
The 2026 Guide to ANSSI OT risk assessments


Prayukth K V

January 5, 2026

In the current landscape of 2026, Operational Technology (OT) is no longer a "hidden" layer of infrastructure that functions in isolation and is never targeted. With the full transposition of the NIS2 Directive into French law and the ongoing mandates of the Loi de Programmation Militaire (LPM), securing Industrial Control Systems (ICS) has shifted from a best practice to a strict legal imperative. Further, with targeted attacks on OT infrastructure, it becomes essential for enterprises to scale their OT security efforts to ensure the defense measures are aligned with the prevailing threat landscape.

For French enterprises, especially those that are designated as Essential (EE) or Important (IE) entities, the National Cybersecurity Agency of France (ANSSI) has set a gold standard for risk assessment.

Today's blog post outlines how to navigate this rigorous process to ensure resilience and compliance in a sustainable manner that meets both short-term and long-term goals.

Before we move forward, don't forget to check out our previous blog post titled "A report on the 200GB ESA data breach". It presents an RCA on the recent breach at the European Space Agency.

Major recommendations and compliance imperatives

ANSSI's approach to OT security is anchored in the principle of "defense in depth." As of 2026, the main pillars include:

  • EBIOS risk manager (EBIOS RM): This is the mandatory risk assessment methodology. It moves away from static Q&A checklists toward dynamic, scenario-based threat modeling.

  • The 42 Measures: ANSSI’s "Mastering ICS Security" guide remains the technical bible. This document details 42 specific security measures ranging from organizational governance to physical hardware protection.

  • NIS2 and LPM synergy: While NIS2 broadens the scope to more sectors (food, waste management, etc.), the LPM continues to impose stricter requirements on "Operators of Vital Importance" (OIVs), including mandatory use of qualified security products.

How to comply through a comprehensive risk assessment

Compliance is not a "one-and-done" audit. Instead, it is an iterative process driven by the EBIOS RM methodology and informed by ANSSI’s "Mastering ICS Security" guide. An effective assessment should follow five distinct workshops in the following order:

  • Scope and governance: Define the industrial perimeter (such as a specific production line or power grid) and identify "feared events" (a total blackout or chemical spill).

  • Risk Origins: Identify who might target you. Is it state-sponsored espionage, a ransomware gang, a vendor, or a disgruntled insider?

  • Strategic scenarios and attack paths: Map the attack paths through your ecosystem. How does an attacker move from your corporate IT email to your PLC (Programmable Logic Controller)?

  • Operational scenarios: Get technical. Identify specific vulnerabilities in your OT protocols (Modbus, OPC-UA) that allow the strategic scenarios to happen.

  • Risk treatment: Decide which risks to mitigate, transfer, or accept, resulting in a Risk Treatment Plan (RTP).

Selecting a vendor for assessment help

In France, not all cybersecurity firms are equal. To ensure your assessment is recognized by ANSSI, you must prioritize PASSI (Prestataires d’Audit de la Sécurité des Systèmes d’Information) qualified vendors.

  • The "Security Visa": Look for the ANSSI Security Visa. A PASSI-qualified vendor has had its auditors, methodology, and data protection measures vetted by the state.

  • Specialization: Ensure the vendor has specific PASSI-LPM qualification if you are an OIV.

  • OT Experience: Ask for "shop floor" experience. An auditor who understands a data center but doesn't understand the safety constraints of a blast furnace can cause operational downtime during a scan.

Reporting obligations for enterprises

Transparency is a cornerstone of the 2026 regulatory environment. Entities have strict timelines for notifying CERT-FR (ANSSI's operational arm):

  • Significant incidents: Must be reported within 24 hours (initial warning) and 72 hours (detailed report).

  • Vulnerability notification: Under LPM 2024-2030, software and hardware providers must notify ANSSI of significant vulnerabilities in their products "without delay."

  • Board accountability: Under NIS2, management bodies are personally liable for the entity's failure to comply with risk management obligations.

The assessment must also evaluate the enterprise's capability to meet these reporting obligations.

Pitfalls to watch out for

  • The "air-gap" Myth: Assuming your OT is safe because it isn't "connected to the internet." USB drives, vendor maintenance laptops, and IIoT sensors have effectively eliminated the air gap.

  • Use of IT Tools in OT: Using aggressive IT vulnerability scanners can crash legacy PLCs. Ensure your assessment uses passive monitoring or OT-safe active scanning.

  • Documentation only: A "paper-based" compliance approach will fail. ANSSI increasingly requires "live evidence"—actual logs and system configurations—rather than just signed policies.

Actionable checklist for ANSSI compliant OT risk assessment and responsibility matrix

Phase | Key action | Responsibility
--- | --- | ---
Preparation | Map all OT assets (asset inventory) and their firmware versions. | OT Lead / Maintenance
Selection | Contract a PASSI-qualified auditor for the assessment. | CISO / Procurement
EBIOS RM | Conduct the 5 workshops; include OT operators, not just IT. | Risk Manager
Verification | Perform a technical audit (architecture and configuration review). | PASSI Auditor
Reporting | Register your entity on the MonEspaceNIS2 portal. | Legal / Compliance

Actioning recommendations and the roadmap

Once the assessment is complete, you will likely have a long list of vulnerabilities. Do not try to fix everything at once. That will strain your organisational resources and time.

The 12-Month Compliance Roadmap:

  • Months 1-3: Focus on Hygiene. Implement MFA for remote access and restrict USB usage.

  • Months 4-6: Network Segmentation. Isolate the Industrial LAN from the Office LAN using industrial firewalls.

  • Months 7-9: Monitoring. Deploy an Industrial Intrusion Detection System (IIDS) to gain real-time visibility.

  • Months 10-12: Incident Response. Run a "tabletop exercise" simulating a cyber-physical attack on your specific OT environment.
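As an added example of the passive monitoring that the "IT tools in OT" pitfall calls for and that the Months 7-9 IIDS step delivers, here is a small Python Modbus/TCP inspector (not Shieldworkz or ANSSI code) that parses the MBAP header of captured frames and flags state-changing writes from hosts outside an engineering-station allowlist, diagnostic requests, exception responses and malformed frames. The frames, IP addresses and allowlist are constructed for illustration; the tool only reads traffic and never sends anything to the PLC.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Function codes that change PLC state; a passive monitor alerts on these when
# they come from a host that is not a known engineering workstation.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
DIAGNOSTIC = 8  # sub-function 0x0001 restarts communications on many devices

@dataclass
class ModbusFrame:
    src: str
    dst: str
    unit_id: int
    function: int   # function code with the exception bit cleared
    exception: bool  # True when the device answered with fc | 0x80

def parse_mbap(src: str, dst: str, raw: bytes) -> Optional[ModbusFrame]:
    """Parse the 7-byte MBAP header plus the function code; None if malformed."""
    if len(raw) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", raw[:7])
    # Protocol id is always 0; 'length' counts the unit id and PDU bytes.
    if proto != 0 or length != len(raw) - 6:
        return None
    fc = raw[7]
    return ModbusFrame(src, dst, unit, fc & 0x7F, bool(fc & 0x80))

def inspect(frames, allowed_writers):
    """Return alert strings for a list of (src, dst, raw) captured frames."""
    alerts = []
    for src, dst, raw in frames:
        f = parse_mbap(src, dst, raw)
        if f is None:
            alerts.append(f"MALFORMED {src}->{dst}")
        elif f.exception:  # repeated exceptions often mean someone is probing
            alerts.append(f"EXCEPTION_RESPONSE {src}->{dst} fc={f.function}")
        elif f.function in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append(f"UNAUTHORIZED_WRITE {src}->{dst} unit={f.unit_id} "
                          f"{WRITE_FUNCTIONS[f.function]}")
        elif f.function == DIAGNOSTIC:
            alerts.append(f"DIAGNOSTIC {src}->{dst} unit={f.unit_id}")
    return alerts

# Constructed sample capture (not real traffic): HMI, engineering station, rogue host.
SAMPLE = [
    ("10.0.1.10", "10.0.2.5", bytes.fromhex("0001000000060103000A0002")),  # HMI reads registers
    ("10.0.1.20", "10.0.2.5", bytes.fromhex("000200000006010600100001")),  # EWS write, allowed
    ("10.0.1.99", "10.0.2.5", bytes.fromhex("00030000000601050001FF00")),  # rogue writes a coil
    ("10.0.2.5", "10.0.1.99", bytes.fromhex("000300000003018502")),        # PLC exception reply
    ("10.0.1.99", "10.0.2.5", bytes.fromhex("000400000006010800010000")),  # restart-comms diag
    ("10.0.1.99", "10.0.2.5", bytes.fromhex("0005000000FF01")),            # truncated frame
]
```

Running `inspect(SAMPLE, {"10.0.1.20"})` yields four alerts (unauthorized write, exception response, diagnostic, malformed) and stays silent on the HMI read and the allowed engineering-station write.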

Lastly, Shieldworkz recommends that you prioritize recommendations that address "Strategic Scenarios" identified in Workshop 3 of your EBIOS RM. These represent the most likely paths an attacker would take to cause physical harm or operational shutdown.

Need help with your ANSSI compliance requirements? Talk to our expert.

More about our NIS2 compliance services.

Learn a bit more about Shieldworkz’ Incident response services

Talk to a vacation security expert (yes we have a dedicated security pro who knows more about fine tuning your security measures during lean times).

Test drive our OT security platform here.
