NIS 2 · DORA · Cyber Resilience Act

Cyber defence is built before the incident, not enforced after it

France's national cyber agency is navigating four legal regimes and a twentyfold expansion of its remit at once. Because enforcement can only act after an event has happened, defending an ecosystem this much larger depends on training, tooling and staffing capacity built ahead of need, by every actor able to build it.

In a June 2026 interview with the French technology outlet Clubic, ANSSI director general Vincent Strubel described a cyber governance agenda that is striking less for any single item on it than for how many demanding items sit on it at once (Belfiore 2026). In the same conversation he addressed the future of encryption and lawful access, the qualification of cloud providers, a post-quantum migration running years into the next decade, a newly created coordinating body for digital governance, and a directive that will multiply the population of regulated entities by a factor of twenty or more. Read carefully, the interview is less a status report than a portrait of a difficult position held with composure, and it points to something structural about cyber defence that is worth stating plainly. Enforcement and remediation, by their nature, act after the fact. They can shape what happens next, but they cannot undo the incident that prompted them. That single observation reframes the entire question of how a much larger regulated population is actually going to be defended, and it suggests that the useful response from private capability is not to wait to be engaged, but to build capacity ahead of need toward a goal everyone in the field already shares.

The regulatory landscape, and who actually holds each mandate

French and European Union cyber governance now spans four overlapping legal instruments, and, importantly, no single authority holds all four. The LPM (loi de programmation militaire) and NIS 2 (the second Network and Information Security Directive) sit within ANSSI's own direct mandate. DORA (the Digital Operational Resilience Act) supervision in France sits with the ACPR (Autorité de Contrôle Prudentiel et de Résolution) for banks and insurers and the AMF (Autorité des Marchés Financiers) for asset managers and market infrastructures (Autorité de contrôle prudentiel et de résolution 2026; Autorité des marchés financiers 2026). Market surveillance under the CRA (Cyber Resilience Act) sits with the ANFR (Agence Nationale des Fréquences), with ANSSI acting only as the notifying authority responsible for accrediting conformity assessment bodies, a role distinct from market surveillance itself (ANFR 2026; ANSSI 2026a). As the operational baseline for NIS 2 compliance, ANSSI published the ReCyF (Référentiel Cyber France, version 2.5) on 17 March 2026, setting twenty mandatory security objectives (Ledieu-Avocats 2026).

This mapping matters for a practical reason and a fair one. Practically, a reader moving between four frameworks needs to know which authority to approach for which question. Fairly, it establishes that ANSSI is coordinating a national posture across regimes it does not individually control, which is part of what makes its position difficult rather than deficient.

The shape of a hard, multi-front mandate

The most accurate way to read the Strubel interview is as a description of concurrency. Several demanding programmes are live at the same moment, each on its own clock. The encryption and lawful-access question is one that Strubel himself characterises as ultimately political rather than technical, which places its resolution outside any agency's engineering control and inside the slower machinery of legislation and public debate (Belfiore 2026). The post-quantum migration is a multi-year cryptographic transition that touches every organisation holding long-lived confidential data. The creation of a new coordinating body signals an attempt to consolidate digital governance rather than let it fragment further. And running underneath all of it is the NIS 2 scope expansion, which Strubel puts at a move from roughly 500 regulated entities to an estimated 10,000 to 15,000 (Belfiore 2026).

Any one of these would be a substantial programme on its own. Carried together, across regimes only two of which ANSSI directly controls, they describe a mandate that is genuinely hard to hold well. ANSSI has been candid and consistent about how it holds it: through an accompaniment-first, guidance-led posture rather than the fiction of an agent stationed behind every server. That is a rational choice under real constraints, and this piece takes it as exactly that, a legitimate strategy for a difficult brief, not evidence that anything is missing.

Enforcement is reactive by construction

From that mandate follows an observation that is structural rather than evaluative. Enforcement and remediation are, by their nature, things that happen afterward. An audit finding documents a state that already exists. A sanction responds to a breach that has already occurred. A remediation order restores a system that has already failed. Each of these instruments is valuable, and each shapes future behaviour, but none of them can reach backward and prevent the event that triggered it. This is not a property of ANSSI or of any particular regulator. It is a property of enforcement itself.

