PSSI Compliance for French Companies: Beyond the Checkbox

Quentin F.

There is a document sitting in a shared drive somewhere in your organization. It is probably called “PSSI” or “Politique de Sécurité des Systèmes d’Information.”

It was written - or more likely adapted from a template - when your company last went through a compliance audit or when a new IT manager decided to formalize things. It covers password policies, access controls, acceptable use of company resources, incident response procedures, and a dozen other topics.

It is probably 40 to 80 pages long. It was last updated 18 months ago. And almost nobody in your organization has read it.

If this sounds familiar, you are not alone. This is the reality at the vast majority of French companies, from PMEs (small and mid-sized businesses) to mid-market enterprises.

They have a PSSI because they are supposed to have one. But having a policy and having employees who follow it are two entirely different things.

What a PSSI Actually Requires

The PSSI is France’s foundational framework for information system security, promoted by ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information). It is not just a recommendation - for many organizations, particularly those handling sensitive data, working with public-sector clients, or subject to the NIS2 directive, a PSSI is effectively mandatory.

But a PSSI is more than a document. When you read the ANSSI guidelines carefully, the intent is clear: the policy must be operationalized. It must be communicated to all employees, understood by them, and reflected in their daily behavior.

Specifically, a well-implemented PSSI should cover:

  • Access control policies: Who can access what, and under which conditions
  • Authentication requirements: Password complexity, MFA adoption, session management
  • Data handling rules: Classification, storage, sharing, and retention
  • Acceptable use policies: Rules for email, cloud tools, personal devices, and third-party applications
  • Incident reporting procedures: What constitutes an incident and how to escalate
  • Awareness and training obligations: Ongoing education for all personnel

That last point is critical. ANSSI does not say “train your employees once a year and move on.” The guidance calls for continuous awareness, adapted to roles and risks.

Most organizations interpret this as “deploy an e-learning platform and track completions.” That interpretation satisfies auditors but completely misses the point.

The Gap Between Policy and Practice

Let me describe a scenario I see regularly when working with French companies.

The PSSI states: “Employees must not share documents containing sensitive information via public links. All file sharing must be restricted to specific, authorized recipients.”

Meanwhile, in practice:

  • 40% of shared Google Drive links across the organization are set to “Anyone with the link”
  • Marketing has a public Notion workspace containing competitive intelligence
  • Three employees are forwarding internal documents to their personal Gmail accounts to “work from home more easily”
  • A team lead has granted a third-party Chrome extension full access to their Google Workspace data

None of these employees are malicious. Most of them would pass a quiz about data sharing best practices. They simply do not connect the abstract policy they skimmed during onboarding with their daily workflow decisions.

This is the PSSI gap: the distance between what the policy says and what employees actually do.

Why Traditional Approaches Fail to Close the Gap

Most organizations try to close this gap in one of three ways, and all three are insufficient.

| Approach | Method | Why It Fails |
| --- | --- | --- |
| Annual Training | Employees complete a module about the PSSI during onboarding and once a year | People forget 90% of learned information within a week (Ebbinghaus forgetting curve) |
| Email Reminders | IT sends periodic emails about security policies | They land between dozens of other emails, are routinely ignored, and are generic and disconnected from daily work |
| Audit-Driven Corrections | Compliance is addressed only during audit preparation | Creates a temporary spike that evaporates within weeks of the audit completing |

None of these approaches creates lasting behavior change, because none of them operates at the point where behavior actually happens: in the daily flow of work.

Making Your PSSI a Living System

A PSSI becomes real when three conditions are met simultaneously: the organization observes whether employees are following it, informs them when they are not, and reinforces the right behaviors over time.

Here is what that looks like in practice.

Step 1: Observe Real Behavior Continuously

You cannot enforce a policy you cannot see. The first step is to continuously audit the SaaS tools your employees use every day - Google Workspace, Microsoft 365, Slack, Notion, and others - to identify behaviors that violate your PSSI.

This is not about surveillance. It is about visibility. Just as a financial audit reviews transactions against accounting policies, a behavioral audit reviews digital actions against security policies.

The output is a clear, factual picture: here is what your PSSI says, and here is what is actually happening.

For example:

  • PSSI says: “MFA must be enabled on all accounts.” Reality: 23% of employees have not activated MFA.
  • PSSI says: “External sharing of internal documents requires manager approval.” Reality: 156 documents are shared externally with no approval trail.
  • PSSI says: “Only approved third-party applications may be connected to company accounts.” Reality: 12 unapproved OAuth applications have access to company data.

Each of these is a specific, measurable deviation from your own stated policy.

Step 2: Deliver Targeted Nudges Where Work Happens

When a deviation is detected, the employee receives a nudge - not a punitive warning, but an informative, contextual message delivered through Slack or Teams, the tools they already use every day.

The nudge explains three things:

  1. What they did: “You shared a document via a public link.”
  2. Why it matters: “Your company’s PSSI (Section 4.2) requires that shared documents be restricted to specific recipients to prevent unauthorized access.”
  3. How to fix it: “You can update the sharing settings by clicking here. It takes about 15 seconds.”

This is fundamentally different from generic training. The nudge is specific (about their action), contextual (referencing their company’s actual policy), and actionable (telling them exactly how to fix it).

It arrives at the moment the behavior occurs, when the employee’s memory and motivation to act are highest.

Step 3: Reinforce Through Spaced Quizzes

Nudges address immediate deviations. But lasting behavior change requires reinforcement over time. This is where spaced repetition comes in.

Based on the employee’s observed behaviors and the areas of the PSSI most relevant to their role, they receive short quizzes through Slack or Teams at calculated intervals. These are not generic compliance questions. They are tailored:

  • An employee who recently shared a public link gets a quiz about data sharing policies
  • A team that just onboarded a new SaaS tool gets a quiz about third-party application policies
  • An employee who handles client data gets periodic quizzes about data classification

The spacing follows principles derived from the Ebbinghaus forgetting curve: initial reinforcement comes quickly, then intervals gradually increase as the behavior becomes habitual.
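An added example (not EnGarde’s code) of such a schedule: a small spaced-repetition scheduler that quizzes a topic quickly after a nudge, widens the gap after each correct answer, and resets it after a miss. The interval ladder and the reset-on-miss rule are assumptions for the example, not figures from the article.

```python
# Added example, not EnGarde's code: a spaced-repetition scheduler for PSSI
# quizzes. The interval ladder and reset-on-miss rule are assumptions.
from datetime import date, timedelta

# Review ladder in days: quick first reinforcement, then widening gaps.
INTERVALS = [1, 3, 7, 14, 30, 90]

def schedule_after_nudge(topic, today):
    """A fresh deviation (say, a public-link nudge) starts its topic at rung 0."""
    return {"topic": topic, "step": 0}, today + timedelta(days=INTERVALS[0])

def next_quiz(state, answered_correctly, today):
    """Return the updated state and the date of the next quiz on this topic.

    A correct answer climbs one rung (capped at the top of the ladder); a miss
    drops back to rung 0 so the topic is reinforced quickly again.
    """
    step = min(state["step"] + 1, len(INTERVALS) - 1) if answered_correctly else 0
    return {"topic": state["topic"], "step": step}, today + timedelta(days=INTERVALS[step])

def simulate(topic, answers, start_iso):
    """Walk a sequence of quiz outcomes and return every quiz date (ISO strings)."""
    state, due = schedule_after_nudge(topic, date.fromisoformat(start_iso))
    dates = [due.isoformat()]
    for ok in answers:
        state, due = next_quiz(state, ok, due)
        dates.append(due.isoformat())
    return dates

if __name__ == "__main__":
    # One employee nudged about data sharing: two correct quizzes, one miss, one correct.
    for d in simulate("data sharing", [True, True, False, True], "2024-01-01"):
        print(d)
```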

Step 4: Measure Policy Adherence, Not Completion

The metrics change entirely. Instead of reporting “95% training completion” to your board or auditors, you report:

  • Public link sharing decreased from 40% to 8% over three months
  • MFA adoption increased from 77% to 99%
  • Unapproved OAuth applications reduced from 12 to 1
  • Average time to remediate a flagged behavior: 4 hours

These are metrics that directly map to PSSI compliance and directly correlate with reduced risk. They tell auditors, leadership, and regulators not just that you have a policy, but that your employees actually follow it.
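As an added example (not EnGarde’s code), the following Python checks constructed audit records against the three rules quoted in Step 1, produces the three-part nudge of Step 2, and reports the behavior metrics of Step 4. The record fields, the example.fr accounts and the section numbers other than 4.2 are assumptions.

```python
# Added example, not EnGarde's code: constructed SaaS audit records checked
# against the PSSI rules the article quotes. Record fields are assumptions.
from collections import namedtuple
ACCOUNTS = [  # (user, mfa_enabled)
    ("alice@example.fr", True), ("bob@example.fr", False),
    ("chloe@example.fr", True), ("david@example.fr", False),
]
DOCUMENTS = [  # (doc id, owner, sharing mode)
    ("doc-1", "alice@example.fr", "anyone_with_link"),
    ("doc-2", "bob@example.fr", "domain"),
    ("doc-3", "chloe@example.fr", "anyone_with_link"),
    ("doc-4", "chloe@example.fr", "restricted"),
]
OAUTH_APPS = [  # (user, app name, approved by IT)
    ("david@example.fr", "calendar-sync", True),
    ("bob@example.fr", "pdf-helper-ext", False),
]

# rule = PSSI section: 4.2 is quoted in the article, 3.1 and 5.3 are hypothetical
Deviation = namedtuple("Deviation", "user rule what fix")

def find_deviations(accounts, documents, apps):
    """Step 1: compare each record against a stated PSSI rule."""
    found = []
    for user, mfa in accounts:
        if not mfa:
            found.append(Deviation(user, "Section 3.1", "MFA is not enabled on your account",
                                   "enable MFA in your account security settings"))
    for doc, owner, mode in documents:
        if mode == "anyone_with_link":
            found.append(Deviation(owner, "Section 4.2", f"{doc} is shared via a public link",
                                   f"restrict {doc} to specific recipients"))
    for user, app, approved in apps:
        if not approved:
            found.append(Deviation(user, "Section 5.3", f"{app} has access to company data",
                                   f"revoke {app} or ask IT to approve it"))
    return found

def nudge_text(dev):
    """Step 2: the three-part nudge (what, why, how) posted to Slack or Teams."""
    return f"{dev.what}. Your company's PSSI ({dev.rule}) does not allow this: {dev.fix}."

def adherence_metrics(accounts, documents, apps):
    """Step 4: behaviour metrics, not training completion (rounded percentages)."""
    public = sum(mode == "anyone_with_link" for _, _, mode in documents)
    return {
        "mfa_adoption_pct": round(100 * sum(mfa for _, mfa in accounts) / len(accounts)),
        "public_link_pct": round(100 * public / len(documents)),
        "unapproved_oauth_apps": sum(not ok for _, _, ok in apps),
    }
```

Running `find_deviations` on each nightly export and diffing the metrics over time gives the before/after figures the article describes.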

What This Means for NIS2 and Upcoming Regulations

The NIS2 directive, which France is transposing into national law, raises the bar significantly. It requires organizations to demonstrate not just that they have security policies, but that they have effective measures to ensure those policies are implemented and maintained.

The emphasis is on proportionate, risk-based, and continuous security management.

For French companies subject to NIS2 - and the scope is considerably broader than NIS1 - “we did annual training” is unlikely to satisfy regulators. They will want evidence that policies are being followed in practice, that deviations are detected and corrected, and that the organization maintains continuous awareness among its personnel.

A behavioral approach to PSSI compliance is not just more effective - it is increasingly what regulators expect.

A Practical Starting Point

If you are a CISO or IT manager at a French company looking to make your PSSI operational, here are concrete first steps:

  1. Audit your current state. Before changing anything, measure where you actually stand. What percentage of your employees follow each key PSSI requirement in practice? You may be surprised by the gap.

  2. Identify your highest-risk deviations. Not all policy violations carry equal risk. Prioritize the behaviors that expose your organization to the most damage - typically external data sharing, authentication weaknesses, and shadow IT.

  3. Bring feedback to where employees work. If your employees live in Slack or Teams, that is where security communication belongs. Not in an LMS they visit once a year.

  4. Measure behavior, not knowledge. Stop tracking training completion and start tracking behavioral metrics that map directly to your PSSI requirements.

  5. Iterate continuously. A PSSI is not a project with a completion date. It is an ongoing operating system for security behavior. Treat it accordingly.

The Bottom Line

Your PSSI is only as strong as your employees’ daily behaviors. A beautifully written 60-page policy document is worthless if the people it governs do not follow it - and most of them do not, because nobody has given them the tools, context, and reinforcement to do so.

The good news: closing the gap between policy and practice does not require more training hours, bigger budgets, or stricter enforcement. It requires a different approach - one based on observation, timely feedback, and continuous reinforcement grounded in behavioral science.

Your PSSI deserves to be more than a document in a drawer. It deserves to be a living system that your employees follow every day, because they understand it, because they are reminded of it in context, and because doing the right thing has been made the easy thing.

EnGarde helps French companies turn their PSSI into a living system. We audit real SaaS behaviors, map deviations to your specific policy, and deliver tailored nudges and quizzes through Slack and Teams. The result: measurable PSSI compliance, not just a checked box.

Quentin F.

CEO & Founder, EnGarde

Building behavior-centered cybersecurity. Believes training doesn't work - real-time guidance does.
