    Compliance · December 28, 2025 · 8 min read

    NIS2 Directive: What French Companies Need to Know in 2025

    The NIS2 directive comes into force with new cybersecurity obligations. Find out if your company is affected and how to achieve compliance.


    Alexandre Tavares

    Founder & Cybersecurity Expert


    Introduction

    The NIS2 (Network and Information Security 2) directive represents a major evolution in European cybersecurity regulation. It entered into force in January 2023 and set a transposition deadline of 17 October 2024 for Member States. France still has to transpose it into national law, and the obligations are expected to apply fully in 2025.

    Who is affected?

    Unlike NIS1, which covered only about 300 entities in France, NIS2 significantly expands the scope:

    Highly critical sectors

    • Energy (electricity, oil, gas, hydrogen)
    • Transport (air, rail, maritime, road)
    • Banking sector and financial market infrastructures
    • Health (hospitals, laboratories, medical device manufacturers)
    • Drinking water and wastewater
    • Digital infrastructure (DNS, IXP, cloud, datacenters)
    • Public administrations
    • Space

    Other critical sectors

    • Postal and courier services
    • Waste management
    • Chemical manufacturing
    • Food industry
    • Manufacturing (medical devices, electronics, machinery, vehicles)
    • Digital providers (marketplaces, search engines, social networks)
    • Research

    Size criteria

    Your company is affected if it operates in a listed sector AND exceeds the EU small-enterprise thresholds. The category then depends on both size and sector:

    • Essential entity: a large enterprise (≥250 employees, OR turnover >€50M AND balance sheet >€43M) in a highly critical sector
    • Important entity: a medium enterprise (≥50 employees, OR turnover >€10M AND balance sheet >€10M) in a highly critical sector, or a medium or large enterprise in one of the other critical sectors

    Note that the two financial thresholds must both be exceeded; a company that exceeds only one of them stays in the smaller size class. Some providers are in scope regardless of size, notably DNS service providers, TLD name registries, qualified trust service providers and providers of public electronic communications networks.

    New obligations

    1. Cybersecurity governance

    • Management must be trained and involved
    • Appointment of a cybersecurity manager
    • Approval of risk management measures by management

    2. Risk management

    You must implement proportionate measures covering:

    • Risk analysis and security policies
    • Incident management
    • Business continuity and crisis management
    • Supply chain security
    • Security in acquisition and development
    • Assessment of measure effectiveness
    • Cyber hygiene and training
    • Cryptography and encryption
    • Human resources security
    • Access control and asset management
    • Multi-factor authentication and secured communications

    3. Incident notification

    Significant incidents must be reported to the competent authority (ANSSI in France) on a three-stage timeline:

    • Early warning: within 24h of becoming aware of the incident
    • Incident notification: within 72h, with an initial assessment of severity and impact
    • Final report: within one month, with a complete analysis and the mitigation measures applied

    Sanctions

    Sanctions are significantly strengthened:

    • Essential entities: up to €10M or 2% of global annual turnover, whichever is higher
    • Important entities: up to €7M or 1.4% of global annual turnover, whichever is higher

    How to prepare?

    Step 1: Assessment

    1. Determine if you are affected (sector + size)
    2. Identify your category (essential or important)
    3. Conduct an audit of your current posture

    Step 2: Gap Analysis

    1. Compare your situation to NIS2 requirements
    2. Identify priority gaps
    3. Establish a roadmap

    Step 3: Compliance

    1. Implement technical measures
    2. Train your teams
    3. Document your processes
    4. Test your incident procedures

    Conclusion

    NIS2 is not just a regulatory constraint: it's an opportunity to strengthen your cyber resilience. Companies that prepare now will have a competitive advantage.

    Need support? RedSentinel helps you assess your NIS2 compliance and implement the necessary measures.

    #NIS2 #Compliance #Regulation #Europe
