NIS2 for French SME: Am I concerned and what to do in 2026?

The NIS2 directive entered progressive implementation in France between late 2024 and 2026. Many SME managers still wonder: "Am I really concerned?". Pragmatic answer.

1. Are you concerned?

Three cumulative criteria:

• Size: ≥ 50 employees OR ≥ €10M annual revenue
• Listed sector: energy, transport, banking, healthcare, drinking water, wastewater, digital infrastructure, space, postal services, critical manufacturing, waste management, agri-food, chemicals, research
• EU establishment or service provision within the EU

Special case: MSP suppliers, datacenters, DNS, cloud are concerned from the first employee if their service is deemed essential.

2. Essential entity vs important entity

NIS2 distinguishes two categories. The difference is not trivial on the penalties side:

• Essential entity (≥ 250 employees or ≥ €50M CA in highly critical sector): penalties up to €10M or 2% of global revenue
• Important entity (SME 50–250 employees in critical sector): penalties up to €7M or 1.4% of global revenue

3. The 10 key obligations to implement

1. Information security policy validated by management
2. Documented cyber risk management revised annually
3. Incident management (detection, handling, post-mortem)
4. Business continuity and crisis management (BCP/DRP tested)
5. Supply chain security (audit of critical suppliers)
6. Security in development and maintenance (SSDLC)
7. Evaluation of effectiveness of measures (annual audit)
8. Cyber hygiene and ongoing training (all employees)
9. Cryptography and encryption (at rest, in transit)
10. MFA and privileged access management (PAM)

4. Incident notification: the 24h–72h–1 month rule

The strict timing is new and many organizations underestimate it:

• 24h: pre-notification to the competent authority (ANSSI in France via dedicated platform)
• 72h: detailed incident notification
• 1 month: final report with root cause analysis and corrective measures

5. 6-month action plan for affected SME

Months 1–2 — Scoping

• Self-assessment of eligibility (criteria + sector)
• Registration with ANSSI within deadline
• Designation of NIS2 compliance officer (often CISO or RSSI)

Months 3–4 — Documentation

• Written security policy validated
• Mapping of critical assets + risk analysis
• Incident management procedures + escalation

Months 5–6 — Technical implementation

• EDR/XDR on all endpoints
• Widespread MFA
• Immutable backups tested
• Quarterly phishing training

Conclusion

NIS2 is not a project "to be done someday". The penalties are real, the liability of managers can be engaged personally. If your SME is concerned and nothing is in place, start scoping this week — KOLOSALTech supports compliance audit and implementation.