
ReCyF (ANSSI): understand the Cyber France Framework and prepare NIS 2 now

Everything you need to know about ReCyF (ANSSI): the French framework to strengthen your cybersecurity and effectively prepare the NIS 2 directive.


The Cyber France Framework (Référentiel Cyber France, ReCyF) is a working document published by ANSSI as part of the national transposition of the NIS 2 directive. It proposes a clear structuring of the security objectives expected of important entities (EI) and essential entities (EE), together with acceptable means of compliance for achieving them.

ANSSI encourages organizations to join this security dynamic without waiting, even before the final transposition framework is published.

In this article, we take stock of:

  • What ReCyF is and what it is for.
  • Who it applies to (EI/EE) and how to approach it in a proportionate manner.
  • The main security objectives covered by ReCyF.
  • How to save time by tooling your compliance work, in particular with Egerie, which already integrates ReCyF to speed up your procedures.

What is ReCyF? (Cyber France Framework)

ReCyF is the cybersecurity framework referred to in the NIS 2 transposition bill. It is structured around:

  • security objectives (the “what”): mandatory once the national framework is in force,
  • and acceptable means of compliance (the “how”): measures proposed by ANSSI, which are not mandatory as such, but which are a recognized way of demonstrating that the objective has been achieved.

Important: ANSSI points out that, at this stage, ReCyF is distributed as a working document, as long as the transposition is not finalized and the consultation has not taken place.

This is a significant change: we are moving from a context where NIS 2 may still seem “vague” (many requirements, varying interpretations, action plans that are hard to justify) to a framework that puts things in order. ReCyF formalizes what is expected in the form of objectives and proposes recognized ways of demonstrating compliance. For cyber teams, this makes the process controllable: start from a clear perimeter, map what already exists, identify the gaps, then build a prioritized and traceable trajectory, rather than a list of projects chosen “by intuition”.

Why ANSSI is urging action now (before transposition)

ANSSI's message is clear: in a context of intensifying threats, a large-scale security dynamic must be launched, and actors are encouraged to commit now to an approach consistent with NIS 2.

This approach aims to:

  • spread best practices more quickly,
  • make it easier to take ownership of future requirements,
  • enable organizations to prioritize the most effective actions, according to their maturity and resources.

To that end, ReCyF incorporates a principle of proportionality: the expected effort is adapted to the maturity and resources of each entity.

ReCyF, EI, EE: who do the objectives apply to?

The document distinguishes between:

  • objectives applicable to both important and essential entities (objectives 1 to 15),
  • and additional objectives applicable only to essential entities (objectives 16 to 20), in application of the principle of proportionality.

Concretely, this helps to structure a compliance trajectory without trying to “do everything at once”, and without oversizing the level of requirements for the least mature organizations.

ReCyF objectives: the main thing to remember (and the real “twist” for essential entities)

ReCyF brings together 20 security objectives. Rather than reading them one by one, it is more useful to understand them as a single framework for raising the security baseline, structured in 4 blocks.

  • Governance and steering (obj. 1 to 5): IS scope, roles and responsibilities, information security policy, compliance, third-party management, mapping, and operational and security maintenance (MCO/MCS).
  • IT protection (obj. 6 to 11): physical access, segmentation and filtering, remote access, anti-malware, IAM, account security, and administration practices.
  • Detection, response and resilience (obj. 12 to 15): incident management, backups and their testing, crisis management, regular exercises.
  • Strengthened requirements for essential entities (obj. 16 to 20): risk-based approach, audits, configuration hardening, dedicated administration, supervision and continuous improvement.

Focus: the introduction of a risk management approach for essential entities (objective 16)

This is a major differentiating point in the framework: for essential entities, ReCyF is not limited to a compliance logic. It explicitly introduces a risk-based approach under the responsibility of the executive director.

In practice, this involves:

  • carrying out a risk analysis (per IS, or per activity/service covering the associated IS),
  • defining and monitoring a risk treatment plan,
  • and accepting residual risks at the appropriate level of governance.

In particular, ReCyF cites the possibility of using EBIOS RM to conduct this analysis.

In other words: for essential entities, compliance becomes inseparable from a structured cyber risk management approach, which drives the prioritization of measures (rather than a merely “generic” action plan).

💡 “ReCyF marks an important evolution: compliance is no longer limited to a checklist, but is becoming a framework for structuring a security base managed over time. The challenge is to transform these objectives into concrete and traceable measures, and, for the entities subject to them, to articulate them with a risk-based approach.” Jean Larroumets, CEO and founder of Egerie

How to implement ReCyF without waiting

For most organizations, the challenge is not to “check boxes” but to turn ReCyF into a controllable action plan.

In this logic, the most effective approach is often to start from what already exists and identify what is already covered.

We see this very frequently in the field: an organization already certified to ISO/IEC 27001 (ISMS in place) and relying on ISO/IEC 27002 best practices has usually already covered a large part of the expectations relating to governance, policies, access control, incident management, continuity, and so on.

The challenge is therefore not necessarily to “start over”, but to:

  • know what is already covered,
  • objectify the remaining gaps,
  • and connect this existing base to the ReCyF/NIS 2 framework with usable traceability.

ReCyF also provides for the use of certifications, in particular ISO/IEC 27001:2022, to demonstrate compliance with certain objectives, within the scope covered by the certification.

Here is a simple and effective approach, in line with the spirit of the framework:

  1. Define the perimeter: activities/services, associated IS, and the people responsible for them (objective 1).
  2. Structure governance and compliance: information security policy (PSSI), roles, gap analysis, action plan (objective 2).
  3. Map ISO coverage to ReCyF: quickly identify what is already in place through your ISMS (ISO 27001/27002) and what still needs to be completed.
  4. Prioritize: start with high-impact measures of reasonable cost (hygiene, IAM, patching, segmentation, backups, detection).
  5. Industrialize: put tooling in place for monitoring, evidence, gaps and traceability, to avoid a “compliance project” that depends on scattered files.

ReCyF is already integrated into Egerie

ReCyF provides a concrete framework for deploying a security baseline consistent with NIS 2, with a logic of objectives, proportionality and traceability. It allows you to start right away by structuring the governance, the IS perimeter, the key measures and the action plan.

To help organizations move from framework to execution, Egerie integrated ReCyF very quickly, so that teams can start without waiting and we can support customers right now, even before the final transposition.

In this way, we can help organizations:

  • take stock of their security baseline (including when an ISO 27001/27002 approach is already in place),
  • identify common measures and overlaps between what already exists and ReCyF,
  • objectify the remaining gaps,
  • and build a prioritized and controllable compliance trajectory.

📅 Are you preparing NIS 2/ReCyF?

Book a demo (30 min) with our experts to see how to transform ReCyF into a controllable action plan in Egerie.
