NIS2 in 2026: France falls behind
February 2026. NIS2 is supposed to have been fully operational for more than a year across Europe. Yet in France, we are still waiting for the final parliamentary debates, with adoption hoped for in the first quarter and a roadmap of…

February 2026. NIS2 is supposed to have been fully operational for more than a year across Europe. Yet in France, we are still waiting for the final parliamentary debates, with adoption hoped for in the first quarter and a compliance roadmap spread over three years. Meanwhile, the attackers follow no legislative calendar.
I regularly run workshops with French CISOs and IT directors: the weariness is palpable.
"We are waiting for the final text,"
"We will see when the implementing decrees come out,"
"In any case, ANSSI will add its own layer on top."
Nobody really wants to move forward. It is tedious, bureaucratic, and it blocks everything.
And yet, right next door, in Belgium, Ireland or Romania, things are moving. Fast and well.
Europe moves forward, France hits the brakes
NIS2 was meant to be transposed before October 2024. Most member states did so, with more or less pragmatic approaches. Some have even already launched their first inspections and registries of essential/important entities.
In France? The Resilience Act is still winding its way through the parliamentary process. The European trackers (ECSO, Eversheds Sutherland) regularly rank France among the laggards. The result: legal uncertainty, fuzzy reporting, and companies putting off cyber investments on the pretext of waiting for "the final version."
And this is where the mechanism turns perverse: the longer it drags on, the more inaction is justified.
We are not postponing for lack of budget or lack of resources. We are postponing while we wait for the framework. As if an attacker needed the official gazette to launch a piece of ransomware.
And security is never anything but a second-tier subject, something I already addressed in my open letter to the president.
Meanwhile, our neighbours are adopting simple, operational frameworks. The best example? The Belgian model CyberFundamentals (CyFun).

The Belgian field: when simplicity wins
At Cresco, where I work as Lead GRC, we supported nearly 40 companies through their NIS2 compliance in 2025 alone.
And the conclusion is clear and frankly alarming: THERE IS AN URGENT NEED TO LEGISLATE ON CYBERSECURITY TO FORCE ORGANISATIONS TO HARDEN THEMSELVES.
Because in the field, I have seen it all:
- I have seen companies with nine-figure revenue that were less secure than a windmill with a wooden door and no lock.
- I have seen firms of 200 employees with no formalisation whatsoever, not even an IT policy.
- I have seen IT teams full of goodwill, but a management that could not care less about security, because we keep treating the subject as a budget exercise: we will see next year, it is not a priority, there are other emergencies.
Can you picture them handling this the way they handle fire risk in a building?
No. Management would be out the door.
And yet, a cyber risk is a business risk.
This is exactly why CyFun is interesting. Not because Belgium is better, but because the framework is workable. It forces a simple discussion: target level, expected controls, evidence, trajectory.
Not an essay. A plan.
The CyberFundamentals (CyFun) framework, developed by the Centre for Cybersecurity Belgium (CCB), is today co-adopted by Belgium, Ireland and Romania. Other countries (Portugal, Croatia, and more) are watching it or adopting it in part. Why? Because it is pragmatic: three maturity levels, clear controls, and a recognised certification that presumes NIS2 compliance until proven otherwise.
And above all: it kills organisations' favourite excuse, we do not know what to do.
Because the framework says what to do, in what order, and how to prove it.
Companies hate compliance, but they love being handed a simple framework. If it is clear, they sign.
CyFun is exactly that.
Concrete result: companies move forward. They invest in real resilience rather than endless paperwork.
Meanwhile, the threats are exploding
We are wasting an enormous amount of time on political and administrative childishness, while the personal data of French citizens is exposed as never before.
- Supply chain attacks rising steadily?
- Offensive AI industrialising phishing, self-evolving malware and automated reconnaissance.
- Data breaches one after another: every month brings its share of massive breaches, often at entities that should have been better protected under NIS2.
And what worries me most is not the intensity of the attacks. It is the habit.
The breach becomes background noise.
Ransomware becomes a business risk.
Phishing becomes an HR problem.
We are normalising the abnormal.
The WEF Global Cybersecurity Outlook 2026 once again puts geopolitical fragmentation and sophisticated attacks at the top of the risk list. But in France, we prefer to debate the exact wording of a decree rather than strengthen operational resilience.
And this is the key point: administrative time is slow. Threat time is instant.
The gap between the two is where incidents take up residence.

