Frequently asked questions

Find answers to the most common questions about our expertise, qualifications, and how we work.

General questions

What is Brightway?

Brightway is a French cybersecurity firm founded in 2016 and based in Sèvres (Hauts-de-Seine, near Paris). It covers the four cyber pillars: ANSSI-qualified PASSI audit; advisory and resilience (ISO 27001, NIS2, DORA, GDPR); monitoring and incident response (SOC and FIRST-accredited CERT); and Qualiopi-certified and PECB training.

What types of organisations do you work with?

Mainly SMEs, mid-caps and local authorities, with recurring engagements in industry, healthcare, finance, digital services and the public sector. Our human scale lets us calibrate every engagement to the right level, for organisations of 50 to 5,000 employees without overdesigning.

How does an engagement with Brightway start?

A complimentary 30 to 45-minute discussion frames the need and confirms fit. We then deliver a detailed proposal (scope, deliverables, timeline, fixed fee) with no commitment. Actual kick-off generally happens within 2 to 4 weeks depending on current load.

Does Brightway’s NIS2 self-assessment replace an official audit?

No. Brightway’s NIS2 self-assessment is a free educational tool. It helps you gauge your organisation’s cyber maturity against the domains covered by the European NIS2 directive, but it does not constitute a formal audit or a NIS2 compliance attestation. For official compliance support, Brightway offers a dedicated engagement. Feel free to contact us.

Audit & assessment

What are the four scopes of the PASSI qualification?

The ANSSI PASSI qualification covers four scopes: organisational and physical audit, architecture audit, configuration audit, and penetration testing. Brightway is qualified across all four scopes, covering the full audit spectrum required in public procurement, NIS2 compliance for Operators of Essential Services (OES), the SecNumCloud reference framework, and large-account tenders.

What is the difference between a vulnerability scan and a penetration test?

A vulnerability scan is automated and detects known weaknesses without exploiting them. A PASSI penetration test is led by qualified consultants who exploit flaws like a real attacker, chain attack vectors and measure tangible impact. The pentest answers the question: “How far can an attacker actually go?”

When should you run a configuration audit?

After an incident, before a critical go-live, to validate CIS or ANSSI hardening, or at the request of a cyber insurer or large-account client. The audit measures the gap between a security baseline and the real state of your systems (Active Directory, servers, network equipment, applications).

Advisory & resilience

Does NIS2 apply to my organisation?

NIS2 covers more than 10,000 entities in France. Applicability combines sector (energy, healthcare, finance, digital, public administration…), size (≥ 50 employees or ≥ €10M revenue) and criticality. Brightway runs a complimentary scoping assessment on request to qualify your status as an essential or important entity.

How long does it take to obtain ISO 27001 certification?

Allow 9 to 15 months between project kick-off and the initial certification audit. Critical path: scoping (1-2 months), risk analysis and ISMS policy (2-3 months), Annex A controls deployment (4-6 months), internal audit and management review (1 month), certification audit (2 months).

Who does the DORA regulation apply to?

DORA has applied since January 2025 to all European financial entities: banks, insurers, asset managers, trading venues, crypto-asset service providers. It also covers their critical ICT third-party providers. Obligations span ICT risk management, resilience testing and major incident reporting to the ACPR (the French prudential authority).

What is the DPO’s role with regard to security?

The DPO oversees GDPR compliance, while the implementation of technical and organisational measures sits with the CISO or IT manager. In practice, DPO and CISO work hand in hand on data protection impact assessments (DPIAs), breach handling, retention periods and the documentation of sensitive processing activities.

What is a vCISO and when should you bring one in?

A vCISO (virtual CISO) is a senior CISO shared across multiple organisations, typically 1 to 5 days per month. Relevant for SMEs and mid-caps that don’t justify a full-time CISO but need to drive a cyber roadmap, prepare an audit, or back a credible governance posture.

How do you prepare a cyber insurance questionnaire?

Insurers assess your posture through 40 to 80 questions covering access management (MFA, privileged accounts), backups (3-2-1 rule), detection (EDR/SOC), awareness and governance. A gap on critical items leads to refusal or a higher premium. Brightway frames the answers and closes deal-breaking gaps before submission.

Monitoring & response

How does Brightway’s SOC work?

Our SOC collects events from your systems (endpoints, Active Directory, firewalls, cloud) through standard connectors and correlates them with MITRE ATT&CK detection rules and CTI feeds. Qualified alerts are picked up by our analysts with client notification within 15 minutes for critical incidents.

What should you do in the event of a major security incident?

Isolate compromised systems without powering them off (to preserve volatile memory), notify management and the DPO, then contact a CERT immediately. Our FIRST-accredited CERT can intervene within 2 to 4 hours. The first 48 hours are critical for containment, evidence collection, and CNIL notification (within 72 hours under GDPR).

Training & awareness

Are your training courses eligible for funding?

Brightway Academy is Qualiopi-certified, a prerequisite for accessing pooled vocational training funds since January 2022. Our certifying training courses are eligible for France Travail’s AIF scheme.

What does the Qualiopi certification guarantee?

Qualiopi is a quality certification (not a qualification) issued by a COFRAC-accredited body. It attests that the training organisation complies with the French National Quality Reference Framework across 7 criteria (information, pedagogy, follow-up, resources, supervision, continuous improvement, complaints handling). It has been mandatory since January 2022 for training organisations accessing public and pooled funding.

How does a PECB certification exam work?

PECB exams last 2 to 3 hours depending on the certification (Lead Implementer, Lead Auditor, Risk Manager, AI). They consist of 50 to 80 written questions mixing multiple choice and open questions, with a 70% pass mark, and are held at the end of the session in a supervised room. Results arrive within 6 to 8 weeks, and the certificate is valid for 3 years.

Brightwatch

What is Brightwatch?

Brightwatch is our French-language vulnerability intelligence service, designed for IT teams that lack the time or a dedicated analyst to track English-language CVE feeds. Each alert is qualified, contextualised to your declared environment and prioritised by operational criticality, with actionable recommendations.

How does Brightwatch differ from an automated CVE feed?

A raw CVE feed produces hundreds of alerts per week, most of them irrelevant to your stack. Brightwatch filters on your declared technology stack, factors in real exposure (environmental CVSS, observed exploitation) and delivers bulletins written by our analysts — not yet another machine-generated feed to triage.
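To make the filtering step concrete, here is an added illustration (not Brightwatch's code, and not the scoring Brightway actually uses) of how a feed can be reduced to what matters: each advisory is kept only if its product and affected version match the declared stack, then the survivors are ranked with a simple exposure adjustment for observed exploitation and for whether a network-reachable component is actually internet-facing. Every CVE identifier, product name and score below is a constructed placeholder.

```python
# Added example (not Brightway's or Brightwatch's code): toy triage of a raw
# vulnerability feed against a declared technology stack. All identifiers,
# products, versions and scores are constructed placeholders, not real advisories.

from dataclasses import dataclass


@dataclass
class Advisory:
    cve_id: str               # constructed placeholder id (year 0000 marks it as fake)
    product: str              # affected product name, lower-case
    versions: tuple           # affected versions (constructed)
    cvss_base: float          # CVSS base score, 0.0 to 10.0
    exploited: bool           # exploitation observed in the wild
    network_reachable: bool   # attack vector is network


# Constructed "declared stack": product -> (deployed version, internet exposed?)
DECLARED_STACK = {
    "exampleweb": ("2.4", True),
    "examplecms": ("5.1", False),
    "exampledb": ("12", False),
}


def relevant(adv, stack):
    """Keep an advisory only if the product is declared and the deployed version is affected."""
    entry = stack.get(adv.product)
    if entry is None:
        return False
    version, _exposed = entry
    return version in adv.versions


def exposure_score(adv, stack):
    """Toy environmental adjustment: raise exploited advisories, lower
    network-only advisories on components that are not internet-facing.
    The result is clamped to the 0.0 to 10.0 CVSS range."""
    _version, exposed = stack[adv.product]
    score = adv.cvss_base
    if adv.exploited:
        score += 1.5
    if adv.network_reachable and not exposed:
        score -= 2.0
    return max(0.0, min(10.0, round(score, 1)))


def triage(feed, stack):
    """Return (cve_id, adjusted score) for relevant advisories, highest priority first."""
    kept = [a for a in feed if relevant(a, stack)]
    ranked = sorted(kept, key=lambda a: exposure_score(a, stack), reverse=True)
    return [(a.cve_id, exposure_score(a, stack)) for a in ranked]


# Constructed raw feed: five advisories, only three of which concern the stack above.
RAW_FEED = [
    Advisory("CVE-0000-0001", "exampleweb", ("2.3", "2.4"), 9.8, True, True),
    Advisory("CVE-0000-0002", "examplecms", ("5.1",), 8.1, False, True),
    Advisory("CVE-0000-0003", "exampledb", ("11",), 7.5, False, True),    # deployed version not affected
    Advisory("CVE-0000-0004", "othervendor", ("1.0",), 10.0, True, True), # product not in the stack
    Advisory("CVE-0000-0005", "exampledb", ("12",), 6.5, True, False),
]

if __name__ == "__main__":
    for cve_id, score in triage(RAW_FEED, DECLARED_STACK):
        print(cve_id, score)
```

With the constructed data, two of the five advisories are discarded outright (wrong version, unknown product), the exploited internet-facing one is clamped to 10.0 at the top, and the high-base-score CMS flaw drops below the exploited database flaw because the CMS is not internet-facing. A real service would replace the hard-coded stack with an asset inventory and the two adjustments with proper CVSS environmental metrics and a known-exploited-vulnerability source.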

SMEs & Mid-market

What cybersecurity budget should an SME plan for?

A reasonable order of magnitude is 3 to 8% of the IT budget for an unregulated SME, more for NIS2 sectors or organisations handling sensitive data. The initial spend typically targets EDR, MFA, immutable backups, security awareness and a posture audit to prioritise the roadmap.

Local authorities

How can public-sector buyers work with Brightway?

Brightway responds to formal procedures (tenders, simplified procurement) and negotiated contracts. We are listed on several framework agreements for PASSI services and Qualiopi training. Our references include municipalities, intermunicipal bodies, departmental councils and public institutions, with hands-on experience of the budget and timeline constraints of the public sector.

Ready to strengthen your cyber posture?

Our experts assess your situation and propose an action plan tailored to your challenges.