A PSSI is only as strong as the daily behaviors of the employees it governs. Most French companies have one gathering dust in a shared drive — the gap between what the policy says and what employees actually do is where breaches happen.
There is a document sitting in a shared drive somewhere in your organization. It is probably called “PSSI” or “Politique de Sécurité des Systèmes d’Information.”
It was written — or more likely adapted from a template — when your company last went through a compliance audit, or when a new IT manager decided to formalize things. It covers password policies, access controls, acceptable use of company resources, incident response procedures, and a dozen other topics.
It is probably 40 to 80 pages long. It was last updated 18 months ago. And almost nobody in your organization has read it.
If this sounds familiar, you are not alone. This is the reality at the vast majority of French companies, from PMEs to mid-market enterprises.
They have a PSSI because they are supposed to have one. But having a policy and having employees who follow it are two entirely different things.
What a PSSI Actually Requires
The PSSI is France’s foundational framework for information system security, promoted by ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information). It is not just a recommendation — for many organizations, particularly those handling sensitive data, working with public-sector clients, or subject to the NIS2 directive, a PSSI is effectively mandatory.
But a PSSI is more than a document. When you read the ANSSI guidelines carefully, the intent is clear: the policy must be operationalized. It must be communicated to all employees, understood by them, and reflected in their daily behavior.
A well-implemented PSSI should cover:
- Access control policies: Who can access what, and under which conditions
- Authentication requirements: Password complexity, MFA adoption, session management
- Data handling rules: Classification, storage, sharing, and retention
- Acceptable use policies: Rules for email, cloud tools, personal devices, and third-party applications
- Incident reporting procedures: What constitutes an incident and how to escalate
- Awareness and training obligations: Ongoing education for all personnel
That last point is critical. ANSSI does not say “train your employees once a year and move on.” The guidance calls for continuous awareness, adapted to roles and risks.
Most organizations interpret this as “deploy an e-learning platform and track completions.” That interpretation satisfies auditors but completely misses the point — a pattern we unpack in why security training doesn’t work.
The Gap Between Policy and Practice
Let me describe a scenario I see regularly when working with French companies.
The PSSI states: “Employees must not share documents containing sensitive information via public links. All file sharing must be restricted to specific, authorized recipients.”
Meanwhile, in practice:
- 40% of shared Google Drive links across the organization are set to “Anyone with the link”
- Marketing has a public Notion workspace containing competitive intelligence
- Three employees are forwarding internal documents to their personal Gmail accounts to “work from home more easily”
- A team lead has granted a third-party Chrome extension full access to their Google Workspace data
None of these employees are malicious. Most of them would pass a quiz about data sharing best practices. They simply do not connect the abstract policy they skimmed during onboarding with their daily workflow decisions.
This is the PSSI gap: the distance between what the policy says and what employees actually do. For a deeper analysis of the knowledge-behavior gap, see our whitepaper on why knowledge alone does not change behavior.
Why Traditional Approaches Fail
Most organizations try to close this gap in one of three ways, and all three are insufficient.
| Approach | Method | Why It Fails |
|---|---|---|
| Annual Training | Module at onboarding + once a year | 90% of learned information forgotten within a week (Ebbinghaus) |
| Email Reminders | IT sends periodic policy emails | Buried in inbox noise, generic, disconnected from action |
| Audit-Driven Corrections | Compliance push only before audits | Temporary spike that evaporates within weeks |
None of these create lasting behavior change because none of them operate at the point where behavior actually happens: in the daily flow of work. This is the same root cause behind why compliance needs behavior proof, not paperwork.
Making Your PSSI a Living System
A PSSI becomes real when three conditions are met simultaneously: the organization observes whether employees are following it, informs them when they are not, and reinforces the right behaviors over time.
Here is what that looks like in practice.
Step 1: Observe Real Behavior Continuously
You cannot enforce a policy you cannot see. The first step is to continuously audit the SaaS tools your employees use every day — Google Workspace, Microsoft 365, Slack, Notion — to identify behaviors that violate your PSSI. This is exactly what Engarde’s SaaS monitoring is designed to surface.
This is not about surveillance. It is about visibility. Just as a financial audit reviews transactions against accounting policies, a behavioral audit reviews digital actions against security policies.
The output is a clear, factual picture: here is what your PSSI says, and here is what is actually happening.
For example:
- PSSI says: “MFA must be enabled on all accounts.” Reality: 23% of employees have not activated MFA.
- PSSI says: “External sharing of internal documents requires manager approval.” Reality: 156 documents are shared externally with no approval trail.
- PSSI says: “Only approved third-party applications may be connected to company accounts.” Reality: 12 unapproved OAuth applications have access to company data.
Each of these is a specific, measurable deviation from your own stated policy.
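The audit described in Step 1 is, in practice, a set of rules evaluated against an inventory exported from the SaaS tools. The following is an added example, not Engarde’s code or any vendor’s export format: it runs three checks that match the PSSI statements above (MFA enrolment, public or unapproved external sharing, unapproved OAuth applications) over a small constructed inventory, returns each deviation tagged with the employee who should receive the nudge, and computes the percentage figures that the audit report would carry. The rule identifiers, field names and sample records are all assumptions constructed for the example.

```python
"""Policy-deviation audit over a constructed SaaS inventory (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample data. The record shape is an assumption for this example,
# not the real export format of Google Workspace, Microsoft 365 or any other tool.
USERS = [
    {"email": "alice@example.fr", "mfa_enrolled": True},
    {"email": "bob@example.fr", "mfa_enrolled": False},
    {"email": "chloe@example.fr", "mfa_enrolled": True},
    {"email": "david@example.fr", "mfa_enrolled": False},
]

# "anyone_with_link" is a public link; "external" is shared to named outside recipients.
FILES = [
    {"id": "doc-1", "owner": "alice@example.fr", "visibility": "anyone_with_link", "approval_ref": None},
    {"id": "doc-2", "owner": "bob@example.fr", "visibility": "internal", "approval_ref": None},
    {"id": "doc-3", "owner": "chloe@example.fr", "visibility": "external", "approval_ref": "APR-0042"},
    {"id": "doc-4", "owner": "david@example.fr", "visibility": "external", "approval_ref": None},
    {"id": "doc-5", "owner": "david@example.fr", "visibility": "internal", "approval_ref": None},
]

OAUTH_GRANTS = [
    {"user": "alice@example.fr", "app": "Approved Calendar Sync", "scopes": ["calendar.readonly"]},
    {"user": "david@example.fr", "app": "Unknown PDF Tool", "scopes": ["drive", "gmail.readonly"]},
]

APPROVED_APPS = {"Approved Calendar Sync"}


@dataclass
class Deviation:
    rule: str      # constructed rule label, not a real PSSI section number
    subject: str   # employee who should receive the nudge
    detail: str


def check_mfa(users) -> List[Deviation]:
    """PSSI: MFA must be enabled on all accounts."""
    return [Deviation("AUTH-MFA", u["email"], "MFA not enrolled")
            for u in users if not u["mfa_enrolled"]]


def check_sharing(files) -> List[Deviation]:
    """PSSI: no public links; external sharing needs an approval trail."""
    out = []
    for f in files:
        if f["visibility"] == "anyone_with_link":
            out.append(Deviation("SHARE-PUBLIC", f["owner"], f"{f['id']} shared via public link"))
        elif f["visibility"] == "external" and not f["approval_ref"]:
            out.append(Deviation("SHARE-EXT-APPROVAL", f["owner"],
                                 f"{f['id']} shared externally with no approval trail"))
    return out


def check_oauth(grants, approved) -> List[Deviation]:
    """PSSI: only approved third-party applications may be connected."""
    return [Deviation("APP-UNAPPROVED", g["user"], f"{g['app']} ({', '.join(g['scopes'])})")
            for g in grants if g["app"] not in approved]


def run_audit(users, files, grants, approved) -> Tuple[List[Deviation], Dict[str, float]]:
    """Return every deviation plus the headline figures for the audit report."""
    deviations = check_mfa(users) + check_sharing(files) + check_oauth(grants, approved)
    metrics = {
        "pct_without_mfa": round(100 * sum(not u["mfa_enrolled"] for u in users) / len(users), 1),
        "pct_public_links": round(100 * sum(f["visibility"] == "anyone_with_link" for f in files) / len(files), 1),
        "external_without_approval": sum(1 for f in files
                                         if f["visibility"] == "external" and not f["approval_ref"]),
        "unapproved_apps": sum(1 for g in grants if g["app"] not in approved),
    }
    return deviations, metrics


def group_by_subject(deviations: List[Deviation]) -> Dict[str, List[Deviation]]:
    """Group deviations per employee so each person gets one consolidated nudge."""
    grouped: Dict[str, List[Deviation]] = {}
    for d in deviations:
        grouped.setdefault(d.subject, []).append(d)
    return grouped


if __name__ == "__main__":
    devs, report = run_audit(USERS, FILES, OAUTH_GRANTS, APPROVED_APPS)
    print(report)
    for who, items in group_by_subject(devs).items():
        print(who, [f"{d.rule}: {d.detail}" for d in items])
```

Grouping by subject matters for Step 2: one employee with three deviations should get one contextual message, not three separate alerts.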
Step 2: Deliver Targeted Nudges Where Work Happens
When a deviation is detected, the employee receives a nudge — not a punitive warning, but an informative, contextual message delivered through Slack or Teams, the tools they already use every day. This is the real-time guidance layer most awareness programs are missing.
The nudge explains three things:
- What they did: “You shared a document via a public link.”
- Why it matters: “Your company’s PSSI (Section 4.2) requires that shared documents be restricted to specific recipients to prevent unauthorized access.”
- How to fix it: “You can update the sharing settings by clicking here. It takes about 15 seconds.”
This is fundamentally different from generic training. The nudge is specific (about their action), contextual (referencing their company’s actual policy), and actionable (telling them exactly how to fix it).
It arrives at the moment the behavior occurs, when the employee’s memory and motivation to act are highest.
Step 3: Reinforce Through Spaced Quizzes
Nudges address immediate deviations. But lasting behavior change requires reinforcement over time. This is where spaced repetition comes in.
Based on the employee’s observed behaviors and the areas of the PSSI most relevant to their role, they receive short quizzes through Slack or Teams at calculated intervals. These are not generic compliance questions. They are tailored:
- An employee who recently shared a public link gets a quiz about data sharing policies
- A team that just onboarded a new SaaS tool gets a quiz about third-party application policies
- An employee who handles client data gets periodic quizzes about data classification
The spacing follows principles derived from the Ebbinghaus forgetting curve: initial reinforcement comes quickly, then intervals gradually increase as the behavior becomes habitual.
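As an added example (not Engarde’s scheduler), the following scheduler implements the spacing rule just described: a quiz on the topic matching the observed deviation is due soon after the event, the interval doubles after each correct answer up to a cap, and a wrong answer resets it to the initial interval. The rule labels, topic names and the exact growth factor and cap are assumptions chosen for the example.

```python
"""Spaced-repetition scheduler for PSSI quizzes (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List

# Constructed mapping from audit rule labels to quiz topics (labels are assumptions).
TOPIC_FOR_RULE = {
    "SHARE-PUBLIC": "data-sharing",
    "SHARE-EXT-APPROVAL": "data-sharing",
    "AUTH-MFA": "authentication",
    "APP-UNAPPROVED": "third-party-apps",
}

INITIAL_INTERVAL_DAYS = 1   # first reinforcement comes quickly
GROWTH_FACTOR = 2.0         # intervals lengthen as the behavior becomes habitual
MAX_INTERVAL_DAYS = 60      # cap so the topic is still revisited a few times a year


@dataclass
class ReviewState:
    topic: str
    interval_days: float
    due: date
    streak: int = 0


def schedule_after_deviation(rule: str, today: date) -> ReviewState:
    """Open a review track for the topic behind an observed deviation."""
    topic = TOPIC_FOR_RULE.get(rule, "general")
    return ReviewState(topic=topic, interval_days=INITIAL_INTERVAL_DAYS,
                       due=today + timedelta(days=INITIAL_INTERVAL_DAYS))


def record_answer(state: ReviewState, correct: bool, today: date) -> ReviewState:
    """Update the interval from the quiz result and set the next due date."""
    if correct:
        state.streak += 1
        state.interval_days = min(state.interval_days * GROWTH_FACTOR, MAX_INTERVAL_DAYS)
    else:
        state.streak = 0
        state.interval_days = INITIAL_INTERVAL_DAYS
    state.due = today + timedelta(days=int(state.interval_days))
    return state


def simulate(rule: str, answers: List[bool], start: date) -> List[date]:
    """Answer each quiz on its due date and return the sequence of due dates."""
    state = schedule_after_deviation(rule, start)
    dues = [state.due]
    for correct in answers:
        record_answer(state, correct, state.due)
        dues.append(state.due)
    return dues


def gaps_in_days(dues: List[date]) -> List[int]:
    """Days between consecutive due dates, for inspecting the spacing."""
    return [(b - a).days for a, b in zip(dues, dues[1:])]


if __name__ == "__main__":
    dues = simulate("SHARE-PUBLIC", [True, True, False, True], date(2024, 1, 1))
    print([d.isoformat() for d in dues], gaps_in_days(dues))
```

The reset on a wrong answer is what keeps the schedule tied to demonstrated understanding rather than elapsed time: an employee who still gets the sharing question wrong is quizzed again the next day, not in two months.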
Step 4: Pair Phishing Drills with Behavioral Evidence
Email-based attacks remain the most documented attack vector in ANSSI’s annual threat panorama, and your PSSI almost certainly mandates phishing awareness. Targeted phishing simulations still belong in your program — but on their own, they only test one vector at one moment in time. Pair them with continuous behavioral audits to cover the rest, as we argue in why phishing simulations aren’t enough.
Step 5: Measure Policy Adherence, Not Completion
The metrics change entirely. Instead of reporting “95% training completion” to your board or auditors, you report:
- Public link sharing decreased from 40% to 8% over three months
- MFA adoption increased from 77% to 99%
- Unapproved OAuth applications reduced from 12 to 1
- Average time to remediate a flagged behavior: 4 hours
These are metrics that directly map to PSSI compliance and directly correlate with reduced risk. They tell auditors, leadership, and regulators not just that you have a policy, but that your employees actually follow it.
What This Means for NIS2, DORA and Upcoming Regulations
The NIS2 directive, which France is transposing into national law, raises the bar significantly. It requires organizations to demonstrate not just that they have security policies, but that they have effective measures to ensure those policies are implemented and maintained.
The emphasis is on proportionate, risk-based, and continuous security management.
For French companies subject to NIS2 — and the scope is considerably broader than NIS1 — “we did annual training” is unlikely to satisfy regulators. They will want evidence that policies are being followed in practice, that deviations are detected and corrected, and that the organization maintains continuous awareness among its personnel.
The same logic applies to DORA for financial-sector entities, where operational resilience must be demonstrated, not declared. Behavioral evidence — observed deviations, time-to-remediate, adherence trend lines — is exactly the format regulators want.
A behavioral approach to PSSI compliance is not just more effective — it is increasingly what regulators expect.
A Practical Starting Point
If you are a CISO or IT manager at a French company looking to make your PSSI operational, here are concrete first steps:
- Audit your current state. Before changing anything, measure where you actually stand. What percentage of your employees follow each key PSSI requirement in practice? You may be surprised by the gap.
- Identify your highest-risk deviations. Not all policy violations carry equal risk. Prioritize the behaviors that expose your organization to the most damage — typically external data sharing, authentication weaknesses, and shadow IT.
- Bring feedback to where employees work. If your employees live in Slack or Teams, that is where security communication belongs. Not in an LMS they visit once a year.
- Measure behavior, not knowledge. Stop tracking training completion and start tracking behavioral metrics that map directly to your PSSI requirements.
- Iterate continuously. A PSSI is not a project with a completion date. It is an ongoing operating system for security behavior. Treat it accordingly — the same continuous posture underpins zero-trust done right.
The Bottom Line
Your PSSI is only as strong as your employees’ daily behaviors. A beautifully written 60-page policy document is worthless if the people it governs do not follow it — and most of them do not, because nobody has given them the tools, context, and reinforcement to do so.
Closing the gap between policy and practice does not require more training hours, bigger budgets, or stricter enforcement. It requires a different approach — one based on observation, timely feedback, and continuous reinforcement grounded in behavioral science.
Your PSSI deserves to be more than a document in a drawer. It deserves to be a living system that your employees follow every day — because they understand it, because they are reminded of it in context, and because doing the right thing has been made the easy thing.
Engarde (engarde.cc) — the behavior-centered cybersecurity platform — helps French companies turn their PSSI into a living system: continuous SaaS behavioral audits mapped to your specific policy, tailored nudges and spaced-repetition quizzes through Slack and Teams, and the behavior-proof evidence NIS2 and DORA supervisors are starting to ask for. The result: measurable PSSI compliance, not just a checked box.
Sources: ANSSI - Guide PSSI · Gartner Design Report · JISEM - Decision Fatigue and Cybersecurity · RAND - Beyond Technicality