ReCyF France and NIS 2: Complete Guide to the 20 Security Objectives and Becoming a PECB Certified Lead Implementer
ANSSI's ReCyF v2.5 turns the NIS 2 Directive into 20 auditable security objectives for organisations regulated in France. Here's the full breakdown, its mapping to NIS 2 Article 21, and the PECB Lead Implementer certification path.
ReCyF (Référentiel Cyber France) is the operational framework ANSSI published on 17 March 2026 to translate the NIS 2 Directive's Article 21 requirements into 20 concrete security objectives for organisations regulated in France. It is currently a working document pending the French transposition law, but ANSSI has explicitly told regulated entities not to wait for the final text before implementing it. This guide breaks down all 20 objectives, maps them against the Directive's core articles, and explains the fastest credible route to becoming a certified NIS 2 implementer: the PECB NIS 2 Directive Lead Implementer certification.
Key Takeaways
- 20 security objectives in ReCyF v2.5: 15 apply to all regulated entities, 5 apply only to Essential Entities
- 17 March 2026: the date ANSSI unveiled ReCyF at Campus Cyber, alongside a free ISO 27001 comparison tool
- €10M: the maximum NIS 2 fine for Essential Entities, or 2% of global turnover, whichever is higher
- Working document: ReCyF is not yet law; it becomes binding once France's transposition decree is finalised
- 6 exam domains in the PECB NIS 2 Directive Lead Implementer certification
- EBIOS RM: ANSSI's recommended risk methodology for ReCyF Objective 16 (Essential Entities only)
On This Page
- What Is ReCyF and Why ANSSI Built It
- The 20 ReCyF Security Objectives, Explained
- Mapping ReCyF to the NIS 2 Directive
- Physical-Cyber Convergence: ReCyF's Sharpest Edge
- Running a ReCyF Gap Analysis Against ISO 27001
- Implementation Roadmap: From Gap Analysis to Compliance
- Becoming an Expert: PECB NIS 2 Directive Lead Implementer
- Training with reconn
What Is ReCyF and Why ANSSI Built It
ReCyF (Référentiel Cyber France) is the French national cybersecurity framework that operationalises NIS 2 for organisations regulated in France, published by ANSSI as a working document on 17 March 2026. It answers a question that had been left open since NIS 2 entered into force in January 2023: what, specifically, does "appropriate technical, operational, and organisational measures" under Article 21 actually require an organisation to do?
France was already significantly behind schedule on transposing NIS 2 into national law — the deadline was 17 October 2024 — and ANSSI's Director General, Vincent Strubel, used the Campus Cyber launch event to make one point unambiguously clear: ReCyF should not be treated as optional just because it isn't yet backed by a final decree. Examination of the transposition bill (the Projet de loi relatif à la résilience des infrastructures critiques et au renforcement de la cybersécurité, or PJL Résilience) was expected in the French parliament's extraordinary session in July 2026, and ReCyF stays a working document until that process concludes.
Structurally, ReCyF separates two things that NIS 2 sometimes blurs together: security objectives (the "what" — a regulatory requirement fixed by decree that a regulated entity must satisfy) and acceptable means of compliance (the "how" — specific measures ANSSI proposes, which are not themselves mandatory, but which an organisation can point to during an ANSSI audit as recognised evidence of having met the objective). An organisation can also demonstrate compliance through documented alternative measures, provided ANSSI can assess their appropriateness during a control.
Definition: ReCyF
ReCyF is the cybersecurity framework referenced at Article 14 of France's NIS 2 transposition bill. It sets out 20 security objectives, split between those applicable to all regulated entities and those reserved for Essential Entities, plus a companion set of acceptable means of compliance ANSSI recommends for demonstrating each objective is met.
ReCyF also builds in a principle of proportionality: the level of effort expected scales to an organisation's maturity and resources, rather than demanding the same posture from a 60-person energy distributor as from a national telecom operator. ANSSI has said it will publish a further, smaller reference document under the separate Cyber Départ initiative — a subset of ReCyF aimed at the least mature entities, prioritising the cheapest measures with the highest security impact.
The 20 ReCyF Security Objectives, Explained
ReCyF v2.5 organises its 20 objectives into two tiers. Objectives 1 through 15 apply to every regulated entity in France — both Important Entities (IE) and Essential Entities (EE). Objectives 16 through 20 apply only to Essential Entities, reflecting NIS 2's higher supervisory bar for organisations in the most critical sectors.
Objectives Common to All Regulated Entities (1–15)
| # | Objective | What It Requires |
|---|---|---|
| 1 | Information system inventory | A maintained register of systems, applications, and assets in scope |
| 2 | Digital security governance framework | A formal security policy covering encryption, access control, and periodic review of measures |
| 3 | Ecosystem control | Assessing and contractually managing the cybersecurity posture of suppliers and service providers |
| 4 | Digital security in HR management | Security clauses in employment terms and a unified joiner/mover/leaver process covering logical and physical access together |
| 5 | Information system control | Mapping of systems and formal maintenance-in-operational-condition / maintenance-in-security-condition (MCO/MCS) procedures |
| 6 | Physical access control | Badge systems, visitor registers, and protection of premises and technical rooms housing critical systems |
| 7 | Architecture security | Network segmentation and filtering that isolates critical systems from general IT |
| 8 | Remote access security | Hardened, authenticated remote connections to information systems |
| 9 | Protection against malicious code | Anti-malware controls appropriate to the systems and data at risk |
| 10 | Identity and access management | Authentication mechanisms, account security, and least-privilege access |
| 11 | Administration control | Administration actions performed exclusively from dedicated administration accounts |
| 12 | Incident identification and response | Detection, escalation, and response procedures for security incidents |
| 13 | Continuity and recovery | Business continuity and disaster recovery plans for critical systems |
| 14 | Reaction to cyber-origin crises | Crisis management procedures specific to cybersecurity events |
| 15 | Exercises, tests, and drills | Regular testing of incident response and crisis management plans, with documented lessons learned |
Objectives Reserved for Essential Entities (16–20)
| # | Objective | What It Requires |
|---|---|---|
| 16 | Risk-based approach | A structured cyber risk analysis under the accountability of the executive director, with ANSSI citing EBIOS Risk Manager as an appropriate method |
| 17 | SSI audit | Periodic internal or independent audits of the information security management system |
| 18 | Secure configuration of system resources | Hardened baseline configurations across infrastructure |
| 19 | Administration from dedicated resources | Administration performed only from a hardened, isolated set of resources — what ANSSI calls a "trusted core" |
| 20 | SSI supervision | Continuous monitoring and supervision of the information security posture, typically via a SOC function |
Why This Matters
Because ReCyF v2.5 is still a working document, the exact objective count, numbering, and wording may shift before France's final transposition decree is published. The structure and logic described here — 15 shared objectives plus 5 Essential-Entity-only objectives, each backed by acceptable means of compliance — is the version ANSSI presented on 17 March 2026 and is what implementation teams should plan against today, cross-checking updates on ANSSI's MesServicesCyber portal as the legislative process advances.
Mapping ReCyF to the NIS 2 Directive
Each ReCyF objective is France's operational answer to a specific requirement in the NIS 2 Directive, primarily Article 21's ten risk management measures, with governance tied to Article 20 and reporting tied to Article 23. Reading ReCyF without holding the Directive text alongside it means implementing measures without understanding which legal obligation they satisfy — and, just as importantly, where ReCyF adds French-specific expectations the Directive itself leaves more open.
The table below is a practical cross-reference for implementation teams. It is not ANSSI's official 1:1 mapping — for a definitive, article-by-article comparison, use the free ANSSI comparison tool on MesServicesCyber, linked in Further Reading below, which also maps ReCyF against ISO 27001/27002/27005 and the Annex to EU Implementing Regulation 2024/2690.
| ReCyF Objectives | NIS 2 Article 21 Measure |
|---|---|
| 1, 2, 5, 16 (EE) | Measure 1 — Risk analysis and information security policies |
| 12 | Measure 2 — Incident handling |
| 13, 14, 15 | Measure 3 — Business continuity and crisis management |
| 3 | Measure 4 — Supply chain security |
| 7, 18 (EE) | Measure 5 — Security in acquisition, development, and maintenance |
| 17, 20 (EE) | Measure 6 — Assessing effectiveness of risk management measures |
| 9 | Measure 7 — Basic cyber hygiene and training |
| 2 (encryption clauses) | Measure 8 — Cryptography and encryption |
| 4, 6, 10, 11, 19 (EE) | Measure 9 — HR security, access control, and asset management |
| 8 | Measure 10 — MFA, secured communications, emergency systems |
Two other Directive articles matter as much as Article 21 for anyone implementing ReCyF:
Article 20 — Governance. Management bodies must approve the cybersecurity risk management measures, oversee their implementation, and receive cybersecurity training themselves. ReCyF Objective 2's governance framework and Objective 16's risk-based approach both explicitly place accountability with the executive director for Essential Entities — this is the operational expression of Article 20's personal liability provision, not a separate French invention.
Article 23 — Incident reporting. The Directive's three-stage timeline (24-hour early warning, 72-hour notification, 30-day final report) is the obligation that ReCyF Objective 12 must be built to satisfy. A ReCyF-compliant incident response process has to be able to produce that 24-hour early warning to ANSSI's CSIRT without waiting for the full picture — something implementation teams routinely underestimate until they run their first tabletop exercise against the real deadline.
Physical-Cyber Convergence: ReCyF's Sharpest Edge
ReCyF formally folds physical security into cybersecurity compliance, requiring badge systems, visitor logs, and premises protection to be governed and audited alongside logical access controls rather than left to a separate facilities function. This is the single biggest operational surprise for organisations that treat NIS 2 as a purely IT and network security exercise.
Three ReCyF objectives carry this convergence explicitly:
Objective 6 (Physical Access Control) is entirely dedicated to badge system implementation, visitor management, and protection of server rooms and technical facilities — with access logging and audit trails expected as standard evidence.
Objective 4 (Digital Security in HR Management) requires that when an employee leaves or changes role, logical access revocation and physical access revocation happen as one coordinated process — not two separate tickets in two separate systems that may or may not close on the same day.
Objective 7 (Architecture Security) extends zoning beyond network segmentation into physical or logical isolation of critical systems, which for organisations running industrial control systems or OT environments means separating those networks from corporate IT at both the network and facility level.
Risk Alert
Badge access systems, CMDBs, vulnerability scanners, and SIEM platforms typically run in separate silos, owned by facilities and IT security teams that rarely coordinate. ReCyF makes this coordination a compliance requirement, not a nice-to-have — a vulnerability on a server in a badge-controlled, camera-monitored room is a materially different risk than the same vulnerability on hardware in an open-plan office, and ReCyF expects that context to inform vulnerability prioritisation.
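The Risk Alert above, and the CMDB-to-room cross-referencing called for in Phase 4 of the roadmap below, both come down to joining scanner output with the physical context of the host. The script below is an added example, not ANSSI's method or a tool referenced by this guide: it takes constructed scanner findings, a constructed CMDB host-to-room mapping and a constructed list of room protection levels, and re-ranks the findings so that a vulnerability reachable only with local or physical access is weighted by how well the room is protected. The weighting factors and the `VULN-nnn` identifiers are illustrative placeholders, not values from the page or from any real advisory.

```python
"""Vulnerability prioritisation with physical-access context.

Added example with constructed data. Assumes three inputs an organisation could
export: scanner findings, a CMDB mapping hosts to rooms, and a badge-system view
of how each room is protected. The multipliers are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed scanner export. attack_vector follows the CVSS vocabulary:
# "network" vulns need no physical presence, "local"/"physical" ones do.
SCANNER_FINDINGS = [
    {"host": "web01",     "vuln": "VULN-001", "cvss": 9.8, "attack_vector": "network"},
    {"host": "kiosk03",   "vuln": "VULN-002", "cvss": 6.8, "attack_vector": "physical"},
    {"host": "build02",   "vuln": "VULN-003", "cvss": 7.8, "attack_vector": "local"},
    {"host": "fileshare", "vuln": "VULN-004", "cvss": 7.8, "attack_vector": "local"},
    {"host": "lab-pc7",   "vuln": "VULN-005", "cvss": 5.5, "attack_vector": "local"},  # not in CMDB
]

# Constructed CMDB (Objective 1 / Objective 5) and badge-system room register (Objective 6).
CMDB_ROOMS: Dict[str, str] = {
    "web01": "DC-1", "kiosk03": "lobby", "build02": "server-room-B", "fileshare": "DC-1",
}
ROOM_PROTECTION: Dict[str, str] = {
    "DC-1": "restricted",        # badge plus camera monitoring
    "server-room-B": "badge",    # badge only
    "lobby": "open",             # public or open-plan space
}

# Assumed multipliers applied only to findings that require local or physical access.
CONTEXT_FACTOR = {"restricted": 0.7, "badge": 0.9, "open": 1.3, "unknown": 1.3}


@dataclass(frozen=True)
class Prioritised:
    host: str
    vuln: str
    room: str
    protection: str
    base: float
    adjusted: float


def prioritise(findings: List[dict], cmdb: Dict[str, str],
               rooms: Dict[str, str]) -> List[Prioritised]:
    """Re-rank findings by base CVSS adjusted for the physical exposure of the host.

    A host missing from the CMDB is treated as "unknown" and weighted like an open
    space: an unrecorded asset cannot be shown to sit behind any physical control.
    """
    ranked: List[Prioritised] = []
    for f in findings:
        room = cmdb.get(f["host"], "unknown")
        protection = rooms.get(room, "unknown")
        if f["attack_vector"] in ("local", "physical"):
            adjusted = min(10.0, f["cvss"] * CONTEXT_FACTOR[protection])
        else:
            adjusted = f["cvss"]  # network-reachable: the room does not change the risk
        ranked.append(Prioritised(f["host"], f["vuln"], room, protection,
                                  f["cvss"], round(adjusted, 2)))
    return sorted(ranked, key=lambda p: p.adjusted, reverse=True)


def inventory_gaps(findings: List[dict], cmdb: Dict[str, str]) -> List[str]:
    """Hosts the scanner saw but the CMDB does not know: an Objective 1 finding in itself."""
    return sorted({f["host"] for f in findings if f["host"] not in cmdb})


if __name__ == "__main__":
    for p in prioritise(SCANNER_FINDINGS, CMDB_ROOMS, ROOM_PROTECTION):
        print(f"{p.adjusted:5.2f}  {p.host:10} {p.vuln}  room={p.room} ({p.protection})")
    print("not in CMDB:", inventory_gaps(SCANNER_FINDINGS, CMDB_ROOMS))
```

The point of the join is the second output as much as the first: every scanned host that the CMDB cannot place in a room is both a prioritisation blind spot and a gap against the inventory objective, which is why the two teams the Risk Alert describes need a shared data model before the scoring can mean anything.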
Running a ReCyF Gap Analysis Against ISO 27001
ANSSI's free comparison tool on MesServicesCyber lets organisations already certified to ISO 27001, 27002, or 27005 map their existing controls against ReCyF's 20 objectives to identify what's already covered and what still needs building. The honest answer to "does ISO 27001 certification cover ReCyF?" is: partially, and unevenly.
ISO/IEC 27001:2022 certification is explicitly recognised by ReCyF as acceptable evidence for governance-related objectives — particularly Objective 2. ANSSI-qualified services (PASSI for audit, PACS for consulting, PAMS for secure administration, PDIS for incident detection) similarly count as acceptable evidence for the objectives they touch. But ISO 27001's Annex A controls were not written with ReCyF's physical-cyber convergence requirements in mind, and organisations relying solely on an existing ISO certificate typically find gaps concentrated in three areas: the unified logical-and-physical offboarding process under Objective 4, the badge-and-premises evidence trail under Objective 6, and — for Essential Entities — the EBIOS RM-based risk methodology expected under Objective 16.
The comparison tool filters requirements by theme and by whether they apply to Important or Essential Entities, and cross-references them against ISO 2700X and the Annex to EU Implementing Regulation 2024/2690. Running this comparison before starting an implementation programme is the fastest way to avoid rebuilding controls that already exist under a different name.
Implementation Roadmap: From Gap Analysis to Compliance
Phase 1 — Scope and Classify
Confirm whether your organisation meets the Important or Essential Entity threshold under NIS 2, map your services against Annex I and Annex II sectors, and determine which of ReCyF's 20 objectives apply to you.
Phase 2 — Gap Analysis
Run ANSSI's ISO comparison tool against any existing certifications, then conduct a formal objective-by-objective assessment across all 20 ReCyF objectives, documenting what's in place, partially implemented, or entirely absent.
Phase 3 — Governance and Physical-Cyber Coordination
Assign accountability at the executive level per Objective 2 and Article 20, and — critically — bring facilities and IT security teams into a shared governance structure before touching technical controls. This is the phase most implementations underestimate.
Phase 4 — Technical and Physical Control Implementation
Deploy the objective-specific controls: segmentation, IAM, encryption, malware protection, hardened administration, badge systems, and the integration points between them (CMDB cross-referenced with room assignments, vulnerability scanners tagged with physical access context).
Phase 5 — Incident Response and Crisis Testing
Build the Objective 12 incident response process against Article 23's real deadlines, then test it — Objective 15 explicitly requires documented exercises and drills, not a plan that has only ever existed on paper.
Phase 6 — Essential Entity Layer (If Applicable)
For Essential Entities, add the EBIOS RM-based risk programme (Objective 16), an audit schedule (Objective 17), hardened baseline configurations (Objective 18), a dedicated administration "trusted core" (Objective 19), and continuous SOC-based supervision (Objective 20).
Becoming an Expert: PECB NIS 2 Directive Lead Implementer
The PECB Certified NIS 2 Directive Lead Implementer is the credential most consistently recognised by EU regulators and employers as evidence someone can lead a NIS 2 compliance programme end to end — including in France, where ANSSI accepts PECB-certified staff as evidence of qualified personnel during controls. For anyone who has just worked through ReCyF's 20 objectives above, this is the structured, examinable version of the same competency.
The 6 Exam Domains
| Domain | Focus | % of Exam |
|---|---|---|
| D1 | Fundamental concepts and definitions of NIS 2 | 12.5% |
| D2 | Planning NIS 2 requirements implementation | 25% |
| D3 | Cybersecurity roles, responsibilities, and risk management | 18.75% |
| D4 | Cybersecurity controls, incident management, and crisis management | 18.75% |
| D5 | Communication and awareness | 12.5% |
| D6 | Testing and monitoring of a cybersecurity programme | 12.5% |
Notice how closely this maps to ReCyF: D3's risk management content lines up with Objective 16, D4's incident and crisis management content lines up with Objectives 12 through 15, D5's communication domain covers the awareness obligations under NIS 2 that ReCyF's HR and governance objectives assume are already running, and D6's testing and monitoring content is the exam-level version of Objectives 15, 17, and 20.
Credential Levels and Experience Requirements
| Credential | Total Experience | Project Hours |
|---|---|---|
| Provisional Implementer | None required | None |
| Implementer | 2 years (1 year cybersecurity) | 200 hours |
| Lead Implementer | 5 years (2 years cybersecurity) | 300 hours |
| Senior Lead Implementer | 10 years (7 years cybersecurity) | 1,000 hours |
The exam itself is open-book — candidates can reference the NIS 2 Directive text, official training materials, and personal notes. This is deliberate: PECB is testing whether you can apply the Directive under exam conditions, not whether you have memorised it.
Best Practice
If your organisation is specifically regulated in France, study ReCyF's 20 objectives alongside the PECB course material rather than after it. The certification teaches the Directive's structure; ReCyF teaches you what ANSSI will actually check during a control. Together, they turn exam knowledge into an implementation-ready gap analysis you can run on day one.
Training with reconn
reconn's founder, Shenoy Sandeep, personally delivers all NIS 2 Directive Lead Implementer training and mentoring — there is no sales team and no handoff to a generic trainer reading PECB's slide deck. Sessions are built around the real tools and frameworks EU compliance teams actually use: ENISA guidance, ISO 27001 control mapping, and — where relevant to your organisation — the ReCyF-specific requirements covered in this guide.
Ready to become a certified NIS 2 Directive Lead Implementer?
Official PECB self-study course with 2 exam attempts included, plus a free 1-on-1 guidance session with Shenoy to work through your organisation's ReCyF or NIS 2 gap analysis directly.
Conclusion
ReCyF is what turns NIS 2 from a directive full of "appropriate measures" language into a checklist ANSSI can actually audit against — and for organisations regulated in France, understanding it is no longer optional just because the transposition decree isn't finalised yet. The objectives, the physical-cyber convergence requirement, and the Essential Entity risk-based layer are all things ANSSI has said plainly it expects to see now, not once the law catches up.
For professionals building or leading these programmes, the PECB NIS 2 Directive Lead Implementer certification is the credential that proves you can do this work — recognised by ANSSI, BSI, and regulators across the EU, and directly aligned with everything ReCyF asks an implementer to deliver.
Ready to lead your organisation's NIS 2 and ReCyF compliance programme?
Whether you're pursuing the PECB Lead Implementer certification yourself or need a technical expert to guide your team's ReCyF gap analysis, Shenoy works directly with you — no sales team, no generic slide decks.
Further Reading
- NIS 2 Directive: The Complete Guide — Article 21's 10 mandatory measures, incident reporting timelines, penalties, and the full PECB Lead Implementer breakdown.
- ReCyF: Publication du référentiel d'exigences et du comparateur — ANSSI's own announcement of the ReCyF working document and the ISO comparison tool, from the Lab ANSSI innovation blog.
- MesServicesCyber — ReCyF Requirements & Comparator — ANSSI's official portal for exploring every ReCyF requirement and running a live comparison against ISO 2700X and EU Implementing Regulation 2024/2690.
About the Author
Shenoy Sandeep
Shenoy Sandeep is the Founder of reconn, an AI-first cybersecurity firm based in Dubai, UAE. With more than 20 years in cybersecurity, focussing on offensive security and threat intelligence, and over 10 years in enterprise AI, AI governance and data protection, he has assisted more than 25 startups in scaling their business across the Middle East and Africa region.
Training is Shenoy's passion project, and reconn is associated with PECB, a global leader in personal certifications for AI, cybersecurity, data protection, privacy and business continuity professionals. He is a PECB-certified trainer and one of the world's early PECB-certified AI professionals, also specialising in ISO/IEC 27001, ISO/IEC 27701, ISO 42001, ISO 22301, and GDPR.
Via reconn, Shenoy runs an advisory service assisting organisations in EMEA with compliance and certification on ISO 42001, ISO 27001, ISO 27701, ISO 22301 and local data protection and privacy laws. His current interests include the EU AI Act, NIS 2, DORA, EU/UK GDPR, the UAE PDPL and SDAIA PRPL.