French Companies Struggle with Cybersecurity Reality Check

A sweeping new study by Cybervadis and CESIN of 1,000 firms finds most have solid policies but weak proof. As Europe's cybersecurity regulation NIS2 expands oversight to thousands more companies, the gap between compliance on paper and verifiable protection is now a national competitiveness issue.

As Europe's cybersecurity leaders gathered at the Monaco summit this week, a sobering new report reveals a troubling gap between what French companies say they're doing to protect themselves from cyber threats and what they can actually prove.

The study, produced by French cybersecurity assessment firm Cybervadis in partnership with CESIN, France's leading cybersecurity professionals association, analyzed over 1,000 French companies and found that while many have the right policies on paper, implementation remains patchy at best.

"What we bring to the market, the new thing we are doing, is that we perform evidence-based assessment at scale," said Thibault Lapedagne, who leads Cybervadis's 40-person analytics team and helped design the company's assessment framework.

Unlike traditional security ratings that rely on external scanning, Cybervadis requires companies to back up their claims with documentary proof—screenshots of configurations, log extracts, and other concrete evidence that security measures are actually working.

The timing is critical. The European Union's NIS2 directive, which dramatically expands cybersecurity requirements to thousands of previously unregulated companies, is already in force at the European level. However, transposition in France has been slower than hoped because of government instability.

The Regulation Divide

The report reveals a stark stratification in cybersecurity maturity. In the context of the NIS2 directive, "Essential" and "Important" are two tiers of classification that determine which companies fall under the regulation's cybersecurity requirements.

Essential entities are organizations deemed most critical to a country's functioning and security. These typically include:

  • Critical infrastructure operators (energy, transportation, healthcare, water)
  • Financial services
  • Digital infrastructure providers

Many of these companies were already regulated under the previous NIS1 directive.

Important entities are organizations whose disruption would still have significant impact, but perhaps not as immediately catastrophic. NIS2 dramatically expanded this category to include many sectors that weren't previously regulated, such as:

  • Many manufacturing companies
  • Postal and courier services
  • Food production and distribution
  • Chemical production
  • Digital service providers
  • And many others across various business sectors

The scale of this expansion is massive: France went from regulating "several hundreds of companies" under NIS1 to "several thousands" under NIS2.

In the study, companies classified as "Essential" under NIS2 scored an impressive 817 out of 1,000 on Cybervadis's maturity scale. However, as Lapedagne noted, this is largely because they've been dealing with regulations for years.

"Important" companies are newly brought under regulation and lag behind at 719. Those outside the regulatory scope score just 652.

Perhaps more telling than the overall scores are the specific areas where companies struggle. The study identified mobile device security and third-party risk management as particularly weak spots—areas that are increasingly critical as work becomes more distributed and supply chains more complex.

One of the report's most striking findings is the persistent gap between what companies document and what they actually do.

Take multi-factor authentication for remote access: while 88% of Essential companies can prove they've formalized a policy, only 73% can demonstrate it's actually implemented. For "Important" companies, the implementation rate drops to just 51%, and for those outside NIS2's scope, a mere 30% can show they're using strong authentication.

The mobile device problem is even worse. While 78% of Essential entities have formalized mobile security policies, only 21% can prove they're enforcing strong authentication for accessing company resources via smartphones and tablets.

Where the Money Goes

Log monitoring presents another instructive case study. Capturing logs—the digital breadcrumbs that record system activity—is relatively straightforward. But as Lapedagne observed, "It's easy to capture logs. Then what do we do? If you do nothing, it doesn't bring much."

The monitoring challenge is "quite a challenge because the solutions are a bit expensive, but also you need to set up tools, and you might need people to manage those," he said. For smaller companies newly brought under NIS2, this represents both a technical and financial hurdle.

The report identifies ecosystem management—overseeing the security of suppliers and partners—as particularly problematic.

Lapedagne said of newly regulated companies: "There is a big challenge on awareness, on support, on expertise, like bringing expertise on some specific areas."

Silver Linings

There is good news in the data. Companies that underwent reassessment after 12 months showed significant improvement, particularly those starting from a lower baseline. Small and medium enterprises that took the initial assessment seriously improved their scores by 19-25%, suggesting that awareness itself can drive meaningful change.

Governance structures are generally solid, with most companies having formalized security policies. Incident response processes are well-established, with 96% of Essential companies and 85% of Important ones able to demonstrate formal procedures.

As the Monaco summit spotlighted cybersecurity challenges facing Europe, Lapedagne was pleased to note that the Cybervadis-CESIN report was referenced by the event's director. For the thousands of French companies now racing to meet NIS2 requirements, the report's message is clear: policies are a start, but proof of implementation is what truly matters.

The Support Gap

Recognizing these challenges, French authorities and industry groups are beginning to establish support mechanisms. Lapedagne's company is in discussions with France's Cyber Campus, a government-backed initiative, "to collaborate in order to allow all those important companies to work towards compliance."

But the first step, he argued, is simply knowing where you stand. "It starts with the first maturity assessment, which is what we do. Knowing where you stand, and then, for the first time, having an action plan."