
KnowBe4 vs French Solutions: What SMBs Need to Compare

An objective comparison between KnowBe4 and French alternatives for SMBs. Pricing, GDPR, French language quality, support, and features.

Thomas Ferreira, 47 min read

KnowBe4 is a behemoth. 70,000 clients worldwide, acquired for $4.6 billion by Vista Equity Partners in February 2023, more than 25,000 phishing templates, 1,300 training modules, 35 languages. On paper, the global leader in phishing awareness seems unbeatable. And for large American enterprises, it probably is.

But for a French SMB with 25 to 250 employees, the question deserves a different framing. Is the American giant actually suited to your context - regulatory, linguistic, budgetary, operational? Or do French and European alternatives better address your specific constraints?

This comparison is not a thinly veiled sales pitch. KnowBe4 does some things better than anyone. Its French competitors do other things better. The goal of this article is to give you hard data - pricing, features, hosting, French content quality, user feedback - so you can make an informed decision based on your situation. All figures cited come from public sources: official pricing pages, G2 and Gartner Peer Insights reviews, analyst reports, and regulatory data.

KnowBe4: A Close Look at the Global Leader

The Origin and Firepower

KnowBe4 was founded in 2010 by Stu Sjouwerman in Clearwater, Florida. The company established itself as the global leader in phishing awareness through a simple but effective strategy: offer the market's largest content library, an extensive partner network, and aggressive entry-level pricing.

In numbers: more than 25,000 phishing templates (the largest catalog on the market), 1,300+ training modules at the Diamond level, 35 languages covered, and approximately 2,400 employees as of February 2026. The Nasdaq IPO in 2021 ($152 million raised, $2.6 billion valuation) was followed by a delisting 18 months later, when Vista Equity Partners acquired the company for $4.6 billion in cash - a 44% premium over the unaffected share price.

In May 2025, Bryan Palma (former CEO of Trellix, 25 years at Cisco) replaced Sjouwerman as CEO. This leadership change, combined with the private equity buyout, signals a pivot toward margin optimization and monetization - a classic post-PE acquisition pattern that typically results in price increases at renewal.

What KnowBe4 Does Well

Catalog depth. With 25,000 phishing templates and 1,300+ training modules, KnowBe4 offers by far the most extensive content on the market. For a large multinational that needs scenarios in 35 languages covering dozens of industry verticals, this depth is a decisive argument.

PhishER and incident management. PhishER, the reported email triage module, uses PhishML (an AI classifier) and a community-based threat intelligence database. It is a solid product for SOC teams handling high volumes of employee reports. The 2024 Egress acquisition added a complementary email security layer.

Analyst and user ratings (admin side). On G2, KnowBe4 scores 4.6/5 with nearly 3,000 reviews - the only SAT vendor to exceed 90/100 on the G2 Grid. On Gartner Peer Insights, same score: 4.6/5 with 2,443 reviews. Named a Leader in the Gartner Magic Quadrant for Email Security Platforms in 2025, for the second consecutive year. These ratings reflect the satisfaction of IT administrators and CISOs - the solution's buyers.

The AI orchestration agent (AIDA). Launched in 2026, the AIDA system (Diamond level only) includes 8 AI agents that automate template generation, risk scoring (SmartRisk: 316 indicators, 37 factors, 7 domains), and full campaign orchestration without manual intervention. It is the most advanced automation system on the market.

Where It Falls Short for French SMBs

The Trustpilot rating: 1.8/5. This number deserves a closer look. While G2 (where IT admins rate) gives 4.6/5, Trustpilot (where employees - end users - speak) gives 1.8/5, rated "Poor," with 85% of reviews at one star. The same complaints recur: training described as "worse than terrible," test phishing emails indistinguishable from real spam, users scoring 90–100% on assessments without watching the videos. In other words: IT admins love it, but employees hate it. For an SMB where team adoption determines program effectiveness, this gap is a red flag.

Complexity for small organizations. On G2, 26 negative mentions point to an "overwhelming initial setup" ("The initial setup is overwhelming, leading to confusion"). 66% of KnowBe4 users on G2 are mid-market or enterprise companies. G2 explicitly recommends other solutions (SoSafe, Hacker Rangers, Arctic Wolf) for small teams. With a 25-seat minimum and four pricing tiers with very different feature sets, KnowBe4 was not designed for a 30-person SMB with a part-time IT manager.

