Following ReCyF v2.5 or its successor promises to be no fun for French companies

“The danger for French essential entities today lies not only in the hacker, but in the space between policy and reality: where segmentation is missing, suppliers sit too deep, administration is too broad, and monitoring comes too late.”

In the boardroom of a French essential entity, there is no panic, but there is something that comes dangerously close: managerial uncertainty. Not because people do not know that cyber is a top priority, but because they feel that the traditional layers of policy, certification and audit are no longer sufficient. Today’s attacker does not look for a theoretical weakness, but for an operational opening: an inadequately separated administration environment, an external connection without strict filtering, a supplier with overly broad rights, a remote access channel that works but is not shielded with sufficient granularity. It is precisely in that space between governance and execution that ReCyF v2.5 appears. And that makes it anything but fun for French companies.

ReCyF, the Référentiel Cyber France, positions itself in this version as the French cybersecurity reference framework for the national NIS2 transposition. The document is both ambitious and uncomfortably honest: it is still a “version de travail” dated 17 March 2026. At the same time, the direction is already clear. ReCyF consists of security objectives and, for each objective, acceptable means of conformity. The objectives answer the question of what must mandatorily be achieved; the means of conformity answer the question of how an organisation can implement or demonstrate that. These means are not always mandatory, but they must help demonstrate during an ANSSI inspection that the security objective has been achieved. In addition, a proportionality principle applies: objectives 16 through 20 apply only to essential entities.

That immediately reveals the first tension. France is working on an auditable NIS2 model, but is doing so through a framework that is still in working version. Companies therefore do not have the luxury of waiting until every audit detail has been fully crystallised. They must already now think about their granularity, their technical evidence, and their managerial embedding. In that sense, ReCyF is not a friendly maturity document. It is a signal that France wants to move from general cyber governance to demonstrable operational cyber resilience.

From policy to evidence

The most fundamental aspect of ReCyF is not that it asks for governance. ISO 27001, NIST CSF and other frameworks have already been doing that for years. The fundamental difference is that ReCyF does not see governance separately from concrete, testable operationalisation. Under objective 2, for example, entities must establish a governance framework with roles, responsibilities, conformity management, PSSI and an action plan for identified deviations. That conformity analysis must be maintained for each information system, and alternative measures must be explicitly justified. In doing so, ReCyF shifts the conversation from “do we have a policy?” to “can we demonstrate where we deviate, why, and what we are doing about it?”

That principle runs throughout the entire document. ReCyF no longer wants inventory management, supplier control, HR security, patching, segmentation, identity management, administrative separation, backup, crisis response, exercises, risk analysis, audits, hardening and monitoring to be seen as separate disciplines, but as interconnected layers of assurance. In that respect, the 20 security objectives are not a collection of controls; they form a French attempt to turn NIS2 into a controllable architecture of cyber responsibility. The table with the four pillars — governance, protection, defense and résilience — explicitly confirms that structure.

Why this will weigh heavily on French companies

The real challenge of ReCyF is that, for many organisations, it leaves the comfortable zone of traditional compliance. An organisation may today have a fairly mature information security policy and still run into problems as soon as ReCyF starts requiring operational granularity. Think of annual filtering reviews, management of interconnections, stricter remote access conditions, exclusion of BYOD in certain essential contexts, separate administrative resources, or a security monitoring capability that must be able to ingest and process logs and events within 24 hours at the latest. These are no longer merely paper-based expectations; these are architecture and operational questions.

For essential entities, this becomes even more visible. Objectives 16 through 20 add a heavier regime: a formal risk-based approach, a planned audit programme, secure configuration, dedicated administration and security monitoring. This allows ReCyF to grow beyond a general policy framework and move toward a model in which governance, risk, technology and operational evidence must come together in one auditable chain.

The normative preparation: what can already be done today?

At the same time, ReCyF shows that preparation is perfectly possible. Not because everything has already been finalised, but because the contours are clear enough to position a mature organisation already now.

For governance and risk steering, the strongest foundation remains ISO/IEC 27001:2022. ReCyF explicitly recognises ISO 27001 as an evidence basis for objective 2, and again for objective 16 for the systems that fall within the scope of the certification. This means that organisations with a full-fledged ISMS approach are not starting from zero, but they must check whether their governance has also been translated deeply enough into technical practice.

For incident response, crisis management, exercises and risk analysis, ReCyF explicitly refers to qualified support services such as PACS, while PASSI becomes the logical reference for objective 17 concerning audit. For objective 19 concerning dedicated administration, ReCyF names PAMS as a relevant qualified basis, and for objective 20 concerning detection and monitoring, PDIS. This makes it clear that France does not want to rely only on its own policy, but on an ecosystem of qualified assurance mechanisms.

For the substantive preparation behind this, the normative map remains recognisable: ISO 27002 for control practices, ISO 22301 for continuity, ISO 27035 for incident management, EBIOS RM for risk analysis, CIS Benchmarks and hardening guides for secure configuration, and strong IAM, PAM and monitoring practices from NIST CSF and modern zero trust approaches for technical depth. ReCyF does not replace those frameworks; rather, it forces organisations to use them in a more concrete, consistent and testable way.

The management lesson: granularity is no longer a luxury

What ReCyF is actually saying is managerially simple but operationally heavy: an essential entity can no longer hide behind general maturity. A board of directors or executive committee that says “we have a certificate, a policy and an audit cycle” will increasingly have to explain how remote access is actually protected, how suppliers are controlled contractually and technically, how administrative actions are separated from office activities, how logging is centralised, how crisis communication holds up when standard channels fail, and how it can be demonstrated that risks are not only described but are actually treated.

That is also why French companies will have difficulties if they read ReCyF merely as a future audit note. The essence of this working version is already visible: the country is moving toward a model in which cybersecurity must be managerially accountable, must have technically granular layers, and must be made operationally demonstrable. Organisations that today think only in terms of compliance documentation will tomorrow discover that the real test lies elsewhere: in segmentation, in administration, in supplier relationships, in monitoring and in resilience that can be exercised.

Conclusion

Although ReCyF v2.5 is still on the table today as a working version and the French audit framework has not yet been fully crystallised in all details, other European essential entities can already carry out a highly valuable exercise. The 20 proposed security objectives form a useful framework to test their own preparedness: from inventory and governance to supplier management, segmentation, identity management, incident response, continuity, audits, secure administration and monitoring. Even outside France, this set therefore offers a useful reference point to assess where the organisation is already sufficiently mature, and where technical or organisational granular layers are still missing.

The real lesson is not that companies should merely tick off the 20 objectives as a compliance checklist. The real lesson is that this entire exercise must be steered enterprise-wide and in a risk-driven manner. ReCyF itself makes clear that governance, conformity management, risk analysis, action plans, audits and continuous follow-up are inseparably linked, and that for essential entities, it is precisely the additional objectives around risk, audit, hardening, dedicated administration and monitoring that must further increase maturity. Therefore, no organisation should leave this transformation solely to IT, security or compliance. Steering must be consistently driven from Enterprise Risk Management, so that each security objective is linked to business impact, residual risk, ownership, investment decisions and demonstrable assurance. Only in this way do the 20 security objectives become not separate technical obligations, but a manageable model for real cyber resilience.

Technical explanation: the 20 security objectives of ReCyF

1. Inventory of information systems (Recensement des systèmes d’information)
Preparation: asset register, service register, business impact mapping, scope and exclusion logic. Best foundation: ISO 27001, ISO 27002, NIST CSF Identify.

2. Implementation of a governance framework for digital security (Mise en œuvre d’un cadre de gouvernance de la sécurité numérique)
Preparation: ISMS, PSSI, RACI, compliance analysis, action plan. Best foundation: ISO/IEC 27001:2022.

3. Control of the ecosystem (Maîtrise de l’écosystème)
Preparation: supplier register, interconnection matrix, security clauses, third-party risk management, contractual assurance. Best foundation: ISO 27002, ISO 27036, NIST CSF supply chain.

4. Integration of digital security into HR management (Intégration de la sécurité numérique dans la gestion des ressources humaines)
Preparation: awareness programme, acceptable use charter, joiner-mover-leaver process, role-based training. Best foundation: ISO 27002 HR controls, NIST awareness practices.

5. Control of information systems (Maîtrise des systèmes d’information)
Preparation: IS mapping, patch governance, vulnerability management, lifecycle management, supported software policy. Best foundation: ISO 27002, CIS Controls, NIST Protect.

6. Control of physical access to premises (Maîtrise des accès physiques aux locaux)
Preparation: badge management, visitor registration, physical access reviews, server room protection. Best foundation: ISO 27002 physical security.

7. Securing the architecture of information systems (Sécurisation de l’architecture des systèmes d’information)
Preparation: network segmentation, zoning, interconnection management, firewall matrices, gateway architecture. Best foundation: ISO 27002 network security, zero trust principles, architecture frameworks.
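The annual filtering review mentioned earlier and the firewall matrices of objective 7 come together in one recurring task: checking every allow rule against the approved interconnection matrix, and flagging the flows that are permitted but never authorised (for example a user subnet reaching the dedicated administration zone, which objectives 11 and 19 expect to be separated). The script below is an added illustration, not ReCyF tooling or a French reference implementation; the zone names, prefixes, matrix entries and firewall rules are constructed for the example.

```python
"""Filtering review: compare allow rules with the interconnection matrix.

Added example (not ReCyF tooling): zone names, the matrix and the rules
are constructed to show how an annual filtering review can be automated.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Set, Tuple

# Constructed zoning model: internal zones and the prefixes they contain.
# Address space outside every internal zone is treated as "internet".
INTERNAL_ZONES: Dict[str, list] = {
    "users":   [ip_network("10.10.0.0/16")],
    "servers": [ip_network("10.20.0.0/16")],
    "admin":   [ip_network("10.99.0.0/24")],   # dedicated administration zone
}

# Constructed interconnection matrix: (source zone, destination zone, service)
# triples that architecture has approved. Any other inter-zone allow rule is a
# deviation that needs an explicit justification or removal.
MATRIX: Set[Tuple[str, str, str]] = {
    ("users", "servers", "tcp/443"),
    ("users", "internet", "tcp/443"),
    ("admin", "servers", "tcp/22"),
    ("admin", "servers", "tcp/3389"),
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str       # CIDR prefix as written in the firewall export
    dst: str
    service: str   # "proto/port"
    action: str    # "allow" or "deny"


def zones_of(prefix: str) -> List[str]:
    """Map a prefix to every zone it touches.

    A wide prefix such as 0.0.0.0/0 overlaps all zones, so a rule using it is
    evaluated against every (source, destination) pair it really permits.
    """
    net = ip_network(prefix, strict=False)
    zones = [z for z, nets in INTERNAL_ZONES.items()
             if any(net.overlaps(n) for n in nets)]
    inside = any(n.supernet_of(net)
                 for nets in INTERNAL_ZONES.values() for n in nets)
    if not inside:
        zones.append("internet")
    return zones


def review(rules: List[Rule]) -> List[Tuple[str, str, str, str]]:
    """Return (rule, src_zone, dst_zone, service) for each allowed inter-zone
    flow that the matrix does not authorise. Deny rules and intra-zone flows
    are out of scope for the matrix and are skipped."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        for sz in zones_of(r.src):
            for dz in zones_of(r.dst):
                if sz != dz and (sz, dz, r.service) not in MATRIX:
                    findings.append((r.name, sz, dz, r.service))
    return findings


# Constructed firewall export with three typical review findings: an outbound
# "to any" rule that also reaches the admin zone, a legacy user-to-server RDP
# rule, and an "any" source opened towards the admin zone.
SAMPLE_RULES = [
    Rule("web-out",    "10.10.0.0/16", "0.0.0.0/0",    "tcp/443",  "allow"),
    Rule("app-https",  "10.10.0.0/16", "10.20.0.0/16", "tcp/443",  "allow"),
    Rule("admin-ssh",  "10.99.0.0/24", "10.20.0.0/16", "tcp/22",   "allow"),
    Rule("legacy-rdp", "10.10.0.0/16", "10.20.0.0/16", "tcp/3389", "allow"),
    Rule("vendor-any", "0.0.0.0/0",    "10.99.0.0/24", "tcp/22",   "allow"),
    Rule("deny-all",   "0.0.0.0/0",    "0.0.0.0/0",    "any",      "deny"),
]

if __name__ == "__main__":
    for name, sz, dz, svc in review(SAMPLE_RULES):
        print(f"{name}: {sz} -> {dz} {svc} not in interconnection matrix")
```

The design choice worth noting is that a rule is expanded into every zone pair it actually permits: a destination of 0.0.0.0/0 is not "the internet" but every zone at once, which is exactly how an over-broad rule quietly opens a path into the administration zone. Each finding either becomes a documented, justified deviation in the conformity analysis or a rule change.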

8. Securing remote access to information systems (Sécurisation des accès distants aux systèmes d’information)
Preparation: VPN/TLS, MFA, secure remote access, device encryption, managed endpoints. Best foundation: ISO 27002, NIST CSF identity/access, CIS Controls.

9. Protection of information systems against malicious code (Protection des systèmes d’information contre les codes malveillants)
Preparation: EDR/XDR, device control, removable media governance, secure mail/web filtering, source controls. Best foundation: ISO 27002, CIS Controls, NIST Protect/Detect.

10. Management of user identities and access to information systems (Gestion des identités et des accès des utilisateurs aux systèmes d’information)
Preparation: IAM roadmap, RBAC, account lifecycle, secrets management, periodic access reviews. Best foundation: ISO 27002, NIST CSF, zero trust identity.

11. Control of the administration of information systems (Maîtrise de l’administration des systèmes d’information)
Preparation: separate admin accounts, privileged access governance, Tier 0/AD hardening, admin logging. Best foundation: ISO 27002 privileged access, PAM practices, ANSSI guidelines.

12. Identification of and response to security incidents (Identification et réaction aux incidents de sécurité)
Preparation: incident process, triage, case management, forensic evidence, CSIRT/SOC roles. Best foundation: ISO 27035, NIST incident response, PACS support.

13. Continuity and recovery of activities (Continuité et reprise d’activité)
Preparation: backup and restore processes, cyber recovery, MTPD/DMIA, RPO/PRD, PRA/PCA. Best foundation: ISO 22301, ISO 27031, resilience testing.

14. Response to cyber crises (Réaction aux crises d’origine cyber)
Preparation: crisis cell, crisis criteria, stakeholder register, fallback communication, reconstruction playbooks, RETEX. Best foundation: ISO 22320, ISO 22361, PACS guidance.

15. Exercises, tests and training (Exercices, tests et entraînements)
Preparation: tabletop exercises, multi-year exercise programme, scenario development, crisis and recovery testing. Best foundation: ISO 22398, ISO 22301, PACS exercise support.

16. Implementation of a risk-based approach (Mise en œuvre d’une approche par les risques)
Preparation: formal risk methodology, risk acceptance, treatment plan, periodic reassessment, EBIOS RM. Best foundation: ISO/IEC 27001:2022, PACS, EBIOS RM.

17. Audit of the security of information systems (Audit de la sécurité des systèmes d’information)
Preparation: audit programme, pentest, architecture audit, configuration audit, code audit, audit reporting and follow-up plan. Best foundation: PASSI, ISO 19011, ISO 27007/27008.

18. Securing the configuration of information system resources (Sécurisation de la configuration des ressources des systèmes d’information)
Preparation: secure baselines, hardening standards, golden images, automated configuration reviews. Best foundation: CIS Benchmarks, ISO 27002 secure configuration.

19. Administration of information systems from dedicated resources (Administration des systèmes d’information depuis des ressources dédiées)
Preparation: PAWs, admin network, jump servers, out-of-band management, encrypted admin flows, strong separation between user and admin. Best foundation: PAMS, PAM architecture, zero trust administration.

20. Supervision of the security of information systems (Supervision des systèmes d’information)
Preparation: SIEM/SOC capability, use cases, log retention, correlation, secure storage of telemetry, continuous improvement. Best foundation: PDIS, ISO 27002 logging & monitoring, NIST Detect.
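Objective 20 and the monitoring requirement cited earlier (logs and events ingested and processed within 24 hours at the latest) translate into a check a SOC can run daily: for every expected log source, what is the worst gap between the time an event happened and the time the platform ingested it, and which sources have gone silent altogether. The script below is an added illustration, not ReCyF or PDIS tooling; the record format, the source names, the events and the assumption that a fixed list of sources must report every day are all constructed for the example, while the 24-hour bound is the one the article cites.

```python
"""Monitoring check: does every expected log source arrive within 24 hours?

Added example, not ReCyF or PDIS tooling. The record format, source names
and events are constructed; the 24-hour bound is the one the article cites
for security monitoring.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict

MAX_LAG = timedelta(hours=24)
# Assumption: the sources the SOC expects to receive logs from every day.
EXPECTED_SOURCES = {"fw-edge", "ad-dc1", "vpn-gw", "pam-bastion"}

# Constructed JSON-lines export from a collector: when the event happened on
# the source and when the platform ingested it. One line is deliberately
# malformed to show that parse errors are counted, not silently dropped.
SAMPLE_EVENTS = """\
{"source": "fw-edge", "event_time": "2026-03-17T08:00:00Z", "ingested_time": "2026-03-17T08:00:05Z"}
{"source": "ad-dc1", "event_time": "2026-03-17T08:10:00Z", "ingested_time": "2026-03-17T08:12:00Z"}
{"source": "vpn-gw", "event_time": "2026-03-15T22:00:00Z", "ingested_time": "2026-03-17T09:00:00Z"}
{"source": "fw-edge", "event_time": "2026-03-17T09:30:00Z", "ingested_time": "2026-03-17T09:30:02Z"}
this line is not valid JSON
"""


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 timestamp; a trailing 'Z' means UTC."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)  # treat naive stamps as UTC
    return ts


def analyse(text: str, expected=EXPECTED_SOURCES, max_lag=MAX_LAG) -> Dict:
    """Return sources whose worst ingestion lag exceeds max_lag (in hours),
    expected sources with no events at all, and the count of unparseable
    lines. A silent source is as much a monitoring gap as a late one."""
    worst: Dict[str, timedelta] = defaultdict(timedelta)
    malformed = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            lag = parse_ts(rec["ingested_time"]) - parse_ts(rec["event_time"])
            source = rec["source"]
        except (ValueError, KeyError, TypeError):
            malformed += 1
            continue
        worst[source] = max(worst[source], lag)
    late = {src: lag.total_seconds() / 3600
            for src, lag in worst.items() if lag > max_lag}
    silent = sorted(set(expected) - set(worst))
    return {"late": late, "silent": silent, "malformed": malformed}


if __name__ == "__main__":
    result = analyse(SAMPLE_EVENTS)
    for src, hours in result["late"].items():
        print(f"LATE    {src}: worst lag {hours:.1f} h exceeds 24 h")
    for src in result["silent"]:
        print(f"SILENT  {src}: no events received")
    print(f"malformed lines: {result['malformed']}")
```

Run daily, the output is the evidence an inspector would ask for under objective 20: not "we have a SIEM", but a dated record showing which sources met the 24-hour bound, which did not, and what was done about the gaps.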
