Key takeaways
- The NIS 2 Directive has a clear objective: to raise the overall level of cybersecurity across the EU.
- ANSSI has published the Cyber France Framework (ReCyF), translating NIS 2 requirements into operational security objectives.
- Our experts decode the directive, the compliance journey, and its practical implications.
The NIS 2 Directive has a clear ambition: strengthening cybersecurity across the European Union. It significantly expands the scope of the previous NIS Directive and now applies to 18 sectors of activity. In France, transposition is still underway, but the direction is already clear: in-scope organisations will be required to implement appropriate risk management measures, report significant incidents, and demonstrate their level of preparedness.
The directive distinguishes between two categories of entities: Essential Entities (EE) and Important Entities (IE). This distinction reflects a principle of proportionality: the level of expected requirements depends on the organisation’s criticality, size, and, in some cases, revenue.
Companies can assess whether they fall within the regulatory scope using the simulator made available by ANSSI.
To support practical implementation, ANSSI has also published ReCyF (“Référentiel Cyber France”), a framework translating NIS 2 requirements into concrete operational security objectives.
Understanding NIS 2: three core obligations, four foundational pillars
To approach NIS 2 without immediately delving into legal detail, two reference points are useful. First, the directive revolves around three primary obligations:
- provide specific information to the competent authority;
- implement appropriate cybersecurity risk management measures;
- report significant security incidents.
Second, ReCyF provides a highly operational framework structured around four major pillars:
Governance - Protection - Defence - Resilience
This analytical framework is particularly useful: NIS 2 is not limited to deploying appropriate technical tools. Above all, the directive expects organisations to demonstrate their ability to manage cybersecurity strategically, reduce risk exposure, respond effectively to incidents, and maintain operational continuity during a crisis.
The four key pillars
Governance
NIS 2 clearly brings cybersecurity into the scope of executive accountability. The topic is no longer solely the responsibility of IT departments or technical teams: management bodies are expected to approve implemented measures, monitor their deployment, and ensure that the cybersecurity strategy is effectively governed.
Within ReCyF, this pillar notably covers digital security governance, asset inventory management, ecosystem oversight, and integration of cybersecurity considerations into HR processes. For Essential Entities, it also includes risk-based approaches and information system audits.
Protection
This pillar encompasses measures aimed at reducing organisational exposure to cyber threats. It includes securing remote access, protection against malicious code, identity and access management, and privileged administration control.
In practical terms, these safeguards aim to limit both the likelihood and the potential impact of incidents.
Defence
Even with robust protection mechanisms in place, organisations must assume that incidents may occur. NIS 2 therefore requires the ability to detect, assess, respond to, and report incidents through a structured process.
Within ReCyF, this logic is reflected in objectives relating to incident identification and response, as well as — for Essential Entities — security monitoring of information systems.
Resilience
The final pillar is often the most tangible for executive leadership: what happens if a major incident occurs despite preventive measures?
NIS 2 expects organisations to be able to back up their data, restore systems, resume operations, and manage cyber crises effectively. ReCyF addresses backup strategies, business continuity, disaster recovery, crisis management, and testing exercises.
The regulation does not only aim to prevent incidents — it also requires organisations to remain operational when they occur.
ISO 27001 and NIS 2: differences and complementarities in achieving compliance
ANSSI’s comparative mapping shows strong alignment between ISO 27001 / ISO 27002 and a significant portion of ReCyF expectations, particularly in areas such as governance, security policies, roles and responsibilities, supplier risk management, backup procedures, business continuity, audit processes, and risk-based approaches.
ANSSI provides a detailed correspondence table mapping ReCyF NIS 2 requirements against ISO 27001 controls.
However, the expected level of implementation is not identical. ReCyF is often more prescriptive in how measures should be applied. For example, it requires:
- at least annual review of the Information Security Policy (PSSI);
- backup testing at least once per year;
- risk analysis review at least every three years;
- explicit periodic reviews of specific control mechanisms.
Where ISO standards allow flexibility in organisational implementation, the NIS 2 framework more frequently defines a specific cadence or structured baseline.
