Cybersecurity governance & compliance
With the massive increase in cyber attacks and the strengthening of the regulatory framework, companies need to drastically strengthen their cybersecurity governance and treat these regulatory constraints as an opportunity to increase their competitive advantage.
How should you build your cybersecurity to meet your challenges?
With increasingly high costs for businesses and significant economic and societal impacts, cyber risks have gradually become established among the priorities of CIOs and risk management functions.
Cybersecurity has also become a priority for European Union countries, which are stepping up their directives and regulations in this area. The companies and organizations concerned have every interest in organizing themselves to strengthen their cybersecurity governance, ensure their IT resilience and thus transform regulatory constraints into a competitive advantage.

Key figures for cyber damages in France
- 2 Bn€: overall cost of successful cyber attacks in France in 2022
- 385 000: number of cyberattacks against public and private organizations with an operational and/or financial impact in 2022
- 15 M€: average cost of expenses and losses following a cyber incident for large companies
Sources: Statistical evaluation, Astérès (20-06-2023), and “Risques cyber analyse de la sinistralité : quels enseignements?”, Bessé and Stelliant (10-2022)
Noting the heterogeneous level of preparation of companies, the European Union has acknowledged the cyber risk and the need to strengthen IT security not only in the financial sector, but also in all activities considered strategic for the economy and society (energy, water, health, telecoms, transport, etc.). This applies in an end-to-end approach, including in particular suppliers of information and communication technologies (ICT).
Through new directives and regulations (NIS2, DORA…), the EU aims to enhance the IT resilience capacity of companies. The EU and the European Supervisory Authorities (ESAs) intend to shift the approach to operational risk management from one focused on risk prevention and loss limitation to a more comprehensive and proactive approach. Preventing cyberattacks is unrealistic, but companies must prepare to address them and ensure the continuity of critical or important activities and services.
Before the implementation of NIS2 in October 2024 and DORA in January 2025, the affected companies must swiftly initiate a compliance process based on the following transformation pillars.
Acculturation and Governance
Cybersecurity must become a priority area of governance for company management to ensure corporate compliance. Training of senior management and employees, and creation of a culture of IT security are key to compliance.
Technical trajectory
Identify and address the technical components that need to be secured to guarantee enhanced security against attacks and the IT resilience of the company.
Legal
Review all requirements and documents to be included in existing and future contracts with suppliers. Keep abreast of regulatory changes and the control procedures of the European Supervisory Authorities (ESAs).
Organization and processes
Incorporate the recommendations of the ISO 27001 standard, taking into account the expectations of the European Supervisory Authorities (ESAs) regarding the formalization of processes and procedures.
Monitoring Tests and Audits
Organize and conduct penetration tests. Structure and implement ICT monitoring and penetration testing, and ensure the company's auditability in cybersecurity and resilience.
Collaboration and communication
Break out of the culture of secrecy in the face of attacks. Organize and anticipate crisis management. Develop collaboration and active communication between companies and with the ESAs in the event of an incident.
Requirements will be proportional to company size and criticality. The burden of proof will lie with the company. If a company fails to comply, the penalties provided for by law and envisaged by authorities such as ANSSI could be considerable. For example:
- heavy fines corresponding to a percentage of sales;
- temporary withdrawal of the right to do business;
- temporary suspension of the right to exercise managerial responsibilities at CEO level…
Regulatory authorities will also reserve the right to publish sanction decisions.
Faced with these obligations, companies will be able to seize the opportunity and transform the regulatory constraint into a commercial asset, to be promoted at both B2B and B2C levels. For example, proven resilience will become a key argument of choice for customers of information and communication technology (ICT) providers or financial institutions.
Because cybersecurity is not just an IT problem but a business issue, our multidisciplinary team and our partners, technical specialists in cybersecurity, enable us to address your ambitions and challenges.
We offer customized support tailored to your context, your business and your objectives:
How we can help
- Carry out a NIS2 or DORA Flash Compliance Diagnostic: establish the current state of affairs and measure the compliance effort required, using a structured, industrialized approach based on proven tools and questionnaires.
- Define your cyber compliance strategy: design the target in terms of cyber governance and compliance, and design a progressive and realistic implementation plan.
- Manage your compliance program: coordinate all the players involved in the project (management, business units, IT teams, legal teams, suppliers, auditors, etc.).