On November 28, 2024, the European Commission officially issued formal notices to 23 Member States, including France, for their delay in transposing the NIS 2 Directive into national law. Member States had until October 17, 2024, to transpose the directive. To date, only Belgium and Italy have finalized their transposition within the allotted time. Croatia, Latvia, and Lithuania have initiated partial transpositions, while the majority of Member States, including France, are significantly behind schedule.
The formal notice constitutes the first stage of infringement proceedings. The concerned Member States now have two months to respond to the Commission and finalize their transposition processes. However, if the situation is not rectified by the end of this period, the Commission could issue a reasoned opinion, followed, in case of persistent non-compliance, by referral to the Court of Justice of the European Union (CJEU). The CJEU could then impose fines to compel the Member State to fulfill its European obligations.
For its part, the European Commission met the October 17, 2024, deadline to specify the cybersecurity requirements applicable to digital service providers under the NIS 2 Directive.
Reminder: Unlike other essential or important entities, digital entities—such as social networks, online marketplaces, or cloud service providers (SaaS, PaaS, IaaS)—are subject to specific technical and methodological requirements defined directly by the European Commission.
To understand the practical impacts of this implementing act published on October 17, 2024, for digital entities and the actions to be taken, consult our dedicated article.
What About France?
In France, the transposition of the NIS 2 Directive has been delayed. A Resilience Bill was presented to the Council of Ministers on October 15, 2024, aiming to integrate the provisions of NIS 2 into French law, as well as two other major European texts:
- The "REC" Directive of December 14, 2022, on the Resilience of Critical Entities: This directive aims to improve the provision, within Europe, of essential services for maintaining societal functions or vital economic activities (energy, transport, banking sector, health, water, foodstuffs, digital infrastructures, public administration, space, etc.).
- The directive related to the DORA Regulation (Digital Operational Resilience Act): This aims to harmonize the framework for prevention, detection, and reporting of incidents applicable to financial entities.
According to the Senate, parliamentary examination is not expected before mid-February 2025.
What Should You Do Now?
Don't be caught off guard by the upcoming transposition!
- Identify whether your entity is affected: Verify whether your organization is classified as an essential or important entity, or whether it is part of their supply chains as a provider or subcontractor.
- Conduct a compliance audit: Analyze your current cybersecurity practices to identify gaps with the known or foreseeable requirements of the directive.
- Develop a roadmap: Implement an action plan to align your practices with the new obligations, particularly in terms of cyber risk management and incident notification.
For more information, you can also consult our complete FAQ on NIS 2.
Need Assistance?
Our law firm can assist you in your compliance efforts, starting with identifying your status under the NIS 2 Directive. Whether you are an essential entity, an important entity, or a provider to these entities, we help you understand your obligations and develop an appropriate compliance plan.
Contact us today to benefit from our expertise.
About the Author
Jocelyn Pitet is an attorney at the Paris Bar (France) and co-founder of Entropy, a law firm dedicated to advanced technologies. His practice focuses on areas such as cybersecurity, data protection, IT contracts, blockchain, artificial intelligence, and other disruptive technologies. For over ten years, Jocelyn has been advising innovative startups, leading tech companies, and major international groups on managing complex legal challenges related to digital technology and innovation.
Alongside his work at the law firm, Jocelyn Pitet also holds teaching positions at the University of Paris Panthéon-Assas and the Leonard de Vinci Institute, where he teaches courses on blockchain law, data protection law, and cybersecurity law.