Blog
Compliance & cybersecurity
Practical guides for founders, CISOs and consultants.
- 10 min
Cyber Resilience Act: reporting starts 11 September 2026 — who is concerned and what to do
The EU Cyber Resilience Act (Regulation 2024/2847) explained: which products with digital elements are in scope, the verified timeline (reporting from 11 September 2026, full application 11 December 2027), the 24h/72h/14-day notification ladder, essential requirements and sanctions.
- 9 min
ISO 27001 certification in France: 2022 transition, COFRAC bodies and the ANSSI ecosystem
Getting ISO 27001-certified in France in 2026: why every certificate is now ISO 27001:2022 (the 2013 edition expired on 31 October 2025), how COFRAC-accredited certification works, and how the standard connects to ANSSI’s ReCyF, HDS and SecNumCloud.
- 10 min
DORA in France: ACPR, AMF, the register of information and TLPT
How DORA is supervised in France: ACPR and AMF roles, the register of information (instruction 2025-I-12), TIBER-FR threat-led penetration testing, the 2026 shift to in-depth audits — and the documents a financial entity must have ready.
- 9 min
CNIL sanctions 2025: what the record €487M actually means for SMEs
Analysis of the CNIL’s official 2025 enforcement report: 259 decisions, 83 sanctions, €486.8M in fines — 97.6% of it from just two decisions. What the simplified procedure and the recurring grounds (cookies, employee monitoring, data security) mean for smaller companies.
- 11 min
NIS2 in France: where the transposition law stands in 2026
The state of NIS2 transposition in France — the “resilience” bill timeline, who is in scope (15,000+ entities), essential vs important entities, sanctions, and what ANSSI’s ReCyF framework and MonEspaceNIS2 portal mean for your compliance plan.
- 10 min
NIS2 compliance for SMEs: a 10-step guide for 2026
A practical, step-by-step path to NIS2 compliance for small and mid-sized companies — scope, risk analysis, the documents you need and how to prove it before enforcement begins.
- 5 min
How to write a physical and environmental security policy
A physical security policy protects the places and equipment that hold your data. Here is what to include — access, visitors, environmental controls — with a free template.
- 5 min
How to write a data retention policy
A data retention policy defines how long you keep data and when you delete it. Here is what to include — retention periods, deletion, GDPR — with a free template.
- 5 min
How to write a security awareness and training policy
A security awareness policy defines how you train staff to recognise and resist threats. Here is what to include — onboarding, phishing tests, cadence — with a free template.
- 5 min
How to write an asset management policy
An asset management policy keeps an accurate inventory of what you own and protect. Here is what to include — inventory, ownership, lifecycle — with a free template.
- 6 min
How to write an AI acceptable use policy
An AI usage policy defines how staff may use generative AI with company data. Here is what to include — approved tools, data rules, oversight — with a free template.
- 5 min
How to write a network security policy
A network security policy defines how you segment, protect and monitor your networks. Here is what to include — segmentation, firewalls, remote access — with a free template.
- 5 min
How to write a logging and monitoring policy
A logging and monitoring policy defines what you log, how long you keep it, and how you detect threats. Here is what to include — with a free template.
- 5 min
How to write a change management policy
A change management policy ensures changes ship safely and traceably. Here is what to include — request, review, approval, rollback — with a free template.
- 6 min
How to write a vulnerability management policy
A vulnerability management policy defines how you find, prioritise and fix weaknesses. Here is what to include — scanning, SLAs, patching — with a free template.
- 5 min
How to write a remote work policy
A remote work policy sets the security conditions for working outside the office. Here is what to include — devices, networks, home environment — with a free template.
- 5 min
How to write a data classification policy
A data classification policy labels information by sensitivity so handling rules apply consistently. Here is what to include — levels, handling, labelling — with a free template.
- 5 min
How to write a vendor (third-party) security policy
A vendor security policy governs how you assess and monitor suppliers who touch your data. Here is what to include — due diligence, DPAs, monitoring — with a free template.
- 6 min
How to write a business continuity policy
A business continuity policy keeps critical functions running through disruption. Here is what to include — RPO/RTO, BIA, testing — with a free template.
- 5 min
How to write a backup and recovery policy
A backup policy defines what you back up, how often, where, and how you test restores. Here is what to include — and a free template aligned with ISO 27001.
- 6 min
How to write an encryption policy
An encryption policy defines what you encrypt, with which algorithms, and how you manage keys. Here are the sections auditors expect — with a free template.
- 5 min
How to write an acceptable use policy
An acceptable use policy (AUP) tells employees what they can and cannot do with company systems. Here is what to include — and a template you can generate free.
- 6 min
How to write an incident response policy
An incident response policy defines how you detect, contain and recover from security incidents. Here are the sections auditors expect — and a free template.
- 5 min
How to create a BYOD policy
A BYOD policy lets employees use personal devices safely. Here is what to include — enrolment, encryption, separation of data, remote wipe — plus a free template.
- 6 min
How to write an access control policy
What an access control policy must cover to pass an ISO 27001 or SOC 2 audit — least privilege, joiner-mover-leaver, access reviews — with a ready-to-use template.
- 6 min
How to write a password policy (with a free template)
A practical guide to writing a password policy that satisfies ISO 27001, SOC 2 and NIST — what to include, what to avoid, and a template you can generate in minutes.
- 11 min
SOC 2 vs ISO 27001 — which one should your SaaS get first?
A clear comparison of SOC 2 Type II and ISO 27001:2022 for SaaS founders: cost, timeline, audience and how to reuse work across both.
- 12 min
The 14 mandatory ISO 27001 policies — full checklist for 2026
A practical, exhaustive checklist of every policy and procedure required by ISO 27001:2022, with templates you can adopt today.