As the future European cybersecurity framework enters its final phase of integration into French law, France’s national cybersecurity agency ANSSI, represented by Director General Vincent Strubel, addressed a National Assembly Commission to clarify key points and to share the expected timeline for compliance with NIS2, REC, and the DORA regulation.
This update outlines the current status of France’s transposition efforts, including timelines, cost estimates, and available support resources.
Update: 11/26/2025
NIS2 Transposition Timeline in France
- Parliamentary debates scheduled for early 2026
- Final adoption expected by Q1 2026
- Deadline for full compliance: 3 years after publication
Reminder: ANSSI warns that the threat landscape is already active. Risk assessments and system mapping can – and should – begin now.
French NIS 2 Compliance Framework
The French draft decree defines 20 security objectives for essential entities and 15 for important ones. A compliance framework will be published. France has clarified its position: ISO 27001 / 27002 certification does not automatically imply NIS2 compliance:
- ISO 27001 alone covers only 2 out of 20 objectives
- ISO 27002 can help achieve up to 80% of them
ANSSI also supports the idea of a European certification framework to harmonize cross-border implementation for organizations operating in multiple countries.
NIS 2 Compliance Costs: French Government Estimates
Initial investment figures shared by ANSSI and France’s Secretariat-General for National Defence (SGDSN) are:
- Important entities: €100–200k initial cost + ~10% annually
- Essential entities: €450–880k initial cost + ~10% annually
According to the French Court of Auditors (June 2025), the average cost of a cyberattack is estimated at 5–10% of annual revenue — regardless of size or sector.
Pre-registration on the Club SSI website
To find out whether you are in the scope of NIS 2, you can take the test on the Mon Espace NIS 2 website. If you are in scope, you can now pre-register on the Club SSI website, the official portal providing access to the digital services offered by CERT-FR.
Here is the information that will need to be provided:
- Address of your registered head office (siège social) in France and, where applicable, SIREN number;
- Sector(s), sub-sector(s) and entity type(s) as defined in Annexes I and II of the NIS 2 directive;
- Number of employees, turnover and financial statements;
- EU Member States where the entity conducts activities (manufactures, provides products or services);
- Contact information for cybersecurity incident handling and any additional roles;
- Company name and addresses of establishments in the European Union;
- IPv4/IPv6 address ranges and, optionally, top-level domains and Autonomous System (AS) numbers.
Once the law is published, this registration will become mandatory to meet the obligation to provide certain information required under Articles 3 and 27 of NIS 2.
Third-Party Management and Shared Responsibility
ANSSI highlights the importance of working proactively with suppliers and service providers. This includes:
- Launching a full risk assessment and infrastructure mapping
- Including cybersecurity clauses in all new contracts
Support Resources Available in France
France has developed a range of support structures to assist organizations with NIS2 implementation:
- GIP Acyma: Guides to vetted private providers
- 17Cyber (National Gendarmerie): Rapid support and response
- Regional CSIRTs: Localized incident response and advice
- OPSN services: Shared (pooled) cybersecurity solutions
- Qualified auditors: ANSSI-approved assessment providers
Don’t Confuse Compliance with Security
“France has built a strong national cybersecurity ecosystem combining public and private actors and over 70 industry federations. Compliance deadlines will come, but the threats are already here.” – Vincent Strubel, Director General, ANSSI
SPAC Alliance fully supports this message: compliance is a milestone, not the end goal. Building a resilient cybersecurity posture means starting now with solid groundwork:
- Conduct a risk analysis — both digital and physical — including third parties
- Map your systems and access controls
- Test your governance by simulating a successful attack
The quality of this early work will determine how smoothly — and effectively — your organization achieves compliance.
Our recommendation: rely on the expertise of SPAC Alliance members to build a future-proof security foundation with trusted partners and technologies.
Feel free to reach out for more information on the services available through our shop!
