Cybersecurity Awareness Best Practices
Learn cybersecurity awareness best practices for employees and French organizations. Reduce phishing risk, protect sensitive data, and support GDPR/RGPD compliance.
French companies face rising cyber threats and tighter enforcement of GDPR, NIS2, and DORA in 2026. Discover the 12 highest-impact risks — from ransomware and supply chain attacks to board liability and CNIL breach reporting — and the controls regulators expect to see.
In 2026, French companies are dealing with a sharper compliance environment where cybersecurity failures can quickly become legal exposure. Two forces are driving this shift. First, GDPR enforcement keeps rising in practical impact because a cyber incident often leads to personal data exposure, which brings CNIL scrutiny, formal remediation orders, and potential sanctions. CNIL’s own cybersecurity guidance highlights the direct compliance link between weak security controls, breach handling, and the duty to notify the authority within 72 hours when the breach creates risk to individuals.
For more details, check GDPR breach handling and security guidance (CNIL Cybersecurity 2024).
Second, NIS2 expands cybersecurity obligations beyond traditional “critical infrastructure” and pulls more mid-sized organisations into scope, especially in sectors considered essential to the economy and society. NIS2 sets out minimum risk management measures, incident reporting duties, and a clearer enforcement model with two categories: essential entities and important entities.
ANSSI NIS2 brochure (MonEspaceNIS2 – PDF)
What this means for leadership teams is simple: cybersecurity is now a compliance system that has to hold up under regulatory review, not just a technical programme that looks good on paper.
CNIL is the French data protection authority. Its role becomes central whenever a cyber incident affects personal data (customer, employee, patient, user, prospect, or any identifiable person). CNIL expects organisations to do three things consistently:
Prevent avoidable breaches through appropriate security measures
Document breaches internally (even if they are not notified)
Notify CNIL within 72 hours when the breach is likely to create risk to individuals, and inform affected people when the risk is high
This is why “pure cybersecurity” issues such as weak access controls, poor patching discipline, insecure cloud storage, or inadequate logging can quickly become GDPR governance issues, because they increase breach likelihood and reduce the ability to prove control.
ANSSI is the national cybersecurity authority. Under the NIS2 framework, ANSSI is positioned as a key public authority for guiding regulated stakeholders and organising how entities register, share required information, and engage with incident reporting and risk management expectations. ANSSI’s NIS2 materials describe obligations such as providing up-to-date organisational information, incident reporting, and implementing appropriate cyber risk management measures, with ANSSI supporting entities through the process.
In practice, ANSSI’s involvement tends to increase compliance maturity expectations: a company may need to show governance, controls, evidence, and follow-through, not just intentions.
Some sectors face layered oversight.
In finance, firms can face regulatory expectations around incident and cyberthreat reporting and operational resilience. For example, AMF provides DORA-related incident and cyberthreat notification forms and deadlines for regulated actors.
ACPR has also long stressed that IT risk management is not only for IT teams and must be embedded into broader risk control and risk management structures.
In healthcare, the French health digital doctrine highlights security frameworks and requirements used by health organisations, including core security resources and structures used across the ecosystem. The Ministry of Health also flags cybersecurity as a major issue for health establishments due to attacks that can disrupt services and cause sensitive data leaks.
This layered model matters because a single incident can trigger multiple conversations at once: data protection, cybersecurity supervision, and sector resilience.
NIS2 distinguishes between essential and important entities and links that distinction to supervisory intensity. Essential entities are generally subject to more proactive supervision, while important entities tend to face more reactive supervision (often triggered by evidence, incidents, or signals of non-compliance). This structure is built into the directive’s enforcement approach and is designed to scale oversight across a much larger population of regulated organisations.
ANSSI’s NIS2 guidance materials also underline practical supervision foundations, such as entity registration/identification, information sharing that must stay current, and incident reporting expectations.
For French companies, the key implication is that “being in scope” is not abstract. It creates an ongoing compliance relationship, where documentation, control evidence, and timely reporting become routine.
NIS2 raises the bar for management accountability by requiring that cybersecurity risk management measures are approved and overseen at the management body level. In other words, it is not enough to delegate everything to IT or security teams and hope it works. NIS2 ties governance to real expectations, including training/awareness at leadership level and accountability for failure to meet required measures.
Separately, GDPR already creates material financial and reputational exposure when cyber incidents lead to unlawful disclosure of personal data, especially if the organisation cannot show appropriate security and compliant breach handling. CNIL’s cybersecurity guidance reinforces that breach documentation, timely notification, and adequate security measures are part of the compliance baseline.
So, the director-level risk in 2026 is a combination of:
Formal governance duties under NIS2
Enforceable data protection duties under GDPR
Sectoral resilience and reporting expectations (especially in finance and healthcare)
A practical French approach in 2026 is to treat cyber risk as a business risk with regulatory consequences. That means building a structure that can withstand scrutiny:

When cyber risk is embedded into strategy, it stops being a last-minute crisis and becomes part of how the organisation protects revenue, service delivery, and trust.
Assume your cybersecurity posture may be reviewed against GDPR and NIS2 expectations, not only against internal standards.
Treat ANSSI engagement as an ongoing compliance relationship for in-scope entities, with registration, incident reporting, and up-to-date organisational information.
Prepare for sector overlays (finance and healthcare especially), where incident reporting and resilience expectations add pressure during real events.
Make cybersecurity a management system: governance, controls, evidence, testing, and response discipline.
For French companies, 2026 sits at the intersection of high-pressure threat activity and stricter resilience expectations. On the threat side, ANSSI’s reporting shows ransomware remains persistent in France, with 144 ransomware compromises reported to ANSSI for 2024, and SMEs/VSEs/mid-caps among the most affected groups. On the resilience side, organisations are facing a wider compliance net through NIS2 obligations on risk management and incident reporting for essential and important entities.
The practical effect is that “good enough” security is no longer good enough. French regulators and sector ecosystems increasingly expect organisations to show three things:
You know your risks (risk mapping and documentation).
You can keep operating under attack (business continuity and recovery planning).
You can detect, respond, and report fast (continuous monitoring, incident handling, and timely notification).
This is why a prevention-and-resilience lens matters in 2026: the goal is not just avoiding incidents, but limiting disruption and proving control when incidents happen.
For many organisations in France, this shift marks the point where cybersecurity moves from reactive defence to structured risk management. It requires not only technical controls, but also a clear understanding of regulatory expectations, reporting obligations, and governance responsibilities—especially under frameworks shaped by authorities like ANSSI and CNIL.
As a result, teams are increasingly focusing on building internal capability to manage cyber risk as a compliance function. Structured learning programmes, such as this cybersecurity and information risk management course, are being used to help professionals translate regulatory pressure into practical systems for risk management, incident response, and organisational resilience.
Threat intelligence · France 2026
Grouped by operational impact. Each threat is followed by its regulatory exposure, ownership, and what to do.
Industrialised ransomware gangs encrypt systems and steal data simultaneously — a single attack triggers both operational shutdown and a mandatory GDPR breach notification. Recovery takes weeks; reputational damage lasts longer.
What to do now
Build and test a ransomware-specific incident response playbook that maps containment steps to NIS2 and GDPR reporting timelines — not just IT recovery.
Attackers steal data without encrypting systems — no operational downtime, but enormous pressure to pay. Legal, communications, and executive teams get overwhelmed while systems appear normal, creating dangerous response delays.
What to do now
Define a data exfiltration detection capability and document a clear CNIL notification decision tree that does not depend on system downtime as a trigger.
Business email compromise manipulates finance teams into authorising urgent, fraudulent transfers. AI-generated voice and email clones now make these attacks significantly harder to detect, even for experienced staff.
What to do now
Implement mandatory dual-authorisation for all transfers above a defined threshold and run BEC simulation exercises with finance teams at least twice a year.
Energy, transport, water, health, and public service operators face targeted attacks where outages affect citizens, supply chains, and national continuity. A single incident can trigger simultaneous regulatory, operational, and reputational crises.
What to do now
Map your NIS2 classification, register with ANSSI via MonEspaceNIS2, and validate your incident reporting workflow against the 24-hour early warning requirement.
Cloud misconfigurations and hybrid environment blind spots are now a primary attack vector. A single compromised cloud identity can become a gateway to multiple internal systems, customer data repositories, and connected SaaS tools simultaneously.
What to do now
Audit cloud identity permissions, review misconfiguration alerts, and confirm all cloud subprocessors are covered by valid GDPR data processing agreements.
Over-reliance on one or two hyperscale providers creates a single-provider blast radius. Even without a breach, major outages, identity platform failures, or misconfiguration cascades can halt all business processes simultaneously — with no fallback.
What to do now
Document your critical service dependencies per provider and define the minimum viable operations plan if your primary cloud provider becomes unavailable for 24–72 hours.
Attackers exploit weaker security postures at managed service providers and IT suppliers to reach larger targets. Your security is only as strong as the least-secure provider with privileged access to your systems.
What to do now
Audit which IT providers and MSPs have privileged access to your systems and ensure GDPR Article 28 agreements include enforceable security and breach notification clauses.
Phishing is the most efficient attack entry point because it bypasses technical controls entirely by targeting people. AI-generated phishing now mimics internal communications with near-perfect accuracy, making employee recognition significantly harder.
What to do now
Run a role-based phishing simulation programme and document completion rates as evidence of NIS2-compliant staff awareness measures — not just a one-size-fits-all annual click-test.
Stolen credentials and excessive privileges are the operational starting point of most major breaches. Shared admin accounts, weak MFA adoption, and unreviewed access rights create permanent open doors that attackers find and exploit systematically.
What to do now
Remove shared admin accounts, enforce MFA on all external-facing systems, and run quarterly access reviews — documenting each step as GDPR and NIS2 control evidence.
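The three identity controls above (no shared admin accounts, MFA on external-facing systems, quarterly access reviews) are only useful as NIS2 and GDPR evidence if they are checked in a repeatable way. The following script is an added example, not code from the original page or from any identity product: it runs those checks over a small constructed account inventory and returns findings plus per-control counts. The inventory rows, their field names (`system`, `external`, `shared`, `privileged`, `mfa`, `last_review`), the 90-day review window and the audit date are all assumptions made for this example; in practice the rows would come from an identity-provider export.

```python
"""Evidence-producing access review over a constructed account inventory.

Added example, not from the original page. It checks the three controls the
text names: no shared admin accounts, MFA on external-facing systems, and an
access review within the last quarter. The inventory, its field names, the
90-day review window and the audit date are assumptions for this example.
"""
from datetime import date, timedelta

REVIEW_WINDOW_DAYS = 90          # "quarterly access reviews" (assumed window)
AUDIT_DATE = date(2026, 3, 1)    # constructed audit date

# Constructed inventory: one row per account per system. The field names are
# assumptions; a real run would read an IdP or IAM export instead.
ACCOUNTS = [
    {"system": "vpn-gateway", "external": True,  "user": "admin",
     "shared": True,  "privileged": True,  "mfa": False, "last_review": "2025-03-01"},
    {"system": "vpn-gateway", "external": True,  "user": "alice",
     "shared": False, "privileged": False, "mfa": True,  "last_review": "2026-01-10"},
    {"system": "crm-saas",    "external": True,  "user": "bob",
     "shared": False, "privileged": True,  "mfa": False, "last_review": "2026-01-10"},
    {"system": "hr-db",       "external": False, "user": "svc_backup",
     "shared": False, "privileged": True,  "mfa": False, "last_review": "2025-09-01"},
    {"system": "hr-db",       "external": False, "user": "carol",
     "shared": False, "privileged": False, "mfa": False, "last_review": "2026-02-01"},
]


def audit_accounts(accounts, today, window_days=REVIEW_WINDOW_DAYS):
    """Return findings as (control, system, user, detail) tuples."""
    findings = []
    cutoff = today - timedelta(days=window_days)   # oldest acceptable review date
    for a in accounts:
        # Control 1: a shared account with admin rights has no accountable owner.
        if a["shared"] and a["privileged"]:
            findings.append(("shared-admin", a["system"], a["user"],
                             "shared privileged account must be replaced by named accounts"))
        # Control 2: anything reachable from outside must require MFA.
        if a["external"] and not a["mfa"]:
            findings.append(("mfa-missing", a["system"], a["user"],
                             "external-facing access without MFA"))
        # Control 3: every account must have been reviewed within the window.
        if date.fromisoformat(a["last_review"]) < cutoff:
            findings.append(("review-overdue", a["system"], a["user"],
                             f"last access review before {cutoff.isoformat()}"))
    return findings


def summarise(findings):
    """Per-control counts: the figures a control dashboard or board report would carry."""
    counts = {}
    for control, *_ in findings:
        counts[control] = counts.get(control, 0) + 1
    return counts


if __name__ == "__main__":
    findings = audit_accounts(ACCOUNTS, AUDIT_DATE)
    for control, system, user, detail in findings:
        print(f"{control:15} {system:12} {user:12} {detail}")
    print(summarise(findings))
```

Keeping the dated finding list from each run (rather than only the summary) is what turns the check into evidence: it shows what was found, when, and which items were closed before the next quarterly review.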
In cloud and outsourced IT, organisations frequently assume their provider handles security controls that the provider assumes the customer manages. These gaps — in logging, hardening, key management, and breach notification — become critical failures during incidents.
What to do now
Produce a shared responsibility matrix for every cloud or outsourced service processing personal data — documenting who owns logging, patching, access reviews, and incident notification.
AI risk runs in two directions: attackers use generative AI to produce convincing phishing, deepfakes, and social engineering at scale — while employees paste sensitive data into unapproved AI tools, creating silent GDPR and confidentiality exposure.
What to do now
Build an approved AI tool register, run a DPIA for any AI processing personal data, and issue a clear employee policy on what data can and cannot be entered into external AI tools.
Connected devices — building systems, manufacturing sensors, medical equipment, logistics trackers — quietly expand the attack surface with default credentials, infrequent patching, and poor network segmentation. They are rarely monitored and often forgotten after deployment.
What to do now
Run a full connected device inventory, change all default credentials, segment IoT devices onto isolated network zones, and add IoT exposure to your formal cyber risk register with a named owner.
Hospitals and health providers face ransomware and service disruption risk, with dedicated incident support and guidance ecosystems such as CERT Santé.
Industrial and OT environments are harder to patch and often prioritise availability, which increases resilience pressure if incidents spread from IT to OT.
Beyond NIS2, firms must also align with DORA’s operational resilience expectations (in force since 17 January 2025), which tightens ICT risk management and response discipline.
They inherit heightened security expectations because they sit in the delivery chain of public services and sensitive systems.
Maintain an up-to-date cyber risk map (assets, threats, business impact, owners).
Document security measures, access policies, and key decisions. CNIL’s practical security guidance is a solid baseline for protecting personal data.
Build and test BCP/DR plans, including ransomware scenarios and provider outages.
Define recovery objectives (RTO/RPO) for critical services and validate backups with restore tests.
Centralise logs, monitor identity events, and track third-party access.
Run detection and response routines that can support fast reporting under GDPR and NIS2.
Operational resilience in 2026 means preparing for disruption as a normal business condition. A strong approach combines:
Prevention (reduce likelihood): hardening, MFA, least privilege, secure cloud configuration, vendor requirements.
Containment (reduce blast radius): network segmentation, tiered admin accounts, supplier access boundaries.
Recovery (restore services): tested backups, rehearsed decision-making, crisis communications plans.
Proof (show control): documentation, evidence of tests, clear roles, and measurable improvements.
In France in 2026, cyber risk is no longer something a company can park inside the IT department and forget. Regulators increasingly treat cybersecurity as an issue of governance, oversight, and accountability. Two forces drive this shift.
First, NIS2 makes management bodies responsible for approving cybersecurity risk-management measures and overseeing their implementation, with the possibility of liability where obligations are not met.
Second, GDPR enforcement continues to show that weak security controls can lead to major sanctions when personal data is exposed, especially where controls are judged inadequate for the risk.
The board’s risk is not only the fine. It is also operational disruption, reputational damage, loss of trust from customers and partners, and difficult regulator relationships right when the company needs support.
NIS2 sets a clear expectation: boards (management bodies) must not only be aware of cyber risk, but must actively govern it. Article 20 states that management bodies of essential and important entities must approve cybersecurity risk-management measures, oversee implementation, and can be held liable for infringements related to those obligations.
That has practical meaning for French boards:
You must be able to show that cyber risk decisions were made at the right level, with recorded rationale (minutes, risk appetite decisions, budget approvals, policy approvals).
You must be able to evidence oversight through reporting routines (dashboards, KRIs, incident metrics, audit tracking, third-party risk reporting).
Boards are expected to approve measures that map to the NIS2 risk-management and reporting obligations, including incident handling and resilience planning. NIS2 also requires staged incident reporting for significant incidents (early warning, notification, and final reporting), which forces governance readiness, not just technical readiness.
These are board-level issues grouped by governance theme, not technical details, that frequently leave an evidence trail visible to regulators and auditors.
At national level, ANSSI is France’s single point of contact for NIS matters and is positioned as the key authority in the NIS2 ecosystem.
For boards, the practical implication is simple: if you fall into scope as an essential or important entity, supervision is not abstract. You should expect requests for information, proof of controls, and evidence of governance routines. (The intensity of supervision differs by category, but oversight expectations remain high.)
Boards should assume that regulators will test who approved what, when, and based on which risk evidence. NIS2 explicitly ties governance duties to management bodies.
Even where fines are imposed on the entity, the reputational impact and scrutiny can attach to directors and senior executives—especially if there is a pattern of weak oversight, delayed reporting, or repeated failures.
For 2026, boards in France should treat cyber like financial control: measurable, governed, and auditable. Three moves usually deliver the fastest improvement:
Board-level cyber charter: clear ownership, escalation rules, and reporting cadence.
Evidence-ready governance: risk assessments, third-party controls, incident playbooks, tested resilience.
Regulatory alignment: incident reporting pathways that meet NIS2 and GDPR timelines, with a single source of truth for crisis communication.
When this is done well, cybersecurity becomes a controlled business risk rather than a recurring board-level emergency.
In France, cyber risk in 2026 is not evenly distributed. The same attack type can create very different outcomes depending on the sector: hospitals face patient safety and continuity of care, financial services face fraud and regulatory reporting, industrial firms face production stoppages, retailers face payment and customer trust issues, and local authorities face essential public service disruption.
French and EU reporting shows a few recurring patterns:
Ransomware and extortion keep hitting a wide range of French organisations, with serious business continuity impact.
Third-party compromise is a frequent initial entry point, especially where IT services and managed providers are involved.
Availability attacks (including DDoS) and hacktivist-driven disruption remain relevant, particularly for public-facing services and public bodies.
Payments, identity data, and financial identifiers are increasingly attractive, because they enable fraud and social engineering at scale.
Below is the same landscape, broken down sector by sector.
Healthcare is a high-impact target because downtime can immediately affect care pathways, scheduling, diagnostics, and admissions. France has documented multiple hospital compromises where weak accounts, remote access, or legacy systems played a role. A concrete example is the 2025 incident feedback published through the national e-health cyber monitoring portal: a hospital compromise followed the reactivation of an old admin account with VPN access and a weak password, requiring crisis management with ANSSI and CERT Santé.
What makes hospitals especially exposed in 2026:
Complex IT estates (clinical apps, imaging, identity systems, connected devices) and difficult patch windows
Dependence on external suppliers (software, hosting, maintenance)
Pressure to restore service quickly, which attackers use to force payment or extortion
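The hospital incident described above (an old admin account with VPN access reactivated and then used) is a pattern that centralised identity logging can catch, which is the point of the earlier recommendation to centralise logs and monitor identity events. The detection below is an added example, not code from the original page, from the incident feedback, or from any SIEM vendor: it reads a few constructed identity events in newline-delimited JSON and raises an alert when a privileged account logs in after a long dormant period, or when an account is re-enabled and then used over VPN within a short window. The log format, field names, usernames and the 180-day and 24-hour thresholds are assumptions for this example.

```python
"""Detection over constructed identity-event log lines.

Added example, not the page's or any vendor's code. It flags the pattern the
hospital incident describes: an old admin account re-enabled and then used
over VPN. Log format, field names and thresholds are assumptions.
"""
import json
from datetime import datetime, timedelta

DORMANT_DAYS = 180           # assumed: no login for 180 days counts as dormant
ENABLE_TO_LOGIN_HOURS = 24   # assumed: re-enable followed by login within 24 h

# Constructed events, one JSON object per line, as a SIEM export might look.
LOG_LINES = """
{"ts": "2025-06-02T08:10:00", "event": "login", "user": "j.durand", "privileged": false, "source": "vpn"}
{"ts": "2025-06-02T08:12:00", "event": "login", "user": "svc_old_admin", "privileged": true, "source": "console"}
{"ts": "2026-01-14T22:05:00", "event": "account_enabled", "user": "svc_old_admin", "privileged": true, "actor": "helpdesk"}
{"ts": "2026-01-14T23:40:00", "event": "login", "user": "svc_old_admin", "privileged": true, "source": "vpn"}
{"ts": "2026-01-15T09:00:00", "event": "login", "user": "j.durand", "privileged": false, "source": "vpn"}
""".strip().splitlines()


def parse(lines):
    """Parse JSON lines, convert timestamps and order events chronologically."""
    events = [json.loads(line) for line in lines]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def detect(lines, dormant_days=DORMANT_DAYS, enable_hours=ENABLE_TO_LOGIN_HOURS):
    """Return alerts as (rule, user, ISO timestamp) tuples."""
    alerts = []
    last_login = {}     # user -> timestamp of the previous successful login
    last_enabled = {}   # user -> timestamp of the most recent account_enabled event
    for e in parse(lines):
        user = e["user"]
        if e["event"] == "account_enabled":
            last_enabled[user] = e["ts"]
            continue
        if e["event"] != "login":
            continue
        if e.get("privileged"):
            # Rule 1: privileged account active again after a long silence.
            prev = last_login.get(user)
            if prev is not None and e["ts"] - prev > timedelta(days=dormant_days):
                alerts.append(("dormant-privileged-login", user, e["ts"].isoformat()))
            # Rule 2: account re-enabled shortly before a VPN login.
            enabled = last_enabled.get(user)
            if (enabled is not None
                    and e["ts"] - enabled <= timedelta(hours=enable_hours)
                    and e.get("source") == "vpn"):
                alerts.append(("reenabled-admin-vpn-login", user, e["ts"].isoformat()))
        last_login[user] = e["ts"]
    return alerts


if __name__ == "__main__":
    for rule, user, ts in detect(LOG_LINES):
        print(f"{ts}  {rule:28} {user}")
```

Both rules depend on the account-lifecycle events and the login events landing in the same place with comparable timestamps; that is the practical reason the page asks for centralised logging rather than per-system log review.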
When incidents involve personal health data, the stakes rise quickly: health data is highly sensitive, and hosting/processing constraints are stricter in France. CNIL guidance highlights that health data hosting generally requires an HDS-certified host, and points to the national health digital agency list for certified providers.
So the risk is not only “a breach happened”, but also:
Was the hosting compliant for health data (HDS expectations)?
Were access controls and subcontractor controls properly managed?
Was incident handling documented and notifications made correctly (GDPR obligations)? (CNIL is explicit that subcontracting and security responsibilities must be managed and evidenced.)
In finance, cyber incidents often become fraud incidents: payment redirection, fake supplier invoices, account takeover, and social engineering. France also sees strong attention on transfer fraud and related assistance requests, reported by the national cyber assistance observatory.
The key point for 2026 is that fraud blends cyber and compliance:
A breach can expose customer identifiers or banking details that enable targeted fraud
Incident response must link IT evidence with AML/fraud processes and reporting lines
Third parties (payment processors, SaaS tools, KYC vendors) expand the attack surface
Fintechs rely heavily on APIs, integrations, and cloud infrastructure. The European finance sector threat landscape analysis from ENISA (covering 2023 to mid-2024 incidents) highlights recurring issues in financial organisations, including exploitation paths tied to digital services, third-party dependencies, and operational disruption.
On the payments side, the European Payments Council’s threats and fraud trends reporting provides a structured view of payment security threats and fraud patterns across Europe, relevant to French PSPs and payment-enabled businesses.
Industrial environments mix IT and OT (operational technology). Attacks here can stop production, damage quality, or create safety risks. ANSSI publishes dedicated guidance on securing industrial systems, including methods to define an appropriate security baseline for industrial perimeters.
In 2026, the most common reality is not “movie-style” sabotage; it is:
ransomware or intrusion spreading from IT into OT
poor segmentation and weak remote maintenance access
unmanaged assets and long patch cycles on industrial components
Industrial firms sit inside supply chains. Attackers exploit smaller suppliers, managed IT providers, or software dependencies to reach larger targets. ANSSI’s panorama notes that many French entities suffering data leaks were compromised through an IT provider, reflecting this supply chain pathway.
At the wider European level, ENISA’s threat landscape reporting identifies industrial and manufacturing as among the most frequent high-impact ransomware victims, which aligns with what French industry experiences when availability and production continuity are hit.
Retail is attractive because it concentrates payment activity and customer identities. Even when card data is tokenised, exposure can still happen through checkout integrations, scripts, supplier plugins, or poor data handling.
On compliance, CNIL-related guidance and legal commentary regularly stress that payment data storage must follow strict rules, and retaining certain elements (like card cryptograms) is prohibited.
Retailers face large-scale scraping and credential stuffing (re-used passwords) that can look “non-technical” but still becomes a security and trust crisis. ENISA’s threat landscape notes retailers as attractive targets due to the large amounts of sensitive customer data they handle and the operational impact when systems go down.
French local authorities are consistently targeted. ANSSI published a dedicated report showing it handled 218 cyber incidents affecting local authorities in 2024, averaging about 18 per month.
This is not just big cities; it includes communes and intercommunal structures, often with limited internal security resources.
Service disruption is a key public-sector risk: public websites and services are visible targets for DDoS and defacement, and public bodies can also be caught in extortion campaigns. Reporting and commentary around the ANSSI panorama highlights DDoS activity affecting local authorities and the broader pressure on public services to strengthen defences.
In France, 2026 is the year where cybersecurity stops being managed in separate silos. Three major rule sets are now colliding in day-to-day operations:
GDPR still drives the toughest expectations around personal data protection, breach readiness, and evidence of organisational measures (documentation, access control, incident handling). CNIL guidance keeps pushing practical security basics and clear breach handling, including the 72-hour notification rule where a breach creates risk to individuals.
NIS2 expands the scope of cybersecurity obligations to more sectors and more mid-sized entities, with stronger governance expectations and clearer minimum measures (including supply-chain security, security in development/maintenance, vulnerability handling, training, and effectiveness testing).
EU AI Act adds a new compliance layer for organisations building or using regulated AI, including obligations that become relevant on a defined timeline (with high-risk AI rules phased in from August 2026 onward).
In practical terms: a single incident (for example, a cloud misconfiguration exposing customer data and also impacting availability of a regulated service) can trigger multiple reporting duties and multiple supervisory interactions.
Overlapping reporting obligations
A serious incident may require GDPR breach handling (CNIL), NIS2 incident reporting (through national channels once implemented), and potentially sectoral reporting if you operate in finance, health, or critical services. The risk is not just “missing a deadline”, but giving inconsistent timelines, root causes, or impact estimates across reports.
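Deriving every notification deadline from one detection timestamp is the simplest way to avoid the inconsistent timelines mentioned above, and it also makes the CNIL decision independent of whether systems are down, as recommended for pure extortion cases. The script below is an added example, not code from the original page or from any regulator: it takes one incident record and returns the GDPR and NIS2 obligations with their deadlines. It uses the 72-hour CNIL notification rule and the NIS2 staged timeline (24-hour early warning, 72-hour incident notification, final report within one month of the notification, approximated here as 30 days); the incident fields, the `significant` flag and the two constructed incidents are assumptions, and sector-specific (DORA) deadlines are deliberately not modelled because the page gives none.

```python
"""Unified incident-reporting clock (added example, not from the page).

One detection timestamp drives every deadline, so the GDPR and NIS2 reports
quote the same timeline. Rules encoded:
  - GDPR Art. 33: notify CNIL within 72 h of becoming aware when the breach
    is likely to create a risk to individuals; Art. 34: inform affected people
    without undue delay when the risk is high; every breach is documented.
  - NIS2 Art. 23: early warning within 24 h, incident notification within
    72 h, final report within one month of the notification (approximated as
    30 days here), for significant incidents at essential/important entities.
The incident fields and the constructed incidents are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Incident:
    detected_at: datetime          # moment the organisation became aware
    personal_data_affected: bool   # data of any identifiable person involved
    risk_to_individuals: str       # "none", "risk" or "high"
    nis2_entity: bool              # essential or important entity in scope
    significant: bool              # meets the NIS2 significance test
    systems_down: bool             # availability impact; NOT a trigger below


def reporting_obligations(inc: Incident):
    """Return {obligation: deadline}; deadlines are timezone-aware datetimes."""
    t0 = inc.detected_at
    duties = {}
    # GDPR duties are triggered by risk to people, never by downtime,
    # so data theft without encryption still starts the 72-hour clock.
    if inc.personal_data_affected:
        duties["gdpr_internal_breach_register"] = t0   # documented even if not notified
        if inc.risk_to_individuals in ("risk", "high"):
            duties["gdpr_cnil_notification"] = t0 + timedelta(hours=72)
        if inc.risk_to_individuals == "high":
            duties["gdpr_inform_data_subjects"] = t0   # without undue delay
    # NIS2 staged reporting applies only to significant incidents in scope.
    if inc.nis2_entity and inc.significant:
        duties["nis2_early_warning"] = t0 + timedelta(hours=24)
        notification = t0 + timedelta(hours=72)
        duties["nis2_incident_notification"] = notification
        duties["nis2_final_report"] = notification + timedelta(days=30)  # "one month"
    return duties


def timeline(inc: Incident):
    """Obligations sorted by deadline: the single timeline every report quotes."""
    return sorted(reporting_obligations(inc).items(), key=lambda kv: kv[1])


# Constructed incidents for illustration.
DETECTED = datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc)
EXFIL_ONLY = Incident(DETECTED, personal_data_affected=True, risk_to_individuals="high",
                      nis2_entity=True, significant=True, systems_down=False)
OUTAGE_NO_DATA = Incident(DETECTED, personal_data_affected=False, risk_to_individuals="none",
                          nis2_entity=True, significant=True, systems_down=True)

if __name__ == "__main__":
    for name, inc in (("exfiltration only", EXFIL_ONLY), ("outage, no data", OUTAGE_NO_DATA)):
        print(name)
        for duty, deadline in timeline(inc):
            print(f"  {deadline.isoformat()}  {duty}")
```

The two constructed cases show the point of the decision tree: the exfiltration-only incident produces the full set of CNIL duties although nothing is down, while the outage without personal data produces NIS2 duties only. Whatever tool holds the incident record, the deadlines should be computed once and copied into every report rather than re-estimated by each team.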
Increased audit and evidence expectations
NIS2 is designed to raise baseline capability across the EU and includes mechanisms that encourage scrutiny of how well entities implement risk-management measures and reporting obligations. Expect more requests for proof: risk assessments, control testing records, supplier reviews, training logs, and incident response exercises.
Transposition uncertainty in France as an operational risk
France’s NIS2 implementation status has had shifting timelines and updates at EU level. If your leadership waits for “final French details” before acting, you risk being late. A safer approach is to align now with the Directive’s minimum expectations, then adjust once French implementing texts and sector guidance are fully settled.
AI-powered cyberattacks improving speed and believability
Phishing, social engineering, and fraud attempts become harder to spot when attackers use generative tools. This raises the importance of identity controls, payment controls, and staff readiness, not only technical detection.
Governance of high-risk AI systems
If your organisation builds, deploys, or relies on AI that falls into the Act’s regulated categories, you will need governance that looks more like safety and compliance: documentation, oversight, and ongoing monitoring. The timeline matters: requirements phase in, and 2026 is where many organisations start feeling them in procurement and product decisions.
AI tools inside the business creating silent data exposure
Teams adopt AI assistants for faster work, then paste sensitive data into tools outside approved workflows. This creates GDPR exposure and can also create contractual risk with clients (confidentiality, data location, retention).
Cloud hyperscaler dependence
Concentration risk grows when most services rely on a small number of platforms. An outage, misconfiguration pattern, or identity compromise can have immediate business-wide impact. This is no longer only an IT stability issue; it becomes a resilience and continuity issue.
Vendor transparency and supply-chain security requirements
NIS2 explicitly includes supply-chain security in the minimum set of measures, meaning your vendor relationships must include security-related expectations, not just price and delivery. You will need a defensible approach to supplier selection, contractual controls, and periodic assurance.
Software and integration risk across the stack
Modern businesses run on interconnected SaaS tools, APIs, and managed providers. One weak integration (shared tokens, overbroad permissions, missing logging) can become the path of least resistance for attackers.
Shortage of qualified cybersecurity professionals
The skills gap is widely documented across Europe, and it directly affects incident response speed, control quality, and governance maturity.
Inadequate executive awareness
NIS2 pushes cybersecurity into governance and management oversight. If leadership cannot interpret risk reports, approve priorities, and fund the right controls, technical teams remain stuck in reactive mode.
Operational burnout and weak continuity of capability
High turnover in IT/security teams leads to “paper compliance”: policies exist, but control ownership is unclear, evidence is missing, and incident playbooks are outdated.
Many mid-sized organisations in France now fall under NIS2 because the Directive broadens coverage across more sectors and sets criteria that capture organisations previously treated as “too small to matter”. Even where the legal label is still being finalised nationally, client pressure rises fast: large firms will demand stronger cybersecurity assurance from suppliers because their own NIS2 obligations include supply-chain security expectations.
A future-proof cyber budget in France should be built around two spending lanes:
Governance spending (often underfunded, yet essential for audit defence):
Risk assessments tied to business services
Supplier assurance and contract controls
Training that is measurable and role-based
Incident response exercises and evidence-ready reporting workflows
Board-level reporting structure and ownership
Technical spending (must support resilience outcomes, not tool accumulation):
Identity security (MFA everywhere, privileged access controls)
Logging/monitoring with clear use-cases
Backup and recovery that is tested, not assumed
Cloud security posture management and configuration control
Segmentation and hardening for critical services
If you want this strategy to hold up under scrutiny, anchor it to recognised EU expectations and continuously show evidence of improvement, not just “we bought a tool”.
The organisations that will succeed in 2026 are not necessarily those with the most advanced tools, but those that can demonstrate control, respond quickly, and align cybersecurity with regulatory expectations.
This is why many professionals are now focusing on building a structured understanding of cybersecurity as a compliance system—covering GDPR obligations, NIS2 requirements, and risk governance at the management level. Learning pathways like this cybersecurity and information risk management course can help translate these regulatory expectations into practical, real-world decision-making.