French content: present but secondary. KnowBe4 offers 486 content items in French (France) and 475 in Canadian French. That is far from negligible, but relative to the 25,000 English templates in the catalog, French content accounts for less than 2% of the total library. Translations are handled by the agency Ulatus. Some modules are dubbed in French, others only subtitled. The result is uneven: legacy modules are properly translated, but recent content (deepfake, generative AI, vishing) arrives first in English and is translated with a delay of several months.

Pricing: transparent but misleading. KnowBe4's official pricing grid is public - a positive point. But the gap between tiers is massive. At the Silver level (the entry price of $1.90/seat/month for 25–50 users), you only get basic training modules (Level I: 45-minute and 15-minute sessions) and 35 posters. No micro-learning, no SmartRisk, no AIDA, no SIEM integration. To access micro-learning (5-minute modules), you need Gold ($2.23/seat/month). For SmartRisk and SIEM, Platinum ($2.60). For AIDA and the full library, Diamond ($3.25). Add the PhishER, SecurityCoach, and Compliance Plus add-ons ($0.17 to $1.50/user/month extra), and the actual bill can reach double the advertised entry price. Multiple sources document 20–40% increases at renewal, particularly through resellers.

French and European Alternatives in 2026

The European phishing awareness market has matured rapidly between 2020 and 2026. Here is a factual overview of the most relevant players for a French SMB.

Riot: The Fast-Growing French Challenger

Riot is the most visible French startup in this segment. Founded in 2020 by Benjamin Netter (ex-October, Sopra Steria) and Louis Cibot, a Y Combinator graduate (W20), the company has raised $45 million in total - including $30 million in Series B in February 2025 (Left Lane Capital). Post-money valuation: over $170 million.

Positioning: all-in-one platform covering awareness (chatbot "Albert" via Slack/Teams), phishing simulation (400+ templates), access drift detection (Sonar), a cybersecurity hotline (Inbox), and data breach monitoring (Breaches). Deployment in 5 minutes, automatic directory synchronization 4 times per day.

Clients: 1,500+ organizations, targeting 10 million protected users by 2027. References: Le Monde, L'Occitane, Mistral AI, Deezer, Ledger, Deel, Intercom, Sorare, Etam.

Pricing: $6.89/user/month (billed annually). Free for companies with fewer than 10 users. Premium 24/7 support included.

G2: 4.7/5 with approximately 135 reviews. Ranked #1 "Easiest To Use" in Security Awareness Training.

Points to consider (from G2 reviews): phishing scenarios become recognizable after the first year; the reporting dashboard is described as "sometimes overwhelming"; gaps in industry-specific simulations (automotive, healthcare); content is primarily in English despite the company's French origins; at $6.89/month, the annual cost for a 50-person SMB reaches approximately $4,130 (around 3,800 euros). Riot does not offer real phishing detection - the platform is limited to simulation and training.

Trajectory: Riot is moving upmarket. The company is hiring enterprise Account Executives, expanding internationally, and targeting organizations with 200+ employees. The sub-50-employee SMB segment is no longer the strategic priority.

Mantra: Absorbed by Cyber Guru

Mantra, founded in 2020 in Paris by Gaspard Droz (HEC, ex-Bain) and Guillaume Charhon, was the only independent French competitor natively oriented toward SMBs and mid-market companies. Its differentiator: Smart Banners (AI-powered warning banners injected in real time into suspicious emails) and Browser Defender (a browser extension for detecting phishing sites).

In March 2025, Cyber Guru (Rome, Italy) acquired Mantra. The combined entity claims 1,000+ organizations and 1.5 million active users. Gaspard Droz became Country Managing Director France; Guillaume Charhon, Group Chief Architect. The entire Mantra team (approximately 15 people) joined Cyber Guru, which had opened an office at the Campus Cyber in Paris in November 2023.

Cyber Guru had raised $25 million in Series B in October 2024 (Riverside Acceleration Capital) and scores 4.7/5 on Gartner Peer Insights (60 reviews). The platform is built around three modules: gamified e-learning (Awareness), awareness web series (Channel), and adaptive phishing simulation powered by machine learning (Phishing).

What the acquisition means for the French market: the only independent French vendor specializing in awareness for mid-market companies has been absorbed by an Italian company. Technical integration, brand confusion, and merger-related uncertainties can create friction for existing clients and open a gap for new French alternatives.

SoSafe: The European Champion, Positioned for Enterprise

SoSafe, founded in 2018 in Cologne (Germany), converted to a Societas Europaea (SE) in early 2025, affirming its pan-European identity. The company claims 5,000+ client organizations in 37 countries, 4.5 to 5.4 million users, and an ARR of $53.7 million in 2024 (up 52% from 2023). Approximately 546 employees as of January 2026.

