ECP vs ReCyF (France): CyFun vs the French NIS2 Framework
ReCyF (Référentiel Cyber France) is ANSSI's official NIS2 compliance framework for French entities — a government-issued document that defines 15 security objectives for important entities and 20 for essential ones, published in March 2026. Easy Cyber Protection is a CyFun audit-readiness platform sold to Belgian MSPs. Both sit in the NIS2 compliance space, but for different countries and different delivery models. Note: Tom's April 2026 LinkedIn post referred to this framework informally as "CyDeF" — the official ANSSI name is ReCyF.
At a glance
| ReCyF (France) | Easy Cyber Protection / CyFun | |
|---|---|---|
| Owning authority | ANSSI — Agence nationale de la sécurité des systèmes d'information | CCB — Centre pour la Cybersécurité Belgique (ECP implements CyFun) |
| Published / last version | v2.5, March 17, 2026 (working document) | CyFun 2025 (aligned with NIST CSF 2.0) |
| Legal status | Non-mandatory today; becomes binding when Loi Résilience is enacted (expected H2 2026) | Operational — Belgian CCB-issued NIS2 compliance path; audits running |
| Entity coverage | ~10,000–15,000 French enterprises in 18 sectors | Belgian entities registered under NIS2 (CCB portal) |
| Structure | 15 objectives (Important Entities) + 20 objectives (Essential Entities) | 4 tiers: Small, Basic, Important, Essential — each with YAML-implemented controls |
| Certification / assessment | ANSSI inspections — no separate accredited certification body; ISO 27001:2022 recognized as means of compliance | CAB audit by accredited body; ECP generates signed .ecpbundle.zip audit bundle |
| Compliance cost | €100–200K initial (Important Entities); €450–880K (Essential Entities) + ~10%/year (ANSSI estimates) | MSP charges client €100–400/month via ECP platform — absorbed into MSP service fee |
| MSP / portfolio model | No multi-tenant track — entity-level framework; MSPs themselves are regulated as Important Entities | Purpose-built for MSP portfolio delivery: partner dashboard, white-label, per-client management |
| ISO 27001 relationship | ANSSI provides official ReCyF ↔ ISO 27001:2022 crosswalk | CyFun 2025 overlaps with NIST CSF 2.0; ISO 27001 support planned |
| Geography | France (ANSSI jurisdiction) | Belgium-first; Ireland co-adopting CyFun as of 2026 |
Sources: ANSSI ReCyF v2.5 (March 2026), cyber.gouv.fr, ccb.belgium.be. Last verified 2026-05-11.
Where ReCyF applies
- Your clients are French companies that fall within NIS2's 18 mandatory sectors (energy, transport, health, digital infrastructure, etc.) and exceed the Important or Essential Entity thresholds
- You deliver compliance services in France and will be audited by ANSSI against ReCyF objectives
- You need a framework with an ISO 27001:2022 crosswalk built in — ANSSI publishes an official mapping tool
- You are a French MSP/IT provider — you are yourself classified as an Important Entity under NIS2 and must follow ReCyF for your own operations
- You want a government-issued framework with clear "acceptable means of compliance" for each security objective
Where ECP / CyFun applies
- Your clients are Belgian (or Irish) — CyFun is the CCB's official NIS2 compliance path, the one Belgian auditors and the CCB assess against
- You are a Belgian MSP and want to package CyFun audit-readiness as a repeatable service across your client portfolio — not a bespoke €100K+ compliance project per client
- You need NL / FR / EN materials with Belgian regulatory context (CCB alignment, VLAIO kmo-portefeuille leverage for Flemish clients)
- You want predictable two-axis MSP economics: Starter (€399 flat) / Practice (€499 + per-client) / Studio (€999 + per-client) / Firm (€1,999 + per-client) plus per-client size brackets (XS €25 / S €75 / M €250 / L €750)
- Your clients need a CAB audit deliverable — ECP generates the signed .ecpbundle.zip that an accredited audit body accepts
The compliance cost comparison
This comparison is framework-vs-platform, not tool-vs-tool. ReCyF is a free government document — the cost is the compliance project it demands. ECP is a platform that MSPs pay for and resell to clients. The numbers below illustrate what each path costs a typical Belgian SME vs a typical French Important Entity.
