ReCyF, backdoors and USB sticks: France in cybersecurity, between clarity and anachronism
France produces a cyber framework of international quality while being incapable of passing the law that makes it applicable, because the DGSI wants to read your Signal messages. And the framework itself illustrates human risk with a USB stick in 2026.

Imagine you are handed the detailed plans for a house, the materials, the tools, the plot ready to build on, and you are told: "Go ahead, get started. But the building permit, we'll see about that later. Maybe in July. If the parliamentary calendar allows. And subject to an extraordinary session."
That is exactly the situation now facing the 15,000 French entities covered by the European NIS 2 directive.
On 17 March 2026, ANSSI unveiled the ReCyF (Référentiel Cyber France) at the Campus Cyber. 47 pages, version 2.5, co-built with the French cybersecurity ecosystem. 20 security objectives, spread across four pillars (governance, protection, defence, resilience), with a clear distinction between the mandatory "what" and the recommended "how". Vincent Strubel, ANSSI's director general, summed up the situation in a single sentence: "It will remain a working document until NIS 2 is transposed into French law, but above all we must not wait to implement it."
The framework is ready. The threat is here. But the law is stuck. And the reason for that gridlock deserves a pause, because it says something profound about our collective priorities.

A text stuck on a debate about backdoors
The Résilience bill was presented in October 2024, passed by the Sénat on 15 October 2024 (two days before the European deadline), then approved unanimously by the Assemblée's special committee in September 2025. Since then: nothing. No examination in session. Likely horizon: July 2026, subject to an extraordinary session.
The reason is not a legislative traffic jam. It is a targeted political disagreement. Article 16 bis, introduced in the Sénat, prohibits requiring encryption service providers to build backdoors into messaging services. This provision reportedly displeases the DGSI. And that disagreement is enough to freeze the entire text.
Read that again slowly. A bill meant to protect 15,000 entities against mass cybercriminal threats is being delayed because two institutions cannot agree on whether the State should be able to read your encrypted messages.
The Commission supérieure du numérique et des postes (CSNP) issued a statement on 18 March to say out loud what many think quietly: this point of contention "cannot justify deliberately delaying the adoption of such an essential text". Member of parliament Philippe Latombe wrote to the Prime Minister back in February to warn of the risk of a European fine.
Meanwhile, 20 of the 27 member states have already transposed the directive. France, one of the most heavily targeted countries for cyberattacks in Europe, looks like a laggard. And the signal sent to the 15,000 future entities subject to the rules is devastating. Because the human brain does not work in watertight compartments: when Parliament does not treat a text as urgent, the head of an SME gets the implicit message that they too have no need to hurry. It is a classic framing bias, and it is killing the momentum ANSSI is trying to create.

A solid framework, but anchored in a worldview that is dated
Let's turn to the content. Because the ReCyF deserves better than the "here are the 4 pillars and the 20 objectives" treatment you read everywhere this week. I read all 47 pages. What I found is serious work, structurally intelligent, with a genuine principle of proportionality built in from the design stage. The comparison tool with ISO 27001 is a real contribution. The mapping tables with NIS 2 are clean. This is good work from ANSSI.
But the ReCyF carries within it a blind spot that I find in almost every compliance framework I have audited over the past ten years. It secures systems by assuming that the humans who use them are controlled variables. They are not. And several choices in the document reveal this glaringly.
The example that says it all. The justification for objective 4 (human factor), on page 39, illustrates the risk with "the connection of an infected removable device". In 2026. The infected USB stick. A compromise vector that accounts for a marginal fraction of real incidents. Not targeted phishing, not vishing by voice deepfake, not prompt injection on an internal AI agent, not the compromise of credentials via an infostealer on the personal machine of a remote-working employee. The example chosen by ANSSI to illustrate human danger is a physical object you plug in. Not the cognitive click that happens in the brain of a tired human faced with a well-crafted email. This is not a detail: it reveals the mental model underlying the framework.
The human factor reduced to a charter. Objective 4 is five measures: a usage charter, an awareness programme, contractual clauses, an onboarding/offboarding process, training for digital roles. In other words: explain the rules, get a paper signed, train those who touch the machines. No mention of a security culture, of cognitive biases, of measuring the real effectiveness of awareness efforts, of the cognitive load imposed by security controls. Phishing does not work because people have not been made aware. It works because the human brain is wired to respond to urgency, authority and curiosity, and attackers know this better than the people who draft frameworks.
The blind compliance of important entities. Risk analysis (objective 16) is required only of essential entities. Important entities apply the 15 objectives of the common base without having to identify what specifically threatens them. A healthcare SME and a transport SME will have the same framework, without knowing whether that framework addresses their real exposures. Compliance without risk analysis is compliance with your eyes closed. Between a full EBIOS RM and nothing at all, there was a vast space for a simplified tool to prioritise by exposure. The ReCyF does not fill it.
Risk management is part of our daily life: when we lock the door, or when we put on sunscreen. That is a risk management strategy. So why exclude a significant slice of the entities covered by NIS2?
And by the way, speaking of EBIOS RM, we are going to have to talk one day about this methodology, which has more to do with religion than with risk management.
Banning BYOD in 2026. Objective 9.2 bans BYOD for essential entities. In 2026, that denies a reality of how people work. Remote work is structural. Employees check Teams on their personal phone, look at an email at 10 pm, scan a document from the mobile app. Banning BYOD does not secure a perimeter, it pushes people toward shadow IT: people will use their device anyway, but without a controlled framework, without visibility for the CISO. A managed BYOD is infinitely safer than a clandestine one.
No mention of AI or the software supply chain. Not a word on deepfakes, automated phishing, AI agents deployed internally. Nothing on SBOMs, the integrity of software dependencies, unmaintained open source libraries. In March 2026, after SolarWinds, Log4Shell and XZ Utils, this is a silence that reality will quickly catch up with.

