Publications

Cyber defence is built before the incident, not enforced after it

2026-07-02 · NIS 2 · DORA · Cyber Resilience Act

ANSSI is navigating four legal regimes at once, together with an expansion from roughly 500 regulated entities to between 10,000 and 15,000. Because enforcement and remediation act only after an incident, real-time cyber defence cannot come from enforcement; it comes from capacity built ahead of need. This is the case for private actors educating, training and tooling ahead of demand, in service of a shared goal rather than a blame game.