The useless labels and the cosy inner circle
At the same time, we keep producing initiatives that create the illusion of action without creating any real value.
A perfect example: the CyberBat label, recently launched for the construction sector (electrical engineering, energy, and the like). Nice on paper, but what does it actually bring to the table against NIS2 or real threats? One more layer for project owners who want to tick a box?
Because that is the problem: we love labels when they let us dodge the hard work: inventory, segmentation, access management, patching, supplier requirements, crisis exercises, restore evidence, and so on.
A comfort label is never a substitute for a capacity to respond.
And what about the PASSI qualification? Indispensable for certain regulated audits, it has become a closed club that mainly serves the inner circle of incumbent providers. The market is locked up, costs are soaring, innovation struggles to get in, and tender documents call for PASSI auditors for no reason other than having been talked into it by Tom, Dick or Harry.
We congratulate ourselves on French certifications, but we forget the essential: effective cybersecurity is the kind that actually protects, not the kind that fills in files.
Recommendations: stop waiting and take action
Whatever the exact timeline of the Resilience Act, French companies can (and must) move forward right now:
- Adopt a pragmatic framework such as ISO 27001, CyFun or NIST CSF: they are NIS2-compatible and already in use elsewhere in Europe.
- Launch the inventory of your critical assets, suppliers and supply chain risks, without waiting for the official registry.
- Train your teams and simulate incidents: resilience is built in the field, not in legal texts.
- Demand transparency from providers: beyond the labels, ask for concrete evidence of effectiveness.
- Push your peers and federations to call for a fast, lightweight transposition, not another bureaucratic monster.
And I will add one field point that everyone avoids:
6. Clarify decision-making in a crisis (who cuts what, who talks to whom, who signs off on shutting down production, who owns the notification).
Because on the day it hits, security does not always collapse for lack of a tool. It collapses for lack of a decision.
2026 must be the year we wake up
NIS2 is not one more constraint: it is an opportunity to finally strengthen European resilience. But in France, we still choose to drag our feet, to add complexity, to create gimmick labels while the attackers go on the offensive.
The data of French citizens, and of our companies, deserves better than political childishness. It is time to move forward like our neighbours: pragmatically, quickly.
Compliance does not protect. Execution does.
And execution is something we can start today.
Questions fréquentes
Where does the transposition of NIS2 stand in France in 2026?
In February 2026, the Resilience Act is still under parliamentary debate, with adoption hoped for in the first quarter and a compliance roadmap spread over three years, whereas the directive was meant to be transposed before October 2024.
What is CyFun and why is it held up as an example?
CyberFundamentals (CyFun) is the framework of the Centre for Cybersecurity Belgium (CCB), co-adopted by Belgium, Ireland and Romania. It is pragmatic: three maturity levels, clear controls, a certification that presumes NIS2 compliance, and it makes achieving compliance manageable.
Should you wait for the final text before acting?
No. Companies can adopt a NIS2-compatible framework right now (ISO 27001, CyFun, NIST CSF), start the inventory of their assets and suppliers, train their teams and simulate incidents, without waiting for the official registry.
Are labels like CyberBat or the PASSI qualification enough?
The article argues no: a comfort label is no substitute for a capacity to respond, and the PASSI qualification tends to lock up the market. Effective cybersecurity is the kind that actually protects, not the kind that fills in files.
Sources & méthodologie
- Lettre ouverte à Emmanuel Macron sur la cybersécurité
- Centre for Cybersecurity Belgium (CCB), framework CyberFundamentals (CyFun)
- Cresco (Lead GRC)
- WEF Global Cybersecurity Outlook 2026

Être en cybersécurité
Une feuille de route cyber en clair, pour tout le monde, pas seulement les experts.
