ReCyF: An Additional Lens for NIS 2

Depending on whether you are classified as an “important” or an “essential” entity, NIS 2 will apply differently.

The principle is familiar. ANSSI adds a fresh frame of reference through the ReCyF (Cyber France Reference Framework). It translates the directive’s provisions into 20 objectives.

While awaiting transposition into French law, the ReCyF is circulated only as a working document – and it has not yet undergone consultation. The agency plans to publish a supplementary framework that will cover a subset of its items for less mature entities.

A principle of proportionality applies. The important entities (IE) are thus exempt from five objectives, which apply only to the essential entities (EE). In broad terms, these cover the following:

  • Governance by risk
  • Information security audit program
  • Securing the configuration of IT resources (in particular, installing only what is necessary and otherwise reducing risk)
  • Dedicated administration networks
  • Supervision of information security (scaling the IT system to the operational capacity of the team responsible for this supervision, a continual improvement approach to this activity, data retention of at least 3 months, etc.)

The remaining 15 objectives apply to both EE and IE. But the latter are not expected to deploy the same level of resources to achieve them.


On governance of digital security

ANSSI expects the executive leader of an IE to be personally accountable for information security. But not only that—the leader should designate at least one person to advise and assist them in fulfilling this responsibility.

On integrating digital security into HR management

IE are not expected to include security clauses in employment contracts.

On mastery of information systems

Among the items expected of IE is a map of information systems. But not a procedure for the maintenance and operation of hardware and software resources, nor the planning and deployment of security patches across all these resources.

On mastery of physical access to premises

ANSSI expects an IE to implement measures to limit access by unauthorized individuals to its premises (visitor registry, badges…). But not that it ensures their physical protection (video surveillance, guarding, alarm systems). Nor that physical access rights are allocated strictly according to the minimal necessary need to perform the individuals’ duties.

On securing the architecture of information systems

IE will physically and/or logically segment their entire information systems from others. However, they are not expected to consider whether to define subsystems, nor, in doing so, to define at least one “outgoing gateway” (proxy) and one “incoming gateway” (reverse proxy or relay).

Two other “expectations” do not apply to subsystems. First, ensuring that only interconnections necessary for the IE’s activities or for its maintenance and operations are implemented between its IS and third-party IS (as well as those to which it has chosen not to apply the security objectives). Second, defining and documenting these same connections.


On securing remote access to information systems

ANSSI expects IE to implement encryption and authentication mechanisms in line with its guidance. But it does not necessarily require multi-factor authentication with at least one knowledge factor. It also does not demand risk-reduction measures for access that MFA cannot cover for technical or operational reasons. Nor does it require state-of-the-art encryption and authentication for the disks of workstations and mobile devices that enable remote access from locations beyond the entity’s control.

On protection of information systems against malware

IE are expected to define the hardware resources authorized to connect to their information systems. But they are not required to connect only those devices that they—or a contractor—manage and that participate in their activities or in maintenance.

On identity and access management to information systems

ANSSI expects IE to implement an authentication mechanism involving at least one secret element. It anticipates risk-reduction measures when technical or operational reasons prevent changing the secret. But, within this exception, it does not require implementing an access traceability system.

On control of information system administration

It is expected that administrative actions be performed exclusively from administration accounts, and that these accounts are not used for other purposes.

ANSSI does not require IE to keep an up-to-date list of administrative accounts for their information systems, nor to verify the coherence of access rights and usage requirements when an account is modified.

Another element not expected for IE: the designation of a “trust core” bringing together a directory and the hardware and software resources that host it or allow control of it. Nor, consequently:

  • Carrying out administrative actions on this trust core from dedicated administration accounts
  • Filtering external connections to the trust core and to its administration resources

The annual review of directory configuration is not a requirement for IE either.

On identification and reaction to security incidents

Like EE, IE will implement mechanisms to analyze and categorize reported events and to identify incidents. However, they are not expected to provide:

  • Organizational and technical mechanisms to react to incidents and limit the impact on service delivery
  • Root-cause analysis of each security incident
  • Preservation of technical logs that could serve as evidence in the event of legal proceedings
  • Protection of these logs from an incident that would render them unusable

On continuity and business resumption


ANSSI does not expect an IE to define and document, for each activity and service, the maximum allowable downtime and the data recovery point. Nor to have a business continuity plan (BCP) and disaster recovery plan (DRP) coherent with these two indicators.

On response to cyber-origin crises

As far as this area is concerned, there are no expectations for IE regarding:

  • Criteria for activating and deactivating the crisis management arrangements, taking cyber threats into account
  • Procedures and crisis management mechanisms adapted to cyber threats and based on ANSSI recommendations
  • Measures to isolate, protect, and, where appropriate, rebuild the affected information systems
  • An appropriate communications strategy
  • Backup communication means

On exercises, tests and drills

ANSSI expects, for IE, at least one tabletop exercise—at a frequency deemed appropriate—for the individuals who would be mobilized in the cyber crisis management system.

It does not, however, require a training strategy that includes a list of participants in the various mechanisms, a catalog of exercises, objectives and means to measure their attainment, risk or attack scenarios to test as priorities, or a governance committee to oversee them.

Dawn Liphardt
