Skip to main content
ImplementedNIS2

NIS2 in France

France transposed NIS2 through Loi n°2024-1177 (the RGCP law) in January 2025. ANSSI leads supervision with a graduated enforcement approach.

Transposition law
Loi n°2024-1177 relative à la résilience des infrastructures critiques et au renforcement de la cybersécurité
In force
10 January 2025
Competent authority
ANSSI: Agence nationale de la sécurité des systèmes d'information
Max fine (Essential)
€10 million or 2% of global annual turnover
Max fine (Important)
€7 million or 1.4% of global annual turnover
Full enforcement
April 2025

Key Deadlines

Law enacted
10 January 2025
Registration opens
1 February 2025
Full enforcement
1 April 2025

Competent Authority

ANSSI: Agence nationale de la sécurité des systèmes d'information
Lead NIS2 supervisory authority for all sectors
https://www.ssi.gouv.fr

ANSSI adopts a risk-based approach with a phased onboarding. Entities self-declare via MonEspaceANSSI, after which ANSSI assigns a supervision tier. Audits are conducted on a rolling schedule starting with critical infrastructure.

Registration Process

Register at monespace.anssi.gouv.fr. You will need your SIREN number, sector and sub-sector classification, a designated NIS2 contact, and a signed declaration by a company officer (dirigeant).

📊 Quick Test

Find out if your company is in scope

Does your organisation fall under Annex I (Essential) or Annex II (Important) entities?

Check NIS2 Scope →

Key Requirements

  • 1Declaration via MonEspaceANSSI portal within 3 months of becoming in-scope
  • 2Cyber incident notification within 24 hours (early warning) and 72 hours (full notification)
  • 3Annual cybersecurity audit for Essential Entities every 3 years
  • 4Cyber crisis management plan (PCA/PRI) mandatory
  • 5CISO designation required for Essential Entities
  • 6Supply chain security assessments
  • 7Employee cybersecurity training programme

National Additions

France retains specific sectors from OIV (Opérateurs d'importance vitale) status under SAIV legislation, which adds physical security obligations on top of NIS2
Public administrations at regional and local level are included from 2026
France has introduced specific deadlines for the healthcare sector following major ransomware attacks

FAQ: NIS2 in France

What is MonEspaceANSSI?
MonEspaceANSSI is the dedicated online portal where French entities self-declare their NIS2 status, receive their supervision tier, submit incident notifications, and communicate with ANSSI throughout the compliance lifecycle.
Does NIS2 replace the former NIS1 (LPM) obligations in France?
Partially. OIV entities remain subject to SAIV/LPM obligations (physical and logical security), while NIS2/RGCP adds additional cybersecurity requirements. For most mid-market companies the RGCP is the primary framework.

Ready to assess your NIS2 compliance?

Use our free tools to check your NIS2 scope and run a gap assessment.

🎯 Scope Checker📊 Gap Assessment