Back to blogCybersecurity

ANSSI recommendations: the essential cyber hygiene guide for SMEs

NRNicolas Renard·July 21, 2026· 7 min read

ANSSI, the French national cybersecurity agency, is the reference authority for cybersecurity in France. Its cyber hygiene guide lists a set of simple, non exhaustive measures that rule out most of the common incident scenarios observed in companies.

Why rely on ANSSI recommendations

These recommendations are not obtained like a certification: they are implemented, and nothing formally attests that they are. That is both their strength and their limit. They are free, public and designed for organizations of any size, including the smallest structures without internal technical expertise, but they carry no label that can be shown to a client, an insurer or a partner, unlike an ISO 27001 certification.

Cybersecurity Diagnostic·See a diagnostic preview

The priority measures to put in place

ThemeRecommended measure
AuthenticationStrong passwords and multi factor authentication on sensitive accounts
UpdatesSystematic application of security patches, on both workstations and servers
BackupsRegular, tested backups, isolated from the main network
Accounts and accessSeparation of administrator accounts from standard user accounts
NetworkNetwork segmentation and filtering of inbound and outbound traffic
AwarenessEmployee training on phishing and social engineering risks

A progressive rather than exhaustive rollout

  1. Identify the measures already in place, without judgment.
  2. Prioritize the measures whose absence exposes the organization to the highest risk (authentication, backups).
  3. Plan the rollout of missing measures over several months rather than aiming for immediate completeness.
  4. Document the measures applied, so they can be demonstrated when needed (cyber insurance, tenders, audits).

Common mistakes

  • Assuming cybersecurity is reserved for large companies.
  • Deploying tools without reviewing practices: an antivirus does not replace a backup policy.
  • Training teams only once, with no regular refresher.

Checking, measure by measure, which of these recommendations are already applied and which ones remain to be prioritized produces a far more useful roadmap than a list of good intentions nobody has verified.

Ready to assess your organization?

Try for free