France NIS2 Law Is Coming: What ANSSI's ReCyF Means for IT Suppliers and MSPs

France is about to flip the NIS2 switch — and the timeline is tight.
The French parliament is expected to vote on the law on the resilience of critical infrastructures and cybersecurity strengthening in July 2026. Once passed, the law will bring roughly 15,000 entities under formal NIS2 obligations — a tenfold increase from the ~500 organisations regulated under France's previous NIS1 framework. For IT consultants, MSPs, and vCISOs serving French clients or supplying into French-regulated organisations, the window to get ahead of this is closing fast.
Here's what's changed, what ANSSI has published, and what it means for your work.
France Was Late — But Now It's Moving Fast
France missed the October 2024 EU deadline for NIS2 transposition, joining 18 other member states that were formally warned by the European Commission. The legislative process ran slower than expected, partly due to political instability and partly due to the complexity of France's existing critical infrastructure framework, known as the SAIV (Secteurs d'Activités d'Importance Vitale) regime.
That delay is no longer a reason to wait. In March 2026, ANSSI — Agence Nationale de la Sécurité des Systèmes d'Information, France's national cybersecurity authority — published the Référentiel Cyber France (ReCyF v2.5). This is a 152-measure security framework that defines what NIS2 compliance looks like in practice under French law. Entities do not need the final law to start using it. The ReCyF is live, ANSSI is already guiding organisations toward it, and auditors will use it as their benchmark.
The French version of NIS2 is not a simplified copy of the EU directive. It layers national-specific measures on top of the directive's base requirements, which means purely directive-based gap analyses will miss French-specific obligations.
NIS2 Implementation Status by Country (2025–2026)
- Fully in force (6 countries): Belgium, Croatia, Hungary, Lithuania, Latvia, Italy
- Adopted, late 2025 (3 countries): Germany, Czech Republic, Finland
- In progress, expected 2026 (7 countries): Netherlands, France, Spain, Poland, Austria, Sweden, Ireland
What the ReCyF Actually Covers
The ReCyF organises 152 security measures across 20 security objectives. Both Important Entities (EI) and Essential Entities (EE) are subject to objectives 1 through 15, covering the fundamentals of cybersecurity:
- Asset inventory and classification
- Governance, accountability, and board-level security policy
- Access control, identity management, and privilege management
- Technical protection — patching cadence, configuration hardening, endpoint controls
- Crisis management, incident response, and business continuity
Essential entities additionally face requirements under objectives 16–20, covering more advanced resilience, continuity, and cross-sector coordination measures. These map roughly to the "significant" risk management obligations in NIS2 Article 21, but with French-specific detail and ANSSI's own controllable, auditable criteria layered on top.
Importantly, the ReCyF is designed as an operational benchmark — not a principles-based checklist. Each measure is defined with enough specificity that auditors can verify it. That means vague statements about "having a security policy" won't satisfy ANSSI inspectors. If you're advising a French entity on NIS2 readiness, the ReCyF is your working document.
Article 21 — 10 NIS2 Cybersecurity Measures
- Governance & Strategy: (1) Risk analysis & information security policies; (6) Effectiveness assessment of security measures
- Incident & Continuity: (2) Incident handling & notification; (3) Business continuity & disaster recovery
- Supply Chain & Systems: (4) Supply chain security; (5) Security in network & information systems development
- Technical Controls: (8) Cryptography & encryption; (10) Multi-factor authentication & secure communications
- People & Assets: (7) Cyber hygiene & training; (9) HR security & access control
Who Falls In Scope
France's law will classify entities into two tiers — Essential Entities (EE) and Important Entities (EI) — mirroring the NIS2 Directive structure directly. Sector coverage follows Annex I and Annex II of NIS2.
Under Annex I (Essential Entities), this includes energy, transport, banking and financial market infrastructure, healthcare, drinking water, wastewater, and digital infrastructure such as cloud providers, data centres, and internet exchange points.
Under Annex II (Important Entities), this includes:
- Managed service providers and IT managed security services
- Postal and courier services
- Waste management
- Manufacturing of medical devices, electronics, machinery, and motor vehicles
- Digital marketplaces and search engines
- Food production and distribution
For MSPs and IT consultants operating in France or supplying French-regulated clients: your clients are in scope. That makes you a critical node in their compliance chain. French procurement contracts will increasingly require suppliers to demonstrate their own cybersecurity posture aligned to ReCyF measures.
The scope expansion is significant. France is moving from roughly 500 regulated entities to approximately 15,000. The vast majority are Important Entities in sectors that have never dealt with mandatory cybersecurity audits before — which means the compliance support market is about to grow sharply.
