NIS 2 in France: the mid-market trap most companies will misread
A 30x scope expansion, hiding an asymmetry
The headline number for NIS 2 in France is unambiguous. According to the OpenKRITIS legal summary of the French transposition, regulated entity coverage moves from roughly 500 under NIS 1 to about 15,000 under NIS 2, across 18 sectors versus six previously. The ANSSI NIS 2 page calls the expansion "unprecedented in cyber regulation" (in the original French, "sans précédent en matière de réglementation cyber").
What gets less attention is the asymmetry inside the new perimeter. The French draft, summarised by OpenKRITIS, creates two tiers: Entités Essentielles (EE) and Entités Importantes (EI). Most mid-market companies that just got pulled into scope land in EI, not EE. And the audit obligation is asymmetric between the two.
EE versus EI in plain language
EE is the small group of heavy hitters. Per OpenKRITIS, an EE in a highly critical sector is a large enterprise. Under the EU size rule the directive borrows (Recommendation 2003/361/EC), that threshold is met by headcount or by financials, not both at once: at least 250 employees, or turnover above €50 million together with a balance sheet above €43 million. Headcount alone is enough; the financial tests only matter below 250 staff. Per the same source, telecoms qualify regardless of size. Sectors: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space.
EI is the much larger group. Same source: medium-sized enterprises, meaning at least 50 employees, or both turnover and balance sheet above €10 million. Sectors include food, waste management, manufacturing of certain critical products, postal services, chemicals, research, certain local authorities. Medium-sized companies in the highly critical sectors listed above also land here rather than in EE; tier follows size, not sector alone.
A French SaaS, fintech, or healthtech with 80 staff and €15M annual revenue is almost certainly EI, not EE, provided its activity falls in one of the listed sectors at all. That is the typical mid-market position.
The audit asymmetry
Here is where the trap sits. OpenKRITIS is explicit: "Essential entities must undergo security audits every three years by ANSSI-certified providers. Important entities are excluded from audit obligations."
That sentence alone is responsible for a lot of mid-market planning errors. Read in isolation, it suggests EI companies have no testing obligation under NIS 2. Procurement decks say "we are EI, not EE, audit not required." Boards approve the line.
EI is excluded from the every-three-years audit obligation. It is not excluded from Article 21(2)(f).
That distinction matters. Article 21(2) of the NIS 2 directive lists the ten cybersecurity risk-management measures every regulated entity must adopt, regardless of tier. The verbatim text of Article 21(2)(f) requires "policies and procedures to assess the effectiveness of cybersecurity risk-management measures."
Effectiveness assessment is a testing concept. The mechanism by which an organisation knows whether a security control actually works is, almost by definition, some form of test against it.
What ENISA says you should do for Article 21(2)(f)
ENISA's Mapping NIS 2 obligations with ECSF role profiles provides the technical bridge. The relevant passage: entities must establish policies and procedures for assessing the effectiveness of their security measures, and ENISA suggests that vulnerability assessments, penetration testing, and team-based exercises should form part of effectiveness evaluations.
For an EI company, the chain of obligations runs: Article 21(2)(f) requires effectiveness assessment, ENISA names penetration testing among the methods that should form part of it, and the supervisory authority (ANSSI in France) is likely to read your evidence file against that ENISA guidance, precisely because there is no statutory three-year audit deadline forcing the question for EI.
What a mid-market RSSI should do this year
Five concrete steps, ordered by how often I see them mishandled.
- Confirm tier classification with your DPO. Do not assume. Run the OpenKRITIS thresholds against your actual employee count and last fiscal year's turnover / balance sheet, and check that your activity sits in a listed sector at all. Document the answer with the date and the source you used. EI versus EE materially changes the procurement decisions downstream.
- Map Article 21(2) sub-points to existing evidence. All ten sub-points apply to both tiers: (a) risk analysis and information system security policies, (b) incident handling, (c) business continuity and crisis management, (d) supply chain security, (e) security in acquisition, development and maintenance, including vulnerability handling and disclosure, (f) effectiveness assessment, (g) basic cyber hygiene and training, (h) cryptography and encryption, (i) HR security, access control and asset management, (j) MFA or continuous authentication and secured communications. Most mid-market teams have evidence for half of these and a gap for the rest.
- Define your Article 21(2)(f) evidence file now, not when a supervisory request arrives. Penetration test results with reproducible findings, vulnerability assessments mapped to the risk register, retest evidence on remediation. The companion piece on annual versus continuous testing covers the cadence question for high-change codebases.
- Decide whether to elect into PASSI-certified testing voluntarily. The EI tier does not require ANSSI-certified providers, but selecting one anyway converts the evidence into something auditors and insurers read more easily. The trade-off is cost and provider availability.
- Watch the Q2 2026 ANSSI implementing decrees (décrets). Per the European Commission tracker, final transposition is expected during 2026 with technical specifications following promulgation. The exact reporting obligations for EI will sharpen, and procurement contracts written before that point may need clauses re-opened.
What this means for you
If you are a French RSSI, GRC lead, or DPO at a 50 to 1000 person company, two questions for Monday morning. First: are you EI or EE under NIS 2, and is that classification documented? Second: if EI, what does your Article 21(2)(f) evidence file look like today, and would ANSSI's ReCyF reviewer find it sufficient?
We are building Fleuret around exactly this gap: agentic, EU-sovereign, designed to produce audit-grade evidence on a cadence that fits mid-market budgets without the every-three-years cliff.
Sources
- La directive NIS 2. ANSSI (cyber.gouv.fr), 2026-03-17.
- EU NIS 2 in France. OpenKRITIS, 2025.
- NIS 2 Directive, Article 21: Cybersecurity risk-management measures. nis-2-directive.com editorial, 2025.
- NIS2 Directive implementation in France. European Commission, Shaping Europe's digital future, 2025.
- Mapping NIS 2 obligations with ECSF role profiles. ENISA, 2025-06.