12 March 2026 Update - The transposition of the CER Directive in France
France did not complete the transposition of Directive (EU) 2022/2557 within the deadline established by Union law. Member States were required to adopt and publish national implementing measures by 17 October 2024. France’s legislative adjustments implementing the Directive were adopted after that deadline, as part of broader reforms of the national security and infrastructure protection framework.
Despite this delay, the French legal framework now provides a comprehensive system for ensuring the resilience of entities responsible for essential services. By integrating the Directive’s requirements into the existing regime governing operators of vital importance, France has created a regulatory environment in which resilience planning, risk management, and cooperation with public authorities form central components of infrastructure governance. This approach reflects the Directive’s objective of ensuring that essential services remain available even under conditions of significant disruption.
France has historically maintained one of the most sophisticated systems within the European Union for safeguarding critical sectors, particularly through the regime governing “opérateurs d’importance vitale” (operators of vital importance). This regime, which has been embedded in French security law for more than a decade, establishes extensive obligations for operators whose activities are essential for national security, public safety, and the functioning of the economy. Nevertheless, the adoption of the CER Directive required France to adapt and expand this preexisting framework in order to ensure full alignment with the broader resilience-based approach introduced by Union legislation.
Directive (EU) 2022/2557 is a substantial transformation in the European legal approach to the protection of essential services. Where earlier regulatory instruments focused primarily on the protection of specific infrastructure installations from security threats, the Directive establishes a comprehensive governance framework designed to ensure the resilience of the entities responsible for providing essential services. The Directive requires Member States to adopt national legal frameworks capable of identifying critical entities, conducting national risk assessments, establishing resilience strategies, and imposing obligations upon designated entities relating to risk management, operational continuity, and incident reporting.
France’s transposition of the Directive was implemented primarily through legislative amendments adopted within the framework of the national internal security system. The main legal adjustments were incorporated into the Code de la sécurité intérieure, which already contained the regulatory regime governing operators of vital importance. The French legislature adopted new provisions designed to align the national legal framework with the obligations established by the CER Directive while preserving the institutional structures that had previously governed the protection of vital infrastructures. In doing so, France effectively expanded the scope of its existing system so that it encompasses the resilience requirements mandated by Union law.
Under the French framework, operators designated as providing services of vital importance are subject to a set of obligations that closely correspond to the requirements imposed by the Directive on critical entities. These operators must identify risks that may affect the continuity of their activities, implement appropriate security and resilience measures, and maintain operational plans designed to ensure the continuity of essential services in the event of disruption. The system requires operators to cooperate closely with public authorities responsible for national security and crisis management, thereby creating a structured partnership between the State and private-sector operators responsible for essential infrastructure.
The identification of entities falling within the scope of the resilience regime is conducted through a national designation process coordinated by the competent authorities of the French State. Ministries responsible for the various sectors covered by the Directive evaluate the importance of specific operators within their respective domains and determine whether disruptions affecting those operators would significantly impair the functioning of society or the economy. Entities identified through this process become subject to the obligations imposed under the national resilience framework.
France’s implementation of the Directive also includes mechanisms for supervision and enforcement. Competent authorities are empowered to monitor compliance with resilience obligations, conduct inspections, and require operators to implement corrective measures where deficiencies are identified. The supervisory system operates within the broader national security architecture, which includes the General Secretariat for Defence and National Security and other specialized bodies responsible for coordinating infrastructure protection and crisis management. These authorities play a central role in ensuring that resilience obligations imposed upon operators are effectively implemented.
An additional dimension of the French implementation is the integration of resilience governance with the broader framework governing cybersecurity and digital infrastructure protection. Directive (EU) 2022/2557 forms part of a broader European legislative package that also includes Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union. France has sought to ensure that the implementation of these two instruments proceeds in a coordinated manner so that the governance of physical infrastructure resilience and cybersecurity risks is addressed through mutually reinforcing regulatory measures.
Through this integrated approach, France seeks to address the increasingly complex threat environment affecting modern infrastructure systems. The continuity of essential services may be threatened not only by traditional security risks such as sabotage or terrorism, but also by natural disasters, technological failures, supply chain disruptions, and cyber incidents. The resilience framework established by the CER Directive and implemented within French law emphasizes risk management, intersector coordination, and proactive resilience planning.
As of March 2026, the implementation of Directive (EU) 2022/2557 in France is an extension and modernization of the country’s longstanding system for protecting vital infrastructures. Through amendments to the Code de la sécurité intérieure and the adaptation of the regime governing operators of vital importance, France has incorporated the Directive’s resilience oriented regulatory model into its national legal framework. Although the transposition was completed after the deadline established by Union law, the resulting legal regime provides the institutional and regulatory mechanisms necessary to strengthen the resilience of critical entities and safeguard the continuity of essential services within the French economy and society.