Cybersecurity 8 April 2026 · 8 min read

NIS2 in 2026 — who is really concerned?

The NIS2 directive (EU 2022/2555) entered into force in January 2023 with a transposition deadline of 17 October 2024; France transposed it in 2025, and in 2026 it applies fully. A practical guide to scope, obligations and penalties.

By Hexceos Team · Compliance & audit team

The rule, in two sentences

NIS2 (directive 2022/2555) applies in France since its 2025 transposition. An organisation is in scope if it operates in one of the 18 sectors listed in Annexes I and II of the directive and is at least a medium-sized enterprise: 50 or more staff, or an annual turnover and a balance sheet total both above €10M. Some actors are in scope regardless of size (providers of public electronic communications networks and services, including ISPs; DNS service providers and TLD name registries; qualified trust service providers; and entities a member state designates as critical).

Two levels of eligibility

NIS2 distinguishes essential entities from important entities. The security and notification obligations are identical; what differs is supervision (ex ante for essential entities, ex post for important entities) and the sanctions regime, which is stricter for the former. The split depends on sector and size: large entities in the Annex I sectors (250 or more staff, or turnover above €50M and balance sheet above €43M) are essential, as are the size-independent actors mentioned above whatever their size; medium-sized entities in Annex I and all in-scope entities in Annex II are important.

Essential entities

Annex I, sectors of high criticality: energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure (DNS, TLD registries, IXPs, cloud services, datacenters, CDNs, trust services, electronic communications), ICT service management (business-to-business), public administration, space. Maximum fines for essential entities: €10M or 2% of worldwide annual turnover, whichever is higher.

Important entities

Annex II, other critical sectors: postal and courier services, waste management, manufacture, production and distribution of chemicals, food production, processing and distribution, manufacturing (medical devices, computer, electronic and optical products, electrical equipment, machinery, motor vehicles, other transport equipment), digital providers (online marketplaces, search engines, social networking platforms), research. Maximum fines for important entities: €7M or 1.4% of worldwide annual turnover, whichever is higher.

The six common obligations

Whatever the level, any concerned entity must put in place:

  1. A documented risk analysis, kept up to date, covering the supply chain.
  2. Technical and organisational measures proportionate to the risk (access management, encryption, monitoring, incident management).
  3. A business continuity plan with tested crisis management and disaster recovery.
  4. A vulnerability management policy including threat intelligence and patching.
  5. Cybersecurity training for leadership and concerned staff.
  6. Notification of significant incidents to ANSSI: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month.

Direct executive liability

This is the most structurally important novelty. NIS2 makes management bodies personally responsible for approving and overseeing the cybersecurity measures, and they can be held liable for breaches. For essential entities, the supervisory authority can also temporarily ban a CEO or legal representative from exercising managerial functions until the deficiencies are remedied, a sanction aimed at the individuals and not only at the legal entity.

Practically, the cyber topic must be carried at the board or executive committee level, documented and reviewed periodically.

How to know if you are concerned in 24 hours

Three questions:

  1. Are you in one of the 18 sectors? (list in annexes I and II of the directive)
  2. Do you exceed 50 staff or €10M turnover?
  3. Are you identified by decree as a critical provider (rare, targets a few specific entities)?

If you answer yes to 1 and 2, or yes to 3, or you fall into one of the size-independent categories, you are in scope. We establish formal eligibility in 2 to 3 hours of scoping, which is particularly useful for borderline entities (subsidiaries, holdings, multi-sector groups).

And after eligibility?

The classic plan: a gap audit (4 to 6 weeks), a prioritised and costed action plan that can be defended before the regulator, operational rollout (6 to 18 months depending on initial maturity), and a mock audit before any ANSSI inspection. Our audit & compliance services follow that calendar.

Written by the Hexceos compliance team. Updated 10 May 2026.