The corollary is worth stating directly, because it is easy to miss. ANSSI is not, and structurally cannot be, a remediation agency in the sense of a body that defends systems in the moment an attack is underway. No enforcement authority can be. Real-time cyber defence, the actual detection, containment and recovery that happens while an incident is live, is carried out inside the affected organisations and by the practitioners and tools they have on hand at that moment. Enforcement sets the standard those organisations are held to. It does not, and cannot, stand in for the capability they need when the standard is tested. Recognising this is not a criticism of how much anyone enforces. It is a clarification of what enforcement is for.

What defending a twentyfold-larger ecosystem requires

Put the two previous points together. The population of entities expected to defend themselves is growing by a factor of twenty or more, and the primary instrument the state can bring to bear, enforcement, is by construction unable to do the defending itself. Defence in practice therefore depends on something enforcement cannot manufacture on demand: capacity. People who can implement and operate controls. Tools that make evidence continuous rather than assembled in a scramble before an audit. Training that reaches an organisation before it finds itself in scope rather than after. And all of it has to exist ahead of need, because capability built after an incident is, by definition, built too late for that incident.

Public guidance is a real part of this response and should be credited as such. ANSSI's own accompaniment materials under ReCyF, including guidance documents, webinars and a training obligation written into the referential, are aimed squarely at helping organisations build capacity before enforcement dates arrive (ANSSI 2026b). But the arithmetic of a twentyfold expansion is unforgiving, and no single institution, however well run, can supply the entire training, tooling and staffing curve for an ecosystem that size on the timeline the regulation sets. That is not anyone's failing. It is a shared problem, and it is best treated as one.

The benevolent partner: building capacity without waiting to be asked

This is where private capability has a role that does not depend on being hired to play it. A firm with training content, with tooling, or with skilled practitioners has a reason to invest in building and sharing that capacity now, independent of any specific contract, audit engagement or regulatory trigger, for a simple reason: the shared goal, cyber defence that actually functions across an ecosystem twenty times larger than it was, is served by that investment regardless of who ultimately pays for what. A partner who acts on that reasoning, contributing capacity because the problem is real rather than because a transaction is on the table, is what this piece means by a benevolent partner. The word is meant literally, not decoratively. The test of it is whether the contribution is useful to an organisation whether or not that organisation ever becomes a customer.

Cambridge Cyber International (CCI) intends to act as one such partner, and is candid that it is one contributor among many who could and should. Its stance is deliberately simple: educate, train and tool, rather than assign blame. In practice that resolves into two things it has already built. The first is its Academy, whose training is useful to any organisation building the cyber skills its teams will need, regardless of where that organisation later sources the rest of its capability. The second is the CySSURANCE suite, which carries the same idea onto the tooling side by bringing a range of readiness functions into one place: automated evidence collection, enterprise architecture modelling, resilience calculation, financial loss evaluation, staffing assessment, information and communication technology (ICT) exercises, prioritised remediation, vendor management, audit preparation, and board-level dashboards. Taken together, education, training and tooling answer the audit-readiness and workforce burdens that the scope expansion multiplies, which is precisely the work that has to be done ahead of need rather than after an incident. These are named here as an instance of the argument, not as its purpose. The argument stands whether the reader engages CCI, engages one of its peers, or builds the capacity entirely in house.

Counterarguments and limitations

The obvious objection is that a firm describing its own offerings as benevolent contribution is simply advertising with better manners. The objection deserves a real answer rather than a reassurance. The answer is a test the reader can apply: does the contribution help an organisation that never buys anything? Training that raises a team's readiness whether or not it leads to a contract, guidance that is accurate whether or not it is monetised, and honesty about when a competitor or an in-house build is the better fit, all pass that test; a resource that is useless unless purchased fails it. Readers are entitled to hold this piece, and CCI, to that standard.

A second objection is that private capability cannot substitute for public authority, and it should not try. This is correct, and nothing here proposes it. The argument is complementary, not substitutive. ANSSI's mandate, standard-setting and coordination are precisely the things private actors cannot and should not provide. The claim is narrower: that the real-time defence enforcement cannot perform is built from capacity, and that capacity can and should be contributed from more than one direction.

