EU NIS2 in France

Current status

The national implementation in France is overseen by the National Agency for the Security of Information Systems ANSSI, Agence nationale de la sécurité des systèmes d'information. Art. 5 The bill is divided into three sections: Resilience of vital activities, Cybersecurity and Digital operational resilience of the financial sector for a joint implementation of NIS2, DORA and RCE.

As part of an accelerated procedure, a draft bill was published and submitted to the French Senate on 15 October 2024 by the French Minister of Economy, Finance and Industry, the Minister of Higher Education and Research. Following the Senate's review, the draft law on the implementation of the NIS Directive will have to be considered by the National Assembly, which makes the adoption of the Directive feasible for the second half of 2025.

National NIS2 differences

Compared to the original EU Directive, the scope has been extended to more local authorities in France: all departments, communes with more than 30,000 inhabitants and overseas collectivities. The scope of application has also been extended for sectors to include educational institutions that carry out research activities.

In addition to the entities categorized under Art. 8 and 9 the French Prime Minister may decide to exclude some educational entities from the scope or to designate an entity as essential if its service is essential for society, public security or economic stability, poses systemic risks or is vital for its sector or interdependent sectors Art. 10.

Entities and sectors

The French implementation law defines classification criteria for essential entities (entités essentielles) in Art. 8(I) and for important entities (entités importantes) in Art. 9. The thresholds for entities operating in (highly) critical sectors, telco providers and public inter-municipal cooperation establishments will be defined by regulation.

The coverage of regulated entities will possibly increase from 500 under NIS1 to 15,000 entities with the implementation of NIS2, while the number of sectors increases from six to 18.

According to the Minister of Economy and Minister of Education, the scope retained in the NIS2 Directive specifically targets the sectors and types of entities with the greatest potential impact on the economy and society, whereas the NIS1 Directive provided for a national procedure for identifying operators of essential services.

The draft law does not yet contain definitions of highly critical sectors and critical sectors.

For public administration entities, several exceptions apply. State administrations in the fields of national security, public safety, defense and law enforcement are not classified as essential entities. Art. 8(I) no. 7a However, these entities are covered by the risk management obligations addressed in Art. 11. Communities with a population of less than 30,000 are also not classified as essential entities as well as other entities operating on a regional level. Art. 8 no. 7b

CER Directive

EU CER Directive (2022/2557) is also transposed through Title I of the French Resilience bill.

Art. 1 replaces the current Chapter II of Title III, Book III, Part 1 of the Defence Code onProtection of installations of vital importance (L. 1332-1 to L. 1332-7) with a new chapter titledResilience of activities of vital importance, consisting of three sections and 22 articles.

The first section of the new chapter is concerned with general provisions relating to activities of vital importance. This new section contains eleven articles of which most are dedicated to definitions: it articulates the already existing national definitions with the definitions provided by the European directive, concerning activities of vital importance and critical infrastructures.

Art. L. 1332-2 governs the system for designating the different categories of operators of vital importance, distinguishing between:

1. operators who carry out one or more activities of vital importance;
2. operators whose destruction or damage could present a serious danger to the population and the environment.

The second part of article (II) aims to take account of the communities which have decided to grant an activity of vital importance by providing them with information:

Art. L. 1332-4 provides for the obligation of vital services operators to identify their dependencies, particularly in terms of supplies, but also with regard to their own service providers.

Art. L. 1332-5 lays down specific obligations for critical points, which must be provided with a specific resilience plan drawn up by the operator, replacing the current specific protection plan.

Art. L. 1332-6 extends the cases of access to points of vital importance and information systems of vital importance and functions which may be subject to administrative security investigations at the request of the operators in accordance with the Directive.

Art. L. 1332-7 requires operators to notify the administrative authority of incidents likely to jeopardise the continuity of their essential activities or to present a serious risk to the population or the environment.

Art. L. 1332-9 makes it possible to distinguish, among the operators of vital importance providing essential services, critical entities of particular European importance for which the European Commission may carry out advisory missions, subject to the agreement of the Member States.

NIS2 Directive

EU NIS2 (2022/2555) is transposed with Title II (Cybersecurity) of the Resilience bill

On the National Authority for the Security of Information Systems (Chapter I Title II) contains a single Art. 5 which provides that ANSSI is responsible for implementing the government's policy on the security of information systems.

On Cyber Resilience (Chapter II Title II) provides definitions under Art. 6 and a list of critical and highly critical sectors of activity is set by decree in the Council of State through Art. 7. Furthermore:

• Art. 8-9 define, on the basis of NIS2 Directive, the essential and important entities which will be affected by the measures as well as those which are explicitly excluded from its scope, in particular under clauses relating to national security.
• Art. 10 provides for the possibility for the Prime Minister to designate certain essential and important entities and they define the articulation of the bill with national and sectoral regulations also having an impact on cybersecurity.
• Art. 11-17 harmonize and simplify the existing legal framework for the protection of information systems (NIS1) by establishing a set of rules harmonized for different types of entities, adapted to each level of threat, as well as to sectoral and thematic specificities, and applicable to the largest number of entities in order to protect them against the cybercriminal threat. They bring the additional security requirements of the system of information systems of vital importance (les systèmes d'information d'importance vitale, SAIV), designed to protect the most critical French organizations against strategic threats, into line with those foreseen by the implementation of the NIS2 directive.
• Art. 17 provides for an obligation for essential and important entities to notify significant incidents to the national authority, as well as to the recipients of services in certain cases.

