CRA Compliance in France
National competent authority, Article 14 CSIRT contacts, and enforcement guidance for France manufacturers.
France operates one of Europe's most capable national cybersecurity authorities in ANSSI, which will serve as the national competent authority for CRA enforcement. French manufacturers — particularly in aerospace, automotive, and industrial sectors — face a mature regulatory environment shaped by the Loi de Programmation Militaire (LPM), which already mandates incident reporting for operators of vital importance. The CRA extends comparable obligations across a far broader population of product manufacturers, and ANSSI is expected to play an active role in both guidance and enforcement.
National Competent Authority (CRA)
ANSSI
Agence nationale de la sécurité des systèmes d'information
ANSSI is the French national cybersecurity agency under the authority of the Prime Minister, and France's designated NCA for the CRA. It publishes binding cybersecurity reference frameworks and conducts market surveillance for cybersecurity products.
https://www.ssi.gouv.fr →National CSIRT (Article 14 Reports)
CERT-FR
CERT-FR
https://www.cert.ssi.gouv.fr/contact/
https://www.cert.ssi.gouv.fr →CRA Enforcement in France
ANSSI has been established as France's national competent authority for the CRA, with a mandate that builds on its existing role as the national authority under the NIS2 Directive. ANSSI operates with broad supervisory powers including the ability to conduct on-site inspections, request technical documentation, and order product recalls. French manufacturers in regulated sectors — including those supplying the defence and critical infrastructure supply chains — will be subject to overlapping requirements from ANSSI under both the CRA and the LPM framework. ANSSI's Centre de Qualification and CSPN certification scheme provide a recognised pathway for third-party conformity assessment.
Article 14 Incident Reporting for French Manufacturers
French manufacturers must route Article 14 reports through CERT-FR, ANSSI's operational CSIRT. CERT-FR operates a secure electronic reporting portal and accepts incident notifications 24/7. The Article 14 obligation requires an early warning within 24 hours of discovering active exploitation, with a full notification within 72 hours and a final report within one month. France's existing LPM notification framework for Opérateurs d'Importance Vitale (OIV) uses a similar tiered structure, and manufacturers already accustomed to OIV reporting will find CRA Article 14 familiar. CERT-FR will relay reports to ENISA and coordinates within the EU CSIRTs network.
Market Surveillance & Penalties
ANSSI and the DGCCRF (Direction Générale de la Concurrence, de la Consommation et de la Répression des Fraudes) share market surveillance responsibilities in France for consumer-facing products. For CRA violations, France will implement the full penalty regime: up to €15 million or 2.5% of global annual turnover for breaches of essential cybersecurity requirements. ANSSI may issue formal notices, require corrective action, or seek product withdrawal through the courts. The DGCCRF has an established track record of active enforcement in consumer product safety, suggesting CRA enforcement for consumer-facing connected products will be vigorous.
Support for French Manufacturers
ANSSI publishes extensive guidance in French, including its Référentiel Général de Sécurité (RGS) and product security recommendations that map to CRA Annex I requirements. Its CSPN (Certification de Sécurité de Premier Niveau) scheme provides a lighter-touch evaluation pathway suitable for lower-risk products. For SMEs, Bpifrance and the French cybersecurity industry association ACN operate support programmes. ANSSI also maintains the France Cybersecurity label, which can complement CRA conformity activities. The Campus Cyber initiative in Paris serves as a national hub connecting manufacturers with cybersecurity expertise.
CVD Portal automates your Article 14 notification obligations.
Pre-built notification workflows for CERT-FR, deadline tracking, CSAF advisory generation, and a public CVD submission portal. Free forever.
Start your free portalFrequently asked
How do I contact ANSSI as a manufacturer with a CRA compliance question?+
ANSSI operates a liaison function for industry at ssi.gouv.fr. Manufacturers can submit written enquiries through the official contact form. ANSSI also engages industry through its Observatoire de la sécurité des systèmes d'information et des réseaux (OSSIR) and sector-specific working groups. For urgent compliance questions, ANSSI's industrial liaison team can be reached directly during business hours.
Does France have national-level CRA implementing legislation?+
France is expected to transpose CRA market surveillance and penalty provisions through amendments to the Code de la consommation and sectoral regulations. The LPM already provides a legal basis for ANSSI's supervisory powers over critical infrastructure. National implementing decrees are expected to be issued ahead of the CRA's December 2027 application date, and ANSSI is expected to publish regulatory guidance documents (circulaires) for affected sectors.
How does the CRA interact with France's Loi de Programmation Militaire obligations?+
The LPM imposes incident reporting obligations on Opérateurs d'Importance Vitale (OIV) that partially overlap with CRA Article 14. French manufacturers that are also OIV designees — common in energy, transport, and defence supply chains — must satisfy both frameworks. ANSSI is expected to provide unified reporting guidance that allows a single submission to satisfy both obligations where the incident scope qualifies. Manufacturers should map their LPM and CRA notification triggers as part of their incident response planning.
CRA guides for neighbouring countries
Need a CRA compliance checklist for your product?
Browse free niche-specific checklists covering classification, Annex I obligations, and CVD requirements.