in terms of, for example, risk and incident management, supply chain security and cyber-accountability. On the other hand, entities less familiar with cybersecurity regulation will have to develop cybersecurity compliance exercises in order to meet the requirements. For all, however, the first preparatory steps would include gap assessments to help identify at an early stage the areas that would require the most additional investment. Entities can then stay on the front foot by taking a proactive approach aimed at developing an achievable implementation plan. In addition, entities may have to reassess and, where necessary, renegotiate agreements with third-party ICT service providers. Entities should also be prepared for increased supervisory engagement in this area, considering that the regulation provides authorities with wider mandates and powers. In conclusion, the real consideration for firms will ultimately be how they choose to approach it: as a compliance or "tick the box" exercise, or as a potential strategic opportunity.
NIS2 will most likely be a key enabler for growth, including for ICT service providers eager to embrace cybersecurity and make it a selling point by assisting customers to achieve compliance.
Contact
Vincent Denoyelle E: vincentdenoyelle@eversheds-sutherland.com
Killian Lefevre E: killianlefevre@eversheds-sutherland.com
Emmanuel Ronco E: emmanuelronco@eversheds-sutherland.com
© Eversheds Sutherland. All rights reserved. Eversheds Sutherland is a global provider of legal and other services operating through various separate and distinct legal entities. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.