In early 2025, in a glass-walled boardroom overlooking Lyon, the tension was tangible. Jean-Luc Moreau, founder and CEO of a fast-growing French digital services company, leaned forward, fingers interlocked.
“Let’s not pretend,” he began. “France hasn’t fully transposed NIS2 yet. But that doesn’t mean we’re safe. Since October 2024, incident registration expectations through CERT-FR and ANSSI are already a reality. If something happens, we won’t be able to hide behind legal ambiguity.”
A silence followed. Board members exchanged glances. The concern was real — not just regulatory, but reputational. At the end of the table sat Claire Dubois, the company’s ISMS Manager. Calm, composed, she opened her laptop but didn’t look at it. She didn’t need to.

“Jean-Luc is right,” she said. “There is no hiding anymore. Enforcement has already started — operationally, if not fully legislatively.”
She paused, letting that settle. “But we are not exposed,” she continued. “We anticipated this shift.” The room shifted slightly — curiosity replacing tension. “Since January 2025, we are full-scope ISO/IEC 27001:2022 certified. Not as a badge — but as a system. And more importantly, we’ve aligned our maturity to Tier 3 and Tier 4 levels across critical domains.”
Jean-Luc raised an eyebrow. “That sounds reassuring, but ANSSI won’t audit certificates. They’ll audit reality. Where were our gaps?”
Claire nodded. “Exactly. And that’s what we addressed.” She stood up and walked to the screen. “Before this transformation, we had five critical exposure areas.” She raised her hand, counting them off.
“First — governance. Cybersecurity was discussed, but not owned. Today, accountability is formalized at executive level, aligned with NIS2 Article 20.”
“Second — risk management. It was fragmented. Now, we operate a continuous, enterprise-wide risk model, directly linked to business impact.”
“Third — incident response. We had procedures, but no real readiness. Today, we are aligned with ANSSI expectations, including detection, escalation, and 24/72-hour reporting capability.”
“Fourth — supply chain risk. We didn’t know our weakest links. Now, every critical supplier is classified, assessed, and contractually bound.”
“And fifth — monitoring and detection. We were reactive. Today, with centralized logging and threat intelligence, we are proactive.”
She turned back to the board. “These were not theoretical gaps. These were audit findings waiting to happen.”

A board member leaned forward. “And now?”
Claire allowed herself a small smile. “Now, we don’t prepare for compliance. We operate in a state of continuous audit readiness.”
Jean-Luc looked at her, the tension easing from his expression. “So if ANSSI walks in tomorrow?”
“They won’t find a company hiding behind incomplete legislation,” she said. “They’ll find a company that understood early… that NIS2 is not about the law being published — it’s about resilience being proven.”
The room was quiet again — but this time, it was confidence. Outside, the city moved as always. But inside that boardroom, something had shifted. Not fear of regulation.
But ownership of resilience.
The cool facts – From Compliance to Resilience: A French Essential Entity’s Journey to NIS2 Alignment under ANSSI Oversight
1. Introduction: The French NIS2 Reality
As the NIS2 Directive is transposed into French law, with ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information) as the competent national authority, Essential Entities in France are entering a new era of cybersecurity accountability.
Compared with the original NIS Directive (2016/1148), NIS2 (Directive (EU) 2022/2555) introduces:
- Stronger governance obligations
- Personal accountability of management bodies (Article 20)
- Operational resilience requirements
- Strict supervisory and enforcement mechanisms
For French Essential Entities, this is not merely regulatory compliance — it is a state-driven transformation toward measurable cyber resilience.
2. Initial State: Gap Landscape in a Typical Essential Entity
A baseline assessment against NIS2 and ANSSI guidance revealed systemic gaps, commonly observed across the French ecosystem:
2.1 Governance & Leadership Gaps
- Cybersecurity not fully embedded at executive board level
- Lack of formal accountability structures (Article 20 NIS2)
- Limited integration between risk, compliance, and business strategy
2.2 Risk Management Fragmentation
- Risk assessments performed in silos
- Absence of a continuous risk management methodology
- Weak linkage between risk scenarios and operational controls
2.3 Incident Response & Crisis Management
- Incident response plans exist but are not aligned with ANSSI / CERT-FR reporting expectations
- Lack of real-time detection and escalation workflows
- No structured post-incident learning loop
2.4 Supply Chain & Third-Party Risk
- Incomplete third-party inventory
- No structured risk classification of suppliers
- Absence of contractual cybersecurity enforcement
2.5 Operational Security & Monitoring
- Logging and monitoring inconsistent or incomplete
- Limited threat intelligence integration
- Reactive rather than proactive detection capabilities
3. Strategic Decision: ISO/IEC 27001:2022 as the Backbone
To address these gaps structurally, the organization adopted a full-scope ISO/IEC 27001:2022 certification strategy, not as a checkbox exercise, but as:
A governance and operational framework to operationalize NIS2 compliance and align with ANSSI doctrine
Why ISO 27001:2022?