A third and more prosaic limitation concerns the source. An interview is not a legal instrument, and specific figures and dates, including the exact scope numbers and the status of the NIS 2 transposition law, should be cross-checked against primary texts once they are final. The transposition timetable in particular sits with the French Parliament rather than with any executive agency. None of this changes the structural argument, which does not rest on any single date, but it is a reason to verify particulars before acting on them.

Practice or policy implications

For a board or CISO, the practical consequence of treating defence as something built ahead of need rather than enforced after the fact is a change in sequencing. Capacity decisions (who is trained, what tooling makes evidence continuous, how staffing scales) move earlier, ahead of the enforcement date rather than in response to it. Concretely, that means beginning workforce readiness before scope inclusion is confirmed, treating continuous evidence collection as a standing capability rather than a pre-audit sprint, and planning staffing against a labour market that will be tightest exactly when the largest cohort of newly regulated entities reaches for the same skills.

For private actors with relevant capability, the implication is an invitation to contribute ahead of demand: to make education, training and tooling useful independent of a sale, and to be plain about it. CCI's Academy and its CySSURANCE suite are offered in that spirit, as options among several rather than as the only path, and the choice of provider matters far less than the fact of building capacity before it is needed.

For the public-private relationship as a whole, the implication is a change of register. The productive frame is a shared goal, cyber defence that works in practice, rather than a ledger of who did or did not do enough. Its practical expression is straightforward: educate, train and tool ahead of need, rather than apportion blame after the fact. Enforcement and contribution are not competitors. They are different parts of the same undertaking.

Conclusion

ANSSI is holding a genuinely difficult brief: four legal regimes, a political debate it cannot resolve alone, a multi-year cryptographic migration, a new coordinating body, and a regulated population growing twentyfold. It is holding that brief with a coherent, guidance-first strategy chosen under real constraints. Reading its position honestly leads to a structural conclusion rather than a critical one: because enforcement can only act after an incident, the defence that matters in the moment is built beforehand, out of capacity that has to exist ahead of need. That capacity is a shared problem, larger than any single institution, and it is best met by everyone able to contribute to it, from more than one direction, in service of a goal the whole field already holds in common. The useful posture for private capability, then, is not to wait to be engaged but to build and share ahead of demand, expecting nothing in particular in return, because a better-defended ecosystem is the return. Cyber defence is built before the incident. The work worth doing is the building.

Where to start

If your teams are building cyber readiness for what is coming, CCI Academy is an open starting point, whether or not you ever work with CCI further. Its training is useful on its own terms. Consider it an open door rather than a destination.

References

Agence Nationale des Fréquences (2026). Cyber Resilience Act. https://www.anfr.fr/proteger/equipements-radio-electriques/cyber-resilient-act

ANSSI, cyber.gouv.fr (2026a). Cyber Resilience Act. https://cyber.gouv.fr/reglementation/cybersecurite-des-produits/cyber-resilience-act/

ANSSI, cyber.gouv.fr (2026b). NIS 2 : l'ANSSI poursuit et renforce sa dynamique d'accompagnement. https://cyber.gouv.fr/actualites/nis-2-lanssi-poursuit-et-renforce-sa-dynamique-daccompagnement/

Autorité de contrôle prudentiel et de résolution (2026). FAQ sur la directive et le règlement DORA. https://acpr.banque-france.fr/fr/reglementation/focus-sur-la-reglementation/transverse/digital-operational-resilience-act-dora/faq-sur-la-directive-et-le-reglement-dora

Autorité des marchés financiers (2026). The Regulation on Digital Operational Resilience in the Financial Sector (DORA). https://www.amf-france.org/en/news-publications/depth/dora

Belfiore, G. (2026). Chiffrement vs Police : "Le choix sera politique", prévient le patron de l'ANSSI. Clubic. https://www.clubic.com/dossier-618682-interview-anssi.html

Ledieu-Avocats (2026). ANSSI, projet de décret NIS2 "mesures techniques" v2.5, ReCyF du 17 mars 2026. https://ledieu-avocats.fr/anssi-projet-decret-nis2-mesures-techniques-v2-5-recyf-du-17-mars-2026/
