In 2026, cyber risk is no longer a back-office concern. It now sits at the board table—alongside finance, legal, and operations—demanding the same executive attention. Ransomware groups are better organized. AI-powered phishing is harder to detect. Supply chain compromises are redefining how breaches occur. And French regulators are watching closely.
Under GDPR, NIS2, and the upcoming AI Act, ignorance is no longer a defensible position. The CNIL and ANSSI expect active governance, tested response plans, and documented third-party oversight. For French leaders in 2026, cyber resilience isn't just an IT priority—it’s a legal obligation, a strategic asset, and a governance responsibility.
This guide provides you with practical tools to lead that conversation.
The Cyber Risk Landscape in France in 2026
The French cyber threat landscape in 2026 is no longer an IT department's problem. It's an executive-level crisis waiting to happen—and for many organizations, it already has.
Three forces are reshaping the risk picture: the relentless persistence of ransomware, the rapidly evolving AI-driven phishing campaigns, and the systemic danger of supply chain attacks. Together, they create an interconnected, high-stakes risk environment that boards can no longer treat as a technical footnote.
Ransomware Targeting French SMEs and Public Institutions
Ransomware remains one of the most damaging and fastest-growing cyber threats for French organizations. Globally, attacks increased by more than 40% by the end of 2026 compared to 2024 (Source: Global Cybersecurity Outlook 2026), and almost eight out of ten organizations reported ransomware experiences in recent years. The consequences extend far beyond encrypted files—they paralyze essential operations, trigger regulatory investigations, and expose leadership teams to personal liability.
The €5 million fine imposed by the CNIL on France Travail perfectly illustrates how the failures that facilitate ransomware turn into regulatory actions. Weak authentication, insufficient logging, and overly broad access permissions—precisely the vulnerabilities that ransomware actors exploit—were at the heart of this sanction.
Key Insight: Ransomware isn't a technology problem. It’s a direct executive risk with financial, operational, and regulatory consequences. Waiting for IT to "handle it" is accepting that a decision has already been made for you.
French SMEs, mid-sized companies, and public institutions often lack mature security operations, leaving them disproportionately exposed. Boards that treat ransomware as an IT problem are operating with an outdated risk model.
AI-Powered Phishing Campaigns in French-Speaking Markets
Artificial intelligence has fundamentally changed the economics of cyberattacks. Adversaries can now automate, personalize, and escalate sophisticated social engineering campaigns at a fraction of the previous cost. In 2026, AI-orchestrated phishing—fueled by generative models that draft convincing messages in the recipient's native language, mimic internal communication styles, and clone executive voices—has become the primary vector for initial compromise (Source: Global Cybersecurity Outlook 2026).
According to the Global Cybersecurity Outlook 2026, cyber-powered fraud and phishing now rank among the top concerns at the executive level—in some risk assessments, they even surpass ransomware.
These attacks are dangerous precisely because they bypass technical controls and exploit human trust. A firewall won't stop a convincing message that appears to be from the CFO. This is why phishing is no longer a security team issue—it's a leadership issue.
Key Insight: When attackers can convince your leadership team, traditional perimeter defenses are insufficient. Phishing has crossed the boundary from IT to governance.
Supply Chain Attacks in Regulated Sectors
Supply chain attacks are among the most disruptive and difficult-to-detect threats of 2026. Rather than attacking organizations directly, adversaries exploit established trust relationships with third parties—software vendors, managed service providers, cloud platforms, and open-source dependencies—to infiltrate entire ecosystems from a single entry point.
For France, where critical infrastructures, finance, and public services operate under increasingly strict frameworks like the NIS2 directive, supply chain risk is not just a technical flaw—it's a compliance and governance priority. NIS2 obligations require robust third-party risk management and documented cyber risk assessments for the entire extended digital ecosystem. A successful supply chain attack can result in regulatory scrutiny and penalties faster than most organizations anticipate.
Why Cyber Risk is Now a Legal and Strategic Issue in France
You can no longer delegate cyber risk to IT and expect it to stay there. Regulators, customers, insurers, and business partners now demand visible executive ownership of cyber resilience. A serious incident can trigger a CNIL review if personal data is affected, NIS2 obligations if you operate in a critical sector, and contractual repercussions across your entire supply chain. The NIS2 framework is unambiguous on this point: cyber is a responsibility of the management body.
The Expanding Regulatory Framework
GDPR Enforcement
For leaders, GDPR cyber exposure is most acute in personal data breaches. If a breach is likely to create a risk to individuals' rights and freedoms, your organization must notify the CNIL within 72 hours of becoming aware of it—and document the breach internally, in all cases (Source: CNIL – Notifier une violation de données). When the risk is high, affected individuals must also be notified directly. The clock starts when you become aware.
Implementation of the NIS2 Directive in France
NIS2 significantly expands the scope of organizations subject to cybersecurity obligations, reinforcing expectations for risk management and incident reporting at the organizational level. French transposition is underway, and in-scope organizations must prepare for NIS2 requirements now—not after national measures are finalized.
ANSSI Guidelines
ANSSI systematically frames cyber risk as a top-level organizational responsibility and provides detailed and practical guidance for building a digital risk management policy that leaders can own, drive, and document. Its publications connect risk, governance, and decision-making—making them directly actionable by boards.
Executive Liability under NIS2 and French Law
NIS2 has raised the bar for executive conduct in concrete and measurable ways. The "management body" is now expected to approve cybersecurity risk management measures, oversee their implementation, and may face personal liability for non-compliance (Source: NIS2 Directive – Article 20). This changes how governance must operate: formal decisions, clear responsibilities, and documented evidence are no longer options—they are legal requirements.
The Most Common Cyber Governance Mistakes in French Companies
Most major cyber incidents in France do not happen due to sophisticated zero-day exploits. They occur because of governance gaps. Here are the three most prevalent failures—and why each is an executive problem, not just an IT one.
Insufficient Third-Party Risk Management
Attackers frequently enter through vendors—IT providers, payroll platforms, CRM tools, cloud integrators. The recurring failure is treating vendor onboarding as an administrative formality rather than a risk control. Lack of security clauses, insufficient access rules, and limited monitoring create dangerous blind spots. NIS2 pushes for strengthened supply chain security expectations precisely because this pattern is so common.
Inadequate Incident Response Testing
Many organizations have an incident response plan on paper. Far fewer have actually tested it. During a real incident, gaps emerge in escalation processes, containment procedures, evidence handling, customer communications, and CNIL notification workflows (Source: CNIL – Gestion des violations de données). The 72-hour GDPR notification window is unforgiving. Practice is not optional.
Failure to Align IT Security and Enterprise Risk Management
When cyber risk is isolated within IT and absent from enterprise risk management, boards only see costs—not exposure. ANSSI's guidance is explicit: cyber must be addressed at the highest organizational level, with a structured policy and a clear decision trail linking technical controls to strategic risk.
Building a Board-Level Cyber Risk Framework
Effective board-level cyber governance rests on four practical foundations:
- Define a cyber risk appetite — what level of disruption or data loss is truly tolerable for your organization.
- Maintain a board-reviewed risk register — categorized by scenario (ransomware, vendor compromise, fraud) and reviewed at regular intervals.
- Define decision-making responsibilities — clear, documented roles for CEO, CIO, CISO, Legal, and DPO, with an explicit escalation path.
- Demand evidence — audit trails, tested response plans, vendor controls, and training records that regulators can examine.
10-Point Cyber Compliance Checklist for French Leaders in 2026
Use this as a governance audit tool—not just a to-do list.
1. Confirm whether your organization is in scope for NIS2 and map your specific obligations.
2. Approve a written cyber risk policy at the management body level.
3. Maintain an executive-owned cyber risk register, linked to enterprise risk management.
4. Conduct vendor risk scoring and integrate security clauses into all contracts.
5. Enforce least-privilege access controls across all systems.
6. Ensure backups are resilient, tested, and recovery times validated.
7. Test incident response at least twice a year—tabletop exercises and technical simulations.
8. Validate your CNIL breach workflow: assessment, decision log, 72-hour process, and communications.
9. Conduct executive and staff training: phishing simulations, crisis roles, and reporting discipline.
10. Report cyber posture to the board using measurable KPIs—risk reduction, detection time, recovery time.
From IT Concern to Board Priority
In the French regulatory environment, cyber risk now sits alongside finance, legal, operations, and brand risk as a central board concern. A single incident can simultaneously trigger GDPR exposure with the CNIL, sector-specific scrutiny via ANSSI, and broader EU obligations under NIS2. This combination makes cyber a governance issue—not an IT budget line item.
ANSSI actively promotes structured cyber crisis preparedness, including crisis management exercises that test decision-making, communications, and recovery under real pressure. Organizations that practice these exercises measurably outperform those that don't during actual incidents.
Regulatory Pressure Intensifies
Data Protection Enforcement Trends
CNIL enforcement has significantly intensified. The authority's 2024 activity report states that the number of sanctions has doubled, accompanied by an increase in compliance orders and formal reprimands. For leaders, the implication is direct: cybersecurity shortcomings that expose personal data constitute breaches of GDPR security obligations—and poor management of breaches amplifies this exposure.
Critical and Sectoral Infrastructure Regulations
NIS2 sets EU-wide security and incident reporting expectations—energy, transport, health, digital infrastructure, public administration—placing explicit responsibility on management bodies. French implementation is tracked at the European level, with ANSSI and CERT-FR playing central national coordination roles (Source: CERT-FR).
For the financial sector, DORA has been applicable since January 2025, introducing stricter requirements for operational resilience and oversight of third-party ICT. European supervisors now have a framework to oversee critical third-party ICT providers—treating cloud concentration as a systemic stability issue, not just vendor management (Source: DORA – Digital Operational Resilience Act).
Personal Liability of Leaders
NIS2 is unambiguous: governing bodies must approve risk management measures, oversee their implementation, and bear personal responsibility for governance failures (Source: NIS2 Directive – Article 20). In practice, boards need documented evidence—risk reports, testing results, vendor oversight, and active monitoring—not just shelved policies.
How Regulatory Investigations Begin
Data Breach Notifications
Under GDPR, organisations must notify the competent supervisory authority without undue delay—and where feasible, within 72 hours of becoming aware of a personal data breach (Source: GDPR Article 33). This timeline mandates simultaneous executive decisions on containment, legal assessment, and communications.
Whistleblower Reports
In France, whistleblowing can be internal or external, with legal protections for individuals reporting breaches of EU rules (Source: EU Whistleblowing Directive). Cyber incidents and data breaches often involve process failures—in access control, vendor management, data retention, and logging—that employees identify before management. A credible report can trigger a regulatory investigation faster than any technical alert.
Media Exposure & Customer Complaints
Public reporting, customer complaints, or high-profile service disruptions can simultaneously trigger follow-ups from customers, insurers, and regulators. When a situation becomes visible, executives are judged on the speed, transparency, and control of the narrative—as much as on the technical response.
The Governance Failures Behind Big Cyber Penalties
The recurring pattern behind large cyber penalties isn’t a missing technical control. It's weak governance: unclear risk ownership, insufficient documentation, and controls that exist on paper but were never tested. Under GDPR, organisations must implement technical and organisational security measures appropriate and proportionate to the risk—and regulators will evaluate if those measures were reasonable in context (Source: GDPR Article 32).
Key Insight: The question regulators ask isn't "Did you have a policy?" It's "Can you prove it worked?"
Beyond the Fine — The True Cost of Cyber Non-Compliance
The headline fine is rarely the most significant cost of a cyber incident. The true damage runs deeper and lasts longer.
Erosion of Customer Trust
Trust collapses when customers feel kept in the dark or experience repeated service disruptions. The long-term consequences—customer churn, lost contracts, tougher sales cycles—are particularly severe in regulated sectors and public procurement, where reputation is a qualifying criterion.
Share Price Impact
For listed organisations, uncertainty and operational downtime directly affect valuation, forecasts, and investor confidence. Cyber incidents have caused measurable share price declines even when direct fines were relatively modest.
Operational Disruption
Ransomware and vendor outages can cripple billing, fulfillment, healthcare delivery, or logistics operations. The costs of recovery—forensics, system rebuilds, legal fees, crisis communications, and customer support—consistently dwarf the headline regulatory penalty.
Integrating Cyber Risk into Strategic Planning
French executives must connect cyber risk to organisational strategy through three board habits:
- Defining risk appetite and priorities tied to critical processes and strategic data.
- Demanding evidence: tested incident response, measurable vendor oversight, and documented control effectiveness—not just policies. ANSSI’s crisis exercise methodology is a proven basis.
- Linking compliance to operations: GDPR breach readiness (72-hour notification), NIS2 governance expectations, and DORA-style resilience thinking for financial environments.
The Reality of Cyber Attacks in France
The numbers speak for themselves. In 2024, 5,629 data breaches were notified to the CNIL—an increase of approximately 20% over the previous year. In the same period, ANSSI recorded 1,361 cybersecurity incidents across all sectors. Many breaches originated in vendor or subcontractor systems—highlighting how interconnected risk has become the norm, not the exception.
ANSSI’s cyber threat landscape confirms that organised criminal groups and state-affiliated actors continue to elevate the sophistication of their operations—from ransomware campaigns to espionage targeting critical infrastructure.
Key Insight: Attacks in France are neither rare nor isolated. A single breach can rapidly cascade into regulatory, legal, and economic consequences across multiple business units simultaneously.
The 7 Most Common Cyber Mistakes of French Executives
1. Treating Cybersecurity as a Purely Technical Function
Delegating cybersecurity entirely to IT teams weakens organisational resilience and creates direct regulatory exposure. French regulators expect cyber risk to be owned at board and executive level, with visibility into risk registers, test results, and mitigation strategies.
2. Underestimating Subcontractor Risk
Many major breaches involve third parties whose security practices do not meet their clients’ standards. NIS2 and GDPR both mandate active management of extended supply chain risks. Executives must ensure subcontractor compliance is regularly assessed, monitored, and contractually enforced—not assumed.
3. Unsecured Cloud Deployments
Cloud environments are at the heart of modern business operations—but misconfigured services expose sensitive data and critical systems. ANSSI guidance emphasises encryption, access control, and continuous monitoring of cloud configurations as non-negotiable elements of a robust cybersecurity posture.
4. Failure to Document Compliance Decisions
CNIL and ANSSI look for living evidence and traceable decisions—not corporate policies filed away in a drawer. Documentation must show decisions made, responsibilities assigned, tests conducted, and risk treatment outcomes in an easily auditable form.
5. Late Breach Notification
Under GDPR, organisations must notify the CNIL within 72 hours of becoming aware of a personal data breach. Late or inadequate notification exacerbates regulatory exposure and signals fundamental weakness in incident response capability.
6. Ignoring the Human Factor
Human error remains a major contributing factor to breaches. Without ongoing, documented, and measurable staff training and phishing simulations, organisations remain structurally vulnerable, no matter how robust their technical controls.
7. Treating Compliance as a One-Time Exercise
Compliance is not an annual audit. It is a continuous posture. Organisations that treat NIS2, GDPR, and DORA obligations as one-off exercises will never meet regulatory expectations and will be caught flat-footed during incidents.
What French Regulators Expect to See
Documented Risk Mapping
French NIS2 guidance demands comprehensive and auditable risk mapping—covering threats, vulnerabilities, controls, and residual exposure across internal systems and all third-party relationships.
Evidence of Executive Oversight
Regulators expect records of risk review meetings, board decisions on cybersecurity priorities, and documented active oversight of compliance programmes. “We discussed it” is not enough. “Here’s the decision record” is.
Tested Business Continuity Plans
CNIL and ANSSI guidance both stress that business continuity and incident response plans must be regularly tested—with clear criteria, cross-functional participation, and documented outcomes. An untested plan is not a plan.
Staff Awareness Programmes
Human error is a major factor in breaches, and regulators expect ongoing, documented, and measurable staff training and awareness programmes with effectiveness metrics.
How to Prepare for a CNIL or ANSSI Audit
Preparing for a regulatory audit isn't a one-time exercise—it requires building continuous evidence cycles. Organisations that are truly audit-ready do four things consistently:
- Maintain a documented compliance cycle capturing risk assessments, mitigation actions, and control test results.
- Keep versioned logs with clear ownership of all risk and compliance artefacts.
- Conduct internal audits and simulated reviews to identify and close gaps before regulators do.
- Align GDPR breach management processes with NIS2 incident reporting expectations as transposition progresses.
Immediate Actions French Leadership Teams Must Take This Quarter
- Review and update your cyber risk register—with clear ownership and documented, measurable controls.
- Audit subcontractor security practices—and embed third-party risk monitoring into your enterprise risk management framework.
- Test incident response and business continuity plans—with senior stakeholder presence, not just IT teams.
- Document all compliance decisions—and feed them into regular board reporting cycles.
- Launch a fresh staff awareness and phishing simulation programme—to systematically reduce human factor risk.
CNIL Enforcement Trends & Sectoral Priorities
French organisations will operate in an increasingly active enforcement environment through 2026-2028. The CNIL has already demonstrated a firm regulatory stance, issuing hundreds of decisions and significant fines in 2025-2026 for breaches involving inadequate security measures and poor incident disclosures (Source: CNIL – Sanctions and decisions). For executives and compliance officers, the message is direct: regulators are not just monitoring privacy controls—they are directly linking security failures and poor breach management to tangible, measurable consequences.
The Intersection of GDPR, NIS2, and AI Regulation
Alignment with the AI Act
The EU AI Act reshapes compliance obligations in France and across the EU. High-risk AI systems must comply by August 2026, with rolling deadlines through 2027 (Source: EU AI Act). Organisations deploying AI for content moderation, automated decision-making, customer profiling, or critical infrastructure management must align their usage with robust governance policies, risk assessments, human oversight mechanisms, and documentation standards.
Many AI systems in operational use already fall under the “high-risk” category—meaning compliance readiness needs to be demonstrated precisely when GDPR, NIS2, and AI Act obligations converge.
Cybersecurity Obligations for High-Risk AI Systems
The AI Act builds directly on existing cyber and privacy laws by adding specific cybersecurity, risk assessment, and documentation obligations for high-risk AI systems. These include risk assessments, resilience controls, evidence of robust datasets, and continuous security monitoring aligned with GDPR’s data protection mandates (Source: AI Act – High-risk systems).
Enhanced Reporting and Transparency Obligations
Alongside AI-specific obligations, reporting and transparency requirements are tightening across the board. Operators of high-risk AI and critical services under NIS2 must adopt stricter reporting timelines—including rapid incident alerts and detailed transparency on system design and risk mitigation measures. This reflects a broader EU trend towards near-immediate reporting for regulated technology incidents with national and cross-border impacts.
Why Operational Managers & CISOs Face Increased Scrutiny
CISOs, DPOs, and risk managers operate under heightened regulatory and executive scrutiny—because compliance risk now simultaneously intersects multiple frameworks: GDPR, NIS2, the AI Act, and sector-specific rules like DORA. This convergence puts pressure on operational managers to demonstrate not just compliance documentation, but also evidence of effective, traceable controls, incident readiness, and continuous preventative actions.
Regulators are increasingly treating cybersecurity and privacy as corporate governance issues, not isolated technical functions. Board-level committees in France — especially in finance, healthcare, and digital services sectors — are demanding proactive roadmaps, compliance dashboards, cross-functional documentation, and risk trend analysis spanning all relevant regulatory domains.
Building a Proactive Cyber Compliance Culture in French Organizations
Executive Cyber Training
Boards and senior teams must engage in continuous cyber and regulatory training programs that go well beyond basic awareness. Effective programs address regulatory understanding (GDPR, NIS2, AI Act), incident response leadership, risk-based decision-making, and scenario planning. This equips senior decision-makers to speak the same compliance language as their technical teams — and act decisively when regulators come calling.
Cross-Functional Accountability
Cyber and privacy compliance must span all departments — legal, security, operations, procurement, and product development. Clear role assignments, documented workflows, and traceable evidence of control implementation create the accountability frameworks French regulators are increasingly expecting to find.
Continuous Risk Monitoring & Reporting
Compliance is no longer a point-in-time exercise. It demands continuous monitoring of cyber posture, frequent control reviews, automated evidence capture, and real-time reporting mechanisms. This aligns directly with NIS2's emphasis on continuous resilience and transparency — and with the AI Act's future reporting obligations as high-risk systems become operational.
Turning Cyber Risk Management into a Strategic Advantage in the French Market
Forward-thinking French organizations are turning regulatory compliance into a genuine competitive differentiator. When companies demonstrate not only risk mitigation, but also robust governance, transparent reporting, and the integration of cyber into strategic planning, they build customer trust, attract investor interest, and reduce the risk of operational disruption.
In a market like France — where data protection standards are high, enforcement is active, and trust is a business asset — a proactive compliance culture isn't purely a defensive posture. It's a business advantage.
Key Insight: The organizations that will lead in the French digital economy are not those that avoid cyber incidents entirely — they are the ones that can demonstrably prove they are prepared to handle them.
Frequently Asked Questions
Q1. What is the difference between NIS2 and GDPR, and do both apply to my organization?
They serve different but complementary purposes. GDPR governs how you protect personal data and applies to virtually any organization processing EU residents' data. NIS2 focuses on cybersecurity governance and incident reporting for critical sectors — energy, healthcare, finance, transport, and digital infrastructure. If you operate in a regulated sector and process personal data, then both apply simultaneously. In short: GDPR covers how you protect data; NIS2 holds your management body accountable for ensuring that your cyber governance meets the required standard. (Source: NIS2 Directive) (Source: GDPR Full Text)
Q2. As an executive, can I be personally liable for a cyber incident?
Yes. NIS2 explicitly places responsibility on the “management body” to approve and oversee cybersecurity measures. If governance failures contribute to a serious incident, executives can face personal fines and — in some jurisdictions — temporary bans from executive roles. The best protection is a documented audit trail: board decisions, tested plans, and active risk oversight. (Source: NIS2 Directive – Article 20)
Q3. What must we do within 72 hours of discovering a data breach?
The clock starts ticking the moment anyone in your organization becomes aware of the breach — not when senior management is formally informed. Within this timeframe, notify the CNIL unless the breach is unlikely to result in a risk to individuals. Your notification must cover: the nature of the breach, categories and number of data subjects affected, likely consequences, and measures taken. Always document the breach internally, even if you decide not to notify. (Source: GDPR Article 33) (Source: CNIL – Breach Notification)
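The 72-hour workflow described in this answer and in the GDPR enforcement section above is a decision procedure, and the following Python helper is an added illustration of it (not code from the original guide, the CNIL or ANSSI): it always records the breach internally, requires a CNIL notification unless the risk to individuals is assessed as unlikely, adds direct notification of individuals when the risk is high, computes the deadline from the moment of awareness, and flags any of the four required content elements still missing from the draft notification. The breach reference, timestamps and draft content are constructed placeholders.

```python
"""Breach-notification triage helper (added example, not the page's own tooling)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

# GDPR Art. 33 window: 72 hours from the moment the organisation becomes aware.
NOTIFICATION_WINDOW = timedelta(hours=72)

# Elements a CNIL notification must cover, as listed in the guide's Q3 answer.
REQUIRED_FIELDS = ("nature", "data_subjects", "likely_consequences", "measures_taken")


class RiskLevel(Enum):
    """Outcome of the risk assessment for the individuals concerned."""
    UNLIKELY = "unlikely"  # unlikely to result in a risk: record internally only
    RISK = "risk"          # a risk: notify the CNIL
    HIGH = "high"          # a high risk: notify the CNIL and the individuals


@dataclass(frozen=True)
class BreachRecord:
    reference: str       # internal reference (placeholder value in the sample)
    aware_at: datetime   # when anyone in the organisation first became aware
    risk: RiskLevel
    notification: dict   # draft content of the CNIL notification


@dataclass(frozen=True)
class TriageResult:
    reference: str
    actions: tuple         # ordered list of required actions
    cnil_deadline: datetime
    hours_remaining: float  # negative once the window has elapsed
    overdue: bool
    missing_fields: tuple   # required notification elements not yet drafted


def triage_breach(record: BreachRecord, now: datetime) -> TriageResult:
    """Apply the notification decision rule and the 72-hour clock to one breach."""
    actions = ["document_internally"]  # always, even when no notification follows
    if record.risk is not RiskLevel.UNLIKELY:
        actions.append("notify_cnil")
    if record.risk is RiskLevel.HIGH:
        actions.append("notify_data_subjects")
    deadline = record.aware_at + NOTIFICATION_WINDOW
    remaining = (deadline - now).total_seconds() / 3600
    missing = tuple(f for f in REQUIRED_FIELDS if not record.notification.get(f))
    return TriageResult(record.reference, tuple(actions), deadline,
                        remaining, remaining < 0, missing)


def decision_log_entry(result: TriageResult, decided_by: str, decided_at: datetime) -> dict:
    """Flatten a triage result into the kind of auditable decision record regulators ask for."""
    return {
        "reference": result.reference,
        "decided_by": decided_by,
        "decided_at": decided_at.isoformat(),
        "actions": list(result.actions),
        "cnil_deadline": result.cnil_deadline.isoformat(),
        "overdue_at_decision": result.overdue,
        "open_items": list(result.missing_fields),
    }


# Constructed sample: awareness on a Monday morning, draft notification still
# missing the 'measures_taken' element.
SAMPLE_AWARE_AT = datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc)
SAMPLE_DRAFT = {
    "nature": "credentials of a payroll integration account used to export HR records",
    "data_subjects": "employees, approx. 1,200",
    "likely_consequences": "identity fraud, exposure of salary data",
}


def run_sample(hours_elapsed: float, risk: str = "high") -> TriageResult:
    """Triage the constructed sample as seen `hours_elapsed` hours after awareness."""
    record = BreachRecord("BR-PLACEHOLDER-0001", SAMPLE_AWARE_AT, RiskLevel(risk), SAMPLE_DRAFT)
    now = SAMPLE_AWARE_AT + timedelta(hours=hours_elapsed)
    return triage_breach(record, now)


if __name__ == "__main__":
    result = run_sample(24)
    print(decision_log_entry(result, "DPO (placeholder)", SAMPLE_AWARE_AT + timedelta(hours=24)))
```

The point of `decision_log_entry` is the "decision record" the guide keeps returning to: whatever the outcome, the triage produces a dated, attributed artefact showing who decided what, against which deadline, and which items were still open at the time.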
Q4. How do I know if my organization is in scope for NIS2?
NIS2 covers two tiers — “essential” entities (energy, transport, banking, healthcare, digital infrastructure, public administration) and “important” entities (postal services, food production, manufacturing, digital providers). Medium and large organizations in these sectors — typically 50+ employees or €10M+ revenue — are generally in scope. When in doubt, assume you are and prepare accordingly. The cost of under-preparation far outweighs the cost of proper preparation. (Source: NIS2 Directive – Annexes)
Q5. What is DORA, and does it apply to us if we aren't a bank?
DORA applies more broadly than many think. It covers banks, insurers, investment firms, payment institutions — and crucially, third-party ICT service providers that serve the financial sector. If your organization provides IT services, cloud infrastructure, or software to financial entities, DORA may apply to you directly as a “critical ICT third-party provider,” even without being a financial institution. It's enforceable as of January 2025. (Source: DORA – EU Regulation 2022/2554)
Q6. What does the AI Act require from a cybersecurity perspective?
High-risk AI systems — those used in critical infrastructure, employment, credit scoring, biometrics, law enforcement, or essential services — must meet specific obligations: risk assessments, technical resilience measures, data governance, detailed documentation, and human oversight. These requirements must align with your existing GDPR and NIS2 obligations. AI governance cannot be isolated from your cyber risk framework. High-risk systems must comply by August 2026. (Source: EU AI Act)
Q7. We have an incident response plan — is that enough?
No. A plan that's never been tested is a document, not an operational capability. Both the CNIL and ANSSI expect you to prove your processes work under pressure — that escalation paths are understood, the 72-hour workflow is drilled, and communications are coordinated. Conduct tabletop exercises and technical simulations at least twice a year, involve senior stakeholders, and document the outcomes.
Q8. How do we manage the cyber risk from our vendors and subcontractors?
Start before onboarding: conduct security assessments of critical vendors, embed contractual clauses covering minimum controls, notification obligations, and audit rights, and tier vendors by risk level. After onboarding, monitor their posture continuously — not just at contract renewal. NIS2 explicitly demands supply chain security within your risk management obligations. A vendor's weakness is your organization's risk. (Source: NIS2 Directive – Article 21)
Q9. What does an audit from the CNIL or ANSSI actually look like?
A CNIL audit typically starts with a formal request for documentation — processing records, impact assessments, breach logs, security policies, and training evidence — followed by potential onsite visits. ANSSI engagements are more technical, focusing on network architecture, access controls, and incident response. Both are looking for the same thing: not just policies, but traceable, tested, and actively governed evidence. (Source: CNIL – Sanctions and Decisions)
Q10. What is the single most important action an executive can take right now?
Own it. The most common governance failure is treating cyber as someone else's problem — usually IT's. The moment a board formally adopts a cyber risk appetite, reviews a risk register, and demands evidence of tested controls rather than policy documents, the posture of the entire organization improves. It's not about technical expertise — it's about governance habits. Set the agenda, ask the right questions, and demand evidence, not assurances. (Source: NIS2 – Article 20)