EBIOS Risk Manager
French cybersecurity risk-analysis method published and maintained by ANSSI. Its latest version, EBIOS Risk Manager (2018), structures analysis into five workshops — framing, risk sources, strategic scenarios, operational scenarios, risk treatment.
What EBIOS Risk Manager is
EBIOS Risk Manager is the French reference method for conducting a cyber risk analysis. Maintained by ANSSI (the French national cybersecurity agency), it is compatible with ISO 27005 and recognised by French ISO 27001 certification bodies.
It is particularly well suited to contexts where the risk has to be discussed between business, leadership and technical teams — that is, most real-world contexts.
The five workshops
- Framing and security baseline — perimeter, business assets, feared events, existing baseline.
- Risk sources — who can attack, with what motivation and what resources (cybercriminals, hacktivists, nation-states, malicious insiders…).
- Strategic scenarios — plausible attack chains at the business level.
- Operational scenarios — technical detail of each scenario (steps, vulnerabilities exploited, data targeted).
- Risk treatment — choice between acceptance, reduction, transfer or avoidance, and action plan.
Why EBIOS rather than another method
EBIOS separates the strategic from the operational, which allows a CODIR-level (executive committee) conversation without immediately diving into technical detail. It tends to be better accepted than methods of American origin (such as NIST RMF) in French and European contexts, particularly for public organisations and NIS2 essential entities.
EBIOS at Hexceos
Our consultants run EBIOS Risk Manager analyses as part of ISO 27001 and NIS2 compliance missions. See audit & compliance services.
Last updated: 19 May 2026