I’ve spent a lot of time lately speaking with CISOs who feel like they’re waiting for a storm that’s already raining on their neighbors. While some European countries have crossed the finish line, France’s NIS2 transposition is still moving through the legislative gears.
As of January 2026, France is in the final stretch of adopting the Loi relative à la résilience des infrastructures critiques et au renforcement de la cybersécurité (often called the “Loi Résilience”).
This isn’t just a minor update; we’re looking at a massive expansion that will pull nearly 15,000 entities into the regulatory spotlight. I’ll try to unwrap it all below.
TL;DR: What You Need to Know
France is currently finalizing its national transposition of the NIS2 directive through a draft law that recently cleared a major hurdle in the National Assembly. While the official EU deadline passed in 2024, the French regime is expected to fully enter into force in early to mid-2026 once the final decrees are published.
- Scope: Expansion from ~500 to nearly 15,000 entities across 18 sectors.
- Categories: “Essential” (stricter oversight) vs. “Important” (lighter oversight).
- Fines: Up to €10M or 2% of global turnover for the most critical players.
- Preparation: Focus on governance, supply chain security, and rapid incident reporting (24h/72h).
I recommend focusing on your supply chain and incident response playbooks now, rather than waiting for the final gavel to fall.
Timelines and Legislative Milestones
France’s NIS2 implementation has been a marathon, not a sprint. I’ve tracked the progress from the initial draft in late 2024 to the high-stakes commission votes we saw just a few months ago.
The “Loi Résilience” (PRMD2412608L) officially entered the spotlight on October 15, 2024, when it was presented to the Council of Ministers. By March 2025, the Senate had adopted the bill, and it moved to the Assemblée nationale (National Assembly).
A pivotal moment occurred on September 10, 2025, when the special commission at the National Assembly voted on a new version of the text.
As we move through January 2026, we are awaiting the final promulgation and the specific décrets en Conseil d’État that will define the technical “how-to” for every impacted business.
| Date | Milestone | Status |
|---|---|---|
| Oct 15, 2024 | Bill presented to the Council of Ministers | Completed |
| Mar 12, 2025 | Senate adoption in first reading | Completed |
| Sep 10, 2025 | National Assembly special commission vote | Completed |
| Early 2026 | Final adoption and Promulgation | In Progress |
| Mid 2026 | Entry into force of technical decrees | Expected |
Structure and National Specificities
The French NIS2 framework isn’t a carbon copy of the EU text; it’s a bespoke French suit tailored by ANSSI (Agence nationale de la sécurité des systèmes d’information). One thing I want to highlight is the shift from “essential systems” to “entity-wide” duties.
Under the old rules, you might only have had to secure a specific server; now, the law generally applies to your entire information system by default.
The French draft creates a two-tier system: Entités Essentielles (EE) and Entités Importantes (EI). I’ll break this down simply: EEs are the heavy hitters in highly critical sectors like energy or transport, while EIs cover a broader range of “important” sectors like food, waste management, and even certain local authorities.
ANSSI will act as the central authority, managing the lists of these entities and overseeing enforcement. You won’t need a law degree to see that the goal here is total visibility into the French digital ecosystem.
| Category | Typical Criteria | Supervisory Intensity |
|---|---|---|
| Essential (EE) | ≥ 250 staff or high turnover; highly critical sectors | Ex-ante: Proactive audits and constant monitoring |
| Important (EI) | ≥ 50 staff or €10M turnover; critical sectors | Ex-post: Investigation only after an incident occurs |
High-Stakes Enforcement and Administrative Fines
If you think this is just about paperwork, the sanctions section will change your mind. The French NIS2 transposition introduces administrative fines that could make even a CFO sweat.
These aren’t just “suggestions”. Instead, they are designed to be “effective, proportionate, and dissuasive.” The draft sets maximum administrative fines that align closely with the EU’s top-tier requirements.
For Essential entities, the potential penalty is massive. Important entities get a slightly lower cap, but the figures are still enough to disrupt even the most stable balance sheet.
| Entity Type | Maximum Fine (Fixed Amount) | Maximum Fine (% of Turnover) |
|---|---|---|
| Essential (EE) | €10,000,000 | 2% of annual worldwide turnover |
| Important (EI) | €7,000,000 | 1.4% of annual worldwide turnover |
Beyond the money, the “Commission des sanctions” can issue public warnings and binding instructions. This means if you fail to comply, ANSSI might force you to publicly admit it, which is the part most teams miss when calculating risk.
It’s not just about monetary losses. Non-compliance can hurt your reputation as well.
Estimated Implementation Roadmap (2026)
Timing is everything. Even though France missed the original 2024 EU deadline, the momentum in early 2026 is undeniable. I’ve mapped out the likely path forward so you can align your internal projects accordingly.
- Q1 2026: Final Promulgation. The Loi Résilience is expected to be signed and published in the Journal Officiel.
- Q2 2026: Technical Decrees. ANSSI will release the décrets and arrêtés that specify the exact technical standards (the “référentiel”) you must follow.
- Q3 2026: Registration Phase. Entities will likely be required to register through the “MonEspaceNIS2” portal to confirm their status as EE or EI.
- Q4 2026 and Beyond: Full Enforcement. Regular audits for Essential entities begin, and the 24-hour incident reporting window becomes strictly enforceable.
How to Prepare: Your Action Checklist
Even though the final decrees are still in the oven, the ingredients are already on the table. You shouldn’t wait for the law to be fully promulgated to start preparing for the French NIS2 regime. Here is a short checklist to get your house in order.
- Screen for Scope: Use the sector and size thresholds to determine if you are an EE or EI. Don’t forget that some smaller entities can be designated if they are “sole providers” in their region.
- Stand Up Governance: Management bodies are now personally accountable. Set up a training plan for leadership so they understand their legal duties.
- Supplier/Subcontractor Controls: Integrate security requirements into procurement. Subcontracting is explicitly in scope, so your vendors’ risks are now your risks.
- Incident Readiness: Ensure you can detect, triage, and report significant incidents within 24 hours (early warning) and 72 hours (intermediate report).
- Monitor official updates: Keep a close eye on ANSSI’s “MonEspaceNIS2” for the finalized technical requirements.
The move toward NIS2 compliance in France is a major lift, but it’s also an opportunity to harden your defenses against a rising tide of threats. This is exactly where Copla shines: by automating your visibility and audit readiness, it turns a complex regulatory burden into a streamlined, manageable process.