🏆 We helped secure 10% of French MiCA licenses · Fixed fees, no lock-in🏆 We helped secure 10% of French MiCA licenses · Fixed fees, no lock-in🏆 We helped secure 10% of French MiCA licenses · Fixed fees, no lock-in🏆 We helped secure 10% of French MiCA licenses · Fixed fees, no lock-in🏆 We helped secure 10% of French MiCA licenses · Fixed fees, no lock-in🏆 We helped secure 10% of French MiCA licenses · Fixed fees, no lock-in
All articles
Compliance9 min read

ReCyF: the ANSSI cyber framework for NIS2

Published on June 23, 2026

With the transposition of the NIS2 directive, ANSSI published the ReCyF, the Référentiel Cyber France, which translates regulatory requirements into concrete security measures. It is now the central working document for any entity covered by NIS2 in France.

What is the ReCyF?

The Référentiel Cyber France (ReCyF) is the cybersecurity measures framework published by ANSSI in the context of NIS2. Its version 2.5 (March 2026) defines 20 security objectives broken down into more than 120 concrete measures. ANSSI's goal: give organizations a clear, consistent framework to reach the expected security level, rather than leaving them to interpret the legal text alone.

The 4 themes of the ReCyF

ANSSI organizes the 20 security objectives around four main themes:

  • Information systems governance (objectives 1 to 5)
  • Information systems protection (objectives 6 to 11)
  • Information systems defense (objective 12)
  • Information systems resilience (objectives 13 to 15)

Objectives 16 to 20 complement these themes and cover the most advanced requirements.

Important (IE) or essential (EE) entities: the proportionality principle

The ReCyF applies a proportionality principle based on the entity's status: important entities (IE) are subject to objectives 1 to 15 (with some sub-measures excluded), while essential entities (EE) must cover all 20 objectives and all measures. Essential first step: determine your category.

The 20 security objectives of the ReCyF

  • 1. Inventory of information systems
  • 2. Implementation of a digital security governance framework
  • 3. Control of the ecosystem
  • 4. Inclusion of digital security in HR management
  • 5. Control of information systems
  • 6. Control of physical access to premises
  • 7. Securing the information systems architecture
  • 8. Securing remote access
  • 9. Protection against malicious code
  • 10. User identity and access management
  • 11. Control of information systems administration
  • 12. Identification and response to security incidents
  • 13. Business continuity and recovery
  • 14. Response to cyber crises
  • 15. Exercises, tests and drills
  • 16. Implementation of a risk-based approach
  • 17. Information systems security audit
  • 18. Securing the configuration of resources
  • 19. Administration from dedicated resources
  • 20. Information systems security monitoring

Why start with the risk analysis (RA)?

Even though the risk-based approach is objective 16 of the ReCyF, it is where you should start in practice. The risk analysis (RA) is the foundation that drives the whole approach, for three reasons:

  • It defines the scope: the inventory of systems and the RA determine which systems are actually exposed. The ReCyF even allows excluding a system not exposed to a given risk, provided it is documented.
  • It enables proportionality: without an RA, it is impossible to prioritize the 120+ measures or adapt the effort to the real risk level.
  • It makes compliance defensible: before ANSSI or the supervisory authority, implementation choices must rest on a traceable, justified risk analysis.

In short

Starting with the RA avoids blindly rolling out 120 measures. You secure what matters first, justify what you exclude, and build a realistic compliance plan.

How to comply with the ReCyF

  • Determine your status (IE or EE) and the scope of the information systems concerned.
  • Inventory the systems (objective 1) and run the risk analysis (RA).
  • Perform a gap analysis between your practices and the applicable ReCyF objectives.
  • Build a compliance plan prioritized by risk.
  • Formalize governance and the security policy, then deploy technical and organizational measures.
  • Set up audit and monitoring to sustain compliance over time.

Cyber-SSI supports you on the ReCyF

We run your risk analysis, perform the gap analysis against the objectives of the ANSSI ReCyF and build your NIS2 compliance plan, step by step.

The ReCyF is not just a checklist: approached well, starting from the risk analysis, it becomes a clear roadmap to NIS2 compliance and a genuinely better security level.

Go further

Compliance

A cybersecurity project?

Our experts support you on compliance, audit and operational security.

Contact an expert

We use audience measurement cookies (Google Analytics) to improve your experience. No cookie is set without your consent. Learn more