The French state's cybersecurity roadmap: the document that says everything without meaning to
An official document lands on your desk. It comes from the Prime Minister. It is called "Roadmap of priority efforts for the state's digital security 2026-2027". You open it.

You are a CISO in a French company. For months you have been told to prepare for NIS2, to structure your governance, to prove that your access is under control, that your backups are tested, that your systems are up to date for a solid level of cybersecurity. You are working on it, with tight budgets and constant trade-offs. And then an official document lands on your desk. It comes from the Prime Minister. It is called "Roadmap of priority efforts for the state's digital security 2026-2027". You open it. And you discover that the state, the very one that sets the rules, has not yet done what it demands of you.
This document, approved by the strategic committee on digital security, is meant to be a roadmap. In reality, it is an inventory of admissions. Not because what it asks for is absurd. On the contrary, every action listed is perfectly sensible. The problem lies elsewhere. The problem is that these actions should have been in place for years, and that the entities involved are not small rural businesses. They are ministries.
What the document really says
Action 7.a asks ministries to put in place multi-factor authentication for all information system administrators by 31 December 2026. Which means that in April 2026, privileged accounts, the ones with total access to the state's most sensitive infrastructure, are still running on a simple password. We are not talking about guest Wi-Fi access. We are talking about the keys to the kingdom. MFA on administrator accounts is the foundation. It is the first thing any auditor checks. And the state is giving itself another eight months to do it.
Action 6.e calls for the removal of generic accounts by 30 June 2026. A generic account is a login shared between several people. When an incident occurs, it is impossible to know who did what. It is anti-traceability by design. Every security framework for the past fifteen years has banned this practice. And yet the document admits that these accounts still exist in ministerial information systems, and that a formal target is needed to eliminate them.
Action 6.b provides for reviews of access rights "at least once a year" for high-stakes systems. Once a year. For critical state systems. In the banking sector, privileged accounts are reviewed quarterly. In most compliance frameworks, an annual review is the minimum for standard access, not for the systems that support a ministry's essential missions.
Action 8.b calls for the rollout of EDR or XDR solutions across all workstations and servers by 31 December 2026. Which means that ministries are today operating without advanced detection capability on their endpoints. In a context that the document itself describes as "a general rise in the threat and a degraded geopolitical situation". Companies have been asked to monitor their endpoints for years, and the state has not yet finished doing so at home.
Action 9.b concerns backup tests. The document specifies that a first test was "previously planned from 31 March 2025" and that a new test must be carried out by 30 June 2026. The wording is telling. It does not say "continue regular testing". It says "a test must be carried out". Which suggests that the first appointment was not kept everywhere, or that the results were bad enough to justify a reminder.
The context the document tries not to name
The roadmap says it itself, without dwelling on it: "the multiple intrusions and data breaches that affected the information systems of ministries and of the bodies under their supervision in 2025 are a reminder of the persistence of serious vulnerabilities". It is a remarkable sentence, both for what it contains and for what it does not develop. It gives no figures. It does not name the ministries hit. It does not describe the nature of the breaches. But it acknowledges, in an official document approved at the highest level, that the state's systems were breached and that data leaked. And that the response is a two-year catch-up plan.
The document also acknowledges, again between the lines, that budget constraints slowed the implementation of the previous roadmap. This is not trivial. It means that the 2025-2026 roadmap was not fully carried out, and that the 2026-2027 version "takes up its actions" and "firms up certain deadlines". In other words, we push back and start over. The cycle is familiar to anyone who has worked with large organizations, but it takes on a particular dimension when the organization in question is the one writing the rules for everyone else.
The structural paradox
This is where the dissonance becomes hard to ignore. Through NIS2, the French state is building a regulatory framework that will impose strict obligations on essential and important entities regarding governance, risk management, detection and incident response. These obligations are necessary. No serious person disputes it. But when the state itself fails to apply these same principles to its own systems, the regulator's credibility is at stake.
And the problem goes beyond credibility. In 2025, during the debates on the anti-narcotrafficking law, the National Assembly seriously discussed installing access mechanisms in encrypted messaging. The government found the time and the political energy to propose weakening encryption, while it had not yet managed to impose MFA on its own administrators. There is in that sequence an inconsistency that goes beyond political clumsiness. It is a problem of priority ordering, and it reveals a deep confusion about what "digital security" means in practice.
What this roadmap says about us
The document is not bad in itself. It is clear-eyed about the gaps, precise in its deadlines, structured in its priorities. The addition of the post-quantum dimension (Actions 10.a to 10.d) shows a genuine capacity for anticipation. The intent to oversee the cybersecurity of public bodies under ministerial supervision is a step in the right direction. The problem is not the plan. The problem is that we are still at the plan stage.
When a state publishes a roadmap in 2026 asking its ministries to remove generic accounts, to test their backups and to put MFA on admin accounts, that is not a signal of maturity. It is a signal of emergency disguised as a governance document. And any professional who reads it with a minimum of field experience understands exactly what it means about the real state of the systems behind the facade.
The state asks French companies to bring themselves into compliance. It would do well to start by applying that to itself. Not because it would be symbolically elegant, but because attackers do not read roadmaps. They read vulnerabilities.
Questions fréquentes
What does Action 7.a of the roadmap require?
It requires putting in place multi-factor authentication for all information system administrators in the ministries by 31 December 2026. This reveals that in April 2026, privileged accounts were still running on a simple password.
Why is removing generic accounts important?
A generic account is a login shared between several people, which makes it impossible to know who did what during an incident. Action 6.e sets their removal for 30 June 2026, even though this practice has been banned by security frameworks for fifteen years.
Does the document acknowledge security incidents?
Yes. It mentions "the multiple intrusions and data breaches that affected the information systems of ministries in 2025", without giving figures, naming the ministries, or describing the nature of the breaches.
What is the paradox with NIS2?
Through NIS2, the state is building a framework that imposes strict obligations on companies for governance, risk management and detection, while it has not yet applied these same basic principles to its own systems. This weakens the regulator's credibility.
Does the roadmap include forward-looking measures?
Yes. Actions 10.a to 10.d add a post-quantum dimension, which the author recognizes as a genuine capacity for anticipation, as is the oversight of the cybersecurity of public bodies under ministerial supervision.

Être en cybersécurité
Une feuille de route cyber en clair, pour tout le monde, pas seulement les experts.