The comparison also highlights differences in scope. Under ISO 27001, risk management measures apply primarily to the ISMS scope defined by the organisation. Under ReCyF, compliance assessment covers the entity’s entire information system and is not limited to a self-defined perimeter.
The same operational logic applies to requirements such as:
- ecosystem mapping;
- maintenance of contact points;
- account deactivation timelines;
- periodic review of accounts and privileges;
- communication filtering based on a default-deny approach.
Another key point: several ReCyF measures explicitly refer to ANSSI guidance, particularly regarding encryption of remote access, authentication mechanisms, privileged administration, and compensating controls where standard requirements cannot be fully implemented. ISO 27001 and ISO 27002 establish principles, but do not typically prescribe implementation at this level of national specificity.
Finally, the ANSSI document shows that certain ReCyF expectations are only partially covered — or not explicitly addressed — by ISO 27001 and ISO 27002. Examples include cyber crisis management frameworks, dedicated training and simulation exercises, securing directory trust anchors, implementing segregated administration networks, and certain requirements related to security monitoring.
At first glance, NIS 2 may appear highly technical, but its underlying message is straightforward: in-scope organisations must improve cybersecurity governance, strengthen system protection, enhance incident response capabilities, and ensure operational continuity.
In France, ReCyF provides a concrete translation of these expectations. For organisations already engaged in DORA or ISO 27001 initiatives, the appropriate approach is not to start from scratch, but to identify which existing components can be reused, reinforced, or adapted as part of a coherent compliance roadmap.
One question frequently arises within the financial sector: is it mandatory to comply with both NIS 2 and DORA? The answer is no, at least not cumulatively.
Understanding why is important, as the boundary between the two frameworks is not always immediately clear.
NIS 2 and DORA pursue different primary objectives:
- NIS 2 aims to raise cybersecurity maturity across 18 sectors of activity;
- DORA, applicable since 17 January, specifically seeks to ensure the integrity and availability of the financial sector. DORA covers 21 categories of financial entities explicitly defined in the regulation, including banks, insurance companies, investment firms, and their critical ICT third-party providers. Its scope overlaps with NIS 2 on topics such as ICT risk governance, incident management, resilience testing, and third-party risk management.
From a legal standpoint, DORA is considered a lex specialis relative to NIS 2: a specific law prevails over a general one.
In practical terms, the 21 categories of financial entities covered by DORA are not required to apply NIS 2 provisions relating to cybersecurity risk management, reporting obligations, or supervisory mechanisms. DORA requirements apply in their place. This is substitution, not layering.
Two scenarios nevertheless require closer analysis:
- DORA does not necessarily cover all entities within a sector. Where financial entities fall within the scope of NIS 2 but are not covered by DORA, NIS 2 requirements apply.
- Where an organisation operates within the “digital infrastructure” or “ICT service management” sectors regulated under NIS 2 but provides services to the financial sector, NIS 2 — not DORA — applies. In such cases, risk management measures must align with the implementing act referenced in Article 21(5) of the directive.
RSM can support organisations in assessing whether they fall within the scope of NIS 2, analysing its articulation with DORA where relevant, conducting a ReCyF-based gap assessment, and leveraging ISO 27001 as a structuring framework.
Our approach aims to transform a dense regulatory framework into a clear, prioritised roadmap aligned with your organisation’s maturity level.
Reference sources and links
- ANSSI – NIS2 Directive – 2026
- Mon Espace NIS2 – NIS2 Directive – 2026
- Mon Espace NIS2 – Simulator – 2026
- Mon Espace NIS2 – How to find out whether the NIS2 directive applies to my entity – 2026
- Mon Espace NIS2 – Links between ISO 27001 and the NIS2 rules – 2026
- Mes Services Cyber – NIS2: requirements – 2026
- EUR-Lex – Digital Operational Resilience for the Financial Sector – 2023
- EUR-Lex – Regulation No. CELEX:52023XC0918(01) – 2023
- Légifrance – NIS2 legislative file – 2023