ReCyF compliance — French Important Entity (EI), ~100 employees
- • ReCyF document: free (PDF on messervicescyber.fr)
- • Initial compliance project (gap analysis, policy writing, controls implementation): €100–200K (ANSSI estimate)
- • Annual recurring cost (maintenance, audits, testing): ~10% of initial = €10–20K/year
- • Internal CISO or external consultant required — no "guided wizard" reduces complexity
- • ANSSI inspects directly; fines up to €7M or 2% of turnover for Important Entities
ANSSI cost estimates are official figures shared in public briefings, not independently verified quotes. Costs vary widely by entity complexity, sector, and existing maturity. Source: various ANSSI briefings and NIS2 implementation guides (2025–2026).
ECP / CyFun — Belgian SME via MSP (20-client portfolio, S-size avg)
- • MSP base (Practice tier, 10–49 clients): €499 / month
- • Per-client (S-size, 100–999 entities): 20 × €75 = €1,500 / month
- • Total ECP platform cost to MSP: €1,999 / month
- • MSP charges SME client: €200 / month (suggested range €100–400)
- • Client's annual cost: €2,400 — vs €100K+ direct ReCyF project cost
- • MSP revenue: 20 × €200 = €4,000 / month — gross margin ~€2,000 / month (~€24K / year)
Per-client brackets (XS €25 / S €75 / M €250 / L €750) are uniform across ECP tiers — what changes is the monthly base. Starter (< 10 clients) is €399 flat with no per-client fee. Studio (50–99 clients) is €999 + per-client. Firm (100–999) is €1,999 + per-client. Enterprise (1,000+) is custom.
Framework coverage overlap
ReCyF and CyFun both implement NIS2 security requirements — in their respective countries. The control areas overlap significantly (both trace back to NIS2 Article 21 and NIST CSF 2.0 influences). The difference is jurisdiction, not philosophy.
| Control area | ReCyF (France) | CyFun / ECP |
|---|---|---|
| Governance & risk management | Objectives 1–2 (EI + EE); risk approach mandatory for EE only | CyFun Basic + Important includes governance controls; ECP wiki enforces policy ownership |
| Access control & identity | Objective 10 — identity management; objective 11 — admin mastery | CyFun PR.AC controls; ECP access register + evidence collection |
| Incident detection & response | Objectives 12–14 — incident response, business continuity, crisis management | CyFun DE.CM + RS controls; ECP incident log + CSIRT notification workflow |
| Supply chain / ecosystem | Objective 3 — ecosystem control (MSPs must comply themselves as EI) | CyFun ID.SC; ECP vendor register template |
| Secure configuration & hardening | Objective 18 (EE only) — resource configuration | CyFun PR.IP controls in Basic and above |
| Security supervision (SOC/SIEM) | Objective 20 (EE only) — active supervision | CyFun DE.CM; included in Important / Essential tiers |
| ISO 27001:2022 mapping | Official ANSSI crosswalk available (messervicescyber.fr comparateur) | Overlap significant; dedicated ISO 27001 support planned but not yet shipped |
| NIS2 Article 21 compliance | Yes — ReCyF is France's implementation of Article 21 obligations | Yes — CyFun is Belgium's implementation of Article 21; CCB-issued |
Sources: ANSSI ReCyF v2.5 (March 2026); CCB CyFun 2025 documentation. Mapping is indicative — actual gap analysis requires professional assessment.
Common questions
Does following ReCyF satisfy NIS2 in Belgium?