Government authorities

ANSSI, the French Cybersecurity authority, will be authorized to monitor and supervise the law. This includes search and detection of breaches, violations of the obligations and on-site and remote inspections, regular and targeted security audits, security scans and audits in the event of an incident or breach.

State Agents Art.L. 1332-12, i.e. ANSSI, are granted authority to impose administrative fines of up to €10 million or 2% on essential entities and €7 million or 1.4% of total annual worldwide turnover on important entities Art. 37 § 1-2. While the EU’s NIS2 Directive did not provide for this, the French implementation draft law entrusts these tasks to ANSSI as a single authority.

In agreement with the French government, the Council of State has proposed adding a provision to the bill allowing the Prime Minister to designate another authority for activities in regards to defence. Art. 5 and 10

ANSSI plans to launch several online tools, some of which are available in beta (as of late 2024):

• A NIS 2 applicability assessment tool for organizations
• A support service for the implementation of security measures
• A tool for the management of security measures [4]

Security

Risk Management

The French NIS2 lat addresses risk management measures in Art. 11 and Art. 14. Essential and important entities as well as several state administrations will need to implement appropriate and proportionate technical, operational and organizational measures to manage risks to the security of their networks and information systems (NIS).

These measures should ensure a level of NIS securityappropriate and proportionate to the existing risks Art. 14 and should ensure:

• Governance of NIS security, including cybersecurity training for members of management bodies and staff exposed to risk
• Protect NIS, even when outsourced
• Tools and procedures to defend NIS
• Incident management
• Business resilience

Further risk management measures will follow in a separate decree by the Council of State Art. 14 which will further determine the conditions for the development, modification and publication of a reference framework of technical and organizational requirements. The framework will serve as a guide for audits vis-à-vis the national authority to demonstrate compliance with the objectives mentioned in the same paragraph Art. 15.

Security measures

A draft document on risk management measures with concrete risk management measures was leaked in July 2024. The document lists 20 Security Objectives each divided into sections covering a description of the respective security objective, justifications and the addressed risks, and acceptable means to reach compliance.

The document presents acceptable means in a table listing which measures are necessary for important and essential entities, and which ones apply to essential entities only. The security objectives cover Art. 21 requirements of EU NIS2 by addressing the following topics:

• Identification of information systems
• Implementation of a risk-based approach
• Security audits of information systems
• Physical access controls
• Secure architecture of information systems
• Identity and access management of information systems
• Incident response
• ... and more

Information and authorities

Registration

The registration obligations are defined in Art. 9. Essential and important entities, as well as DNS registration services will have to register at ANSSI. Further details such as deadlines and necessary information will be defined by decree. An online evaluation and registration service run by ANSSI will be made available in 2025.

Reporting

Reporting obligations are defined in Art. 18-22. Essential and important entities, as well as state administrations and their public administrative establishments, as defined in Art. 14, must notify the recipients of their serviceswithout delay of any critical incident that may affect the provision of services, critical vulnerabilities that (potentially) affect their services, as well as the measures or corrections as soon as they become aware of them, in order for the recipients to respond to vulnerabilities or threats Art. 17.

Operators of vital importance must notify ANSSI without delay ofany incident likely to compromise the continuity of its activities of vital importance or to present a serious danger to the population or the environment Art.L. 1332-8 Code de la défense.

ANSSI may require an entity to disclose an incident to the public or do so itself Art. 13(II)

A decree of the Council of State will follow, specifying deadlines for incident notifications as well as criteria to classify incidents as significant Art. 13(V).

Sanctions

The draft law defines regulatory offenses (measures after checks) under Art. 31-34. They provide for the procedures for initiating a procedure following checks and the enforcement measures that the national authority may decide on and attach to them daily penalty payments, including warnings, binding instructions, compliance injunctions and information obligations.

Sanctions are defined under Art. 35 to 37. They allow for effective implementation of sanctions, within appropriate timeframes in order to encourage the entities concerned to comply with their obligations and adopt good practices in cybersecurity. The penalty amounts are closely aligned with EU NIS2.

The Sanctions Committee Article L. 1332-15 of the Defense Code rules on any breaches of obligations arising from the application to the the NIS2 implementation law (Chapter II + III) Art. 35.

In the case breaches of the implementation law (Chapter II + III), the Sanctions Committee is composed of one coordinating minister of a vitally important sector (Article L. 1332-16 of the Defense Code) as well as three qualified persons appointed by the Prime Minister due to their skills in the field of information systems security Art. 36.

For companies that obstruct requests necessary to investigate violations and enforce rights, the Sanctions Commission may impose ten million euros or 2% of the company's annual worldwide turnover, excluding tax, for the preceding financial year, whichever is greater Art. 37.

