Cybersecurity regulation in France (2026)
[Map: France shaded by its cybersecurity status]
France already has a comprehensive, in-force cybersecurity framework combining the 2018 NIS1 transposition (Operators of Essential Services), the longstanding LPM/SAIV regime imposing mandatory security rules and incident reporting on ~250+ vital-importance operators (OIV), GDPR data-breach notification via the CNIL, and the directly-applicable EU DORA Regulation for the financial sector since January 2025. ANSSI is the national cybersecurity authority across these regimes. The NIS2 upgrade — bundled with the REC and DORA directives in the 'Résilience des infrastructures critiques' bill — was adopted by the Senate in March 2025 and by the National Assembly's special committee in September 2025, but as of May 2026 had not yet been finally adopted/promulgated, leaving France past the EU's October 2024 transposition deadline.
Key points
The Agence nationale de la sécurité des systèmes d'information (ANSSI) is the competent national cybersecurity authority, with a dual mission of supporting operators in securing critical systems and supervising compliance with security obligations.
Law No. 2018-133 of 26 February 2018 transposed the EU NIS Directive, imposing security rules and incident-reporting duties to ANSSI on Operators of Essential Services (OSE), with fines up to €100,000 for breaching security rules and €75,000 for failing to report incidents.
Under the Military Programming Law (LPM), roughly 250 designated Operators of Vital Importance (OIV) must declare security incidents to ANSSI, apply mandatory baseline security rules on their critical information systems (SIIV), and use qualified detection products/providers.
Under GDPR Article 33, data controllers must notify the CNIL of personal-data breaches posing a risk to individuals within 72 hours of becoming aware, and inform affected individuals where the risk is high; failure is sanctionable up to €10M or 2% of global turnover.
The 'Résilience des infrastructures critiques et renforcement de la cybersécurité' bill (transposing NIS2, REC and DORA) was adopted by the Senate in March 2025 and by the National Assembly's special committee in September 2025, but had not been finally adopted/promulgated as of May 2026 — France missed the EU's 17 October 2024 deadline and received a Commission reasoned opinion on 7 May 2025.
The pending law would expand regulated entities from roughly 500 to about 15,000 and covered sectors from 6 to 18, distinguishing 'essential' and 'important' entities by size thresholds and newly subjecting software publishers to NIS2 obligations; ANSSI published the Référentiel Cyber France (ReCyF) framework on 17 March 2026 to support compliance.
Timeline - major decisions & events
CERT-FR's annual threat report logged 1,366 confirmed incidents and 128 ransomware attacks in 2025 (down from 141 in 2024) while flagging a sharp rise in data-exfiltration cases, shaping ANSSI's defensive priorities. (Source: ANSSI / CERT-FR)
Decision SAN-2026-003 penalised the national employment agency for failing to secure job-seeker data, after a 2024 breach exposed the personal data of tens of millions of people — among France's largest GDPR security sanctions. (Source: CNIL)
The National Assembly's special committee approved the bill transposing NIS2, the CER (REC) directive and DORA, restructuring France's framework around 'essential'/'important' entities and creating sanctions of up to €10M or 2% of turnover — a key step toward enactment. (Source: Assemblée nationale)
The Commission escalated infringement proceedings after France missed the 17 October 2024 deadline to transpose the NIS2 Directive, pressuring Paris to finalise its Résilience legislation. (Source: European Commission)
The Senate passed, under accelerated procedure, the omnibus bill jointly transposing NIS2, REC and DORA — the legislative vehicle that will expand ANSSI's supervisory powers and the scope of regulated sectors. (Source: Sénat)
Attackers used social engineering against Cap Emploi accounts to access names, social-security numbers and contact data spanning 20 years of registrants, in what became France's largest personal-data breach and prompted CNIL and ANSSI involvement. (Source: CNIL)
A LockBit-linked attack via a hijacked VPN account paralysed hospital systems; the hospital refused the $10M ransom and ~11GB of data was leaked, intensifying France's focus on healthcare cyber resilience and prompting on-site support from ANSSI. (Source: The Record (Recorded Future))
The data-protection authority penalised Google for lack of transparency and invalid consent for ad personalisation; upheld by the Conseil d'État in 2020, the decision set the tone for GDPR-driven security and consent enforcement in France. (Source: CNIL)
Decree n°2018-384 extended cybersecurity obligations beyond critical operators to 'essential service operators' (OSE) and 'digital service providers' (FSN), requiring risk management and incident notification to ANSSI. (Source: Légifrance)
Article 22 of Law n°2013-1168 created binding obligations for Operators of Vital Importance (OIV) — incident reporting, security audits and detection requirements overseen by ANSSI — the foundation of France's critical-infrastructure cyber regime. (Source: ANSSI)
Established the Agence nationale de la sécurité des systèmes d'information under the SGDSN, replacing the DCSSI and giving France a dedicated national authority to defend information systems and supervise cybersecurity obligations. (Source: Légifrance)
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources cited above.