NIS2 was transposed into French law by Ordinance No. 2024-821 of August 8, 2024, supplemented by implementing decrees. Implementation is progressive, but in-scope organizations have obligations now — particularly "essential" entities.
Who Is Affected?
- Essential Entities (EE) — Critical sectors: energy, transport, banking, financial infrastructure, health, water, digital infrastructure, public administration, space. Size: more than 250 employees or revenue above €50M.
- Important Entities (IE) — Important sectors: postal services, waste management, chemicals, food, manufacturing, digital services, research. Size: more than 50 employees or revenue above €10M.
The Real Timeline in France
August 8, 2024 — Publication of the transposition ordinance. Legal obligations formally exist.
Q4 2024 - Q1 2025 — Implementation decrees specifying sectors, thresholds, and ANSSI registration procedures.
2025 — ANSSI opens its registration portal. In-scope entities must identify themselves.
2026-2027 — First enforcement decisions expected for essential entities.
Key Obligations
Incident notification
- 24 hours after detecting a significant incident: initial notification to ANSSI
- 72 hours: intermediate report with preliminary assessment
- 1 month: complete final report
Management responsibility
NIS2 explicitly introduces personal liability for executives. Governing bodies must approve cybersecurity measures, undergo training, and can be held personally liable for serious violations.
Sanctions
- Essential entities: up to €10 million or 2% of total global annual turnover
- Important entities: up to €7 million or 1.4% of total global annual turnover
Presidio integrates NIS2 obligations natively — notification procedures, risk register, audit trail, COMEX dashboard. Discover Presidio.