ReCyF (Cyber France Framework): Definition, Objectives, and NIS 2 Requirements
The ReCyF is the French cybersecurity framework derived from the European NIS 2 Directive. It defines 20 security objectives for significant and essential entities and specifies the acceptable means for demonstrating compliance with them.
What is ReCyF?
ReCyF (Référentiel Cyber France) is the national regulatory framework that translates the requirements of the European NIS 2 Directive into concrete measures for cyber risk management.
It consists of two distinct levels:
Security objectives: These are the regulatory requirements established by decree. Compliance with them is mandatory. They answer the question "What should be done?"
Acceptable means of compliance: These are the specific measures proposed by ANSSI to achieve each objective. Their implementation is not mandatory (an entity may substitute alternative measures), but adopting them makes it easier to demonstrate compliance during an audit. They answer the question "How should this be done?"
Why was ReCyF created?
The ReCyF is part of the national implementation of the NIS 2 Directive through the Draft Law on Critical Infrastructure Resilience and Strengthening Cybersecurity (PJL).
Its objective is twofold: to provide the entities concerned with a clear and actionable framework for improving their security, and to enable ANSSI to monitor compliance with these requirements in a consistent manner throughout the country.
Who is subject to the ReCyF?
The ReCyF applies to three categories of entities:
Significant Entities (SE)
They are subject to security objectives 1 through 15. This foundation covers governance, system protection, defense, and basic resilience.
Essential Entities (EE)
They are subject to all 20 objectives: the 15 shared with SEs, plus 5 additional objectives (16 through 20) that require, among other things, a risk-based approach, regular audits, hardened configurations, administration from dedicated resources, and security oversight.
Operators of Vital Importance (OVI)
OVIs may also be affected with regard to certain of their information systems, depending on how the existing LPM (military programming law) regime for OVIs and the ReCyF are ultimately aligned.
The principle of proportionality applies: Objectives 16 through 20 apply only to EE, due to their higher level of criticality.
How does ReCyF work? Objectives vs. Compliance Measures
The logic behind ReCyF is based on a clear distinction between the end (the goal) and the means (the way to achieve it).
An entity can demonstrate compliance with a requirement in two ways:
- By applying the acceptable means of compliance listed in the standard;
- By implementing alternative measures, provided that the rationale for them is documented. ANSSI can then assess the appropriateness of these alternatives during an audit.
The framework also allows organizations to rely on recognized certifications or qualifications: ISO/IEC 27001:2022 certification and ANSSI-qualified service providers (PASSI, PACS, PAMS, PDIS) constitute acceptable evidence for meeting all or part of certain objectives.
The 20 security objectives of ReCyF
The 4 pillars of ReCyF
ReCyF organizes its 20 objectives around four pillars:
Governance (6 objectives): Laying the organizational and strategic foundations for digital security.
- OS1 — Inventory of Information Systems
- OS2 — Implementation of a Digital Security Governance Framework
- OS3 — Ecosystem Management (Suppliers and Service Providers)
- OS4 — Integrating Security into Human Resources Management
- OS16 — Implementation of a risk-based approach (EE only)
- OS17 — Information Systems Security Audit (EE only)
Security (9 objectives): securing systems, access, and technical architecture.
- OS5 — Mastery of Information Systems (mapping, patching)
- OS6 — Control of Physical Access to Premises
- OS7 — Securing Information Systems Architecture
- OS8 — Securing Remote Access
- OS9 — Malware Protection
- OS10 — Identity and Access Management (IAM)
- OS11 — Mastery of Information Systems Administration
- OS18 — Securing Resource Configuration (EE only)
- OS19 — Management via Dedicated Resources (EE only)
Defense (2 objectives): detect and respond to incidents.
- OS12 — Identifying and Responding to Security Incidents
- OS20 — IT Security Oversight (EE only)
Resilience (3 objectives): maintaining operations and recovering from cyber crises.
- OS13 — Business Continuity and Disaster Recovery
- OS14 — Response to cyber-related crises
- OS15 — Exercises, Tests, and Practice Sessions
ReCyF and NIS 2: What’s the connection?
ReCyF is the French operational implementation of the requirements set forth in Article 21 of the NIS 2 Directive, which requires entities to take appropriate measures to manage the risks affecting their networks and information systems.
Each ReCyF security objective corresponds to one or more provisions of NIS 2. For example: OS12 (incident management) corresponds to Article 21(2)(b) (incident handling); OS13 (business continuity) corresponds to Article 21(2)(c) (business continuity, backup, disaster recovery and crisis management); OS10 (identity and access management) corresponds to Article 21(2)(j) (multi-factor or continuous authentication).
How can you demonstrate compliance with ReCyF?
During an ANSSI audit, an organization may rely on several types of evidence:
- Internal documentation: list of information systems, compliance analysis, action plan, information security policy, ecosystem mapping;
- Recognized certifications: ISO/IEC 27001:2022 for governance and risk management objectives;
- ANSSI-qualified service providers: PASSI (audit), PACS (consulting), PAMS (secure administration and maintenance), PDIS (incident detection);
- Documented alternative measures, the appropriateness of which will be assessed by ANSSI.
FAQ
Is the ReCyF already in effect?
The document is currently a working draft (v2.5 dated March 17, 2026). Its final entry into force is contingent upon the publication of the decree issued pursuant to Article 14 of the draft law.
What is the difference between SE and EE in the ReCyF?
Essential Entities have more extensive obligations (20 objectives versus 15) and stricter requirements in certain areas, such as multi-factor authentication, network segmentation, monitoring, and a risk-based approach.
Can an ISO 27001 certification be used to comply with ReCyF?
Yes, to some extent. An ISO/IEC 27001:2022 certification can be cited during an audit to demonstrate compliance with the objectives it covers, within the scope of the certification.
What is an "acceptable means of compliance"?
This is a specific measure proposed by ANSSI to achieve a given objective. Its implementation is not mandatory, but if an organization implements it, it can cite it during an audit without having to further demonstrate its relevance.
Does ReCyF apply to outsourced IT systems?
Yes. When an entity outsources all or part of its information system, that system remains under the entity's responsibility and is not considered a third-party information system as defined by the framework. The obligations therefore apply to it in full.