


NIS2 Directive in France: When cybersecurity goes hand in hand with executive responsibility

published on 24 February 2026 | reading time approx. 5 minutes


For a long time now, with the increase and spread of cyberattacks and the resulting losses, but also with the economy of ‘valuable data’, cybersecurity is no longer just a matter for specialists and IT departments, nor is it a subject solely for tech companies.

Furthermore, over the years, French courts – but also insurers – have become increasingly reluctant to accept claims for compensation from companies that have ‘left the door open’ to hackers through negligence, pointing to the countless recommendations and guidelines issued by the relevant authorities (ANSSI and CNIL) on the subject, which should be implemented within companies, while the media report on increasingly targeted and massive attacks, often with dramatic consequences.

With the NIS2 Directive, which is gradually being transposed into French law, cybersecurity is taking another step forward, a silent revolution that is creating new and binding legal obligations for a much larger number of companies.

But cybersecurity, by taking on the guise of a standard, is becoming above all a matter of governance and personal responsibility for managers. And with it, concrete legal and financial consequences in the event of a breach of IT security.

NIS2, a huge expansion of the concerned entities

NIS2 significantly expands the scope of obligations to industrial and commercial sectors not previously subject to these obligations, including:
  • manufacturing industries;
  • critical sectors (energy, transport, health, banking, water, research, etc.);
  • distribution players (particularly e-commerce and logistics);
  • digital service providers;
  • certain IT service providers and platforms hosting critical services.

but also their subcontractors, for whom these entities are responsible and whose compliance with the new ‘cybersecurity’ standard they must ensure.

From 300 critical organisations covered under NIS1, the number has now risen to more than 10,000. From six sectors of activity, the number has risen to 18, classified as either critical or sensitive! All companies with at least 50 employees or generating more than €10 million in annual turnover fall within the scope of the Directive.

In France, transposition is being led by the ANSSI, which has begun work on the practical implementation of the obligations for the entities concerned, with circulars and points of attention published between 2024 and 2026, and an online mini-audit platform enabling companies to begin checking whether or not they are subject to this new standard. Its new role now includes imposing binding measures and sanctions.

Governance that involves executive management

Beyond the responsibility of companies themselves, the explicit accountability of senior management is one of the elements most commented on by the French media and legal scholars.

Unlike purely technical compliance regimes (ISO, etc.), NIS2 places a legal obligation on managers to achieve results, depending on the level of risk defined by the Directive:
  • they must ensure the adoption and implementation of a cyber risk management policy;
  • they must sanction deviations, document decisions, and arbitrate between security and business continuity;
  • they must ensure operational monitoring and internal reporting.

Actions to be taken

The NIS2 Directive imposes a dozen mandatory measures.

First and foremost, it requires a well-documented cyber risk map:
  • identification of critical assets (SCADA systems, ERP, supply chain);
  • vulnerability analysis;
  • mitigation plans;
  • documentation of decisions.

This requirement for upstream compliance is a revolution compared to traditional approaches that are more focused on crisis management and pragmatic anticipation.

Once risks have been identified and covered, at the other end of the chain, incidents must be reported within strict deadlines to the authority in charge, ANSSI. This requires internal organisation and capacity to:
  • prevent risks, particularly in terms of training and equipment;
  • detect and classify incidents;
  • decide on the notification threshold and comply with the short deadlines imposed;
  • respond to a formal schedule.

This procedure and these deadlines must now be incorporated into the compliance standards of senior management.

Harmonized penalties

NIS2 imposes a harmonized framework of penalties for non-compliance:
  • significant administrative penalties, which France is beginning to specify in its draft transposition decrees; depending on the company and the risk, these penalties can range from €7 million to €10 million, or 1.4 per cent to 2 per cent of the company's global turnover;
  • increased liability for managers in the event of serious or repeated failure to implement mandatory measures;
  • the risk of legal action by customers or partners in the event of data loss or failure to comply with the required governance.

The advantage of the Directive is that it differentiates the level of obligations according to risk categories and types of companies: entities considered ‘essential’ to the country's economic activity and security; above all, ‘important’ entities, which now include a large number of commercial companies that were not previously affected; and finally, critical suppliers in the supply chain. Industrial SMEs and mid-cap companies (and their suppliers), which were previously excluded, may now be affected due to their critical industrial role.

Ultimately, governance must be cross-functional and shared between departments, going beyond the usual scope of the IT department:
  • executive management, for decision-making and legal responsibility;
  • legal/compliance departments, for the integration of risks into contracts and their negotiation, the documentation of decisions and regulatory compliance;
  • finance departments, for the allocation of resources;
  • operations departments, for the execution of security plans;
  • human resources, for awareness-raising, training and behaviour management, which are essential elements in risk control!

In France and Europe, this new cybersecurity standard obviously interacts with other binding regulations:
  • the General Data Protection Regulation (GDPR) for breaches involving personal data;
  • the AI Act, insofar as AI is an obvious factor in increasing or decreasing cyber-risk;
  • locally, the Defence Code, but more generally the sectoral texts applicable to each category of activity (energy, transport, digital, etc.);
  • contractual provisions, since contracts must include specific clauses, e.g. on notification, security and contractual penalties.

These global and local regimes interact in a complex manner, requiring closer legal coordination between compliance, DPO, legal, IT, financial and, of course, operational teams.

For French SMEs and mid-cap companies, now potentially covered by NIS2, the Directive represents a necessary structural transformation of risk management in 2026, to which they are not accustomed. They must move from a technical or crisis-based approach to one of legal, technical and organizational compliance; from pragmatic internal best practices to a regulated obligation punctuated by significant penalties; and from a purely IT or strategic dimension to a global responsibility assumed by senior management.

Beyond a regulatory constraint, NIS2 becomes a lever for trust and differentiation for companies with customers, sponsors and partners — provided it is implemented proactively, documented and comprehensively.

Transposition in France is still ongoing, but some EU countries have already implemented it! It is therefore essential to monitor the texts to come in 2026. However, given the political situation in France, this transposition is behind schedule, and the Directive may therefore apply directly in certain cases, so it is essential not to delay preparing your organization in this respect!

Tech & Data Bites

Authors

Frédéric Bourguet, Attorney at law (France), Associate Partner

Raphaëlle Donnet, Attorney at law (France), Associate

Rödl FRANCE