Updated on April 11, 2026
At EU level, the schedule is straightforward: Member States had to adopt and publish the measures needed to comply with NIS2 by October 17, 2024. That date is set directly in Directive (EU) 2022/2555.
In France, the picture is more nuanced. As of April 11, 2026, the Senate legislative file for the bill on critical-infrastructure resilience and stronger cybersecurity still shows a law in progress. The direction is clear, but the final national framework is not yet fully settled.
What is already official
Three points are firm.
1. NIS2 is in force and already defines the European baseline. The directive was published in the Official Journal of the European Union in December 2022.
2. ANSSI is already asking future in-scope entities to prepare. On its official NIS2 page, the agency says the directive should help thousands of entities strengthen their protection and explicitly invites future essential and important entities to start now.
3. ANSSI has already started equipping the market. A pre-registration process has been open since November 24, 2025, and since March 17, 2026, ANSSI has also made the ReCyF (Référentiel Cyber France) available as a working document.
What is not final yet
This is the part that matters most in practice.
You can already work on scope, governance, security measures, and evidence. But you should avoid claiming that every French control list, enforcement detail, or procedural deadline is already fixed in national law while the legislative and regulatory work is still ongoing.
In short: prepare seriously on the substance, but stay careful with legal wording that sounds more final than the current French text actually is.
Who should really pay attention?
NIS2 does not apply to "all SMBs" by default.
The directive mainly targets entities in listed sectors, usually medium-sized or large organizations, with exceptions where a smaller entity is critical because of the service it provides, its market position, or its national or regional importance.
So the right question is not "are we an SMB?" but rather:
Many startups and SMBs will not be directly regulated. But many of them will still be indirectly affected because their customers, hosting providers, or strategic partners will push NIS2-style requirements down the chain.
What companies should do now
1. Check your real exposure
Start with a practical map: business activities, sectors, customers, critical suppliers, hosting model, exposed systems, and internet-facing services. Without that inventory, it is impossible to tell whether you are likely in scope or sitting in the supply chain of an entity that is.
2. Use pre-registration where relevant
If you believe your organization may fall under the future essential or important-entity framework, ANSSI's pre-registration process is not a small administrative detail. It is an operational signal that preparation should already be underway.
3. Build a defensible security baseline
ReCyF is not yet the final mandatory French rulebook. But it is already a useful working basis. If you improve identity and access management, logging, backups, crisis handling, and control of your exposed services now, that work is unlikely to be wasted.
4. Formalize incident governance
NIS2 pushes organizations toward better detection, qualification, escalation, and notification. The directive itself already sets the reporting tempo for significant incidents (early warning within 24 hours of becoming aware of it, incident notification within 72 hours, final report within one month), so escalation paths have to be fast enough to meet it. Even if your final status is still being clarified, documenting owners, escalation paths, contact points, and reporting workflows is a sensible move.
5. Keep evidence, not just intentions
In this kind of framework, actual security matters. But the ability to prove what you have done also matters. Inventories, policies, audits, action plans, and remediation tracking quickly become essential.
Our view
As of April 11, 2026, the right message is neither "wait until the final French law arrives" nor "everything is already fixed".
The right message is: French transposition is still moving, but ANSSI is already telling future affected entities to prepare. If your company may fall in scope, or if it sells to organizations that will, 2026 is the right time to strengthen your security governance and reduce your real application exposure.
An external review is not the same thing as legal transposition. But it is a concrete way to verify what an attacker can already see, document your actual exposure, and feed your compliance work with facts instead of assumptions.