ReCyF France and NIS 2: Complete Guide to the 20 Security Objectives and Becoming a PECB Certified Lead Implementer

ANSSI's ReCyF v2.5 turns the NIS 2 Directive into 20 auditable security objectives for organisations regulated in France. Here's the full breakdown, its mapping to NIS 2 Article 21, and the PECB Lead Implementer certification path.


ReCyF (Référentiel Cyber France) is the operational framework ANSSI published on 17 March 2026 to translate the NIS 2 Directive's Article 21 requirements into 20 concrete security objectives for organisations regulated in France. It is currently a working document pending the French transposition law, but ANSSI has explicitly told regulated entities not to wait for the final text before implementing it. This guide breaks down all 20 objectives, maps them against the Directive's core articles, and explains the fastest credible route to becoming a certified NIS 2 implementer: the PECB NIS 2 Directive Lead Implementer certification.

Key Takeaways

20: Security objectives in ReCyF v2.5 (15 apply to all regulated entities, 5 apply only to Essential Entities)

17 Mar 2026: Date ANSSI unveiled ReCyF at Campus Cyber, alongside a free ISO 27001 comparison tool

€10M: Maximum NIS 2 fine for Essential Entities, or 2% of global turnover, whichever is higher

Working document: ReCyF is not yet law; it becomes binding once France's transposition decree is finalised

6: Exam domains in the PECB NIS 2 Directive Lead Implementer certification

EBIOS RM: ANSSI's recommended risk methodology for ReCyF Objective 16 (Essential Entities only)


What Is ReCyF and Why ANSSI Built It

ReCyF (Référentiel Cyber France) is the French national cybersecurity framework that operationalises NIS 2 for organisations regulated in France, published by ANSSI as a working document on 17 March 2026. It answers a question that had been left open since NIS 2 entered into force in January 2023: what, specifically, does "appropriate technical, operational, and organisational measures" under Article 21 actually require an organisation to do?

France was already significantly behind schedule on transposing NIS 2 into national law — the deadline was 17 October 2024 — and ANSSI's Director General, Vincent Strubel, used the Campus Cyber launch event to make one point unambiguously clear: ReCyF should not be treated as optional just because it isn't yet backed by a final decree. Examination of the transposition bill (the Projet de loi relatif à la résilience des infrastructures critiques et au renforcement de la cybersécurité, or PJL Résilience) is expected in the French parliament's extraordinary session in July 2026, and ReCyF stays a working document until that process concludes.

Structurally, ReCyF separates two things that NIS 2 sometimes blurs together: security objectives (the "what" — a regulatory requirement fixed by decree that a regulated entity must satisfy) and acceptable means of compliance (the "how" — specific measures ANSSI proposes, which are not themselves mandatory, but which an organisation can point to during an ANSSI audit as recognised evidence of having met the objective). An organisation can also demonstrate compliance through documented alternative measures, provided ANSSI can assess their appropriateness during a control.

Definition: ReCyF

ReCyF is the cybersecurity framework referenced at Article 14 of France's NIS 2 transposition bill. It sets out 20 security objectives, split between those applicable to all regulated entities and those reserved for Essential Entities, plus a companion set of acceptable means of compliance ANSSI recommends for demonstrating each objective is met.

ReCyF also builds in a principle of proportionality: the level of effort expected scales to an organisation's maturity and resources, rather than demanding the same posture from a 60-person energy distributor as from a national telecom operator. ANSSI has said it will publish a further, smaller reference document under the separate Cyber Départ initiative — a subset of ReCyF aimed at the least mature entities, prioritising the cheapest measures with the highest security impact.

The 20 ReCyF Security Objectives, Explained

ReCyF v2.5 organises its 20 objectives into two tiers. Objectives 1 through 15 apply to every regulated entity in France — both Important Entities (IE) and Essential Entities (EE). Objectives 16 through 20 apply only to Essential Entities, reflecting NIS 2's higher supervisory bar for organisations in the most critical sectors.

Objectives Common to All Regulated Entities (1–15)

| # | Objective | What it requires |
|---|-----------|------------------|
| 1 | Information system inventory | A maintained register of systems, applications, and assets in scope |
| 2 | Digital security governance framework | A formal security policy covering encryption, access control, and periodic review of measures |
| 3 | Ecosystem control | Assessing and contractually managing the cybersecurity posture of suppliers and service providers |
| 4 | Digital security in HR management | Security clauses in employment terms and a unified joiner/mover/leaver process covering logical and physical access together |
| 5 | Information system control | Mapping of systems and formal maintenance-in-operational-condition / maintenance-in-security-condition (MCO/MCS) procedures |
| 6 | Physical access control | Badge systems, visitor registers, and protection of premises and technical rooms housing critical systems |
| 7 | Architecture security | Network segmentation and filtering that isolates critical systems from general IT |
| 8 | Remote access security | Hardened, authenticated remote connections to information systems |
| 9 | Protection against malicious code | Anti-malware controls appropriate to the systems and data at risk |
| 10 | Identity and access management | Authentication mechanisms, account security, and least-privilege access |
| 11 | Administration control | Administration actions performed exclusively from dedicated administration accounts |
| 12 | Incident identification and response | Detection, escalation, and response procedures for security incidents |
| 13 | Continuity and recovery | Business continuity and disaster recovery plans for critical systems |
| 14 | Reaction to cyber-origin crises | Crisis management procedures specific to cybersecurity events |
| 15 | Exercises, tests, and drills | Regular testing of incident response and crisis management plans, with documented lessons learned |

Objectives Reserved for Essential Entities (16–20)

| # | Objective | What it requires |
|---|-----------|------------------|
| 16 | Risk-based approach | A structured cyber risk analysis under the accountability of the executive director, with ANSSI citing EBIOS Risk Manager as an appropriate method |
| 17 | SSI audit | Periodic internal or independent audits of the information security management system |
| 18 | Secure configuration of system resources | Hardened baseline configurations across infrastructure |
| 19 | Administration from dedicated resources | Administration performed only from a hardened, isolated set of resources, what ANSSI calls a "trusted core" |
| 20 | SSI supervision | Continuous monitoring and supervision of the information security posture, typically via a SOC function |

Why This Matters

Because ReCyF v2.5 is still a working document, the exact objective count, numbering, and wording may shift before France's final transposition decree is published. The structure and logic described here — 15 shared objectives plus 5 Essential-Entity-only objectives, each backed by acceptable means of compliance — is the version ANSSI presented on 17 March 2026 and is what implementation teams should plan against today, cross-checking updates on ANSSI's MesServicesCyber portal as the legislative process advances.

Mapping ReCyF to the NIS 2 Directive

Each ReCyF objective is France's operational answer to a specific requirement in the NIS 2 Directive, primarily Article 21's ten risk management measures, with governance tied to Article 20 and reporting tied to Article 23. Reading ReCyF without holding the Directive text alongside it means implementing measures without understanding which legal obligation they satisfy — and, just as importantly, where ReCyF adds French-specific expectations the Directive itself leaves more open.

The table below is a practical cross-reference for implementation teams. It is not ANSSI's official 1:1 mapping — for a definitive, article-by-article comparison, use the free ANSSI comparison tool on MesServicesCyber, linked in Further Reading below, which also maps ReCyF against ISO 27001/27002/27005 and the Annex to EU Implementing Regulation 2024/2690.

| ReCyF objectives | NIS 2 Article 21 measure |
|------------------|--------------------------|
| 1, 2, 5, 16 (EE) | Measure 1: Risk analysis and information security policies |
| 12 | Measure 2: Incident handling |
| 13, 14, 15 | Measure 3: Business continuity and crisis management |
| 3 | Measure 4: Supply chain security |
| 7, 18 (EE) | Measure 5: Security in acquisition, development, and maintenance |
| 17, 20 (EE) | Measure 6: Assessing effectiveness of risk management measures |
| 9 | Measure 7: Basic cyber hygiene and training |
| 2 (encryption clauses) | Measure 8: Cryptography and encryption |
| 4, 6, 10, 11, 19 (EE) | Measure 9: HR security, access control, and asset management |
| 8 | Measure 10: MFA, secured communications, emergency systems |

Two other Directive articles matter as much as Article 21 for anyone implementing ReCyF:

Article 20 — Governance. Management bodies must approve the cybersecurity risk management measures, oversee their implementation, and receive cybersecurity training themselves. ReCyF Objective 2's governance framework and Objective 16's risk-based approach both explicitly place accountability with the executive director for Essential Entities — this is the operational expression of Article 20's personal liability provision, not a separate French invention.

Article 23 — Incident reporting. The Directive's three-stage timeline (24-hour early warning, 72-hour notification, 30-day final report) is the obligation that ReCyF Objective 12 must be built to satisfy. A ReCyF-compliant incident response process has to be able to produce that 24-hour early warning to ANSSI's CSIRT without waiting for the full picture — something implementation teams routinely underestimate until they run their first tabletop exercise against the real deadline.

Physical-Cyber Convergence: ReCyF's Sharpest Edge

ReCyF formally folds physical security into cybersecurity compliance, requiring badge systems, visitor logs, and premises protection to be governed and audited alongside logical access controls rather than left to a separate facilities function. This is the single biggest operational surprise for organisations that treat NIS 2 as a purely IT and network security exercise.

Three ReCyF objectives carry this convergence explicitly:

Objective 6 (Physical Access Control) is entirely dedicated to badge system implementation, visitor management, and protection of server rooms and technical facilities — with access logging and audit trails expected as standard evidence.

Objective 4 (Digital Security in HR Management) requires that when an employee leaves or changes role, logical access revocation and physical access revocation happen as one coordinated process — not two separate tickets in two separate systems that may or may not close on the same day.

Objective 7 (Architecture Security) extends zoning beyond network segmentation into physical or logical isolation of critical systems, which for organisations running industrial control systems or OT environments means separating those networks from corporate IT at both the network and facility level.
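The Objective 4 failure mode described above, two tickets in two systems that may not close on the same day, is easy to detect once the HR leaver list, the IAM directory and the badge system are read side by side. The script below is an added example (not ANSSI's tooling and not code from the page): it reconciles the three extracts and reports leavers whose logical or physical access is still open, plus identities that exist in IAM or the badge system but are unknown to HR. The extracts, user names and status vocabulary ("enabled"/"disabled", "active"/"revoked") are constructed for the example; a real run would read the equivalent exports from your own systems.

```python
from datetime import date

# Constructed sample extracts (not real data): HR roster and leaver list,
# an IAM directory export, and the badge (physical access) system export.
HR_ROSTER = {"dave", "erin"}                     # still employed
HR_LEAVERS = {                                   # user -> last working day
    "alice": date(2026, 3, 20),
    "bob":   date(2026, 3, 31),
    "carol": date(2026, 4, 2),
}
IAM_ACCOUNTS = {"alice": "disabled", "bob": "enabled", "carol": "enabled",
                "dave": "enabled", "erin": "enabled", "frank": "enabled"}
BADGES = {"alice": "active", "bob": "revoked", "carol": "active",
          "dave": "active", "erin": "active"}


def reconcile(as_of, roster, leavers, iam_accounts, badges):
    """Return a sorted list of (user, issue) tuples covering the three gaps an
    auditor looks for under Objective 4: a leaver whose IAM account is still
    enabled, a leaver whose badge is still active, and an identity present in
    IAM or the badge system that HR does not know at all."""
    findings = []
    for user, last_day in leavers.items():
        # Access is legitimately open up to and including the last working
        # day; the check applies from the following day onwards.
        if last_day >= as_of:
            continue
        if iam_accounts.get(user) == "enabled":
            findings.append((user, "iam-account-still-enabled"))
        if badges.get(user) == "active":
            findings.append((user, "badge-still-active"))
    # Orphan check: anything with an account or a badge must be traceable to HR.
    known = roster | set(leavers)
    for user in (set(iam_accounts) | set(badges)) - known:
        findings.append((user, "orphan-identity"))
    return sorted(findings)


if __name__ == "__main__":
    for user, issue in reconcile(date(2026, 4, 1), HR_ROSTER, HR_LEAVERS,
                                 IAM_ACCOUNTS, BADGES):
        print(f"{user:8s} {issue}")
```

Run against the constructed data as of 1 April 2026, it reports alice (IAM closed, badge still active), bob (badge revoked, IAM still enabled) and frank (an IAM account HR has never heard of), and stays silent about carol, whose last working day has not yet passed. Scheduling this daily and feeding the output into the ticketing queue is one way to produce the evidence trail Objective 4 asks for.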

Risk Alert

Badge access systems, CMDBs, vulnerability scanners, and SIEM platforms typically run in separate silos, owned by facilities and IT security teams that rarely coordinate. ReCyF makes this coordination a compliance requirement, not a nice-to-have — a vulnerability on a server in a badge-controlled, camera-monitored room is a materially different risk than the same vulnerability on hardware in an open-plan office, and ReCyF expects that context to inform vulnerability prioritisation.
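The Risk Alert above, and the Phase 4 integration points later in this guide (CMDB cross-referenced with room assignments, scanner findings tagged with physical access context), come down to a join across three silos. The following is an added example, not ANSSI's method and not code from the page, of what that join looks like: scanner findings are matched to a CMDB room assignment and a facilities room register, and the priority of findings that require local or physical access is lowered where the room is badge-controlled, while network-reachable findings keep their full score because a badge does nothing against a remote attacker. Hosts the CMDB does not know are flagged as an inventory gap (Objective 1) and treated as worst case. The room register, CMDB rows, finding identifiers and the exposure weights are all constructed assumptions for the example; only the "av" field follows the real CVSS v3 Attack Vector values (N, A, L, P).

```python
# Constructed sample data (not real scan output, a real CMDB, or a real room register).
ROOMS = {  # physical zone register, normally owned by facilities
    "DC-01":   {"badge": True,  "camera": True},
    "NET-02":  {"badge": True,  "camera": False},
    "OPEN-3F": {"badge": False, "camera": False},
}
CMDB = {"erp-db01": "DC-01", "fw-edge01": "NET-02", "kiosk-07": "OPEN-3F"}  # host -> room
SCAN = [  # finding ids are placeholders, not real CVE numbers; "av" is the CVSS v3 Attack Vector
    {"host": "erp-db01",  "finding": "VULN-0001", "cvss": 9.8, "av": "N"},
    {"host": "kiosk-07",  "finding": "VULN-0002", "cvss": 7.5, "av": "P"},
    {"host": "fw-edge01", "finding": "VULN-0003", "cvss": 8.1, "av": "L"},
    {"host": "lab-nas03", "finding": "VULN-0004", "cvss": 8.1, "av": "L"},  # absent from CMDB
]


def physical_exposure(room):
    """Assumed weights (illustrative, not values from ReCyF): badge control,
    and additionally a camera, lower the likelihood that a locally or
    physically exploitable weakness is ever reached."""
    if room is None:
        return 1.0  # location unknown: assume worst case
    if room["badge"] and room["camera"]:
        return 0.6
    if room["badge"]:
        return 0.8
    return 1.0


def prioritise(scan, cmdb, rooms):
    """Join scanner findings with CMDB room assignments and the room register,
    returning findings sorted by context-adjusted priority (highest first)."""
    result = []
    for f in scan:
        room_id = cmdb.get(f["host"])
        room = rooms.get(room_id) if room_id else None
        flags = []
        if room_id is None:
            flags.append("inventory-gap")   # host missing from the CMDB (Objective 1)
        elif room is None:
            flags.append("unknown-room")    # CMDB names a room facilities does not register
        # Physical controls only matter for weaknesses reached locally or physically.
        factor = physical_exposure(room) if f["av"] in ("L", "P") else 1.0
        result.append({
            "host": f["host"], "finding": f["finding"], "room": room_id,
            "priority": round(f["cvss"] * factor, 2), "flags": flags,
        })
    return sorted(result, key=lambda r: (-r["priority"], r["host"]))


if __name__ == "__main__":
    for r in prioritise(SCAN, CMDB, ROOMS):
        print(f'{r["priority"]:5.2f} {r["host"]:10s} {r["finding"]} room={r["room"]} {r["flags"]}')
```

On the constructed data the network-reachable 9.8 on erp-db01 stays at the top regardless of the datacentre's badge and camera, the unlocated lab-nas03 is pushed above the open-plan kiosk by its inventory-gap flag and worst-case weighting, and the locally exploitable finding on fw-edge01 drops to 6.48 because its room is badge-controlled. The weights are the part a real programme would argue over and document; the structure (join, then adjust only what physical controls actually affect) is what the convergence requirement asks for.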

Running a ReCyF Gap Analysis Against ISO 27001

ANSSI's free comparison tool on MesServicesCyber lets organisations already certified to ISO 27001, 27002, or 27005 map their existing controls against ReCyF's 20 objectives to identify what's already covered and what still needs building. The honest answer to "does ISO 27001 certification cover ReCyF?" is: partially, and unevenly.

ISO/IEC 27001:2022 certification is explicitly recognised by ReCyF as acceptable evidence for governance-related objectives — particularly Objective 2. ANSSI-qualified services (PASSI for audit, PACS for consulting, PAMS for secure administration, PDIS for incident detection) similarly count as acceptable evidence for the objectives they touch. But ISO 27001's Annex A controls were not written with ReCyF's physical-cyber convergence requirements in mind, and organisations relying solely on an existing ISO certificate typically find gaps concentrated in three areas: the unified logical-and-physical offboarding process under Objective 4, the badge-and-premises evidence trail under Objective 6, and — for Essential Entities — the EBIOS RM-based risk methodology expected under Objective 16.

The comparison tool filters requirements by theme and by whether they apply to Important or Essential Entities, and cross-references them against ISO 2700X and the Annex to EU Implementing Regulation 2024/2690. Running this comparison before starting an implementation programme is the fastest way to avoid rebuilding controls that already exist under a different name.

Implementation Roadmap: From Gap Analysis to Compliance

Phase 1 — Scope and Classify

Confirm whether your organisation meets the Important or Essential Entity threshold under NIS 2, map your services against Annex I and Annex II sectors, and determine which of ReCyF's 20 objectives apply to you.

Phase 2 — Gap Analysis

Run ANSSI's ISO comparison tool against any existing certifications, then conduct a formal objective-by-objective assessment across all 20 ReCyF objectives, documenting what's in place, partially implemented, or entirely absent.

Phase 3 — Governance and Physical-Cyber Coordination

Assign accountability at the executive level per Objective 2 and Article 20, and — critically — bring facilities and IT security teams into a shared governance structure before touching technical controls. This is the phase most implementations underestimate.

Phase 4 — Technical and Physical Control Implementation

Deploy the objective-specific controls: segmentation, IAM, encryption, malware protection, hardened administration, badge systems, and the integration points between them (CMDB cross-referenced with room assignments, vulnerability scanners tagged with physical access context).

Phase 5 — Incident Response and Crisis Testing

Build the Objective 12 incident response process against Article 23's real deadlines, then test it — Objective 15 explicitly requires documented exercises and drills, not a plan that has only ever existed on paper.

Phase 6 — Essential Entity Layer (If Applicable)

For Essential Entities, add the EBIOS RM-based risk programme (Objective 16), an audit schedule (Objective 17), hardened baseline configurations (Objective 18), a dedicated administration "trusted core" (Objective 19), and continuous SOC-based supervision (Objective 20).

Becoming an Expert: PECB NIS 2 Directive Lead Implementer

The PECB Certified NIS 2 Directive Lead Implementer is the credential most consistently recognised by EU regulators and employers as evidence someone can lead a NIS 2 compliance programme end to end — including in France, where ANSSI accepts PECB-certified staff as evidence of qualified personnel during controls. For anyone who has just worked through ReCyF's 20 objectives above, this is the structured, examinable version of the same competency.

The 6 Exam Domains

| Domain | Focus | % of exam |
|--------|-------|-----------|
| D1 | Fundamental concepts and definitions of NIS 2 | 12.5% |
| D2 | Planning NIS 2 requirements implementation | 25% |
| D3 | Cybersecurity roles, responsibilities, and risk management | 18.75% |
| D4 | Cybersecurity controls, incident management, and crisis management | 18.75% |
| D5 | Communication and awareness | 12.5% |
| D6 | Testing and monitoring of a cybersecurity programme | 12.5% |

Notice how closely this maps to ReCyF: D3's risk management content lines up with Objective 16, D4's incident and crisis management content lines up with Objectives 12 through 15, D5's communication domain covers the awareness obligations under NIS 2 that ReCyF's HR and governance objectives assume are already running, and D6's testing and monitoring content is the exam-level version of Objectives 15, 17, and 20.

Credential Levels and Experience Requirements

| Credential | Total experience | Project hours |
|------------|------------------|---------------|
| Provisional Implementer | None required | None |
| Implementer | 2 years (1 year cybersecurity) | 200 hours |
| Lead Implementer | 5 years (2 years cybersecurity) | 300 hours |
| Senior Lead Implementer | 10 years (7 years cybersecurity) | 1,000 hours |

The exam itself is open-book — candidates can reference the NIS 2 Directive text, official training materials, and personal notes. This is deliberate: PECB is testing whether you can apply the Directive under exam conditions, not whether you have memorised it.

Best Practice

If your organisation is specifically regulated in France, study ReCyF's 20 objectives alongside the PECB course material rather than after it. The certification teaches the Directive's structure; ReCyF teaches you what ANSSI will actually check during a control. Together, they turn exam knowledge into an implementation-ready gap analysis you can run on day one.

Training with reconn

reconn's founder, Shenoy Sandeep, personally delivers all NIS 2 Directive Lead Implementer training and mentoring — there is no sales team and no handoff to a generic trainer reading PECB's slide deck. Sessions are built around the real tools and frameworks EU compliance teams actually use: ENISA guidance, ISO 27001 control mapping, and — where relevant to your organisation — the ReCyF-specific requirements covered in this guide.

CERTIFICATION PATHWAY

Ready to become a certified NIS 2 Directive Lead Implementer?


Official PECB self-study course with 2 exam attempts included, plus a free 1-on-1 guidance session with Shenoy to work through your organisation's ReCyF or NIS 2 gap analysis directly.

reconn.io  |  Dubai  |  Remote delivery worldwide

Conclusion

ReCyF is what turns NIS 2 from a directive full of "appropriate measures" language into a checklist ANSSI can actually audit against — and for organisations regulated in France, understanding it is no longer optional just because the transposition decree isn't finalised yet. The objectives, the physical-cyber convergence requirement, and the Essential Entity risk-based layer are all things ANSSI has said plainly it expects to see now, not once the law catches up.

For professionals building or leading these programmes, the PECB NIS 2 Directive Lead Implementer certification is the credential that proves you can do this work — recognised by ANSSI, BSI, and regulators across the EU, and directly aligned with everything ReCyF asks an implementer to deliver.


Further Reading

Frequently Asked Questions

Is ReCyF mandatory right now?

Not yet in the strict legal sense — ReCyF remains a working document until France finalises its NIS 2 transposition law, expected to be examined in the French parliament's extraordinary session in July 2026. However, ANSSI's Director General has explicitly told regulated entities not to wait, since implementing ReCyF now both prepares them for the eventual legal requirement and protects against a cyber threat that is already active regardless of the law's status.

How many objectives does ReCyF have, and do they all apply to my organisation?

ReCyF v2.5 sets out 20 security objectives. Objectives 1 through 15 apply to every regulated entity, whether classified as an Important Entity or an Essential Entity. Objectives 16 through 20 — covering the risk-based approach, security audits, system hardening, dedicated administration resources, and SSI supervision — apply only to Essential Entities, reflecting NIS 2's proportionality principle.

Does having ISO 27001 certification mean I already comply with ReCyF?

Only partially. ISO/IEC 27001:2022 is explicitly recognised as acceptable evidence for some ReCyF objectives, particularly governance under Objective 2, but it does not cover ReCyF's physical-cyber convergence requirements in full — especially the unified logical-and-physical offboarding under Objective 4 and the badge/premises evidence trail under Objective 6. ANSSI's free comparison tool on MesServicesCyber lets you run a precise gap analysis against your existing ISO certification.

What is the difference between Important Entities and Essential Entities under ReCyF?

Both entity types must meet ReCyF Objectives 1 through 15 and are subject to identical Article 21 security requirements under NIS 2. Essential Entities additionally face Objectives 16 through 20 — a formal risk-based approach using methods like EBIOS RM, periodic security audits, hardened system configurations, dedicated administration resources, and continuous SSI supervision — reflecting their higher-criticality status and NIS 2's proactive, ex-ante supervision model for this category.

Why does ReCyF include physical security requirements like badge systems?

ReCyF formally treats physical security as inseparable from cybersecurity compliance. A vulnerability on a server in a badge-controlled, camera-monitored room carries materially different risk than the same vulnerability on hardware in an open-plan office, and ANSSI expects that context to inform how organisations prioritise and evidence their security posture — which is why Objectives 4, 6, and 7 explicitly require physical access control, unified offboarding, and physical zoning alongside their logical equivalents.

What is the PECB NIS 2 Directive Lead Implementer certification?

It is a globally recognised professional certification validating the competence to plan, implement, manage, and maintain a NIS 2 compliance programme. The exam covers 6 domains — fundamentals, implementation planning, risk management, cybersecurity controls and crisis management, communication and awareness, and testing/monitoring — and follows the ISO/IEC 17024:2012 personnel certification standard. National regulators including France's ANSSI and Germany's BSI accept PECB-certified staff as evidence of qualified personnel.

Do I need work experience to take the PECB NIS 2 Lead Implementer exam?

No experience is required to sit the exam and earn the Provisional Implementer credential. To apply for the full Lead Implementer credential, PECB requires 5 years of total professional experience, including 2 years in cybersecurity, plus 300 hours of implementation project activities such as risk assessments, incident response plan management, and security control implementation.

How does ReCyF relate to NIS 2 Article 23's incident reporting deadlines?

ReCyF Objective 12 (Incident Identification and Response) is the operational requirement France uses to ensure organisations can actually meet Article 23's three-stage reporting timeline: a 24-hour early warning, a 72-hour full notification, and a 30-day final report to the national CSIRT. Building an incident response process that satisfies Objective 12 in practice means it must be capable of producing that 24-hour early warning before the full scope of an incident is even known.

About the Author

Shenoy Sandeep

Shenoy Sandeep is the Founder of reconn, an AI-first cybersecurity firm based in Dubai, UAE. With more than 20 years in cybersecurity, focused on offensive security and threat intelligence, and over 10 years in enterprise AI, AI governance and data protection, he has assisted more than 25 startups in scaling their business in the Middle East and Africa region.

Training is Shenoy's passion project, and reconn has partnered with PECB, a global leader in professional certifications for AI, cybersecurity, data protection, privacy and business continuity practitioners. He is a PECB-certified trainer and one of the world's early PECB-certified AI professionals, also specialising in ISO/IEC 27001, ISO/IEC 27701, ISO 42001, ISO 22301, and GDPR.

Via reconn, Shenoy runs an advisory service assisting organisations in EMEA with compliance and certification against ISO 42001, ISO 27001, ISO 27701, ISO 22301 and local data protection and privacy laws. His current interests include the EU AI Act, NIS 2, DORA, EU/UK GDPR, the UAE PDPL and SDAIA PRPL.