Cybersecurity · France
France already has a comprehensive, in-force cybersecurity framework combining the 2018 NIS1 transposition (Operators of Essential Services), the longstanding LPM/SAIV regime imposing mandatory security rules and incident reporting on ~250+ vital-importance operators (OIV), GDPR data-breach notification via the CNIL, and the directly-applicable EU DORA Regulation for the financial sector since January 2025. ANSSI is the national cybersecurity authority across these regimes. The NIS2 upgrade — bundled with the REC and DORA directives in the 'Résilience des infrastructures critiques' bill — was adopted by the Senate in March 2025 and by the National Assembly's special committee in September 2025, but as of May 2026 had not yet been finally adopted/promulgated, leaving France past the EU's October 2024 transposition deadline.
The Agence nationale de la sécurité des systèmes d'information (ANSSI) is the competent national cybersecurity authority, with a dual mission of supporting operators in securing critical systems and supervising compliance with security obligations.
Law No. 2018-133 of 26 February 2018 transposed the EU NIS Directive, imposing security rules and incident-reporting duties to ANSSI on Operators of Essential Services (OSE), with fines up to €100,000 for breaching security rules and €75,000 for failing to report incidents.
Under the Military Programming Law (LPM), roughly 250 designated Operators of Vital Importance (OIV) must declare security incidents to ANSSI, apply mandatory baseline security rules on their critical information systems (SIIV), and use qualified detection products/providers.
Under GDPR Article 33, data controllers must notify the CNIL of personal-data breaches posing a risk to individuals within 72 hours of becoming aware, and inform affected individuals where the risk is high; failure is sanctionable up to €10M or 2% of global turnover.
The 'Résilience des infrastructures critiques et renforcement de la cybersécurité' bill (transposing NIS2, REC and DORA) was adopted by the Senate in March 2025 and by the National Assembly's special committee in September 2025, but had not been finally adopted/promulgated as of May 2026 — France missed the EU's 17 October 2024 deadline and received a Commission reasoned opinion on 7 May 2025.
The pending law would expand regulated entities from roughly 500 to about 15,000 and covered sectors from 6 to 18, distinguishing 'essential' and 'important' entities by size thresholds and newly subjecting software publishers to NIS2 obligations; ANSSI published the Référentiel Cyber France (ReCyF) framework on 17 March 2026 to support compliance.
Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.