- Provides a risk-based management system (ISMS)
- Aligns naturally with the requirements of NIS2 Articles 20–21
- Enables auditability and continuous improvement
- Widely recognized as a maturity indicator; note that certification alone does not demonstrate NIS2 compliance to ANSSI, which assesses the operational reality behind the certificate
4. The Transformation Model: From Gaps to Control Maturity
4.1 Governance Reinforcement (NIS2 Article 20)
Actions implemented:
- Establishment of a Cybersecurity Governance Committee
- Formal designation of accountable executives
- Integration of cybersecurity into enterprise risk management (ERM)
Outcome:
- Clear top-down accountability
- Board-level visibility and decision-making
4.2 Unified Risk Management Framework
Actions implemented:
- Deployment of a centralized risk methodology (ISO/IEC 27001 Clauses 6.1.2 and 6.1.3: information security risk assessment and risk treatment)
- Mapping of risks to:
- Business processes
- Assets
- Threat scenarios
- Introduction of continuous risk monitoring
Outcome:
- Transition from static to dynamic risk management
- Direct linkage between risk and controls
4.3 ANSSI-Aligned Incident Management
Actions implemented:
- Redesign of incident response procedures aligned with:
- ANSSI / CERT-FR reporting requirements
- NIS2 Article 23 notification timelines: early warning within 24 hours of becoming aware of a significant incident, incident notification within 72 hours, and a final report within one month (with intermediate status updates on request)
- Implementation of:
- SOC capabilities
- Detection use cases
- Crisis simulation exercises
Outcome:
- Reduced detection and response time
- Structured regulatory reporting readiness
4.4 Supply Chain Security Reinforcement
Actions implemented:
- Creation of a third-party risk management (TPRM) framework
- Supplier classification based on:
- Criticality
- Data sensitivity
- Operational dependency
- Integration of security clauses in contracts
Outcome:
- Full visibility of supply chain exposure
- Enforceable security obligations
4.5 Monitoring, Detection & Operational Security
Actions implemented:
- Implementation of centralized logging (SIEM)
- Integration of threat intelligence feeds
- Continuous monitoring aligned with:
- ISO 27001 Annex A (2022 controls)
- ANSSI operational expectations
Outcome:
- Shift from reactive to proactive cybersecurity posture
- Measurable operational resilience
5. Bridging NIS2 and ISO 27001:2022
The organization established a control mapping model linking each NIS2 obligation to the ISO/IEC 27001:2022 clauses and Annex A controls that implement it:
| NIS2 Requirement | ISO 27001:2022 Alignment | Operational Outcome |
|---|---|---|
| Risk Management (Art. 21(2)(a)) | Clauses 6 & 8 | Continuous risk lifecycle |
| Incident Handling (Art. 21(2)(b), Art. 23 reporting) | Annex A 5.24–5.28, 6.8 | Structured response & reporting |
| Supply Chain Security (Art. 21(2)(d)) | Annex A 5.19–5.22 | Third-party governance |
| Business Continuity (Art. 21(2)(c)) | Annex A 5.29–5.30 | Resilience & recovery |
| Monitoring & Detection (part of incident handling, Art. 21(2)(b)) | Annex A 8.15–8.16 | Real-time visibility |
6. Measurable Outcomes and Maturity Gains
After implementation:
- ISO/IEC 27001:2022 Certification achieved (full scope)
- NIS2 compliance posture moved from:
- Ad hoc → Structured → Controlled
- Key improvements:
- ↓ Incident response time
- ↑ Detection capability maturity
- ↑ Executive engagement
- ↑ Supplier security assurance
7. ANSSI Perspective: From Compliance to Trust
From an ANSSI supervisory perspective, this transformation demonstrates:
- A shift from formal compliance → operational resilience
- The ability to:
- Detect
- Respond
- Recover
- Adapt
This aligns with ANSSI’s broader objective:
Ensuring that Essential Entities contribute to national cybersecurity resilience, not just regulatory adherence
8. Key Lessons Learned
- ISO 27001 is not the goal — it is the enabler
- NIS2 requires executive ownership, not just IT involvement
- Supply chain risk is the weakest link if unmanaged
- Operational capabilities (SOC, IR) are critical for ANSSI alignment
- Continuous improvement is mandatory — not optional
9. Conclusion: A Blueprint for French Essential Entities
This journey demonstrates that:
A full-scope ISO/IEC 27001:2022-certified ISMS, when properly implemented, provides a robust and scalable foundation for NIS2 compliance under ANSSI supervision
However, success depends on:
- Integration into business strategy
- Operational execution
- Continuous maturity evolution
For French Essential Entities, the path forward is clear:
👉 From compliance → to resilience → to trust