In the absence of a voted national text, what ways of applying and appropriating the NIS 2 requirements for French companies and administrations in the immediate and medium term? Answers by Pierre Affagard, a lawyer in the Paris office of Clyde & Co. It has activities dedicated to new technologies, data protection and cyber security.
Directive no. 2022/2555 of 14 December 2022, known as the NIS 2 Directive, which aims to ensure a high level of cyber security across the EU, still leaves the companies concerned in relative uncertainty.
NIS 2, which will enter into force on 16 January 2023, was supposed to be transposed and applied by 17 October 2024. In France, as in most other Member States, transposition is still pending.
First account(1) concerning ” resilience of critical infrastructure and strengthening cyber security » was submitted to the Senate on October 15.
Article of the week
Little information about the terms of the application
The legislator would not establish a transitional period for the benefit of the organizations concerned. This challenging choice and marked as such by the Higher Digital and Postal Commission (CSNP)(2) and the State Council(3) means the immediate implementation of the requirements of NIS 2 from the promulgation of the implementing law.
But when? The special commission charged with examining the project met on November 12. It has to publish its report soon and a public examination would be scheduled for February. Beyond these elements, no timetable has been communicated.
Lessons from European law on the enforceability of NIS 2
Faced with this situation – certainly inconvenient for businesses, but by no means unprecedented – a directive already in force but not transposed into national law, the courts have long established the rules that determine what is enforceable and what is not.
Private actors can be reassured in this regard. Since 1979, the principle has not changed: “ The state cannot challenge individuals for failure to fulfill the obligations contained in the directive. “. In other words, the state cannot require essential and important businesses under the NIS 2 Directive to be immediately compliant.(4).
Similarly, NIS 2 cannot be used in a dispute between two individuals.(5).
Directives can create obligations only towards the Member States to which they are addressed(6). we talk” vertical upward effect ”, which allows litigants to invoke a directive that has not been or has been incorrectly transposed before national judges(7).
What about local authorities who may be indirectly dependent on this direct effect?(8)?
By using the NIS 2 maneuvering space, France extended its cybersecurity responsibilities to communities that were not originally directly targeted.(9) such as departments, municipalities and groups of municipalities of over 30,000 inhabitants and, in certain respects, overseas communities(10).
Even if, in theory today, non-compliance with NIS 2 could be blamed on local authorities under certain conditions, this seems highly unlikely.
Necessary implementing decrees
Added to these inherent difficulties in bringing the law, which is so far only a draft, into compliance is the fact that NIS 2 requires implementing decrees to specify the outlines of a number of obligations.
This is the case, for example, of security incidents.(11)which must be notified to the National Agency for the Security of Information Systems (ANSSI) within 24 and 72 hours, for which the Decree of the State Council will provide some expected practical and technical details.
This is also the case for declarations that essential and important entities must make to ANSSI by 17 April 2025 at the latest..(12).
In summary, due to the reduced visibility of the application and allocation schedule, it is recommended to anticipate the implementation of the main security and governance responsibilities required by NIS 2.
(1) This draft law also plans to transpose the directive of 14 December 2022 no. 2022/2557 on the resilience of critical entities (hereinafter referred to as the “REC directive”) and no. 2022/2556 on digital operational resilience of the financial sector, which brings consistency of the new provisions of DORA with existing directives
(2) ČSNP opinion no. 2024-03 of 21 May 2024 on the draft law on the resilience of critical activities, protection of critical infrastructure, cyber security and digital operational resilience of the financial sector
(3) Opinion of the State Council of June 6, 2025 on the draft law on the resilience of critical activities, critical infrastructure protection, cyber security and digital operational resilience of the financial sector
(4) CJCE 5 April 1979, Prosecutor v. Ratti, aff. 148/78
(5) ECJ 26 February 1986, Marshall v. Southampton and South-West Hampshire Area Health Authority, aff. 152/84, spec. point 48
(6) 288 par. 3 of the Treaty on the Functioning of the European Union (TFEU).
(7) ECJ 4 December 1974, Van Duyn v Home Office, aff. 41/74
(8) CJCE, 22 June 1989, Fratelli Costanzo v. Municipality of Milan, aff. 103/88 – CJCE 18 June 1991, Impresa Donà Alfonso, aff. C-295/89
(9) Article 2.2 of the NIS 2 Directive specifically referred only to regions
(10) Article 9 of the bill
(11) Article 17 of the bill
(12) Article 3.3 of the NIS II directive