NIS2 France: ANSSI Compliance Requirements, Enforcement Timeline, and What French Entities Must Do in 2026
ANSSI is enforcing NIS2 across France with formal notice procedures and audits. Essential entities face €10M fines. Complete guide to French NIS2 transposition, ANSSI audit expectations, and compliance steps for OSE and OSI entities.
France’s Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI) has emerged as one of the most active national cybersecurity supervisors in the EU’s NIS2 enforcement landscape. Since Q3 2025, ANSSI has issued formal notice procedures to in-scope entities, conducted on-site supervisory visits, and established the compliance architecture that French organizations — both essential and important — must now meet. For any entity operating in France under NIS2 jurisdiction, the question is no longer whether ANSSI will enforce, but whether your organization will be ready when it does.
This guide covers the French transposition of NIS2, ANSSI’s enforcement approach, the specific obligations for Opérateurs de Services Essentiels (OSE) and Opérateurs de Services Importants (OSI), and the practical steps your organization should take now.
France’s NIS2 Transposition: The Legal Framework
France transposed NIS2 through an amendment to the Loi de Programmation Militaire (LPM) and the implementation of decrees under the French Cybersecurity Act framework. The transposition maintains NIS2’s two-tier structure while adapting terminology to France’s existing cybersecurity vocabulary:
- OSE (Opérateurs de Services Essentiels): Equivalent to NIS2 “essential entities” — large organizations in critical sectors including energy, transport, banking, financial market infrastructure, health, drinking water, digital infrastructure, ICT service management, public administration, and space. Threshold: 250+ employees OR €50M annual turnover + €43M balance sheet total.
- OSI (Opérateurs de Services Importants): Equivalent to NIS2 “important entities” — medium-sized organizations in the same sectors plus postal services, waste management, chemicals, food, medical devices, manufacturing (computers, electronics, machinery, motor vehicles), and digital providers. Threshold: 50-249 employees OR €10M-€50M annual turnover.
A key difference from the earlier NIS1 framework is the removal of the prior designation process. Under NIS1, ANSSI had to individually designate OSEs. Under NIS2, organizations are automatically in scope based on size and sector criteria — no designation letter is required (ANSSI, 2025; European Commission, 2026).
ANSSI’s Enforcement Approach
ANSSI’s enforcement posture in 2026 reflects three developments:
1. Formal Notice Procedures: ANSSI issued its first formal notices (mises en demeure) under the NIS2 framework in Q3 2025, requiring in-scope entities to demonstrate compliance within specified timelines. These notices target organizations that failed to register with ANSSI’s portal or that submitted incomplete security documentation (ANSSI, 2025).
2. On-Site Supervisory Visits: ANSSI has conducted on-site inspections at critical infrastructure operators, particularly in the energy and transport sectors. These visits examine documentation, interview security personnel, and assess technical controls against Article 21 requirements. Unlike NIS1’s lighter-touch approach, NIS2 grants ANSSI unannounced inspection rights for essential entities (Article 27 of the Directive).
3. Enforcement Cooperation: ANSSI actively participates in the EU’s Coordinated Supervisory Framework alongside BSI (Germany), INCIBE (Spain), and other national authorities. The European Commission’s January 2026 implementation report confirmed that cross-border enforcement coordination is now operational across 19 member states (European Commission, 2026). French entities with cross-border operations face coordinated scrutiny from multiple supervisors simultaneously.
What ANSSI Audits: The Five Domains
ANSSI’s audit methodology aligns with Article 21 of NIS2 but is operationalized through France-specific guidance documents and ANSSI’s reference frameworks (référentiels). In practice, ANSSI examiners focus on five domains:
1. Governance and Board Accountability (Article 20)
ANSSI expects documented evidence that management bodies have:
- Approved cybersecurity risk management measures
- Overseen implementation through regular reviews
- Completed cybersecurity training (Article 20(2))
For French entities, this translates to board-level documentation: Procès-verbaux (PV) of board meetings where cybersecurity was discussed, signed security policies, and training certificates for directors. ANSSI treats the absence of governance documentation as a compliance failure, not a documentation gap.
This aligns with the broader EU trend toward personal liability for management. See our analysis of NIS2 Board Liability: Personal Fines and Management Exposure for the full picture on Article 20 enforcement across member states.
2. Risk Management Measures (Article 21)
Article 21 requires implementation of “appropriate and proportionate” technical, operational, and organizational measures. ANSSI interprets this through its established security baseline (Référentiel d’Exigences), which maps to the following Article 21(2) elements:
- Risk analysis and information system security policies
- Incident handling (detection, analysis, response)
- Business continuity, backup management, and disaster recovery
- Supply chain security (critical ICT vendor assessments)
- Security in acquisition and development
- Cryptographic controls aligned with ANSSI’s cryptographic guidance (ANSSI Guide d’utilisation des mécanismes cryptographiques)
- Employee security awareness and hygiene practices
- Human resource security (screening, access revocation)
For a deeper dive into the specific technical measures required, see our NIS2 Compliance Guide which covers Article 21 measures in detail.
3. Incident Reporting (Article 23)
ANSSI operates the government incident reporting portal (SIGNALEMENT) through which entities must submit three-phase incident reports:
- Early Warning (within 24 hours): Initial notification of a significant incident via SIGNALEMENT. Must indicate whether the incident is suspected to have been caused by unlawful or malicious acts and whether it could have a cross-border impact.
- Incident Notification (within 72 hours): Updated assessment including initial indicators of compromise, severity assessment, and cross-border relevance.
- Final Report (within 1 month): Complete incident analysis, root cause, impact assessment, and remediation measures taken or planned.
Failure to meet reporting deadlines is treated as a separate compliance violation. ANSSI’s 2025 enforcement actions included formal notices specifically for late reporting, independent of the underlying incident severity (ANSSI, 2025).
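The three-phase timeline above is easy to state and easy to miss under incident pressure, so many entities keep an internal tracker that computes each due date from the moment of awareness and refuses to mark a phase as filed until the minimum content is present. The following is an added illustration of such a tracker; it is not ANSSI's or SIGNALEMENT's code, and the payload field names (`suspected_malicious`, `indicators_of_compromise`, and so on) are constructed for the example, not the portal's actual form fields. It assumes "1 month" can be approximated as 30 days and, following NIS2 Article 23(4)(d), counts the final-report deadline from the submission of the 72-hour notification rather than from awareness.

```python
"""Deadline and content tracker for the three NIS2 incident-reporting phases.

Added illustration, not ANSSI's or SIGNALEMENT's code. Payload field names are
constructed for this example; the portal's real form fields are not reproduced.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Phase deadlines from the article's timeline (NIS2 Article 23).
DEADLINES = {
    "early_warning": timedelta(hours=24),
    "notification": timedelta(hours=72),
    "final_report": timedelta(days=30),   # assumption: "1 month" taken as 30 days
}

# Minimum content per phase, paraphrasing the article. Key names are constructed.
REQUIRED_FIELDS = {
    "early_warning": {"suspected_malicious", "cross_border_impact"},
    "notification": {"severity", "indicators_of_compromise", "cross_border_impact"},
    "final_report": {"root_cause", "impact_assessment", "remediation"},
}


@dataclass
class IncidentReporting:
    aware_at: datetime                              # when the entity became aware
    submitted: dict = field(default_factory=dict)   # phase -> (submitted_at, payload)

    def deadlines(self) -> dict:
        """Due-by timestamp per phase.

        The final report is due one month after the 72h notification is submitted
        (NIS2 Art. 23(4)(d)); until that filing exists it is projected from the
        72h deadline so the tracker never shows an empty slot.
        """
        notified_at = self.submitted.get("notification", (None, None))[0]
        final_base = notified_at or (self.aware_at + DEADLINES["notification"])
        return {
            "early_warning": self.aware_at + DEADLINES["early_warning"],
            "notification": self.aware_at + DEADLINES["notification"],
            "final_report": final_base + DEADLINES["final_report"],
        }

    def submit(self, phase: str, at: datetime, payload: dict) -> bool:
        """Record a filing; refuse incomplete content. Returns True if filed on time."""
        missing = REQUIRED_FIELDS[phase] - set(payload)
        if missing:
            raise ValueError(f"{phase}: missing required content {sorted(missing)}")
        due = self.deadlines()[phase]      # evaluate before recording the filing
        self.submitted[phase] = (at, payload)
        return at <= due

    def status(self, now: datetime) -> dict:
        """Per-phase state: on_time/late once filed, pending/overdue while open."""
        result = {}
        for phase, due in self.deadlines().items():
            if phase in self.submitted:
                result[phase] = "on_time" if self.submitted[phase][0] <= due else "late"
            else:
                result[phase] = "overdue" if now > due else "pending"
        return result


def demo() -> dict:
    """Constructed timeline: awareness at 09:00 UTC, early warning at +20h,
    notification at +70h; plus a silent entity and a late early warning."""
    t0 = datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc)
    r = IncidentReporting(aware_at=t0)
    ew_on_time = r.submit("early_warning", t0 + timedelta(hours=20),
                          {"suspected_malicious": True, "cross_border_impact": False})
    status_50h = r.status(t0 + timedelta(hours=50))
    notif_on_time = r.submit("notification", t0 + timedelta(hours=70), {
        "severity": "high", "indicators_of_compromise": ["constructed-ioc"],
        "cross_border_impact": False})
    try:                                   # incomplete final report is refused
        r.submit("final_report", t0 + timedelta(days=10), {"root_cause": "tbd"})
        rejected = False
    except ValueError:
        rejected = True
    silent = IncidentReporting(aware_at=t0)            # filed nothing at all
    late = IncidentReporting(aware_at=t0)
    late_ew = late.submit("early_warning", t0 + timedelta(hours=30),
                          {"suspected_malicious": False, "cross_border_impact": False})
    return {
        "early_warning_on_time": ew_on_time,
        "status_at_50h": status_50h,
        "notification_on_time": notif_on_time,
        "final_due_from_notification":
            r.deadlines()["final_report"] == t0 + timedelta(hours=70, days=30),
        "incomplete_final_rejected": rejected,
        "status_at_100h": r.status(t0 + timedelta(hours=100)),
        "silent_entity_at_30h": silent.status(t0 + timedelta(hours=30)),
        "late_early_warning": late_ew,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the content check is the one the article makes: a filing that lacks the required statements (suspected malicious cause, cross-border impact) is not an early warning, so the tracker does not let it clear the 24-hour slot. The `silent_entity_at_30h` case shows what ANSSI's late-reporting notices target: an early warning that is already overdue while the later phases are still pending.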
4. Supply Chain Security (Article 21(2)(d))
ANSSI’s supply chain scrutiny is particularly rigorous for OSEs. Entities must:
- Maintain a complete register of ICT third-party relationships
- Identify critical suppliers and assess their security posture
- Contractually require security standards from suppliers
- Conduct periodic supply chain security reviews
For entities with complex vendor ecosystems, ANSSI expects evidence of a structured supply chain risk management process — not just a spreadsheet of vendor names.
5. Registration and Notification Obligations
Under the French transposition, all in-scope entities must:
- Register with ANSSI through the designated portal
- Provide complete entity identification, sector classification, and contact information
- Notify ANSSI of any material changes to their security posture, organizational structure, or contact details within 30 days
Non-registration itself is a standalone violation. ANSSI’s first enforcement wave in 2025 specifically targeted entities that had not completed registration (ANSSI, 2025).
Penalties: What French Entities Face
France’s penalty framework mirrors NIS2’s maximum thresholds:
| Entity Type | Maximum Fine | Basis |
|---|---|---|
| OSE (Essential) | €10,000,000 or 2% of global annual turnover | Whichever is higher |
| OSI (Important) | €7,000,000 or 1.4% of global annual turnover | Whichever is higher |
Beyond financial penalties, ANSSI can impose:
- Temporary bans on management personnel from holding director positions (Article 20 liability)
- Mandatory security remediation orders with binding timelines
- Public disclosure of enforcement actions
For a comprehensive breakdown of penalties across entity types, see our NIS2 Penalties and Fines Guide.
Sector-Specific Considerations for France
Energy Sector
France’s heavy reliance on nuclear energy (approximately 70% of electricity generation) places EDF and related operators under heightened ANSSI scrutiny. The energy sector was among the first to receive formal notices, and ANSSI’s audits of energy OSEs are among the most technically rigorous — examining SCADA systems, industrial control systems (ICS), and OT/IT convergence security.
Financial Services
The ACPR (Autorité de Contrôle Prudentiel et de Résolution) coordinates with ANSSI for financial sector entities, creating a dual-supervision framework. Banks and financial market infrastructure operators face both ACPR prudential requirements and ANSSI cybersecurity requirements simultaneously. Entities should expect joint supervisory activities.
Healthcare
French healthcare entities — particularly hospitals and health data processors — face ANSSI scrutiny under both NIS2 and the existing HDS (Hébergeur de Données de Santé) certification framework. Compliance requires meeting both NIS2 Article 21 requirements and HDS-specific data protection standards.
Digital Infrastructure
France’s significant data center and cloud hosting industry falls directly under NIS2’s digital infrastructure sector. ANSSI has been particularly active in supervising these entities, given their role as upstream dependencies for thousands of downstream organizations. If you operate digital infrastructure in France, expect early and detailed ANSSI engagement.
Practical Compliance Steps for French Entities
Based on ANSSI’s enforcement actions and published guidance, here is a prioritized compliance roadmap:
Step 1: Registration (Immediate)
Register with ANSSI’s portal if not already done. Non-registration is a standalone violation that triggered the first enforcement wave.
Step 2: Governance Documentation (Week 1-2)
- Obtain board approval of cybersecurity risk management policy
- Schedule board cybersecurity briefing
- Document management body cybersecurity training
- Name a responsible security officer with direct management body reporting line
Step 3: Risk Assessment (Week 2-6)
- Conduct or update comprehensive risk assessment covering all Article 21(2) elements
- Document risk treatment decisions
- Link risk assessment to asset inventory
Step 4: Incident Response (Week 2-4)
- Document incident response procedures aligned with ANSSI’s SIGNALEMENT portal requirements
- Define internal escalation paths for 24-hour early warning
- Conduct tabletop exercise and document results
- Train incident response team on SIGNALEMENT reporting workflow
Step 5: Supply Chain Register (Week 3-6)
- Complete ICT third-party register
- Identify and classify critical suppliers
- Initiate security assessments for top-tier vendors
- Review and update supplier contracts for security clauses
Step 6: Technical Controls Verification (Week 4-8)
- Verify cryptographic controls meet ANSSI guidance
- Confirm business continuity and backup procedures are tested
- Validate access control and identity management policies
- Test network segmentation and monitoring capabilities
Step 7: Documentation Package (Week 6-10)
Compile the complete evidence package that ANSSI will request during a supervisory visit:
- Board governance documentation (PV, policies, training records)
- Risk assessment and treatment plan
- Asset inventory with last-update dates
- Incident response plan with test history
- Supply chain register with vendor assessments
- Technical control verification reports
For a structured approach, download our NIS2 Compliance Checklist PDF which covers all 15 compliance domains with actionable items.
How This Affects Cyber Insurance in France
ANSSI’s enforcement creates direct implications for cyber insurance underwriting in the French market:
- Compliance as Insurability: French entities that cannot demonstrate NIS2 compliance to ANSSI will increasingly struggle to obtain or renew cyber coverage. Insurers are already requesting evidence of ANSSI registration and compliance status at renewal.
- Penalty Coverage Questions: While NIS2 administrative fines are generally not insurable under French law (penal fines exclusion), the business interruption and remediation costs following a compliance failure are covered. The distinction matters for policy wording.
- Increased Demand: As ANSSI escalates enforcement, demand for cyber insurance from French mid-market companies is accelerating. Brokers who understand the NIS2-ANSSI compliance landscape can position coverage more effectively.
For brokers placing French cyber risk, see our Cyber Insurance Buying Guide 2026 and NIS2 Underwriting Questions for Brokers for the full question set to use with French clients.
Comparison: ANSSI vs BSI Enforcement
France and Germany represent the two largest NIS2 enforcement jurisdictions in the EU. While both authorities follow Article 21 requirements, their enforcement styles differ:
| Aspect | ANSSI (France) | BSI (Germany) |
|---|---|---|
| First enforcement | Q3 2025 formal notices | Late 2025 audit criteria |
| Approach | Formal notices + supervisory visits | Risk-based audit program |
| Incident portal | SIGNALEMENT | BSI Meldestelle |
| Supply chain focus | High — requires structured vendor register | High — requires ICT supplier assessments |
| Sector priority | Energy, digital infrastructure, healthcare | Energy, transport, banking |
| Cross-border coordination | Active in EU Coordinated Framework | Active in EU Coordinated Framework |
For the German perspective, see our BSI NIS2 Enforcement Guide.
The Bottom Line
ANSSI is not waiting for organizations to catch up. The formal notices are already being issued, supervisory visits are underway, and the penalty framework is enforceable. French entities that treat NIS2 as a future obligation are already behind.
The minimum standard is clear: registered with ANSSI, governance documented, risk assessment current, incident response tested, supply chain mapped. If any of these are missing, the clock is not just ticking — it has already run out for some.
Next steps:
- Check your NIS2 compliance status with our free NIS2 readiness assessment
- Download the NIS2 Compliance Checklist PDF — 15-point guide covering all Article 21 requirements
- Calculate your cyber risk exposure for insurance purposes
Sources:
- ANSSI (2025). Mise en œuvre de la directive NIS2 en France — Guide à destination des entités essentielles et importantes. Paris: ANSSI.
- European Commission (2026). Report on the implementation of the NIS2 Directive across Member States. Brussels: EC.
- ENISA (2024). ICT Supply Chain Security — Guidelines for NIS2 Compliance. Athens: ENISA.