As the NIS2 directive is still being transposed into French law (via the draft law on the resilience of critical infrastructures and the reinforcement of cybersecurity), the study “Panorama of the cybersecurity maturity of French companies,” conducted by CyberVadis in partnership with CESIN, offers a nuanced snapshot of where French businesses stand.
First takeaway: there is a direct correlation between being subject to the NIS2 directive and cybersecurity maturity. Entities classified as “Essential” score an average of 817, against 719 for those classified as “Important” and 652 for those outside the regulatory perimeter.
Size is also a determining factor: large enterprises average 865, mid-sized companies (ETIs) 762, small and medium-sized enterprises (SMEs) 694, and micro-enterprises (TPEs) 647.
A notable finding concerns progress: the less mature structures improve the most. Between two successive assessments, micro-enterprises gain 25%, SMEs 19% and ETIs 15%, while large enterprises, already advanced, progress by only 3%.
The study also reveals a major gap between the formalization of security policies and their actual implementation. Companies readily produce policies and procedures, but struggle to provide evidence that these are applied in practice (system configurations, event logs).
Domains mastered and weaknesses
French companies demonstrate solid foundations in governance and the integration of security into human resources management, particularly among essential entities. Incident management also appears to be a mastered area, with formalized processes in 96% of essential companies and 67% of those outside the NIS2 scope. Finally, backup policies are widely documented, covering 92% of essential entities and 80% of companies outside the perimeter.
Conversely, several areas of weakness persist. Management of third parties and partners remains a weak point across the economy as a whole. Remote access and mobile device security show significant shortcomings, and the configuration of information systems remains insufficiently hardened.
Monitoring and threat detection also constitute a major weakness, particularly for small organizations that struggle to move beyond simple event logging to real-time analysis.
Strong authentication, an incomplete rollout
Adoption of multi-factor authentication (MFA) varies widely by use case. For remote access, 73% of essential entities have deployed it, against 51% of important ones.
The gap widens for mobile devices: only 21% of essential entities, 14% of important ones and 10% of companies outside the perimeter actually enforce MFA there. This is largely explained by the constraints of relying on employees’ personal phones.
Third-party management: from contractual clause to verification
While 85% of essential entities include security clauses in their contracts with third parties, actual verification of partners’ security practices remains uneven: 67% of essential entities carry out this due diligence, against 40% of important ones and 24% of those outside the perimeter.
As for security audits, 72% of essential entities regularly carry out penetration tests, while the other categories show gaps in how such testing is structured.
Operational resilience: plans that are rarely tested
Although backup policies are formalized, evidence that backups are actually run on schedule, and that restoration tests are performed, remains limited, particularly outside the NIS2 perimeter. Similarly, business continuity plans are documented but rarely updated or actually tested.
Methodology: Panorama of the cybersecurity maturity of French companies is based on the analysis of 1,049 assessments conducted in France since 2023. The evaluation relies on a hybrid framework combining international standards (NIST CSF 2.0, ISO 27002:2022) and regulatory requirements (NIS2, DORA).
Dawn Liphardt