French companies are still waiting for Parliament to finalize the country’s implementing law for the European Union’s NIS2 cybersecurity directive—leaving many organizations unsure what, exactly, they’ll be required to do, how they’ll be inspected, and how fast they’ll need to comply.
That uncertainty is landing at an awkward moment. Cyber risk continues to rise, and executives are being forced to choose between moving ahead with major security investments now or holding back until France’s final rules are clear, according to reporting cited by Le Dauphiné Libéré.
NIS2 isn’t a niche IT issue. It’s designed to raise baseline cybersecurity across a much wider slice of the economy than earlier EU rules, pushing leadership teams to make practical calls on budgets, priorities, accountability after an incident, and how to prove the company did what was required—especially tough for organizations without large in-house cyber teams.
Why France’s NIS2 implementing law is stuck in Parliament
The holdup isn’t just a crowded legislative calendar. An analysis cited by a specialized source says the delay is tied to a disagreement between lawmakers and France’s DGSI—its domestic security and intelligence service—over certain choices in the implementing text.
The result is a mixed signal to business: the EU directive sets the direction, but the national framework that will spell out how enforcement and oversight work in practice still hasn’t stabilized.
On the ground, that’s producing two immediate behaviors. Some leaders are waiting for the final version before committing to big-ticket programs—detection tools, monitoring, governance, crisis planning. Others are moving anyway, relying on interpretations, guidance documents, and peer feedback, at the risk of having to rework decisions later.
For multi-site companies or groups with subsidiaries, the lack of a clear text also complicates internal alignment: business units want simple rules, while security teams are often forced to answer with assumptions.
Forge Agency summarized the legislative status this way: as of June 2, 2026, the bill remains in “parliamentary shuttle,” having been adopted by the Senate and still awaiting review by the National Assembly, France’s lower house. Meanwhile, cyber pressure hasn’t paused.
Who’s covered—and why ANSSI is becoming the key regulator for companies
NIS2 expands the range of organizations in scope and centers compliance on risk management requirements and incident reporting. One educational source described NIS2 as an EU regulation that took effect in October 2024, aimed at pushing companies to strengthen cybersecurity. For many firms, the first question is basic: Are we covered, and on what basis?
That determination matters because it shapes expectations, governance, and the relationship with the oversight authority. The same source highlights NIS2’s categories—often summarized as “essential entities” and “important entities”—which affect how obligations will be monitored.
Even if operational details depend on France’s final implementing law, the logic is straightforward: the more critical the activity, the more demanding the cybersecurity risk-management expectations become.
In France, ANSSI—the National Agency for the Security of Information Systems—sits at the center of that system. According to the same source, ANSSI is the national authority empowered to conduct audits and inspections to verify compliance.
That changes day-to-day cybersecurity for companies: it’s no longer just about doing “the best you can,” but about being able to demonstrate decisions, tradeoffs, procedures, and the ability to respond when something goes wrong.
Practically, executives are being pushed to manage cybersecurity like quality control or regulatory compliance. Tooling questions—asset inventories, vulnerability management, logging, monitoring—now come with documentation and governance demands: who decides, who approves, who escalates, who communicates.
Without a final text, many companies are taking a pragmatic route: raise the basics to an expected level without waiting for the last line of the law.
Everyone is waiting for “the date”—and the daily cost of uncertainty
Le Dauphiné Libéré describes the delay as harmful to business, though not always in a single, obvious budget line. Instead, it shows up as friction across the organization.
An IT leader has to persuade management to invest while leadership asks for a timeline, precise requirements, and clarity on inspections. In-house counsel tries to lock down liability while the contours of French enforcement remain unsettled. Procurement teams want to add cyber clauses to contracts but hesitate over how strict to be with vendors.
On LinkedIn, one industry professional put it bluntly: this isn’t only a legislative delay, it’s an “increase in risk” for companies already juggling multiple demands and forced to make tradeoffs. While that kind of post isn’t official guidance, it reflects a common reality—cybersecurity is managed under pressure, and regulatory uncertainty adds organizational strain.
There’s also an opportunity cost. A company that hesitates on a structured program can lose time on simple, high-impact steps: mapping critical systems, setting up on-call incident coverage, testing ransomware recovery, or formalizing notification procedures.
But rushing carries its own risk: buying tools without solid governance, or stacking products without coherence. Either way, the delayed final framework makes it harder to optimize—doing the right work, at the right pace, with the right priorities.
Incident reporting is moving ahead at the EU level
Even as France’s timeline drags, EU-level implementation continues. A NIS2 monitoring source reports that the NIS2 Cooperation Group—bringing together EU member states, the European Commission, and ENISA (the EU’s cybersecurity agency)—adopted common templates for cyber incident notifications under the directive’s reporting article at a plenary session on May 26, 2026.
For companies, the message is clear: notification isn’t paperwork. It’s a process that has to be prepared.
In practice, reporting an incident requires the ability to detect, assess, contain, and document. That forces concrete decisions: who has authority to report, what information is collected, how evidence is preserved, which channel is used, and how reporting aligns with external communications.
As a result, even without France’s final implementing law, companies have an incentive to build an internal notification pathway—roles, responsibilities, and reporting templates—rather than improvising during a crisis.
The same source also points to sector-level assessment work, citing an ENISA report called NIS360 that cross-references sector criticality and maturity. Even if each company’s situation differs, that kind of analysis pushes prioritization: focus effort on the assets and services that would halt operations if they went down—production and operational technology for industrial firms, line-of-business applications and customer data for service companies, and continuity of essential public services for local governments.
What companies can lock in now, even without France’s final text
France’s parliamentary delay doesn’t change the core reality: NIS2 is meant to raise cybersecurity standards, and attackers don’t wait for lawmakers. A compliance-focused source reiterates that the goal is to push companies to strengthen cybersecurity, with ANSSI expected to play an enforcement role through audits and inspections.
That means organizations can still make progress on fundamentals that will matter in any scenario.
First: governance—clarifying who leads cybersecurity, how risks are escalated to top management, and how decisions are documented. Second: technical hygiene—system inventories, patching, tested backups, access management, and monitoring. Third: crisis readiness—an incident response plan, up-to-date contacts, and simple exercises that test the ability to make fast decisions.
Finally, the risk extends well beyond internal IT. A large share of it runs through vendors, managed services, cloud providers, software publishers, and subcontractors. Even without knowing the final French text, companies can tighten contractual requirements, ask for proof of security measures, and set regular review cycles.
In the months ahead, the key watch point will be when France clarifies its parliamentary schedule—and how it translates supervision and notification mechanisms into national law—because that’s where the shift from principle to day-to-day practice will be decided.
Sources
- Retard sur NIS 2 : La France risque une double peine entre …
- Actualité NIS2 2026 : directive cybersécurité européenne
- NIS2 : tout le monde attend « la date »… – Forge Agency
- #nis2 #cybersécurité | Raphael Marichez | 14 commentaires – LinkedIn
- NIS2 : obligations et sanctions pour les entreprises françaises




