
Cyber is not an IT cost.
It is governance.

Since 2024, NIS2 has assigned personal liability to directors for an inadequate cyber posture. Insurance policies require technical evidence before they pay out. The question is no longer whether we will deal with it, but how and when.

€10M · Maximum NIS2 sanction
2% · Turnover · essential entities
72h · Mandatory CSIRT notification
Board reports per year

§ 01 · 10 questions to the CISO

The questions the Board should already be asking.

If the CISO has no concrete answers to these questions, the problem isn't the CISO: it's how little information reaches the Board. We support companies in building a technical-strategic dialogue expressed in risk language.

01

Who is attacking us right now?

Not who could attack us. Who is trying, now, on real systems.

02

How long would a ransomware shutdown last?

In production hours, in revenue, in lost customers. Numbers, not feelings.

03

Are we in NIS2 scope? Essential or important?

NIS2 attributes personal liability to directors. Do you know where you fall?

04

Would our backups really hold?

When was the last full restore tested? Not simulated, but actually executed.

05

Do we have a cyber policy? What does it really cover?

Policies signed before 2024 often exclude ransomware, or require a minimum posture that is not guaranteed today.

06

Who answers if it happens at 3 a.m.?

Phone number, person, language, time zone. Specific.

07

How much do we invest in cyber compared to the sector?

Sector median: 2-4% of IT budget for banking/finance, 1-2% for manufacturing. You?

08

Are our critical suppliers defended?

The supply chain is the leading modern attack surface. NIS2 mandates supervising it.

09

What changed since the last cyber board meeting?

Threat landscape, regulation, internal posture. If the answer is "nothing", monitoring is not active.

10

What would we tell the press tomorrow?

Crisis communication prepared before, not improvised during the incident.


§ 02 · Comparison

In-house SOC vs external MDR.

Qualitative comparison for a mid-market company (200-500 endpoints, 1-2 sites). An in-house SOC requires personnel, a technology stack, threat intel, detection engineering, continuity, and training. The Fortgale MDR model bundles all of this into a managed service, at a significantly lower relative investment.

| Component                              | In-house SOC                   | Fortgale MDR                     |
|----------------------------------------|--------------------------------|----------------------------------|
| Senior SOC personnel · 24/7            | Full-time dedicated resources  | Included · no HR                 |
| EDR · SIEM · TIP stack                 | To buy and run                 | Included · multi-vendor          |
| Threat intel feeds / subscriptions     | Additional subscriptions       | Included · proprietary CTI       |
| Detection engineering                  | Internal team or consultancy   | Included · peer-reviewed rules   |
| Tabletops, training, certifications    | Separate budget                | Included (Silver+)               |
| Continuity · holidays · turnover       | 30% unforeseen                 | Mitigated · rotating team        |
| Time-to-value                          | 12-18 months                   | 30 days                          |
| Relative investment                    | €€€€€                          | €€                               |

The €€€€€ : €€ ratio represents the average relative investment observed across the European mid-market. Want a comparison for your specific case? Talk to our analysts.

§ 03 · NIS2 accountability

Economic and personal sanctions.

NIS2 transposition across EU member states introduces significant sanctions for the company and for directors individually. The difference from GDPR: here there is also suspension from duties.

| Subject / violation          | Amount                                      | Note                                                      |
|------------------------------|---------------------------------------------|-----------------------------------------------------------|
| Essential entities           | up to €10M or 2% of global turnover         | The greater of the two values applies                     |
| Important entities           | up to €7M or 1.4% of global turnover        | The greater of the two values applies                     |
| Directors                    | personal liability                          | Suspension from duties in case of serious repeated violations |
| Missed CSIRT notification    | additional sanctions                        | Up to €1M extra for omission of or delay in notification  |

Personal exposure of directors. NIS2 obliges management to know and approve cyber measures. "I didn't know" is no defence. Standard D&O coverage doesn't always respond to omissions in cyber matters.

§ 04 · Insurability

The policy pays only if.

Cyber policies in 2025-2026 attach technical posture conditions to both underwriting and claim payment. If the posture is inadequate, the risk is double: suffering the attack and not being indemnified.

Pre-condition

Mandatory MFA

Without MFA on privileged access, most underwriters won't sign. This is the 2026 baseline posture.

Pre-condition

Immutable backup + DR test

Offline/immutable backups tested within the year. Without them, new policies exclude ransomware.

Pre-condition

EDR/MDR on endpoints

Endpoints with modern detection · 24/7 monitoring. No vendor whitelist: what matters is the coverage, not the logo.

Premium discount

Documented annual tabletop

Top-tier policies discount 5-15% if a documented annual IR exercise, with a written report, exists.

Premium discount

Vendor risk management

A structured process for evaluating critical suppliers (NIS2 art. 23). Reduces the premium.

We work with your company's brokers to certify the posture and reduce the premium. Tell us about your policy.

For a Board briefing

A 45-minute briefing for your Board.

Risk language, not technology. Risk register, posture, sanctions, coverage. Ready to present.

Response time: < 1 business day.
