
Hello ️😊,
I'll see you again for the June edition of Récap'IT.
One in two CISO says they are willing to pay a ransom, but half of the companies that paid only recovered some of their data. The EU wants to reduce its dependence on American tech giants with a multibillion-euro investment, while France is being dragged before the CJEU for its delay in implementing NIS2. The FBI is building an entire city to test its investigators under real-world conditions; a French “serious game” lets players experience a ransomware crisis minute by minute; and even the word “sovereign” has become a marketing pitch that few software vendors can truly justify.
Between these lines lies a thread: the difference between what an organization claims to stand for and what it actually stands for when it really matters.
Enjoy your reading!
📅 On the agenda today:
👉 Go !!
Before we begin, I invite you to follow us 👉️

On June 3, Brussels unveiled its legislative package aimed at reducing the EU-27’s digital dependence on the United States. The European Commission itself puts the figure at 264 billion euros per year spent by member states on U.S. technologies, with Microsoft, Google, and Amazon dominating the cloud market that powers government agencies and businesses. The central piece of legislation, the Cloud and AI Development Act, establishes four levels of sovereignty. For Commissioner Henna Virkkunen, the goal is to ensure that no provider has a “kill switch” over services deemed critical. She herself acknowledges that the U.S. Cloud Act—which requires U.S. companies to hand over the data they host—makes it difficult for them to meet the strictest level of sovereignty. However, only 1% of European public services will be classified as sensitive enough to require the total exclusion of foreign technologies: Brussels’ goal is less to ban GAFAM than to foster the emergence of credible alternatives.
The market, for its part, has outpaced the legislature. According to Deloitte’s “State of AI in the Enterprise” study, 77% of companies now include country of origin in their supplier selection criteria, and 83% consider sovereignty to be strategic for their planning. The shift is therefore no longer political; it is already operational on the buyer side, even as governance struggles to keep up: only 21% of organizations have a mature model in place to oversee their AI agents.
For a CIO, the question is no longer whether sovereignty will become a purchasing criterion—it already is. The question remains whether their IAM and cloud stack would currently withstand a sovereignty risk assessment, with or without a legal requirement to implement it. We’ve been asleep for decades; now the bill is coming due.
Source: Politico, IT Social, Le Monde



Receive the best IT news of the month.
Market trends, IT trends, cyberattacks in France... a summary of the news
Rennes will host NATO’s new center of excellence dedicated to artificial intelligence, with about 50 employees and an operational launch scheduled for May 2027. France is the only country to have applied to host the center, a decision that is set to be finalized in June through a “silence” procedure: the center will be established unless the other 31 member countries object.
The choice of Rennes stems from an already established ecosystem: Comcyber, the DGA’s information management division, and AMIAD, led by Bertrand Rondepierre, are based there, alongside the cyberdefense divisions of Orange, Airbus, Thales, and Sopra Steria. The project, launched in the summer of 2025 by Sébastien Lecornu in the wake of the Paris AI Summit, was presented to the NATO Military Committee by Admiral Pierre Vandier. General Cyril Carcy is currently touring allied capitals to recruit financial contributors.
With this center, France will have three such facilities on its soil—alongside those in Toulouse (space) and Lyon (air operations)—tying it with Germany. At the same time, Washington has just closed the CJOS, its center of excellence for combined maritime operations, which was based in Norfolk. The trend is symmetrical: the United States is withdrawing from certain Alliance structures while Paris is stepping up its presence.
For a CIO, what matters most is not geography but what it signifies. A NATO center of excellence develops doctrines and standards that are then passed down to the defense industry and subsequently incorporated into civilian standards, including IAM and identity management for critical systems. Rennes is becoming a useful vantage point for anticipating upcoming regulatory requirements on the French side.
Source: 01net


58% of CISO respondents in the United States and the United Kingdom say they are willing to pay a ransom to quickly restore their operations. The figure comes from a survey by Absolute Security of 750 security executives, and it directly contradicts the position of the authorities: the UK’s NCSC reiterates that it does not encourage, approve, or tolerate payment, and the FBI takes the same stance across the Atlantic.
Paying does not guarantee anything. According to IDC, 37% of affected companies actually paid a ransom last year—a figure that is likely an underestimate. Of those, 5% received an incomplete decryption, and a Hiscox survey shows that only 60% of SMEs that paid recovered all or part of their data. Conversely, 29% of companies restored their files from backups. But 33% of those who did not pay were unable to recover anything at all: the difference does not lie in the decision to pay, but in what existed before the attack.
Marks & Spencer failed to pay following its April 2025 cyberattack. Its online store was shut down for several months, resulting in $400 million in operating losses. That was the price of a principled decision made without a robust recovery plan.
A disaster recovery plan that has never been tested under full-scale conditions is nothing more than a hypothesis. A backup that resides on the same network as the production environment isn’t a backup—it’s a copy that’s just waiting to be encrypted as well. Offsiting and regular testing aren’t just nice-to-have options; they’re the only two things that make “I won’t pay” a credible statement.
Source: Le Monde Informatique


