The publication of the ReCyF framework by ANSSI (French National Cybersecurity Agency) marks a major step in the operational implementation of the European NIS2 Directive. Although the directive has not yet been formally transposed into French law, ANSSI is already setting expectations regarding cyber resilience. The message is clear: the ability to withstand a cyberattack, to keep essential activities running and to recover quickly is now a central component of cybersecurity programs.
Cyber incidents are no longer exceptional events. They are now part of the normal functioning of organizations, sometimes with major operational, financial and reputational impacts.
Yet a gap persists. For more than ten years, businesses have invested heavily in prevention, protection and detection. On the other hand, their ability to withstand a major cyber crisis, preserve their critical activities, protect their most sensitive data and return to normal operations often remains insufficient. Resilience still too often remains the poor relation of cybersecurity policies.
ReCyF: a paradigm shift
The ReCyF framework responds to a now widely shared observation: despite the investments made in protection and detection, a major incident remains a credible, even inevitable, scenario.
ReCyF thus formalizes a profound shift in doctrine. The question is no longer solely “How do we prevent a cyberattack?”, but also “How do we continue to operate when one occurs?”. Cyber resilience becomes a full-fledged pillar of cybersecurity governance.
This evolution is reinforced by an ever more demanding threat context. The rise of generative AI, whether frontier models or open-source ones, is gradually lowering the level of expertise required to prepare, automate or industrialize certain attacks. In this context, the ability to absorb an incident is becoming as important as the ability to prevent it.
With ReCyF, ANSSI is not simply publishing another technical framework. It is formalizing a reference baseline for cyber resilience that concretely foreshadows the future expectations tied to NIS2:
- BCPs and DRPs genuinely oriented toward cyber, integrating backups, recovery scenarios and regular testing;
- structured, equipped and steered crisis management, based on procedures, a clear organization and operational tools;
- a long-term training strategy, with regular exercises involving the various stakeholders.
A major challenge for essential entities
The ReCyF requirements arrive at a time when organizations’ maturity levels remain highly uneven. The results of the 2026 CESIN Barometer¹ illustrate the scale of the road ahead:
- one organization in two has never tested its DRP under real-world conditions;
- fewer than 30% involve business lines in their continuity tests;
- more than 60% do not regularly train their executive committee or their management board in cyber crisis management;
- exercises remain mostly “tabletop” and only marginally immersive;
- fewer than 35% have a structured exercise program;
- fewer than 20% conduct exercises simultaneously involving IT teams, business lines and executive leadership.
The gap between the requirements set out by ReCyF and organizations’ current level of maturity is significant.
Cyber resilience can therefore no longer be treated as a secondary undertaking: it is becoming a strategic governance issue and a factor of operational resilience.
A window of opportunity to seize
The NIS2 Directive has not yet been formally transposed into French law. Its transposition law could be adopted during the second half of 2026, subject to the parliamentary calendar.
Nevertheless, with the publication of ReCyF, the framework is already in place. Expectations are now explicit and the level of requirement leaves no room for doubt.
This transitional period, which could extend until an entry into force in late 2026 or early 2027, represents a genuine window of opportunity for organizations. It allows them to:
- anticipate future requirements rather than face last-minute compliance;
- gradually structure their cyber resilience programs;
- test, train and improve their capabilities before the first audits… or before having to manage a real crisis.
Beyond regulatory compliance, ReCyF above all represents an opportunity to sustainably strengthen organizational resilience. The companies that undertake this transformation today will not only have a head start when NIS2 comes into force, but will also be better prepared to face a cyber threat whose level remains particularly high.
Cyber resilience cannot be improvised on the day the crisis strikes. It is built well before, through preparation, training and continuous improvement. ReCyF now provides a reference framework; it is up to organizations to turn it into operational capability. This is precisely the meaning of ALCYCONIE’s commitment.
Guillaume CHÉREAU – COO Alcyconie
FAQ: The ReCyF framework and NIS2
Read the article
How to operationalize AI in your cyber crisis management workflows?
6 July 2026Read the article
Offensive AI and the summer period: 5 actions to launch now to prepare your organization
6 July 2026Read the article