Current status of implementation


The French NIS Directive Implementation Act came into effect on 27 February 2018. Certain provisions shall apply on the date set by a decree issued by the Conseil d'Etat or at the latest on the 10 May 2018.

Implementation Act


Act n° 2018-133 of 26 February 2018 relating to implementation of EU provisions in the field of security.

Determination of operators of essential services (Art. 5 NIS)

A ministerial decree dated 2 June 2006 had identified the following sectors as essential services:

a) Civil activities of the State. b) Judicial activities. c) Military activities of the State. d) Food. e) Electronic, audio-visual and information communications. f) Energy. g) Space and research. h) Finance. i) Water management. j) Industry. k) Health. l) Transport.

Article 4 of the Act provides that the list of the essential services shall be provided by a decree of the Conseil d'Etat. This list of essential services does not replace the one provided by the decree of June 2006 according to article 5§2 of the bill.

Article 24 of the Act provides that the Conseil d'Etat shall by decree list the operators of essential services on the 9 November 2018 at the latest.

Reporting obligations

According to Article 7 of the Act, operators of essential services must report "without undue delay" to the ANSSI any incident significantly impacting the security of the network and information systems.
Sanctions regime


At the moment, Article 9 of the Act provides for three criminal fines for the operators of essential services:

  • directors that do not comply with the security rules even after the timeline specified in a formal demand issued by the ANSSI shall be punishable with a fine of €100,000;
  • directors that do not comply with their reporting obligation in case of an incident shall be punishable with a fine of €75,000;
  • directors that obstruct an investigation shall be punishable with a fine of €125,000.

Article 15 of the Act provides for three criminal fines for the digital service providers:

  • directors that do not comply with the security rules even after the timeline specified in a formal demand issued by the ANSSI shall be punishable with a fine of €75,000;
  • directors that do not comply with their reporting obligation in case of an incident shall be punishable with a fine of €50,000;
  • directors that obstruct an investigation shall be punishable with a fine of €100,000.
Competent authorities

Article 8 of the Act provides that the National Agency for the Security of Information Systems (ANSSI) is competent to investigate and to issue formal demands asking to comply with the set of security rules.
Jurisdictional applications

The bill only specifies the jurisdiction for the digital service providers. French law shall be applicable to digital service providers providing services in the EU and (a) having their registered office or their principal place of business in France, or (b) having an authorised representative in France (Article 11).
Remarks (if any)

More details to follow.


Last reviewed 28.02.2018