The European Commission is preparing to refer France and Spain to the Court of Justice of the EU for failing to transpose the NIS2 Directive. The deadline of October 17, 2024, has been exceeded by nearly twenty months. Following a letter of formal notice in November 2024 and a reasoned opinion sent to 19 countries that were behind schedule in May 2025, Brussels is now taking legal action, with a referral to the court expected before the end of the year and a possible financial penalty of tens of millions of euros. France had already been referred to the CJEU in April regarding the CER Directive on the resilience of critical infrastructure: the NIS2 case now joins it on the same list of violations.
The delay stems from a decision made by France to merge the transposition of NIS2 and the CER Directive into a single bill—the Resilience Bill—which was adopted by the Senate in March 2025 but has still not been voted on by the National Assembly. The extraordinary session in July 2026 is now the announced deadline. Meanwhile, more than 15,000 French entities remain in a state of legal uncertainty: Representative Philippe Latombe highlighted the paradox of a government that already requires certain companies that have been victims of cyberattacks to comply with NIS2, even though the law mandating this compliance has not yet been enacted.
For a CIO, waiting for the vote would be a mistake. In March 2026, ANSSI published a working draft of its ReCyF framework, which already details the expected physical security requirements: access control to server rooms, visitor tracking, and access rights limited to what is strictly necessary. These measures are not contingent on the law’s enactment. While the political timeline is stalling, the compliance timeline is not waiting for it.
Source: Usine Digitale, IT Social, Journal du Net


Would you like to receive our white paper on identity and access management?

An affiliate of the Nova ransomware gang encrypted the servers of Eriell, an oil drilling company based in Uzbekistan. A rookie mistake: Uzbekistan is part of the CIS, and in this world, you never mess with the CIS. This rule protects Russian-speaking operators from a sudden crackdown by local authorities, who turn a blind eye as long as the targets remain Western.
Some ransomware programs detect a Cyrillic keyboard and self-destruct before encryption to avoid a blunder. That safeguard failed this time. It was the victim himself who reported the blunder to Nova. The gang’s response: an official apology, free restoration of the system, a promise that no data would be leaked, and the expulsion of the affiliate at fault.
The anecdote is amusing, but it highlights a serious point: even criminals strictly segment their targets to limit risk.
Source: Korben


The AI executive order signed by Donald Trump on June 2 introduces a new concept: the “covered frontier model.” Washington must set a performance threshold above which a model falls into this high-risk category, with the government granted access up to 30 days before its release. The measure formalizes a practice already in place with Google, Microsoft, xAI, OpenAI, and Anthropic, and extends it to the NSA, CISA, the Treasury, and the Department of Defense. There are no legal obligations and no penalties for noncompliance.
For European companies that deploy these models, their robustness will depend on the goodwill of the software vendor, not on a regulatory framework equivalent to the AI Act.
Source: L'Usine Digitale

The FBI has opened a 2,040-square-meter training center in Huntsville, Alabama, that recreates an entire city within a single building. Furnished homes, a hospital, a gas station—each structure runs on real networks and real servers. More than 1,400 agents have already trained there since February 2025, including cyber investigators who, unlike computer forensic analysts, almost never gain access to their targets’ machines and work exclusively with logs and network traffic. On-site, Active Directory, email systems, and firewalls operate just as they would in a real organization, and making mistakes is explicitly encouraged as a learning method.
An incident response plan that has only been tested on paper reveals its blind spots only when an actual incident occurs.

In June 2026, BlueSecure launched BlackOut, an awareness-raising video game that immerses players in a ransomware attack, giving them twenty minutes to make decisions, mobilize resources, and regain control. A classic phishing attack triggers the incident; the cybercriminal group demands 500 bitcoins; and the player takes on the roles of the CISO, DPO, HR Director, and CEO in a crisis response team, navigating between carefully managed communication and legal obligations—such as the 72-hour deadline to notify the CNIL. Paying the ransom results in an immediate “game over.”
The game has a telling blind spot: the CIO never appears in it, even though in most small and medium-sized businesses, in the absence of a dedicated CISO, it is the CIO who manages the crisis.
Source: Journal du Net

“Sovereignty” has become a selling point. Everyone claims it, but few can prove it. That’s the observation made by François Poulet, CEO of Youzer, in an op-ed published in late June. Youzer also participated in the Digital Sovereignty Expo on June 30 and July 1.
Three questions are all it takes to separate fact from marketing hype.
At its booth, Youzer gave a straightforward answer: French R&D, French hosting, French teams. Not a subsidiary. Not an American cloud service with a French interface.
Sovereignty isn't just a flag on a plaque. It's a response that can be verified.
Thank you to Cyberexpert for publishing this.


Thank you for reading me this far!
Any feedback, want to discuss a project?
I'm here for that 👋.
Every month I send you my discoveries, my analysis on IT news.
I do a lot of monitoring and I share it all!
I'm Mélanie and I'm Youzer's marketing manager.
About me? I have an unquenchable thirst for learning! I'd rather read a book 100 times than watch a movie. I'm a fan of HP 🧙🏼.
I do running and collective sport roller (don't look for it, it's dangerous).