Belgium published first, France went deeper. Belgium's CCB released CyFun well before the October 2024 NIS 2 transposition deadline, built on NIST CSF and officially mapped to ISO 27001/27002. France's ANSSI published ReCyF, but as of March 2026 the underlying legislation still has not passed - making it a technically superior but legally unenforceable framework.
Bottom line: ISO 27001-certified organisations in Belgium are largely compliant with a manageable gap list. The same organisations in France still have significant work ahead - and no hard deadline yet to do it by.
Table of Contents
- Introduction
- Belgium - The Head Start (4-level architecture, control counts, ISO 27002 clusters, what key measures are and why they matter, self-assessment)
- France - The Thorough Approach (the objective-and-means architecture, still waiting for the law, ISO alignment - ANSSI's own assessment)
- ISO 27002 mapping as a common anchor
- The Divergences
- Practical Implications
Part I: Introduction - One Directive, Two Answers
When the EU adopted NIS 2 (Directive 2022/2555) in December 2022, it set a clear expectation: member states had until October 17, 2024 to transpose its requirements into national law. What followed, at least across the Franco-Belgian border, is a study in contrasting regulatory cultures, institutional histories, and practical philosophies.
NIS 2 expanded covered sectors from 7 to 18, lowered size thresholds, made supply chain security and multi-factor authentication explicit obligations, and - most significantly - introduced Article 21's detailed list of required risk management measures. What the directive deliberately does not do is specify how each measure should be implemented. That granularity was left to member states, producing genuine policy diversity: two technically credible frameworks that are compatible at the technical level but structurally different in regulatory philosophy, timing, and practical demands.
The timeline below tells the story at a glance. Belgium formalised an existing, mature framework and published its official cross-framework mapping nine months before the deadline. France is still working through its legislative process 18 months after that same deadline.
Part II: Belgium - The Head Start
To understand why Belgium was so far ahead, you need to understand the CCB's institutional history. The Centre for Cybersecurity Belgium was established in 2015, and had already developed CyFun as a voluntary self-assessment tool before NIS 2 existed. It was grounded in the NIST Cybersecurity Framework's five-function structure (Identify, Protect, Detect, Respond, Recover), cross-referenced to ISO 27001/27002, CIS Controls v8, and IEC 62443 for industrial environments.
The decision to ground CyFun in NIST CSF was consequential. By adopting its coding system, the CCB aligned the framework with an internationally recognised vocabulary from day one. The early voluntary character also meant CyFun had been tested in practice before it became legally significant. When NIS 2 arrived, the CCB did not build a new framework - it formalised an existing one. The official cross-framework mapping was published January 8, 2024, nine months before the compliance deadline.
Control counts and ISO 27002 clusters
At Essential level, the CCB's official mapping activates 83 controls across the five NIST CSF functions, with 8 designated as key measures. The widget below shows cumulative counts per function and their primary ISO 27002:2022 clusters, alongside a structural comparison to ReCyF EE.
What are key measures - and why do they matter?
Within CyFun's 83 Essential-level controls, the CCB designates 8 as key measures - a signal that these controls deliver the highest return on security investment and carry the most weight in any compliance assessment. They are not a separate tier; they sit within the normal control structure at various levels (Basic, Important, Essential). But their status changes two things materially.
For assessors, key measures are the first controls checked. Non-compliance with a key measure is weighted more heavily than gaps in standard controls - in practice, failing a key measure at your declared CyFun level constitutes a failed assessment regardless of performance elsewhere. For organisations, key measures represent the CCB's answer to the question: if resources are limited, where do you start? They are the minimum viable security posture at each assurance level.
The distribution across levels is itself instructive. Three key measures sit at Basic - credential management (PR.AC-1), physical access control (PR.AC-2), and authentication (PR.AC-7). The CCB is saying that even the entry level cannot skip these: identity and physical security are non-negotiable from day one. Three more activate at Important - data at rest encryption (PR.DS-1), threat intelligence (ID.RA-2), and vulnerability scanning (DE.CM-8). Only one, multi-source event correlation (DE.AE-3), is Essential-only - signalling that SIEM-level detection is a genuine differentiator between Important and Essential posture, not a baseline expectation.
One key measure stands out for the gap it exposes in ReCyF: PR.DS-1, data at rest encryption, has no dedicated counterpart in the French framework. This is not a minor omission - it is a key measure, meaning the CCB considers it among the most critical controls at Important level and above. Organisations subject to both frameworks cannot rely on ReCyF compliance to cover this requirement.
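The assessment rule described above (a failed key measure at or below the declared level fails the assessment, while lower-level entities are not held to higher-level controls) is easy to get wrong in a spreadsheet. The following is an added illustration, not CCB tooling: the seven key measures and their activation levels are those named in the article; the other control ids and the treatment of non-key gaps are constructed assumptions.

```python
# Added example: a simplified CyFun assessment outcome calculator. It is not
# CCB tooling. The seven key measures and their activation levels are the ones
# named in the article; the other control ids are constructed placeholders.
from dataclasses import dataclass

# CyFun assurance levels are cumulative: Essential includes Important and Basic.
LEVELS = {"Basic": 0, "Important": 1, "Essential": 2}


@dataclass(frozen=True)
class Control:
    id: str
    level: str            # level at which the control first activates
    key_measure: bool = False


# Key measures named in the article, at the level where they activate.
KEY_MEASURES = [
    Control("PR.AC-1", "Basic", True),      # credential management
    Control("PR.AC-2", "Basic", True),      # physical access control
    Control("PR.AC-7", "Basic", True),      # authentication
    Control("PR.DS-1", "Important", True),  # data at rest encryption
    Control("ID.RA-2", "Important", True),  # threat intelligence
    Control("DE.CM-8", "Important", True),  # vulnerability scanning
    Control("DE.AE-3", "Essential", True),  # multi-source event correlation
]

# Constructed, non-key sample controls (ids chosen for illustration only).
OTHER_CONTROLS = [
    Control("ID.AM-1", "Basic"),
    Control("PR.IP-4", "Important"),
    Control("RS.AN-1", "Essential"),
]

CATALOGUE = KEY_MEASURES + OTHER_CONTROLS


def in_scope(declared_level, catalogue=CATALOGUE):
    """Controls an entity must meet at its declared level (lower levels included)."""
    return [c for c in catalogue if LEVELS[c.level] <= LEVELS[declared_level]]


def assess(declared_level, results, catalogue=CATALOGUE):
    """Apply the article's rule: a failed key measure at or below the declared
    level fails the assessment regardless of other results.

    results maps control id -> True (compliant) / False (non-compliant).
    A control with no recorded result is treated as non-compliant
    (assumption: 'not assessed' must never count as a pass).
    """
    scope = in_scope(declared_level, catalogue)
    failed_key = sorted(c.id for c in scope
                        if c.key_measure and not results.get(c.id, False))
    other_gaps = sorted(c.id for c in scope
                        if not c.key_measure and not results.get(c.id, False))
    if failed_key:
        outcome = "fail"
    elif other_gaps:
        outcome = "gaps"   # assumption: non-key gaps yield a remediation list, not a fail
    else:
        outcome = "pass"
    return {
        "level": declared_level,
        "outcome": outcome,
        "in_scope": len(scope),
        "failed_key_measures": failed_key,
        "other_gaps": other_gaps,
    }


if __name__ == "__main__":
    # A Basic-level entity without SIEM correlation is not failed: DE.AE-3 is out of scope.
    print(assess("Basic", {"PR.AC-1": True, "PR.AC-2": True, "PR.AC-7": True, "ID.AM-1": True}))
    # The same entity declaring Important fails on the key measure PR.DS-1.
    print(assess("Important", {"PR.AC-1": True, "PR.AC-2": True, "PR.AC-7": True,
                               "ID.AM-1": True, "ID.RA-2": True, "DE.CM-8": True}))
```

The second call shows the point made above: an entity declaring Important with every other control in place still fails on PR.DS-1 alone, whereas the same result set at Basic passes because the control is not yet in scope.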
Self-assessment and market-driven assurance
Belgium's approach to demonstrating compliance is market-driven. Because CyFun is well-mapped to ISO 27001, certification from any accredited body carries significant weight. An organisation with a current ISO 27001 certificate implementing ISO 27002 controls at the corresponding level can demonstrate NIS 2 compliance without bespoke Belgian audits. This removes barriers for organisations already invested in the ISO ecosystem and reduces dependency on any single national market of assurance providers.
Part III: France - The Thorough Approach
ANSSI - the Agence Nationale de la Sécurité des Systèmes d'Information, established in 2009 - sits within the French state's security apparatus with a culture that blends operational technical excellence with detailed regulatory thinking. Its qualification schemes (PASSI for audit providers, PACS for consulting, PDIS for detection services, PAMS for administration and maintenance) represent a deliberate attempt to build and certify a market of reliable security service providers. This institutional context shapes ReCyF profoundly.
The objective-and-means architecture
ReCyF is built around 20 security objectives - 15 for both Important (EI) and Essential (EE) entities, 5 for EE only. Each objective is the mandatory what: the outcome the regulated entity must achieve, set by decree under Article 21 of NIS 2. Beneath each sit moyens acceptables de conformite (acceptable compliance means) proposed by ANSSI as ways to achieve the objective. These are not themselves mandatory (with limited exceptions), but implementing them provides safe harbour evidence during ANSSI inspection.
This is a sophisticated regulatory construct. It provides predictability while preserving flexibility for equivalent approaches, and future-proofs the framework: ANSSI can update compliance means without requiring new legislation.
Still waiting for the law
The most salient fact about ReCyF is on its cover page: it is a document de travail (working document), version 2.5, dated 17 March 2026. France has not yet passed the legislation transposing NIS 2 into national law. The document references throughout a projet de loi (PJL) on critical infrastructure resilience - a bill whose Article 14 provides the legal basis for the framework. As of March 2026, that bill has not been enacted.
The delay reflects genuine complexity in the French legislative process - NIS 2 interacts with existing obligations under the LPM, OIV regulation, and the RGPD, requiring careful legislative threading. For an overview of the EU-wide transposition status, ENISA maintains a NIS 2 implementation tracker. The consequence for France is real: organisations cannot be inspected, penalties cannot be applied, and investment decisions stall.
ISO alignment - ANSSI's own assessment
ANSSI's official correspondence table - available on the ANSSI NIS 2 page - scores each of ReCyF's 20 objectives against ISO 27001/27002, using three ratings: élevé (strong), moyen (partial), and faible (weak). The results are more nuanced than the ISO safe harbour framing might suggest.
ANSSI's observations are revealing. ISO 27001 does not explicitly name the CEO as legally responsible. ISO 27002:8.2 covers privileged access but does not prohibit dual-use of admin accounts or require dedicated networks. ISO mandates backup testing but sets no minimum frequency; ReCyF mandates annual. France consistently converts principles into measurable obligations.
Part IV: The Mapping - ISO 27002 as Common Anchor
Despite their structural differences, both frameworks draw from the same well. ISO 27002:2022 provides the common technical vocabulary - and mapping both official sources against it reveals where the two frameworks genuinely converge and where they diverge.
ISO 27002 coverage heatmap
The heatmap below shows all 93 ISO 27002:2022 controls, coloured by which framework references them. Navy cells are shared by both; blue cells are CyFun-only; green cells are ReCyF-only. The pattern is striking: 57 controls (61%) are shared, 31 are CyFun-only, and only 5 are ReCyF-only.
The heatmap reveals CyFun's broader ISO coverage immediately: the blue cluster at 8.25-8.34 represents secure development controls (SDLC, secure coding, security testing) unique to CyFun. The green cluster in Chapter 5 reflects ReCyF-specific governance and IAM framing. The dense navy in Chapters 7 and most of 8 shows the deep common ground in physical and technical controls.
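The shared / CyFun-only / ReCyF-only classification behind the heatmap is a straightforward set operation once both official mappings are expressed against ISO 27002:2022 control numbers. The following is an added example of that computation, not the article's own analysis and not the CCB or ANSSI mapping files: the CSV layout and all mapping rows are constructed for illustration (only the ID.RA-2 to 5.7 pairing and the CyFun-only secure-development cluster at 8.25 onward come from the article), so the counts it produces are not the 57/31/5 figures above.

```python
# Added example: classify ISO 27002:2022 controls by which framework maps to
# them and summarise per chapter. Not the CCB or ANSSI mapping files; the rows
# below are constructed and illustrative only.
import csv
import io
from collections import Counter, defaultdict

# Constructed sample mapping in the form iso_control,framework,source_ref.
SAMPLE_CSV = """iso_control,framework,source_ref
5.7,CyFun,ID.RA-2
5.15,CyFun,PR.AC-1
5.15,ReCyF,Obj.11
5.18,ReCyF,Obj.11
7.2,CyFun,PR.AC-2
7.2,ReCyF,Obj.10
8.2,CyFun,PR.AC-4
8.2,ReCyF,Obj.19
8.16,CyFun,DE.AE-3
8.16,ReCyF,Obj.13
8.24,CyFun,PR.DS-1
8.24,ReCyF,Obj.2
8.25,CyFun,PR.DS-7
8.28,CyFun,PR.DS-7
"""


def parse_mapping(text):
    """Return {iso_control: {framework: sorted list of source refs}}."""
    mapping = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(text)):
        ctrl = row["iso_control"].strip()
        mapping[ctrl][row["framework"].strip()].add(row["source_ref"].strip())
    return {c: {fw: sorted(refs) for fw, refs in fws.items()} for c, fws in mapping.items()}


def control_key(ctrl):
    """Sort ISO control ids numerically (5.7 before 5.15), not as strings."""
    return tuple(int(p) for p in ctrl.split("."))


def classify(mapping, a="CyFun", b="ReCyF"):
    """Label each control 'shared', '<a>-only' or '<b>-only', in ISO order."""
    labels = {}
    for ctrl, fws in mapping.items():
        if a in fws and b in fws:
            labels[ctrl] = "shared"
        elif a in fws:
            labels[ctrl] = f"{a}-only"
        elif b in fws:
            labels[ctrl] = f"{b}-only"
    return dict(sorted(labels.items(), key=lambda kv: control_key(kv[0])))


def totals(labels):
    """Counts per label, e.g. {'shared': 5, 'CyFun-only': 3, 'ReCyF-only': 1}."""
    return dict(Counter(labels.values()))


def by_chapter(labels):
    """Counts per ISO chapter (5 organisational, 6 people, 7 physical, 8 technological)."""
    chapters = defaultdict(Counter)
    for ctrl, label in labels.items():
        chapters[ctrl.split(".")[0]][label] += 1
    return {ch: dict(c) for ch, c in chapters.items()}


def gap_list(mapping, labels, missing_in, other="CyFun"):
    """Controls an organisation compliant only with `missing_in` must still add,
    with the other framework's references that drive them."""
    return [(ctrl, mapping[ctrl][other])
            for ctrl, label in labels.items() if label == f"{other}-only"]


if __name__ == "__main__":
    m = parse_mapping(SAMPLE_CSV)
    labels = classify(m)
    print(totals(labels))
    print(by_chapter(labels))
    print("ReCyF-only organisation must add:", gap_list(m, labels, "ReCyF"))
```

Running the same functions over the two official mapping files, normalised to the same three-column layout, reproduces the heatmap classification; the `gap_list` output is the per-control to-do list for an organisation that holds one framework and needs the other.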
The ISO 27002 bridge
The bridge table below maps each key ISO 27002 control cluster to its CyFun and ReCyF equivalents, highlighting where both frameworks converge and the gaps where one goes further than the other.
Part V: The Divergences
The shared ISO ground is extensive, but the gaps matter. The gap analysis below maps the areas where each framework goes materially beyond the other.
The privileged administration gap - France goes furthest
The most architecturally significant ReCyF requirement - and the one most grounded in real incident patterns - is the coeur de confiance (core of trust) concept across Obj.11 and Obj.19. EE entities must isolate Active Directory or LDAP and everything that can control it: dedicated admin accounts, dedicated admin workstations, a fully separate administration network, and no external connections to administration resources. ANSSI's guidance on Active Directory hardening, published on the CERT-FR website, gives operational detail on what this means in practice.
This requirement exists because the dominant pattern in France's worst ransomware incidents has been: phishing compromises a dual-use admin workstation, lateral movement reaches directory services, domain-level control is achieved, ransomware is deployed at scale. Obj.11 and Obj.19 together are an argument written in incident reports. CyFun addresses privileged access through least-privilege principles and privileged user training, but does not require network-level isolation. Neither does ISO 27002.
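The four properties listed above (dedicated admin accounts, dedicated admin workstations, a separate administration network, no external connections to administration resources) can be turned into mechanical checks over an inventory of flows and logons. The following is an added illustration written for this page; it is not ANSSI guidance or ReCyF text, and the zone names, host names, accounts and the list of management ports are assumptions. It also assumes that only management-plane traffic (RDP, WinRM, SSH) to the directory is restricted, while authentication traffic such as Kerberos from user workstations is expected.

```python
# Added example (not ANSSI guidance or ReCyF text): checks a constructed
# inventory of network flows and logons against the coeur de confiance
# properties the article lists for Obj.11/Obj.19. Zone names, hosts, accounts
# and the management-port list are assumptions made for this illustration.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    zone: str   # "admin" (dedicated admin network), "user", "server"; unknown hosts count as external


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Logon:
    account: str
    host: str
    kind: str   # "interactive", "mail", "web"


# Directory services and what can control them (constructed names).
ADMIN_RESOURCES = {"dc01", "ldap01"}
ADMIN_ACCOUNTS = {"adm-alice", "adm-bob"}
# Assumption: these ports carry administration (SSH, RDP, WinRM). Authentication
# traffic such as Kerberos (88) or LDAP (389) from user workstations is expected.
MGMT_PORTS = {22, 3389, 5985, 5986}


def check(hosts, flows, logons):
    """Return (rule, detail) findings for every violated property."""
    zone = {h.name: h.zone for h in hosts}
    findings = []
    for f in flows:
        src_zone = zone.get(f.src, "external")
        dst_zone = zone.get(f.dst, "external")
        # Obj.19: administration of directory services only from the admin network.
        if f.dst in ADMIN_RESOURCES and f.dport in MGMT_PORTS and src_zone != "admin":
            findings.append(("mgmt-from-non-admin-zone", f"{f.src}->{f.dst}:{f.dport}"))
        # Obj.19: no external connections to or from the administration network.
        if "admin" in (src_zone, dst_zone) and "external" in (src_zone, dst_zone):
            findings.append(("admin-zone-external-flow", f"{f.src}->{f.dst}:{f.dport}"))
    for l in logons:
        is_admin = l.account in ADMIN_ACCOUNTS
        on_admin_ws = zone.get(l.host) == "admin"
        # Obj.11: admin accounts only on dedicated admin workstations, and those
        # workstations carry no other accounts.
        if is_admin != on_admin_ws:
            findings.append(("workstation-not-dedicated", f"{l.account}@{l.host}"))
        # Obj.11: no dual use of admin accounts (mail or web from an admin identity).
        if is_admin and l.kind in ("mail", "web"):
            findings.append(("admin-account-dual-use", f"{l.account}@{l.host}:{l.kind}"))
    return findings


def summarise(findings):
    """Count findings per rule."""
    return dict(Counter(rule for rule, _ in findings))


# Constructed sample inventory.
HOSTS = [Host("paw01", "admin"), Host("user-ws1", "user"),
         Host("dc01", "server"), Host("ldap01", "server")]
FLOWS = [
    Flow("user-ws1", "dc01", 88),          # Kerberos from a user workstation: expected
    Flow("user-ws1", "dc01", 3389),        # RDP to the DC from the user network: finding
    Flow("paw01", "dc01", 3389),           # RDP from the admin network: allowed
    Flow("paw01", "internet-proxy", 443),  # admin workstation reaching outside: finding
]
LOGONS = [
    Logon("adm-alice", "paw01", "interactive"),     # correct use
    Logon("adm-alice", "user-ws1", "interactive"),  # admin account on a user workstation
    Logon("adm-bob", "paw01", "mail"),              # dual use of an admin account
    Logon("alice", "paw01", "web"),                 # standard account on an admin workstation
]

if __name__ == "__main__":
    for rule, detail in check(HOSTS, FLOWS, LOGONS):
        print(rule, detail)
    print(summarise(check(HOSTS, FLOWS, LOGONS)))
```

On the sample inventory the checker reports the RDP session from the user network, the outbound connection from the admin workstation, the two misplaced logons and the mail use of an admin account, while leaving the Kerberos flow alone; that is exactly the phishing-to-directory chain described above broken at each of its hops.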
The data security gap - CyFun goes furthest
CyFun's PR.DS-1 through PR.DS-8 represent eight dedicated data lifecycle controls with no ReCyF equivalent: encryption at rest and in transit, storage media handling, data disposal, capacity planning, DLP, integrity checking, and development/test environment separation. These map directly to ISO 27002:2022 controls 8.10-8.13 and 8.25-8.31. ReCyF addresses these concerns only tangentially through the encryption policy in Obj.2 and remote access encryption in Obj.8. For organisations handling sensitive personal data, this is a material gap in the French framework.
Part VI: Practical Implications
For Belgian organisations
ISO 27001-certified organisations have a clear, manageable gap list. Residual work is primarily: structured threat intelligence (ID.RA-2 - mapped to ISO 27002:5.7), SIEM-level multi-source event correlation (DE.AE-3), data at rest encryption (PR.DS-1), and full data lifecycle management (PR.DS series). All are precisely scoped and deliverable within a normal programme cycle.
For French organisations
The principal challenge is uncertainty. With the law not yet passed, compliance investment is hard to mandate internally. When it does pass, EE entities face a substantial programme. Obj.19 alone - the dedicated admin network - may require multi-year architectural transformation. Obj.17's PASSI-qualified audits create a dependency on a specifically French qualification market with finite capacity. Obj.14 and Obj.15 require building crisis response capability and exercise discipline - including ANSSI's recommended EBIOS RM methodology for risk analysis - that cannot be acquired quickly.
For organisations operating in both jurisdictions
The overwhelming majority of technical ground is shared. Governance, supply chain, HR, physical security, IAM, incident management, and monitoring are closely aligned. A single programme can cover both with deliberate design. The four non-trivial divergences requiring explicit treatment:
- Admin architecture: Obj.19/ReCyF requires dedicated admin networks not mandated by CyFun - the largest potential delta for organisations using VPN-based remote administration.
- Data lifecycle: PR.DS-1 to 8/CyFun requires dedicated data security controls not covered in ReCyF - largely addressed via GDPR compliance programmes in practice.
- Audit: Obj.17/ReCyF requires PASSI-qualified technical audits separately from whatever assurance mechanism serves Belgian compliance.
- Crisis and exercising: Obj.14 and Obj.15/ReCyF require operational crisis capability and formal exercise programmes beyond CyFun requirements.
Part VII: Conclusion
Belgium got the incentives right. Publishing a clear, standards-aligned framework with official ISO mappings nine months before the deadline gave organisations the signal they needed. The maturity model creates a functioning compliance market. The ISO equivalence claim, well-supported by the official mapping, let certified organisations move efficiently rather than starting over. CyFun's data security category (PR.DS) and threat intelligence requirement (ID.RA-2) are genuine contributions that ReCyF has not fully incorporated.
France got the depth right. The cyber crisis management requirements, the structured exercise programme, and the administration infrastructure isolation rules reflect hard-won operational lessons from real incidents. The ANSSI qualification ecosystem provides something valuable: a curated, vetted market of security service providers whose quality ANSSI has independently verified. Regulation that mandates only what organisations already do is decoration; ReCyF is attempting to mandate what organisations should do based on evidence about what prevents catastrophic outcomes.
The delay in France's legislative process is a failure of execution, not of conception. When ReCyF takes legal effect, French Essential entities will face among the most technically rigorous NIS 2 transposition requirements in the EU. For ongoing coverage of this and related EU cybersecurity regulatory developments, see Directive Signal - Newsletter.
Sources and further reading
Primary sources used in this analysis:
- CCB CyberFundamentals Framework (Essential level, 2023-03-01) — ccb.belgium.be/en/cyberfundamentals-framework
- CCB official cross-framework mapping (v20240108) — ccb.belgium.be/en/cyberfundamentals-framework
- ReCyF v2.5 (ANSSI, 17 March 2026, working document) — ssi.gouv.fr/entreprise/reglementation/directive-nis-2/
- ANSSI ISO correspondence analysis (Comparaison_ReCyf-NIS2_ISO.csv) — ssi.gouv.fr/entreprise/reglementation/directive-nis-2/
Key reference documents:
- NIS 2 Directive (EU) 2022/2555 — full text — eur-lex.europa.eu
- ISO/IEC 27001:2022 Information security management systems — iso.org/standard/82875.html
- ISO/IEC 27002:2022 Information security controls — iso.org/standard/75652.html
- NIST Cybersecurity Framework — nist.gov/cyberframework
- CIS Controls v8 — cisecurity.org/controls
- ENISA NIS 2 implementation tracker — enisa.europa.eu/topics/cybersecurity-policy/nis-directive-new
- ANSSI EBIOS Risk Manager methodology — ssi.gouv.fr/en/guide/ebios-risk-manager-the-method/
- CERT-FR (French government CSIRT) — cert.ssi.gouv.fr
ANSSI qualified provider schemes:
- PASSI — qualified IS audit providers — ssi.gouv.fr (PASSI)
- PACS — qualified security consulting providers — ssi.gouv.fr (PACS)
- PDIS — qualified incident detection providers — ssi.gouv.fr (PDIS)
- PAMS — qualified administration and maintenance providers — ssi.gouv.fr (PAMS)