NIS2 Directive: understanding the new European cybersecurity framework and its impact on businesses in France
By 2025, more than 40% of companies will have suffered at least one significant cyberattack*. Faced with this threat, the European Union has chosen to strengthen the cybersecurity of its organizations by introducing obligations designed to raise the level of cyber maturity of the entire economic fabric, as well as of public administrations and local authorities.
What is NIS2?
The NIS2 (Network and Information Security 2) directive, which aims to ensure a high, common level of cybersecurity throughout the European Union, thus becomes the European reference text in this field. Adopted on December 14, 2022, it entered into force on January 16, 2023 and has applied since October 18, 2024, the date on which it repealed and replaced the first NIS Directive, adopted in 2016.
NIS2 objectives
NIS2 has three main aims:
- Extend the scope of entities subject to cybersecurity obligations to include new sectors deemed critical to the economy and society;
- Harmonize requirements between member states to ensure a high, consistent level of safety across Europe;
- Strengthen cooperation between national authorities and EU-wide incident response mechanisms.
In concrete terms, NIS2 requires the entities concerned to implement cyber risk management measures in line with the security objectives derived from the directive (Article 21 of the directive lists ten minimum risk management measures, which the French framework translates into 20 security objectives), to report significant incidents to the relevant authorities, and to engage the responsibility of senior management in cybersecurity governance.
The entities concerned
NIS2 no longer targets only operators of vital importance, but thousands of SMEs, mid-sized companies (ETIs) and large corporations. Organizations are classified as either Essential Entities (EE) or Important Entities (EI), depending on the criticality of their activity and their size. EEs are subject to stricter cybersecurity requirements and closer supervision than EIs.
The directive identifies two types of sector: sectors of high criticality (Annex I of the directive) and other critical sectors (Annex II of the directive).
- Highly critical sectors (Annex I) include energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT service management (business-to-business), public administration and space.
- Critical sectors (Annex II) include postal and courier services, waste management, the manufacture and distribution of chemicals, food production and processing, manufacturing, digital service providers and research.
Classification into EE and EI follows the size-based logic set out in Article 3 of the directive: large entities (at least 250 employees, or more than 50 million euros in turnover and 43 million euros in total assets) operating in a highly critical sector are Essential Entities; medium-sized entities in a highly critical sector, and medium-sized or large entities in a critical sector, are Important Entities. Entities below the medium-sized threshold are, as a rule, out of scope.
There are a few cases outside this size-based classification, notably for certain digital infrastructure providers (such as DNS service providers and top-level domain name registries), which are covered regardless of their size. Numeum offers a mapping tool to help you determine whether or not your company is subject to these regulations, and under which category. You can also use the NIS2 simulator provided by ANSSI.
Please note: the NIS2 directive is currently being revised at European level. The revision introduces a new category of company, small mid-caps, with fewer than 1,000 employees and either turnover of less than 200 million euros or total assets of less than 172 million euros. The threshold applicable to essential entities (EE) would therefore be raised from medium-sized companies to small mid-caps.
In France
In France, almost 15,000 entities are concerned by the NIS2 directive. The competent authority for control and supervision is the Agence nationale de la sécurité des systèmes d’information (ANSSI).
Since it is a directive, NIS2 needs to be transposed into national law to be fully applicable. To this end, the government has presented the "Resilience" bill, designed to transpose several European texts relating to cybersecurity: NIS2, DORA (Digital Operational Resilience Act) and REC (the Critical Entities Resilience directive, CER).
This bill passed its first reading in the Senate in 2025 and is currently awaiting examination by the French National Assembly. Numeum's contributions on this text can be consulted on this Ensemble thread, where you will also be able to follow future news on its examination.
Implementing NIS2
Despite the absence of any transposition to date, ANSSI is calling on all entities subject to the directive not to wait to begin compliance. As ANSSI points out, the primary objective is to protect your organization against cyberthreats, which do not wait for the law.
Please note that the technical requirements for companies in the digital sector** are not set by national transposition. In view of the cross-border nature of their activities, the European Commission adopted Implementing Regulation (EU) 2024/2690, which details the technical and methodological requirements for the cybersecurity risk management measures applicable to these entities. This is the reference framework they must follow.
For other sectors, on March 18 ANSSI launched a "collective security movement" with the publication of the ReCyF*** security reference framework, enabling entities subject to the directive to comply. It is also providing entities with a number of tools to help them achieve compliance on MonEspaceNIS2 (a tool for comparing existing cybersecurity reference frameworks with ReCyF, an FAQ, educational content, etc.).
ANSSI calls on all concerned entities to pre-register now, and to report their incidents, on club.ssi.gouv.fr.
Please find attached the ANSSI presentation on the ReCyF reference framework and compliance paths. Numeum also offers you a webinar with our partner lawyer, Maître Ledieu.
NIS2, an opportunity for the cybersecurity industry
With almost 15,000 entities subject to the NIS2 directive in France, the cybersecurity industry will have to be ready to support these entities in securing their systems.
Numeum plays a full role in supporting the industry by following the ANSSI’s working groups on the future NIS2 trust label, and by sharing regular updates on the directive and the support policy planned by the ANSSI. To follow our actions in this area, we invite you to follow the Cybersecurity Commission on Ensemble.
* CESIN's 11th annual barometer.
** DNS service providers, top-level domain name registries, cloud computing service providers, data center service providers, content delivery network providers, managed service providers, managed security service providers, providers of online marketplaces, online search engines and social networking service platforms, and trust service providers (the entities covered by the implementing regulation).
*** ANSSI offers this reference framework as a "recipe" to help entities subject to the directive, but its use is not mandatory: only the achievement of the security objectives is mandatory. This approach facilitates compliance work for entities already using other standards (e.g. ISO 27001, NIST). A comparison tool is provided to identify overlaps and gaps in relation to NIS2 requirements.