“Together, let’s strengthen cyber maturity!” at the Senate, a symposium to put cybersecurity back at the level of organizations

On Monday January 26, 2026, at the Palais du Luxembourg, a symposium organized by Numeum,AFNOR and CLUSIF brought together institutions, experts and companies with a single objective: to advance cyber maturity.

The day reminded us of a simple idea. The risk targets the business: production halted, invoicing blocked, services paralyzed.

From the outset, Senator Corinne Narassiguin emphasized one point: to strengthen cyber maturity, it is necessary to involve far more than just IT teams. Vulnerabilities often stem from usage. The challenge becomes a collective one. Cybersecurity must be managed as a corporate issue. It is decided at management level, rolled out across teams, embedded in processes and verified by evidence.

The risk scale: one company in two will be affected by 2024

The conference is based on a shared observation: obligations are piling up, and clarity is deteriorating. The figures give the scale of the risk: one company in two claims to have suffered at least one cyber attack with a significant impact in 2024 ( CESIN 2024 barometer). A third of cyber managers believe that their company is unprepared to deal with cyber attacks(Hiscox 2024). In the room, a benchmark is circulating among SMEs: 57% say they have suffered a cyber attack.

To provide an answer, Europe is getting into fighting order

Indeed, as Mathieu Couturier(ANSSI) reminds us, the right level for action is the European level: NIS2 and the CRA (Cyber Resilience Act) are part of this drive to strengthen the cybersecurity of European entities and make the market more transparent in this area.

In addition to regulations that oblige companies to step up their security, and certification that provides a common framework that can be understood at European level, we mustn’t forget that cybersecurity research is also an essential lever for preparing defenses against tomorrow’s attacks. France and Europe are in a strong position thanks to their cutting-edge laboratories in this field.

“143 days of invisible presence”: the typical attack scenario as told by companies

Feedback from companies gives a clear picture of an attack scenario: a silent phase, followed by rapid dissemination. Emmanuel Barrier(Kyndryl) cites a striking figure: an average of 143 days of invisible presence in the information system before the switchover. Laurent Gelu insists on the difficulty of detecting weak signals: a prepared decision chain makes all the difference.

Behind these stories lies a recurring economic risk: 60% of SMEs that fall victim to a cyber attack will go bankrupt within 18 months ( Senate information report , 2021). Cyber maturity is therefore also about ensuring continuity.

Assistance and crisis management: accessing help becomes a reflex, and preparation begins before the big day.

In France, a number of structures play a decisive role in supporting companies in the face of a cyber crisis. Éric Freyssinet(ComCyberMI) and Jérôme Notin(Cybermalveillance.gouv.fr) recall the existence of the 17Cyberan online point of entry for any individual or business victim of a cyber security incident. Operated by Cybermalveillance.gouv.fr, 17Cyber complements other schemes, including the ExpertCyber label, which identifies service providers capable of helping companies, especially SMEs, deal with cybersecurity incidents.

To limit the effects of an attack, the panelists remind us that a crisis needs to be prepared, and that the ability to act depends on roles and reflexes defined upstream. To this end, the government provides exercises to help you prepare: REMPAR by ANSSI and the SenCy-Crise MOOC by Cybermalveillance.gouv.fr for SMEs.

Our experts remind you of 6 reflexes to adopt before the crisis hits

1) Backup and test: test backups, restore, measure recovery time, check isolation.

2) Map out what you need to protect: know what matters and where the entry points are (assets, access, dependencies, service providers).

3) Identify the vital minimum: identify priority activities (invoicing, production, customer service, logistics, etc.) then improve their resilience step by step.

4) Training: exercises (SenCy-Crise, sector kits), with scenarios involving the whole company, including the COMEX.

5) Know where to ask for help: 17Cyber, Cybermalveillance.gouv.fr, territorial CSIRTs, ExpertCyber accredited service providers.

6) Transform regulatory texts into action plans: prioritize, track indicators, document evidence that can be reused from one framework to the next.

“Cybersecurity is a collective affair”.

In conclusion, the organizers reiterate that cybersecurity is a cross-functional issue that needs to be addressed collectively. Regulatory and standards frameworks provide a structure; the challenge is to turn them into a maturity gas pedal.

Florence Puybareau(CLUSIF) sums up cyber maturity as a triptych: security to reduce exposure, resilience to absorb the shock and recover, and influence to inspire confidence in customers, partners and ecosystems.

Valérie Dagand (Numeum) reminds us that the regulatory environment, though dense, is a lever to be seized in order to bring the European economic fabric to greater maturity and strengthen the resilience of our economies in the face of cyber risk.

To meet this challenge, Nolwenn Le Ster (Numeum) concludes with a reminder of the importance of teamwork. The cyber ecosystem is rich in expertise. The joint organization of this event by Numeum, Afnor Normalisation and Clusif is a perfect example of the power of ” working together “. This dynamic will make all the difference, and is set to continue, notably as part of a “Tour des Régions de la Résilience” launched by MEDEF and Numeum, starting in September 2026 to support French companies in their cybersecurity challenges, as close to the ground as possible.

We would like to thank Clusif and Afnor Normalisation for their partnership in organizing this symposium, and all the speakers for their invaluable contributions.