Regulatory offenses

The ANSSI designates one or more rapporteurs to conduct an investigation pursuant under Art. 31 in case of violations or suspected violations. In line with Art. 32 and in the case of regulatory offenses revealed by investigation, the ANSSI is authorized to:

1. issue a warning
2. take the necessary measures to avoid or remedy an incident, and define the deadlines for implementing these measures and reporting on this implementation
3. order the entity to comply with the obligations within a period which the ANSSI determines (> one month, except in the event of serious or repeated failure)
4. order the entity to inform the natural or legal persons to whom it provides services or carries out activities that may be affected by a significant cyber threat, of the nature of that threat and of any preventive or remedial measures that those natural or legal persons may take in response to that threat
5. order the entity to implement within the time limit it sets the recommendations made following a security audit
6. require that the affected entity communicates the observed breach to the public by any appropriate means

Art. 33 provides that:

1. in the case that the ANSSI's investigation finds that the entity complied with the enforcement measure within the time limit, the ANSSI will not continue the procedure. In the case of non-adherence with one of the enforcement measures addressed to him, the ANSSI will notify the entity of the grievances and refer the matter to the sanctions committee (Art. L. 1332-15).
2. If the entity concerned is an essential entity and does not provide evidence of compliance with the implementing measures referred to above within the time limit, the ANSSI may suspend the certification or authorization for all or part of the services or activities provided by the entity until the essential entity has remedied the non-compliance.
3. If that certification or authorization has been issued by a certification or authorization body of another entity, it shall instruct that body to suspend it until the essential entity has remedied the non-compliance.

A decree will specify the investigation process further Art. 34.

Audits

Audit obligations for operators are defined in Art. 15 to 17, official audit powers in Art. 27-30. Audits can be conducted by independent bodies or specially appointed and sworn agents empowered by ANSSI. Art. 26

According to Art. 29 the agents conducting the audits may have the authority to:

• conduct on-site inspections and remote controls
• conduct regular and targeted audits
• security scans
• audits in the event of a significant incident or a violation of the provisions of EU directives and regulations Art. 26

More details on audits will follow in a separate decree of the Council of State Art. 23.

The security objective no. 5 of the (draft) guideline document specifying the concrete risk-management measures obliges essential entities to conduct audits of their networks and information systems. Regulated information systems must be audited every three years by ANSSI-certified qualified security audit providers. The audit must:

• verify compliance
• assess security levels
• include penetration tests
• audit configuration, architecture, and code
• include organizational and physical audits

The outcomes of an audit must include an audit report summarizing compliance, identifying non-conformities and providing recommendations. Furthermore, the essential entity must establish an action plan to address non-conformities and vulnerabilities, with deadlines and designated responsible parties.

The guideline document excludes important entities from audit obligations.

Territoriality

The territorial provisions are established in accordance with Art. 26, NIS2 Directive. In line with Art. 11, Section I of the implementing legislation, essential and important entities are subject to the provisions of the law if they are established on national territory or, in the case of electronic communications operators, if they provide their services on the national territory.

DNS, registrars, cloud computing service providers, data center service providers, content delivery network providers, managed service providers, managed security service providers, e-commerce providers, online search engines, and social media networking platforms are considered exceptions and special cases. They fall under the provisions of the implementing law if:

• their principal place of business (établissement principal) is on French national territory (Art. 11, Section III clarifies the definition of "principal place of business" as the place where decisions regarding cybersecurity risk management measures are primarily made or, in the absence of such a place, the place where cybersecurity operations are carried out or, in the absence of such a place, the establishment with the largest number of employees in the European Union.)
• they are established outside the European Union but offering their services on national territory when they have appointed a representative established on national territory;

Furthermore, the conditions of establishment on national territory do not apply to state administrations and public establishments.

Art. 11, section II clarifies the obligations of these registration offices and the agents acting on their behalf. The territorial obligations apply to those:

• who have their main establishment in the national territory;
• who have appointed a representative established on the national territory, if they are established outside the European Union but offer their services on the national territory.

Art. 40 provides for the arrangements for applying the French implementation of NIS2 in overseas countries and territories (Wallis and Futuna, French Polynesia, New Caledonia and the French Southern and Antarctic Lands).

Entry into Force

Transitional Provisions (Chapter III Title I) includes Art. 4 which provides for the obligations applicable to operators of vital importance designated before the entry into force of the law.

Sources

1. Foliensatz der Agence nationale de la sécurité des systemes d'information (ANSSI) zur Vorstellung der der xNIS-2-Richtlinie, Webseite der ANSSI, 23.05.2023
2. Überblick und FAQ, Webseite der ANSSI, o.D.
3. Projektgruppe PortailNIS2, Webseite der französischen Regierung, o.D.
4. Ouala Barhoumi, Wavestone https://www.wavestone.com/de/insight/nis-2-europaeischen-laender-umsetzung-der-richtlinie/
5. French Senate https://www.senat.fr/leg/exposes-des-motifs/pjl24-033-expose.html