
NIS 2 directive: everything you need to know to prepare your compliance

By Make IT Safe

As cyberattacks multiply, Europe is strengthening its regulatory arsenal. The NIS 2 directive is becoming the reference text to raise the cybersecurity level of critical organisations. In France, between 15,000 and 18,000 entities are affected. Are you ready?

The average cost of a cyberattack today represents between 5% and 10% of a company’s annual revenue, according to a report from the French Court of Auditors published in June 2025. For a French SME, that averages €466,000. Staggering numbers that explain why the European Union decided to drastically strengthen its regulatory framework.

Adopted in December 2022, the NIS 2 directive (Directive (EU) 2022/2555 on network and information security) succeeds NIS 1 with a clear ambition: harmonise and raise the cybersecurity level across Europe. The scope widens considerably, from 7 to 18 activity sectors. Obligations are strengthened. And penalties become genuinely deterrent.

From NIS 1 to NIS 2: why this evolution was necessary

The first NIS directive, adopted in 2016, was a first step toward a coordinated cybersecurity approach in Europe. It mainly targeted Operators of Essential Services (OES) and Digital Service Providers (DSP). But its application revealed several limits.

First, a scope too narrow, leaving many critical sectors without binding framework. Then, significant disparities between member states in the interpretation and application of the rules. Some countries were far more demanding than others, creating a form of unfair competition. Finally, often symbolic penalties that didn’t encourage organisations enough to invest in their cybersecurity.

NIS 2 corrects these weaknesses. The directive sets a common floor of stricter rules that every member state must transpose, narrowing the room for divergent national interpretations. It places greater responsibility on leaders and provides financial penalties that can genuinely hurt negligent companies.

Infographic showing the four pillars of the NIS 2 directive: strict security measures, dissuasive penalties, extended scope, strengthened obligations.

Who is affected by NIS 2?

This is one of the major evolutions of NIS 2: the scope widens considerably. In France, between 15,000 and 18,000 organisations now fall within the scope, compared to about 500 for NIS 1.

The directive distinguishes two categories of entities with different requirement levels.

Essential entities include large organisations (250 or more employees, or more than €50 million in annual revenue together with a balance sheet above €43 million) operating in the highly critical sectors of Annex I: energy, transport, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, space, banking and financial-market infrastructure.

Important entities cover mid-sized companies (50 to 249 employees, or annual revenue and balance sheet both above €10 million) in those same sectors, plus the other sectors classed as "critical" in Annex II: postal and courier services, waste management, chemical manufacturing and distribution, food production and distribution, manufacturing (medical devices, computer, electronic and optical products, electrical equipment, machinery, vehicles), digital providers (online marketplaces, search engines, social networks) and research organisations.

Important note: some organisations are affected regardless of size, among them DNS service providers, top-level-domain name registries, trust-service providers and providers of public electronic communications networks or services. Qualified trust-service providers, TLD registries and DNS service providers are classed as essential entities whatever their headcount.

NIS 2 also introduces a strong supply-chain requirement. Even if you are not directly affected, your clients subject to the directive can impose cybersecurity obligations on you through contracts.

The concrete obligations imposed by NIS 2

ANSSI, the French national cybersecurity agency and competent authority for NIS 2, has defined 20 security objectives for essential entities and 15 for important entities. These obligations cover the full spectrum of cyber-risk management.

Cybersecurity governance becomes a direct responsibility of leadership. Leaders must follow cybersecurity training and actively supervise the implementation of measures. In case of serious breach, they can be personally held accountable and temporarily barred from leadership roles.

Risk management must rely on a rigorous, regularly updated analysis of the threats weighing on information systems. Protection measures must be proportionate to the identified risks and cover the full perimeter listed in Article 21 of the directive: physical security, access control and asset management, multi-factor authentication, cryptography and encryption, network segmentation, vulnerability handling and disclosure, secure acquisition and development, cyber-hygiene training, and regular assessment of how effective those measures actually are.

Incident notification now follows a very precise timeline (Article 23). For a significant incident, the entity has 24 hours from becoming aware of it to send an early warning to ANSSI, 72 hours to provide an incident notification with an initial assessment of severity, impact and indicators of compromise, and one month from that notification to deliver a final report detailing causes, impacts and corrective actions. ANSSI may also request intermediate status reports in between.

Business continuity requires regularly tested plans to maintain or restore critical activities during a cyberattack — data backup, recovery procedures, crisis management.

Supply-chain security requires entities to evaluate the security posture of their critical suppliers and providers and to embed cybersecurity requirements in their contracts.

A key point to remember: ISO 27001 certification does not guarantee NIS 2 compliance. According to ANSSI, this standard only covers 2 of the 20 security objectives defined for essential entities. Even complemented by ISO 27002, you only reach about 80% of requirements.

Penalties for non-compliance

NIS 2 harmonises penalties across Europe and makes them truly deterrent.

For essential entities, fines can reach €10 million or 2% of total worldwide annual revenue, whichever is higher.

For important entities, the cap is €7 million or 1.4% of total worldwide annual revenue, again whichever is higher.

Beyond financial penalties, authorities can impose binding corrective measures, order public disclosure of the breach and, in the most serious cases involving essential entities, temporarily suspend a certification or authorisation covering the affected services.

Personal leadership liability is another major innovation. Where management fails to act on the authority's orders following a breach, a person exercising managerial responsibilities at chief-executive or legal-representative level can be temporarily barred from such roles. This provision aims to place cybersecurity at the heart of board-level concerns.

Where does transposition stand in France?

The European directive required transposition into national law before 17 October 2024. France is running late, like several other member states. The European Commission sent France a reasoned opinion on 7 May 2025 for failure to notify complete transposition.

The "Resilience" bill, which transposes NIS 2 together with the REC directive on the resilience of critical entities and the directive accompanying the DORA regulation for the financial sector, was voted by the Senate on 12 March 2025. The National Assembly's special committee finished its review on 11 September 2025, adopting 245 amendments. Political instability has, however, slowed the legislative process.

Final adoption is expected in 2026. Once the text enters into force, affected entities will have three years to reach full compliance. But ANSSI is clear: threats don't wait. Risk analysis, asset inventory and system mapping must start now, because they are prerequisites for every other objective.

To check if your organisation is affected, ANSSI provides a simulator on the “Mon Espace NIS 2” platform. A voluntary pre-registration service is also available to anticipate the mandatory registration that will accompany the transposition.

How Make IT Safe supports your NIS 2 compliance

Faced with the complexity of NIS 2, having the right tool makes all the difference. Make IT Safe is a business application built by cybersecurity experts for CISOs and DPOs who must combine risk control with regulatory compliance.

Our solution lets you structure your NIS 2 compliance journey in an efficient, collaborative way:

  • Map your risks using our analysis module that identifies, evaluates and prioritises the threats weighing on your information systems, in line with directive requirements.
  • Steer your action plans by centralising every security measure to deploy, with real-time progress tracking and clear ownership.
  • Evaluate your third parties to meet supply-chain security obligations. Our supplier-analysis feature gives you a clear view of your ecosystem’s security posture.
  • Manage your incidents with workflows aligned to the NIS 2 deadlines (24-hour early warning, 72-hour notification, one-month final report) and documentation meeting ANSSI expectations.
  • Demonstrate your compliance through exportable dashboards and reports that showcase your work to leadership and during audits.

100% European, Make IT Safe today supports more than 150 organisations that chose a sovereign, simple and high-performance solution. Our customers report on average 30% productivity gains in managing their compliance.

Preparing for NIS 2 compliance is an investment. But remember: the cost of non-compliance is generally far higher.