NIS2

NIS2 (directive 2022/2555) is the second European cybersecurity framework, replacing the 2016 NIS directive. It entered into application on 17 October 2024 and was transposed into French law by the law of 21 November 2024.

Goal: harmonize and strengthen the level of cybersecurity in the EU by imposing on entities identified as "essential" or "important" obligations on risk management, incident notification, and governance, with personal liability of executives in case of breach.

The French reference authority is ANSSI (National Information Systems Security Agency). It receives declarations and incident notifications, and conducts controls.

The scope is defined by Annexes I (essential entities) and II (important entities) of the directive. In summary:

• Annex I (essential entities): energy, transport, banks, healthcare, water, digital infrastructure, public administrations, space.
• Annex II (important entities): postal services, waste management, food, manufacturing of chemicals / medical devices / vehicles, digital services (cloud, datacenter, SaaS), R&D.

Thresholds: ≥ 50 employees OR ≥ €10m revenue is enough to fall under "important entity". Beyond 250 employees or €50m revenue, you become "essential entity" with a stricter control regime.

Important: declaration to ANSSI is self-declarative. No notification is sent by the authority, it is up to the entity to identify itself and declare. Absence of declaration is itself an offense.

• 17 October 2024: entry into application of the directive.
• November 2024: French transposition voted.
• 2025: opening of the ANSSI self-declaration portal.
• From 2026: targeted controls on actors that had a notified incident, were reported via complaint, or were identified as at-risk.

Sanctions are both administrative and personal:

• Essential entities: fine up to €10m or 2% of global annual revenue (whichever higher).
• Important entities: fine up to €7m or 1.4% of global annual revenue.
• Personal liability of executives: possibility of temporary ban from management functions.
• Complementary sanctions: compliance injunctions, suspension of authorizations, publication of decisions.

Article 21 of the directive lists 10 categories of minimum technical and organizational measures. In software translation:

• Tamper-proof and queryable audit log (every sensitive action traced, append-only, timestamped).
• Incident detection and ANSSI notification workflow within 24h alert / 72h detailed / 1-month final report.
• Register of technical subcontractors with associated certifications (SOC 2, ISO 27001, NIS2), audit dates, DPO/CISO contacts.
• Access management with MFA, privilege management, regular reviews.
• Documented business-continuity plan, tested, reviewed annually.