What this means for organisations
The ReCyF remains the best available roadmap for getting ahead of NIS 2 in France. ANSSI says entities that apply it right now will be able to point to that in the event of an inspection. It is a clear signal, and it should be taken seriously.
But if you are a CISO or the head of an entity concerned, do not treat this framework as a checklist. Run a gap analysis, yes. Use the comparison tool on MesServicesCyber if you are already certified to ISO 27001. But above all: even if the ReCyF does not require it, do a risk analysis. And invest in the human factor beyond a charter and an annual awareness session. Phishing simulations with impact measurement. Post-incident lessons learned that include behavioural analysis, not just the technical side. Thinking about the points where your teams work around controls not out of malice, but because the process is badly designed.
Compliance protects you before an auditor. Only a real understanding of your exposure protects you before an attacker.
The final word
France is capable of producing a cybersecurity framework of international quality, co-built over two years with the entire ecosystem, while being incapable of passing the law that makes it applicable because the DGSI wants to be able to read your Signal messages. And the framework itself, however serious, illustrates human risk with a USB stick in 2026.
There is something very French in this double image: technical excellence, strategic clarity, and at the same time a persistent gap with reality on the ground. The ReCyF protects systems. But cybersecurity in 2026 is no longer a matter of systems. It is a matter of human decisions under cognitive constraint. And as long as our frameworks fail to account for that, attackers will keep coming through the door we leave wide open: the one between the chair and the keyboard.
Again and always, the human factor.
Useful links
- ReCyF v2.5 (PDF): https://messervicescyber-ressources.cellar-c2.services.clever-cloud.com/20260317_NIS_V2_ReCyF_v2.5.pdf
- Reference framework comparison tool: https://messervices.cyber.gouv.fr/nis2#exigences
Questions fréquentes
What is the ReCyF?
The Référentiel Cyber France, unveiled by ANSSI on 17 March 2026 at the Campus Cyber. In version 2.5 (47 pages), it comprises 20 security objectives spread across four pillars (governance, protection, defence, resilience), with a distinction between the mandatory "what" and the recommended "how".
Why is the Résilience bill stuck?
Because of article 16 bis, introduced in the Sénat, which prohibits requiring encryption providers to build backdoors into messaging services. This provision displeases the DGSI, and that disagreement freezes the entire text, whose examination is pushed back toward July 2026.
Do we need to wait for NIS 2 to be transposed before applying the ReCyF?
No. ANSSI encourages implementing it right now; entities that apply it will be able to point to that in the event of an inspection. It is the best available roadmap for getting ahead of NIS 2 in France.
What are the main limits of the ReCyF according to the article?
It treats the human factor as a mere awareness charter, illustrates human risk with an infected USB stick, exempts important entities from risk analysis, bans BYOD for essential entities, and mentions neither AI nor the software supply chain (SBOM, dependencies).
What should the CISOs and executives concerned actually do?
Run a gap analysis, use the comparison tool on MesServicesCyber if already certified to ISO 27001, and carry out a risk analysis even when the framework does not require it. They should also invest in the human factor beyond a charter: measured phishing simulations, behavioural lessons learned, and thinking about the ways people work around controls.
Sources & méthodologie

Être en cybersécurité
Une feuille de route cyber en clair, pour tout le monde, pas seulement les experts.
