5 mistakes French companies make before their first NIS2 audit

French implementation of NIS2 has turned compliance into an immediate operational issue. The scope is broader than many organizations first assumed, and the first serious readiness review can arrive faster than teams expect. Avoid these mistakes.

Ignoring your actual scope

Many companies underestimate their exposure and assume they are not concerned. The NIS2 directive significantly broadens the scope compared with NIS1. Depending on the sector and size thresholds applied, tens of thousands of French entities may be affected. Check your sector and your size against the thresholds, using the ANSSI MonEspaceNIS2 simulator, and do not assume you are spared.

Reducing NIS2 to a technical exercise

NIS2 compliance goes beyond technical controls. It covers governance and risk management, and management bears increased responsibility for it. Organizational measures are just as important as technical ones. An audit evaluates your overall security strategy, not just your security tools.

Neglecting the asset inventory

You cannot protect what you do not know. A precise asset inventory is fundamental: it covers information systems, data, and the dependencies between them. Many companies have gaps here, and a NIS2 audit will highlight them, because an incomplete inventory directly undermines your risk management.

Underestimating supplier management

Your supply chain is a target, and an incident at a supplier impacts you. NIS2 requires rigorous third-party risk management: evaluate the cybersecurity of your providers and integrate strong contractual clauses. A single weak link compromises your entire system.

Waiting until the last minute

The French transposition of NIS2 is underway, and ANSSI guidance and national preparation material already make the expected control areas clear. Starting early allows you to integrate the changes progressively. Late preparation generates stress and increases the risk of non-compliance.

Key Takeaways

Common mistake        | Impact on the audit      | Recommendation
Poorly defined scope  | Total non-compliance     | Check sectors and thresholds
Technical focus       | Lack of governance       | Involve management
Incomplete inventory  | Unidentified risks       | Map all assets
Unevaluated suppliers | External vulnerabilities | Audit the supply chain
Late preparation      | Stress, non-compliance   | Anticipate, use the ReCyF

FAQ

What guidance should companies use first?

Start with the NIS2 directive, the French transposition texts that apply to your entity, and current ANSSI guidance. Additional national frameworks can help, but they should complement rather than replace the official legal and supervisory texts.

What are the penalties for NIS2 non-compliance?

Fines can be heavy: up to 10 million euros or 2% of global turnover. Executive liability is also engaged.

How can Autodit.io help with NIS2 compliance?

Autodit.io is an EASM (external attack surface management) platform. It helps you map your exposed assets and identify their vulnerabilities, so you are better prepared for your NIS2 audit.