Transposition of NIS2: the urgency to act in the face of rising cyber threats

With NIS2, businesses are entering a new era of cybersecurity. But while some organizations have already begun their transformation, many still remain insufficiently prepared.

The recent publication of the ReCyF framework by ANSSI, which details the cybersecurity requirements expected under NIS2, marks an important turning point for companies. In France, nearly 15,000 organizations are concerned, and 160,000 on a European scale. However, many are still waiting for the publication of the final texts before acting. This wait-and-see posture is no longer tenable in a context where cyber threats are becoming industrialized and accelerating.

A directive that changes scale

Adopted to strengthen the level of cybersecurity within the European Union, NIS2 marks a break with the first NIS directive of 2016. It considerably expands the number of organizations concerned, now integrating many mid-caps and SMEs, while imposing much more structured requirements.

With this directive, cybersecurity is no longer limited to a technical perimeter: it becomes a genuine governance matter. It directly engages the responsibility of managers, who can no longer delegate these issues without strategic oversight. It is placed at the heart of organizations' strategic decisions, integrating key dimensions such as risk management, supply chain security and incident management.

Even if the transposition is still underway in several countries, including France, the broad outlines are already known. The ReCyF specifies cybersecurity expectations, offering companies a concrete basis for initiating compliance work without having to wait for the publication of the final texts. In other words, all the conditions are in place to act now.

Existing cybersecurity foundations, but still insufficient

In companies, cybersecurity maturity remains very heterogeneous. Large organizations, already subject to regulatory obligations, generally have solid foundations. Conversely, many mid-sized companies and SMEs are still lagging behind, with poorly formalized governance, incomplete risk mapping or a still unclear cybersecurity strategy.

This observation is all the more worrying since Cybermalveillance.gouv.fr indicated that it had supported more than 500,000 victims in 2025, an increase of 20% compared to 2024, illustrating the intensification of cyber threats. We are now facing mass, structured and professionalized cybercrime.

However, mid-sized companies and SMEs rarely start from scratch. In the majority of cases, cybersecurity practices already exist, such as access management, backups or monitoring tools. Some controls are in place, but they are neither systematically formalized nor sufficiently structured or supported.

The challenge is therefore not to rebuild everything, but to structure the approaches, prioritize actions and give overall coherence to existing practices. It is precisely this scaling up that is lacking today.

Preparing for NIS2: where to start?

The first step consists of assessing the organization's level of maturity, through an audit or diagnosis, in order to identify gaps between existing practices and the requirements of the directive. On this basis, companies can define a clear roadmap, prioritizing actions according to risk. To lay a solid foundation, it is essential to structure governance, clarify roles, formalize incident management procedures and strengthen system security.

However, the success of this transformation depends above all on the involvement of management. With the NIS2 directive, managers are directly responsible for cybersecurity issues, which makes it a real strategic subject for the company, and no longer just a technical subject. Failure to prepare for it today means taking a major legal, operational and reputational risk.

But beyond the organizational aspects, the success of this transformation depends above all on people. In many attacks, the human factor remains the main entry point. Developing a real culture of cybersecurity is therefore essential to limit the risks linked to phishing, handling errors or social engineering.

This involves rethinking awareness-raising approaches, favoring continuous, concrete measures adapted to each profession. Training becomes a strategic lever to sustainably strengthen internal capabilities and improve overall resilience. Training is no longer an option; it is a lever for action in the face of current attacks.

From a regulatory obligation to a strategic opportunity

Reducing NIS2 to a simple regulatory obligation would be a mistake. On the contrary, this directive represents a concrete opportunity to sustainably structure cybersecurity and strengthen the resilience of organizations.

Companies that commit to this approach today have a clear advantage. They can anticipate requirements, plan their investments to avoid urgent expenses, and integrate cybersecurity into their overall strategy. They also strengthen the trust of their customers, partners and investors.

Conversely, waiting for complete transposition means submitting to the regulatory timetable, at the risk of having to act urgently. As the regulatory framework becomes clearer, the requirements will continue to strengthen and become more structured. It is no longer a question of whether to comply, but how quickly organizations are able to do so.

In an increasingly exposed digital environment, cybersecurity can no longer be considered a secondary subject. NIS2 must be seen as a lever to sustainably integrate cybersecurity at the heart of performance and trust.
