France missed the 17 October 2024 NIS2 transposition deadline and was among the eleven Member States that received a Commission reasoned opinion on 7 May 2025 for failure to notify full transposition. Rather than rush a narrow transposition law, France elected to combine NIS2 with two other EU instruments — the Critical Entities Resilience (CER) Directive and DORA-related provisions — into an omnibus "Resilience" bill (officially the projet de loi de résilience des infrastructures critiques et de renforcement de la cybersécurité). The Senate adopted its text on 12 March 2025; the National Assembly continues its examination through 2026, with final promulgation expected in mid-2026. In the meantime, ANSSI has begun running the regime through soft-law guidance, including the Cyber France Reference Framework made available from March 2026 and a pre-registration platform open since November 2025.
What is the legal structure?
The French legislator made a deliberate choice to integrate transposition. NIS2 (Directive (EU) 2022/2555) and the parallel CER Directive (Directive (EU) 2022/2557) cover overlapping populations of regulated entities — many critical entities are also operators in NIS2-regulated sectors — and France found it administratively cleaner to amend the Code de la défense, the Code des postes et des communications électroniques, and several sectoral codes in a single legislative vehicle.
The Resilience bill is structured in five Titles:
- Title I: Strategic and operational governance for critical infrastructure resilience (CER transposition).
- Title II: Cybersecurity obligations on essential and important entities (NIS2 transposition).
- Title III: ANSSI's powers, including sanctions and information requests.
- Title IV: DORA-coordination provisions for financial entities (most of DORA applies directly as a regulation; this Title addresses national-competent-authority designation and overlap with NIS2).
- Title V: Final provisions, transitional measures, and entry into force.
Title II is the substantive NIS2 transposition. It mirrors the directive's two-tier structure ("entités essentielles" and "entités importantes"), the ten risk-management measures, the incident reporting cadence, and the registration obligation. France adds a national specificity: a third operational tier of "opérateurs d'importance vitale" (OIVs) under the Code de la défense, which predates NIS2 and continues to apply with strengthened obligations for the most strategic infrastructure.
Who is in scope?
ANSSI estimates that the Resilience bill will bring approximately 15,000 French entities into the NIS2 regime, up from roughly 500 OIVs under the legacy CIIP framework and 270 OSEs and 50 DSPs under the original NIS regulations. The scope expansion is driven by:
- The medium-enterprise threshold rule.
- The inclusion of new sectors not present in the original NIS framework, including waste management, food production, postal services, public administration above a defined scale, and ICT services management entities.
- Exemptions from the size threshold for DNS providers, qualified trust service providers, MSSPs, public administration entities, and others, which fall in scope regardless of size.
The OIV layer is preserved and reinforced. OIVs continue to operate under the Code de la défense's stricter regime, with the Resilience bill adding several CER-derived obligations including a continuity-of-essential-functions plan and a coordinated risk assessment.
What is ANSSI's role?
ANSSI is designated as the single national competent authority for the NIS2 regime, the national CSIRT, and the single point of contact for cross-border coordination. France's choice of a unified competent authority — rather than the distributed sectoral-regulator model adopted in some Member States — reflects the historical strength of ANSSI and its standing as the cybersecurity authority of the French state.
Several operational consequences flow from this:
- All NIS2 incident reports flow to ANSSI through a single platform. The pre-registration platform launched in November 2025 is the first phase; the full incident reporting interface is being built in parallel.
- ANSSI is the supervisory authority for both essential and important entities, with a tiered supervisory regime — ex-ante supervision for essential entities (including audits initiated by ANSSI) and ex-post for important entities (triggered by incidents, complaints, or risk-based selection).
- The Cyber France Reference Framework, available from March 2026, is ANSSI's operational reference for "appropriate and proportionate" risk-management measures. It is not binding but is treated by regulated entities and auditors as the de facto compliance baseline.
What does the Cyber France Reference Framework require?
The Cyber France Reference Framework — Référentiel Cyber France in the French formulation — is structured around the NIS2 Article 21 ten measures and aligned with ANSSI's existing controls libraries, including the EBIOS Risk Manager methodology and the existing OIV reference framework. It is calibrated to four levels of severity, with the highest level reserved for essential entities and OIVs.
| Domain | Reference Framework chapter | Measures count (approx.) |
|---|---|---|
| Governance and risk analysis | Chapter 1 | 18 |
| Asset and inventory management | Chapter 2 | 12 |
| Network and system security | Chapter 3 | 24 |
| Identity and access management | Chapter 4 | 15 |
| Vulnerability and incident response | Chapter 5 | 19 |
| Supply chain security | Chapter 6 | 14 |
| Business continuity and crisis management | Chapter 7 | 13 |
| Training and awareness | Chapter 8 | 7 |
| Encryption and data protection | Chapter 9 | 11 |
| Compliance and audit | Chapter 10 | 9 |
Supply chain security receives a dedicated chapter aligned with ANSSI's existing supply chain guidance and the ENISA cross-Union procurement recommendations. Notable obligations include continuous monitoring of direct suppliers (not annual questionnaires), evidence-based assessment of supplier security postures, and contractual flow-down of incident reporting obligations.
What are the penalties?
The Resilience bill mirrors the NIS2 ceiling: for essential entities, fines up to €10 million or 2% of total worldwide turnover; for important entities, up to €7 million or 1.4% of turnover. Additional measures include binding orders, temporary suspension of authorisations or certifications, and individual responsibility of managers for serious or repeated breaches.
France differs from Germany on personal liability. The Resilience bill does not include the kind of explicit personal liability clause for board members that Germany's BSI Act now contains. Instead, the French approach relies on existing corporate-law concepts of director responsibility and the criminal regime for serious cybersecurity offences.
What should defenders do now?
For French and France-supplying entities, four actions cover the gap before final adoption:
- Pre-register through ANSSI's November 2025 platform. The registration is technically voluntary until the law is enacted but is treated as the de facto baseline for supervisory attention.
- Map your control library to the Cyber France Reference Framework. Most large organisations already have measures equivalent to the Framework chapters; the gap is usually evidence, not control existence.
- Build the direct-supplier risk inventory required by Chapter 6 — Supply chain security — and produce structured evidence for each tier-1 supplier.
- Stand up the 24/72/30-day incident reporting workflow in the form ANSSI is expected to require, including the structured JSON template ANSSI has signalled it will publish in 2026.
For non-French entities that supply French regulated customers, the operational implication is contractual: expect French customers to demand evidence packages aligned to the Cyber France Reference Framework, and to flow supply chain duties under Chapter 6 explicitly into procurement contracts.
How Safeguard Helps
Safeguard generates SBOMs and dependency graphs that satisfy the Cyber France Reference Framework's Chapter 6 supply chain evidence requirements — the data ANSSI expects to see in supervisory inspections of essential entities. TPRM workflows score direct suppliers against the Framework's structured criteria and surface drift continuously, eliminating the annual-questionnaire cycle that the Framework explicitly disfavours. Griffin AI reachability filters incident triage so the 24-hour ANSSI clock starts on exploitable conditions rather than alert noise. Policy gates can enforce Chapter 6 contractual flow-downs at deployment time, blocking releases that depend on components without a vendor security attestation. Compliance automation produces the structured JSON evidence packages ANSSI is expected to demand, with audit trails that survive the regulator's expected supervisory cycle.