No. ReCyF is France's national NIS2 compliance framework, assessed by ANSSI. Belgium's NIS2 compliance path is CyFun, issued by the CCB. A Belgian entity audited by a Belgian CAB body (Centre d'Audit Belge) is assessed against CyFun — not against ReCyF. The two frameworks overlap in spirit (both implement NIS2 Article 21) but are not interchangeable across borders. If you operate in both France and Belgium, you will need to satisfy both ANSSI (ReCyF) and CCB (CyFun) — they do not mutually recognize each other today.
Can ECP help French clients comply with ReCyF?
Not natively today. ECP implements CyFun (the Belgian CCB framework). The control areas overlap significantly — ReCyF's 20 objectives and CyFun's controls both derive from NIS2 Article 21 and NIST CSF 2.0 influences — but ECP does not generate an ANSSI-ready compliance bundle. A French entity using ECP would get a strong head start on the control areas, but would still need to map evidence to ReCyF's specific "acceptable means of compliance" language for an ANSSI inspection. ECP's framework engine is designed to support multiple national frameworks; French ReCyF support is on the product radar but not yet scheduled.
Why is ReCyF compliance so much more expensive than CyFun via ECP?
Different delivery models. ReCyF is a government compliance framework — it sets obligations but does not bundle a guided platform, pre-built templates, or evidence workflows. Compliance requires hiring a CISO or consultant to run the project from scratch, which explains ANSSI's own estimates of €100–200K for Important Entities. ECP packages CyFun compliance into a guided platform with policy templates, evidence collection workflows, and audit bundles — the MSP delivers this as a monthly service rather than a one-time project. The platform absorbs the complexity; the cost per client drops dramatically.
What is the difference between ReCyF's "Important Entity" and CyFun's "Basic" tier?
Broadly similar scope, different structure. Both target mid-size organizations that are important but not the most critical national infrastructure. ReCyF's Important Entity level covers 15 objectives and applies to organizations with 250+ employees or €50M+ revenue in 18 regulated sectors. CyFun's Basic tier is a CCB-defined set of controls applicable to Belgian organizations that fall under NIS2's Important Entity definition. The CyFun Small tier adds a lightweight track for smaller organizations not covered by NIS2 but wanting to demonstrate baseline cyber hygiene. Neither framework's tiers map cleanly onto the other — cross-border entities need a professional gap analysis.
Deliver CyFun audit-readiness to your Belgian clients
If you are a Belgian MSP, CyFun — not ReCyF — is the compliance path your clients need. ECP packages it as a monthly MSP service: guided workflows, evidence collection, white-label reports, and a signed audit bundle your CAB auditor accepts.
Related
Fact check
| Claim | Source | Accessed |
|---|---|---|
| ReCyF v2.5 published March 17, 2026 by ANSSI | ANSSI / messervicescyber.fr — ReCyF v2.5 PDF | 2026-05-11 |
| 15 objectives for Important Entities, 20 for Essential Entities | ANSSI ReCyF v2.5 structure (multiple secondary sources confirm the split) | 2026-05-11 |
| ~10,000–15,000 French enterprises affected by NIS2 | ANSSI / SPAC Alliance NIS2 France briefings | 2026-05-11 |
| EI compliance cost: €100–200K initial + ~10%/year; EE: €450–880K + ~10%/year | ANSSI official estimates published in NIS2 briefings | 2026-05-11 |
| Loi Résilience transposition expected H2 2026 (France missed October 2024 NIS2 deadline) | Copla / SPAC Alliance NIS2 France transposition timeline reporting | 2026-05-11 |
| Fines up to €7M / 2% turnover for EI; €10M / 2% for EE | NIS2 Directive Article 34 as transposed in French draft | 2026-05-11 |
| ECP MSP tiers: Starter €399 flat, Practice €499 + per-client, Studio €999 + per-client, Firm €1,999 + per-client | ECP ADR-0009 MSP 4-tier pricing + Week 19 newsletter update | 2026-05-11 |
| CyFun is Belgium's official NIS2 compliance path, CCB-issued | CCB Centre pour la Cybersécurité Belgique | 2026-05-11 |