Uncia

ReCyF

ReCyF (Référentiel Cybersécurité France) is the framework published by ANSSI that structures the cybersecurity requirements applicable to essential and important entities under NIS2. It breaks down about twenty concrete objectives, audited against a maturity scale.

Definition of ReCyF

ReCyF stands for Référentiel Cybersécurité France (France Cybersecurity Reference Framework). It was published by ANSSI (the French national agency for information system security) to formalise the cybersecurity requirements applicable to essential and important entities under the French transposition of the NIS2 directive.

The current version, ReCyF v2.5, provides a common framework for all NIS2-subject organisations to demonstrate compliance. It builds on ANSSI's earlier sector best practices (notably the IT hygiene guide and the OIV/OSE frameworks) but structures them to make audit and proof operational.

Structure of ReCyF

ReCyF is organised in about twenty objectives grouped into main domains: governance, risk management, IT system mastery, architecture security, incident management, continuity, monitoring and audit. Each objective is a NIS2-aligned security theme, and each comes with a dedicated sheet specifying context, requirements and assessment method.

Each objective is evaluated on a maturity scale, typically five levels: not covered, partial, documented, effective, optimised. This scale lets the entity identify weak spots and prioritise corrective actions, and gives ANSSI an objective basis for its inspection.

Main ReCyF objectives

Without going into every sheet, here are the objectives that most shape a CISO's work:

IT system inventory mandates keeping an up-to-date list of essential activities, services and supporting IT systems with a named owner. It is the foundation of the whole approach.

Governance and ISP mandate compliance analysis per system, gap identification and a board-approved action plan.

Ecosystem control requires tracing suppliers, providers and their access to IT systems. This is central given the rise of supply-chain attacks.

IT system mastery mandates knowledge of components, configurations, owners and dependencies. This is where application mapping is decisive.

Architecture security demands segmentation, criticality zoning and documented defence in depth.

Incident response formalises notification procedures within NIS2 deadlines (24h, 72h, one month).

Business continuity requires the identification of critical IT systems, documentation of dependencies and regular testing of recovery plans.

Security audit mandates regular audits with recommendations tracked over time.

Monitoring requires centralisation and analysis of security events.

How to self-assess against ReCyF

ReCyF self-assessment unfolds in three stages.

Stage 1: review the objective sheets and identify those applicable to your organisation. Not all are mandatory: some (e.g. Security audit or Risk-based approach) only apply to essential entities, not to important entities.

Stage 2: for each applicable objective, evaluate the current maturity level and justify it with proof (formalised policy, documented procedure, audit log, tool screenshot). This stage assumes good knowledge of the IT system, which underlines the importance of an up-to-date map.

Stage 3: build a prioritised action plan. The typical logic is to identify the three or four objectives at the lowest level and set targets at 30, 90 and 180 days.

Is ReCyF mandatory?

ReCyF is not strictly imposed by the NIS2 transposition law published on 30 October 2024, but it is officially published by ANSSI as the reference framework for demonstrating compliance. In practice, in an audit context, presenting an assessment structured along ReCyF is the most credible and direct route.

Organisations adopting ReCyF now gain a considerable head start on the ANSSI control phase, which intensifies in 2025-2026.

Frequently asked questions

Where can I download ReCyF?

ReCyF is freely published on the ANSSI website (cyber.gouv.fr), in the section dedicated to NIS2. The latest version at the time of writing is 2.5, released at the end of 2024.

Does ReCyF replace ISO 27001?

No. ISO 27001 remains an international standard for information security management. ReCyF is a French framework specific to NIS2. The two are complementary: ISO 27001 describes the management system, ReCyF describes the technical and organisational requirements. Many organisations use ISO 27001 as a foundation and align their NIS2 proof with ReCyF.

How many objectives must I reach to be compliant?

NIS2 compliance is not a binary 'every objective at the highest level'. ANSSI evaluates the overall coherence, progression over time and credibility of the action plan. The point is less about being perfect everywhere than about demonstrating well-controlled governance and a credible trajectory.