The Enforcement Timeline
France's NIS2 law, once passed in July 2026, will not trigger immediate enforcement. Here is the realistic timeline:
- July 2026: Law passed, enters into force
- Q4 2026: ANSSI begins formal supervision and entity registration via the MesServicesCyber platform
- 2027: Regular audit cycles begin for essential entities; the 24-hour initial incident notification and 72-hour full assessment windows become strictly enforceable
- 2027 onwards: Penalties apply — up to €10 million or 2% of global annual turnover for essential entities, €7 million or 1.4% of global turnover for important entities
That may look like there's time. But registration and classification alone take months. Organisations that haven't started their gap analysis will be scrambling to catch up once the law takes effect — especially those that discover they fall under the Essential Entities tier and face more stringent requirements than anticipated.
NIS2 Incident Reporting Timeline
- Step 1, 24h (Early Warning): Notify the competent authority (CSIRT/NCA) within 24 hours of becoming aware of a significant incident.
- Step 2, 72h (Incident Notification): Submit a detailed notification within 72 hours with an initial assessment of severity, impact and indicators of compromise.
- Step 3, 1 month (Final Report): Deliver a comprehensive final report within one month covering root cause, remediation taken and cross-border impact.
ANSSI's MesServicesCyber Platform
ANSSI has built a self-registration and compliance tracking portal at messervices.cyber.gouv.fr. This is where in-scope entities will register, self-assess, and submit incident notifications.
For IT consultants and MSPs, this platform is useful now — before the law passes. ANSSI has made the NIS2 self-assessment questionnaire publicly available. It gives you a structured baseline for gap analyses with French clients, lets you identify which tier a client is likely to be classified under, and surfaces the specific ReCyF measures that are highest priority for their sector.
The ReCyF document itself is downloadable and can serve as an audit checklist. ANSSI designed it to be practical: objective by objective, measure by measure, with clear pass/fail criteria. This is as concrete as cybersecurity compliance frameworks get in the EU.
Supply Chain Exposure: Your Clients' Problem Becomes Your Problem
Under NIS2 Article 21, regulated entities must manage the security of their supply chain. That obligation includes assessing the cybersecurity practices of IT suppliers and service providers — and flowing down requirements contractually.
For MSPs serving French entities, this means French clients will start including cybersecurity requirements in service agreements, requesting evidence of security controls aligned to ReCyF measures, and conducting supplier assessments as part of their own audit preparation. The timeline pressure on your clients flows directly to you.
We've seen this dynamic play out already in Germany, Belgium, and the Netherlands, where NIS2 transposition is further along. Dutch and German entities regulated since late 2024 are already asking their MSPs for documented security controls and incident response procedures. French procurement will follow exactly the same trajectory — and it will move faster than those earlier implementations because ANSSI has published clearer operational guidance.
To understand how supply chain obligations cascade — from regulated entity down to their IT suppliers — see our post on NIS2 supply chain security.
NIS2 Penalty Escalation — Beyond the Fine
Trigger event: Non-Compliance Detected or Incident Occurs. A supervisory authority identifies a compliance gap or an organisation fails to meet NIS2 requirements.
Authorities can impose Non-Monetary Penalties:
- Compliance orders with binding deadlines
- Mandatory security audits at your expense
- Public disclosure of violations
- Binding instructions on specific security measures
Escalates to Operational & Personal Consequences:
- Suspension of certifications or operating licences
- Temporary ban on management functions for individuals
- Public naming of responsible natural persons
What to Do Right Now
If you serve French clients or operate in France, there is no reason to wait for the July vote before starting.
Map your client base against NIS2 Annex I and II. Identify which clients are likely to fall in scope as essential or important entities. Healthcare, digital infrastructure, manufacturing, and IT services are the highest-probability sectors. For each client, note whether they're likely EE or EI — that determines which ReCyF objectives apply.
Download the ReCyF. Review the 152 measures against your current service delivery. Identify gaps between what you deliver and what clients will need to demonstrate. If you provide managed endpoint security, patch management, or incident response services, you are likely already covering several objectives — but probably not all of them.
Run a structured gap analysis. Don't wait for the law. The ReCyF is the operational framework ANSSI will use to assess compliance. A gap analysis now gives clients a concrete baseline and a remediation roadmap before the registration window opens. For a step-by-step approach, see our NIS2 gap analysis guide.
Review your own obligations. If you are an MSP operating in France, you may fall under the Important Entities category directly — not just indirectly through your clients. That means you have your own NIS2 obligations: incident reporting, risk management measures, and eventually registration with ANSSI.
Get ahead of contract language. Review your service agreements. French clients subject to NIS2 will need to flow down cybersecurity requirements to their suppliers. It is better to have that conversation proactively than to be handed a contract rider with a 30-day compliance deadline.
If you want a quick read on where your clients stand today, run the NIS2 quick scan at NIS2Certify — a structured compliance posture assessment covering the Article 21 measures, completed in under 15 minutes.
The Bottom Line
France's NIS2 law is weeks away from passing. ANSSI has already published its 152-measure operational framework and built the registration infrastructure. For IT consultants and MSPs, the direction of travel is clear: map scope, run gap analyses against the ReCyF, and get ahead of supply chain requirements before French clients start asking for evidence.
Waiting for the final law before starting work is the wrong call. The framework is live. The timeline is set. The work starts now.
