NIS2 transposition: legislative works begin 

French law to integrate European directive before October 17, 2024

Published on December 27, 2022, in the Official Journal of the European Union, the NIS2 directive is a revision of the July 2016 Network and Information Security (NIS) directive. All member States have until October 17, 2024, to transpose the NIS2 in their respective legal systems.

The revised directive broadly expands the scope of its predecessor. Indeed, NIS2 covers eleven areas deemed “essential” and seven areas considered “important”, thus encompassing 600 different types of organizations. In particular, the directive sets minimum cybersecurity and incident-reporting requirements. Most organizations under the scope of NIS2 were not covered by NIS; a great number of both public and private players will have to update their cyber protocols. 

In November 2023, Vincent Strubel, head of Anssi, estimated the revision would “increase the number of regulated players ten, twenty or thirtyfold” in France. Moreover, he sees the upgrade of the French ecosystem as “maybe the most structural project at Anssi.”

Legislative bodies are currently working on the vital transposition: lawmakers have a little over six months to finalize and pass a dedicated bill. NIS2 will be implemented in France no later than October 17, 2024. However, Anssi explains that “the implementation date is not necessarily the date at which all legal requirements will be implemented for the entities involved: some requirements will be implemented at once and others will be subject to a compliance upgrade timeline.”

Beyond the legal requirements, NIS2 is also the starting point for a European cyber crisis management structure. Named CyCLONe (Cyber Crisis Liaison Organization Network), the new entity will bring together member-state cybersecurity authorities. Anssi will be the representative for France.