
Hello,
I'll see you again for the May edition of Récap'IT.
ANSSI has published its annual report and, at the same time, has come under fire for conducting too few inspections. The CNIL has shifted half of its inspections to focus on cybersecurity. Meanwhile, CISA left its AWS keys exposed on GitHub for six months. On the ground, two reports point to the same conclusion: identity has become the true perimeter of the IT system, and agent-based AI is expanding the attack surface faster than we can govern it.
Also on the agenda: digital sovereignty, which is moving from political discourse to procurement plans.
Enjoy the read!
On the agenda today:
NIS 2 is on the way
Go!!

Before we begin, I invite you to follow us.

1,366 confirmed incidents in 2025. 1,361 in 2024. The situation is completely stable. However, the ANSSI activity report shows 3,586 security incidents handled, a 22% decrease compared to 2024. The drop is artificial. It is explained by the spike during the Paris Olympics, which had inflated the number of reports the previous year. In terms of actual incidents, nothing has changed.
The 2025 Cyber Threat Landscape paints a complete picture.
Four sectors account for 76% of incidents: education and research lead the way with 34%, followed by local governments and ministries (24%), healthcare (10%), and telecommunications (9%). Three of these four sectors now fall under NIS 2.
That's when the window closes. Pre-registration for future regulated entities has been open since November 24, 2025. The beta reference framework is available. The draft transposition bill passed the National Assembly's special committee on September 10. The question is no longer whether the regulations will apply. It is what will be ready when enforcement begins. ANSSI's Inspection and Oversight Division, separate from the support teams, is preparing to initiate proceedings that could result in penalties.
For CIOs, two realities are converging. Cyber pressure shows no signs of letting up, despite the reported decline in overall incident counts. And NIS 2 is no longer a distant prospect; it is a matter of time. The framework covers traditional areas of cybersecurity, including access governance. For critical and important entities in the sectors already most frequently targeted, falling behind on IAM is no longer a roadmap issue. It is a compliance issue.
Source: ANSSI


80% of European spending on software and cloud services goes to U.S. companies. That amounts to more than 260 billion euros a year, according to Cigref. This figure is not new. What has changed is how it is being addressed. Sovereignty is moving from political discourse into risk assessments and procurement guidelines.
Three factors have shifted the balance. Geopolitical crises, which have exposed the fragility of supply chains. The Cloud Act and similar legislation, which are now affecting the European subsidiaries of U.S. companies. Trade tensions, which have shown that access to technology can be cut off overnight. Dependency is becoming a quantifiable risk.
The European framework follows. The Digital Europe program is allocating more than one billion euros between 2025 and 2027 to trusted infrastructure, cybersecurity, and AI. The Cloud Sovereignty Framework provides a legal, technical, and operational assessment framework. In France, the Digital Sovereignty Observatory, established in January 2026, produces indicators to help prioritize trade-offs.
For CIOs, the implication is clear: contractual reversibility, data processing location, and compliance with NIS 2 and GDPR now join performance and TCO as key factors in the bidding process. Data sovereignty is no longer a secondary consideration; it is a prerequisite for shortlisting.
In a sign that the topic has shifted from the political arena to the technical sphere, the very first edition of the Digital Sovereignty Expo will take place on June 30 and July 1. Youzer will be there; come see us!
Source: ITSocial

The massive data breach at ANTS on April 15 was the last straw: an insecure direct object reference (IDOR) vulnerability dating back to 2007, exploited by a 15-year-old who was modifying identifiers in URLs. Millions of driver's licenses, national ID cards, and passports were stolen.
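The flaw described above is the textbook insecure direct object reference: the server takes an identifier from the URL and returns the matching record without asking whether the caller is entitled to it. The block below is an added illustration, not code from ANTS or from this newsletter. It builds a constructed record store and puts the vulnerable lookup beside a hardened one that scopes the lookup to the authenticated caller; the record ids, user names and the `Forbidden` exception are assumptions made for the example.

```python
"""Added example: insecure direct object reference (IDOR) lookup vs. a hardened one.

The record store, user names and ids below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Record:
    record_id: int
    owner: str        # authenticated user who is allowed to read this record
    payload: str


class Forbidden(Exception):
    """Raised when the caller may not read the requested record."""


# Constructed sample store. Sequential ids mean a caller can guess neighbours
# simply by editing the number in the URL, which is the behaviour described above.
RECORDS = {
    1001: Record(1001, "alice", "document belonging to alice"),
    1002: Record(1002, "bob", "document belonging to bob"),
}


def lookup_vulnerable(current_user: str, record_id: int) -> Record:
    """Vulnerable: the id parsed from the URL is used as-is and ownership is
    never checked, so any authenticated user can read any record."""
    return RECORDS[record_id]


def lookup_hardened(current_user: str, record_id: int) -> Record:
    """Hardened: the lookup is scoped to the authenticated caller. A record that
    exists but belongs to someone else is reported exactly like a record that
    does not exist, so the response does not confirm which ids are valid."""
    record = RECORDS.get(record_id)
    if record is None or record.owner != current_user:
        raise Forbidden(f"{current_user!r} may not read record {record_id}")
    return record


def readable_ids(lookup: Callable[[str, int], Record], current_user: str,
                 candidate_ids: List[int]) -> List[int]:
    """Return the ids `current_user` can actually read through `lookup`.
    Used here to compare the two implementations; the same probe against a
    test instance confirms a fix, since a foreign id must fail."""
    readable = []
    for record_id in candidate_ids:
        try:
            lookup(current_user, record_id)
        except (Forbidden, KeyError):
            continue
        readable.append(record_id)
    return readable


if __name__ == "__main__":
    probe = [1001, 1002, 1003]
    print("vulnerable:", readable_ids(lookup_vulnerable, "alice", probe))  # [1001, 1002]
    print("hardened:  ", readable_ids(lookup_hardened, "alice", probe))    # [1001]
```

The hardened version fixes the authorization check; it does not fix enumerability. Pairing it with non-sequential identifiers, or with per-user indirect references resolved server-side, removes the second half of the problem.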
Le Canard Enchaîné drives the point home in its May 13 edition: ANSSI conducts about twenty inspections and fewer than ten unannounced audits per year, and has never exercised its authority to impose financial penalties. The CNIL, on the other hand, does impose sanctions. ANSSI refrains from doing so. "It's afraid of getting in trouble if it sanctions a ministry, especially if that ministry is responsible for its funding," a lawmaker tells the newspaper.
The political response follows. Sébastien Lecornu announces the creation of a Digital and AI Authority overseen by the Prime Minister's Office, which will merge the government's digital division with its public transformation division. And he adds: "It's not ANSSI's job to ensure that the ministries' digital architectures are up to standard." Yet the 2009 decree says exactly the opposite.
Vincent Strubel, who testified on May 19, stands his ground. He does not question the scope of the audits: nearly 50 per year, covering thousands of government information systems and 300 public institutions. However, he acknowledges a "fundamental problem": the lack of widespread MFA implementation, poor identity management, and system obsolescence, all against a backdrop of massive complexity in public information systems.
When the national authority publicly acknowledges that MFA is not widely implemented across ministerial information systems, it becomes difficult to look at one's own system without wondering what else might be hidden there. An audit is coming. The question is, what will it find?
Source: Le Canard enchaîné, ZDNet, Le Monde Informatique

A GitHub repository named "Private-CISA." Public. Open since November 2025. Inside: the administrative credentials for three AWS GovCloud accounts and a file listing passwords in plain text. It remained exposed for six months before Guillaume Valadon, a researcher at the Paris-based startup GitGuardian, alerted the public through journalist Brian Krebs.
The stinging detail: the admin had deliberately disabled GitHub's built-in secret detection. The passwords? For the most part, they were the platform name plus the current year. After being notified, the AWS keys remained valid for another 48 hours. Official response: "no indication that sensitive data was compromised." It's worth noting that the agency lost nearly a third of its staff under Trump 2, dropping from 3,700 agents in early 2025 to about 2,200.
When the U.S. cybersecurity agency that sets the standard for cybersecurity best practices for the rest of the world turns to a Paris-based startup for guidance, the gap between rhetoric and reality becomes clear. Commit hygiene, secret management, MFA: the fundamentals can't be delegated; they must be verified.
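"Verified" means a check that runs on every commit and cannot be quietly switched off. The block below is an added example of what such a check looks like; it is not GitHub's secret detection and not GitGuardian's tooling. It scans constructed file content for an AWS access key id (the 20-character `AKIA`/`ASIA` format, using AWS's own documentation placeholder values rather than real keys), a 40-character secret key assignment, hard-coded password assignments, and the "platform name plus the current year" habit the article mentions. The rule names, the sample file and the masking format are assumptions of the example.

```python
"""Added example: a pre-commit style scan for leaked secrets and weak passwords.

Not GitHub's or GitGuardian's detector. Patterns and sample content are
constructed for the example; the AWS key values are AWS's published
documentation placeholders, not live credentials.
"""
import re
from dataclasses import dataclass
from typing import List

# AWS access key ids are 20 characters and start with AKIA (long-term) or ASIA (temporary).
AWS_ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A 40-character secret assigned to the conventional variable name.
AWS_SECRET_KEY = re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})")
# Any assignment to a variable whose name contains password/pass/pwd.
PASSWORD_ASSIGN = re.compile(r"(?i)(?:password|pass|pwd)\s*[=:]\s*['\"]?([^'\"\s]+)")
# The "platform name plus the current year" habit mentioned in the article.
NAME_PLUS_YEAR = re.compile(r"^[A-Za-z]{3,}(?:19|20)\d{2}[!@#$%^&*.]?$")

# Constructed sample file; nothing in it is a live credential.
SAMPLE_FILE = """\
# constructed sample file for the example; nothing here is a live credential
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# service logins
portal_password = Portal2025
db_pwd: s0me-L0ng-r4nd0m-value
timeout = 30
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    masked: str   # first 4 characters of the matched value, rest replaced


def mask(value: str) -> str:
    """Never echo the secret itself into logs or CI output."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(text: str) -> List[Finding]:
    """Return one Finding per rule hit, in file order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = AWS_ACCESS_KEY_ID.search(line)
        if m:
            findings.append(Finding(line_no, "aws-access-key-id", mask(m.group(0))))
        m = AWS_SECRET_KEY.search(line)
        if m:
            findings.append(Finding(line_no, "aws-secret-access-key", mask(m.group(1))))
        m = PASSWORD_ASSIGN.search(line)
        if m:
            value = m.group(1)
            findings.append(Finding(line_no, "hardcoded-password", mask(value)))
            if NAME_PLUS_YEAR.match(value):
                findings.append(Finding(line_no, "weak-password-name-plus-year", mask(value)))
    return findings


def should_block_commit(findings: List[Finding]) -> bool:
    """Policy: any finding blocks the commit. Keep this strict; the article's
    point is that the check was switched off, not that it was too noisy."""
    return bool(findings)


if __name__ == "__main__":
    for f in scan_text(SAMPLE_FILE):
        print(f"line {f.line_no}: {f.rule} ({f.masked})")
    print("block commit:", should_block_commit(scan_text(SAMPLE_FILE)))
```

The regexes are deliberately narrow so the example stays readable; a production scanner adds entropy scoring and provider-specific formats, and runs server-side (push protection) as well as on the developer's machine, so that a single admin cannot disable it for a repository.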
Source: Clubic

Would you like to receive our white paper on identity and access management?

Two out of three ransomware attacks enter an organization's IT system through an identity breach. Not through a misconfigured firewall, not through a system vulnerability: through a compromised account, a stolen password, or hijacked access. Sophos's State of Identity Security 2026 report, based on a survey of 5,000 IT and cybersecurity decision-makers in 17 countries, confirms this shift. 71% of organizations have suffered at least one identity attack in the past twelve months, with an average of three attacks per affected organization.
When an attack succeeds, the bill comes due. On average, it costs $1.64 million to resolve an identity breach, with a median cost of $750,000. France is no exception: 66% of organizations were affected, and 14.6% were unable to detect the attack in time.
The causes are well known, and that's what hurts. Human error: 43%; poor management of technical accounts: 41%; weak human management: 39%. And here's the stinging statistic: in Sophos's investigations of real-world incidents, MFA was simply not enabled on the targeted system in 59.5% of cases. Not disabled. Not bypassed. Just missing.
Identity has replaced the network as the primary target for attacks. User accounts, service accounts, third-party access, AI agents: every identity is a point of entry. And with agent-based AI rapidly creating new machine accounts on the fly, the attack surface is expanding faster than our ability to monitor it. Only 34% of organizations regularly audit their service accounts. The entry point to the IT system is no longer the firewall; it's the list of forgotten accounts.
Source: Sophos
29% of organizations already have AI agents handling security tickets in their help desk, such as password resets and granting VPN access. 64% plan to take the plunge within the next twelve months. By the end of 2026, 93% of organizations will have integrated autonomous agents into their identity infrastructure. The Semperis study, conducted by Censuswide among 1,100 IT and security professionals in eight countries, including France, then asks the uncomfortable question. Only 32% say they are very confident in their ability to regain control if a compromised agent were to expose administrator credentials.
The scenario unfolds in a matter of seconds. An attacker compromises a workstation running a local AI agent, a scenario that applies to 92% of the organizations surveyed. The attacker instructs the agent to list all the secrets available in the environment. The agent, at lightning speed, compiles a list of credentials, SSH keys, and active sessions. What used to take hours is now done in an instant.
The underlying problem isn't that agents access sensitive systems. It's that they themselves are poorly tracked identities. Thirty-five percent of organizations do not record them, or only partially record them, in a dedicated system, and 6% do not track them at all. Microsoft estimated the ratio of non-human to human identities to be 10 to 1 in 2018. The trend is heading toward 100 to 1. And 80% of workload identities are reportedly already abandoned while retaining their access rights.
For European CIOs, the challenge is compounded by regulatory requirements. NIS 2 and DORA impose operational resilience obligations that include the ability to detect, contain, and recover from incidents. Deploying AI agents on identity systems without first testing their recoverability exposes organizations to both operational crises and non-compliance. The question is no longer "should we govern AI identities?" It is: before or after the first incident?
Source: IT Social

6,167 data breaches were reported to the CNIL in 2025, a 9.5% increase from 2024. The annual report, published on May 18, confirms a record that had already been broken the previous year. Hacking accounted for 50% of incidents, and the public sector accounted for 19% of reported breaches. About 40 of these breaches affected more than one million people, compared to about 30 in 2024.
The CNIL is stepping up its efforts. By 2026, 50% of its inspections and enforcement actions will focus on cybersecurity breaches, compared to one-quarter to one-third in 2025. Marie-Laure Denis put it bluntly in *Le Monde*: "The government has a special responsibility toward the data of French citizens."
For CIOs, the message is clear: when it comes to cybersecurity, the CNIL/GDPR route is becoming the primary avenue for enforcement. While ANSSI has the authority but has not exercised it, the CNIL is moving forward with €487 million in fines imposed in 2025 under its belt.
Source: 01.net, Siècle Digital, Next

Creating an account, modifying access permissions, suspending, or deleting: these routine actions leave a trail that an attacker could exploit if the system is compromised. Youzer allows you to designate an administrator for each connector, who receives a notification that must be approved before the action is executed. Provisioning is triggered only after approval is received.
In practice, each connector has a primary recipient. If that recipient does not respond within 24 hours, the notification is forwarded to a secondary recipient. After 48 hours, both recipients are sent a reminder. Creating a Salesforce account requires approval from the Salesforce manager; opening an AD account requires approval from the AD manager, and so on. And on each user's profile, the Roles tab clearly indicates who administers what.
There are two uses depending on the organizationâs maturity: security (the approval workflow blocks unapproved actions) or tracking (documented visibility into who makes decisions). In both cases, you gain what the reports mentioned above identify as missing: a record, an identified responsible party, and auditable evidence as defined by NIS 2.
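The escalation timeline described above (a primary recipient, forwarding to a secondary recipient after 24 hours, a reminder to both after 48 hours, and provisioning only once a decision has been recorded) is small enough to write out as a state machine, which is what the added example below does. It is not Youzer's code; the `ApprovalRequest` fields, the function names and the sample Salesforce request are assumptions of the example. What it shows is the property the reports above ask for: every request ends with a named decider and an audit line, and the connector is never driven for a request that was not approved.

```python
"""Added example: an approval-gated provisioning request with the escalation
timeline described above (primary recipient, forward after 24 h, reminder to
both after 48 h, provisioning only after approval). Not Youzer's code; field
and function names are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

FORWARD_AFTER = timedelta(hours=24)   # primary silent: forward to secondary
REMIND_AFTER = timedelta(hours=48)    # still pending: remind both


@dataclass
class ApprovalRequest:
    action: str          # e.g. "create account"
    connector: str       # e.g. "Salesforce"
    primary: str         # designated administrator for this connector
    secondary: str       # fallback administrator
    created_at: datetime
    status: str = "pending"            # pending -> approved|rejected -> executed
    decided_by: Optional[str] = None
    audit: List[str] = field(default_factory=list)


def sample_request() -> ApprovalRequest:
    """Constructed request used by the demo and the checks below."""
    return ApprovalRequest("create account", "Salesforce", "sf-admin", "backup-admin",
                           datetime(2026, 5, 4, 9, 0))


def at(req: ApprovalRequest, hours: float) -> datetime:
    """Clock helper: the instant `hours` after the request was raised."""
    return req.created_at + timedelta(hours=hours)


def recipients(req: ApprovalRequest, now: datetime) -> List[str]:
    """Who must be notified at `now`; empty once a decision has been taken."""
    if req.status != "pending":
        return []
    elapsed = now - req.created_at
    if elapsed >= REMIND_AFTER:
        return [req.primary, req.secondary]
    if elapsed >= FORWARD_AFTER:
        return [req.secondary]
    return [req.primary]


def decide(req: ApprovalRequest, approver: str, approve: bool, now: datetime) -> None:
    """Record a decision. Only the two designated administrators may decide,
    and only once; the audit line names who decided and when."""
    if req.status != "pending":
        raise ValueError(f"request already {req.status}")
    if approver not in (req.primary, req.secondary):
        raise PermissionError(f"{approver!r} is not an approver for {req.connector}")
    req.status = "approved" if approve else "rejected"
    req.decided_by = approver
    req.audit.append(f"{now.isoformat()} {approver} {req.status}: {req.action} on {req.connector}")


def can_provision(req: ApprovalRequest) -> bool:
    """The connector is only driven for an approved request."""
    return req.status == "approved"


def provision(req: ApprovalRequest, now: datetime) -> str:
    """Execute the action (simulated) and return the audit line written for it."""
    if not can_provision(req):
        raise PermissionError("provisioning blocked: request is not approved")
    req.status = "executed"
    line = f"{now.isoformat()} executed {req.action} on {req.connector} (approved by {req.decided_by})"
    req.audit.append(line)
    return line


if __name__ == "__main__":
    req = sample_request()
    for hours in (1, 30, 50):
        print(f"{hours:>2} h -> notify {recipients(req, at(req, hours))}")
    decide(req, "backup-admin", True, at(req, 31))
    print(provision(req, at(req, 31.1)))
    print("\n".join(req.audit))
```

The audit list is the artefact an auditor asks for under NIS 2: who was asked, who decided, and when the connector was actually driven. A rejected request never reaches `provision`, and a third party who is not one of the two designated administrators cannot decide at all.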

Thank you for reading this far!
Any feedback, want to discuss a project?
I'm here for that.
Reply to this newsletter
We've sent you the newsletter and you think it's great? Sign up here
Sharing this newsletter is what keeps it alive!
Every month I send you my discoveries, my analysis on IT news.
I do a lot of monitoring and I share it all!
I'm Mélanie and I'm Youzer's marketing manager.
About me? I have an unquenchable thirst for learning! I'd rather read a book 100 times than watch a movie. I'm a fan of HP.
I go running and play a team sport on roller skates (don't look it up, it's dangerous).