SoSafe opened a Paris office (SoSafe SAS, 23-25 avenue Mac-Mahon, 75017) in May 2022, with 10 to 19 employees. The company offers content in 32 languages including French, and highlights its Human Risk OS (launched June 2024) and its AI copilot Sofie (May 2024: a conversational assistant in Teams/Slack).

G2: 4.6/5 with 803 reviews. Category Leader on G2 for Summer 2024 and 2025. Recognized as a "Strong Performer" in the Forrester Wave Q3 2024.

Pricing: not published. Four tiers (Essential, Professional, Premium, Ultimate). Estimates put the price around $10/user/month or $58/user/year for enterprise contracts. Not suitable for SMBs with fewer than 100 employees - neither by price nor by onboarding complexity.

Points to consider (from G2 reviews): roughly 20% of simulated emails are intercepted by spam filters; course catalog described as "limited and dated" by some reviewers; restricted admin controls causing "confusion and misunderstandings"; no option to speed up video modules. The company is clearly targeting large, regulated organizations.

Mailinblack: 22,000 French Clients, But Awareness Is Not the Core Business

Mailinblack, founded in 2003 in Marseille, is first and foremost an email security specialist (anti-spam, anti-malware, anti-phishing). With 22,000 clients and over 2 million users, it is the French vendor with the largest installed base. Revenue of 12.7 million euros in 2023 (up 26%), with total funding of 64 million euros (including 50 million from Apax Partners in 2022).

The U-Cyber 360 platform includes a phishing simulation module (Cyber Coach: 1,000+ scenarios - phishing, spearphishing, ransomware, QR code, USB) and micro-learning (Cyber Academy). Content is developed in collaboration with neuroscience researchers.

Hosting: exclusively in France - full data sovereignty.

Pricing: by quote. Public estimates put the cost between 33 and 66 euros per user per year, plus 90 euros in setup fees the first year.

Limitations for an SMB looking for an awareness solution: Mailinblack is primarily an email filter. Awareness is an add-on module, not the core product. International recognition is low (0.3% mindshare on PeerSpot in the anti-malware category), and there is no meaningful presence on G2 in the Security Awareness Training category.

Emerging Players

Avant de Cliquer (Rouen, 2017) claims 600,000 users with a "learning by doing" approach: automated programs that adapt to each user's vigilance level (41 behavioral characteristics tested). Click rate reduction to 1–4% after 12 months. Pricing by quote.

Arsen (Paris, ~2022) stands out with conversational simulation: an AI generates and adapts phishing conversations in real time, simulating attacks by email, phone (vishing), and SMS (smishing). Funding of 2.5 million euros. Featured on the Wavestone 2025 Radar.

Stoik (Paris, 2021) offers an original model: cyber insurance + free prevention tools (phishing simulation included). 10,000+ insured companies, 70 million euros raised. Phishing simulation is bundled with the insurance product and not sold separately.

Guardey (Netherlands) offers transparent pricing starting at $1.53/employee/month for phishing simulation, with no user minimum. Gamified micro-learning in 6 languages including French. The only European vendor with a public price point comparable to KnowBe4's entry level.

Detailed Comparison: 10 Criteria That Matter for a French SMB

Here is a criterion-by-criterion analysis, based on publicly available data as of March 2026. The scores are indicative and reflect suitability for a French SMB with 25 to 250 employees.

1. Pricing Transparency

| Solution | Public Price | Model | Estimated Annual Cost (50 users) |
|---|---|---|---|
| KnowBe4 Silver | $1.90/seat/month | Per user, tiered | ~$1,140 (~1,050 euros) |
| KnowBe4 Diamond | $3.25/seat/month | Per user, tiered | ~$1,950 (~1,800 euros) |
| Riot | $6.89/user/month | Per user, flat rate | ~$4,134 (~3,810 euros) |
| SoSafe | Not published | By quote | Estimated $2,900 (~2,670 euros) |
| Mailinblack | Not published | By quote | Estimated 1,650–3,300 euros |
| Cyber Guru | Not published | By quote | Not estimable |
| Guardey | $1.53–3.33/user/month | Per user, flat rate | ~$918–1,998 (846–1,840 euros) |
| nophi.sh | Public | Flat-rate | See pricing |

Commentary: KnowBe4 publishes its prices - a positive point - but the gap between Silver (basic features) and Diamond (full features) is so large that the entry price is misleading. Riot also publishes its prices, but at $6.89/month it is the most expensive in the table. SoSafe, Cyber Guru, and Mailinblack require a sales call before providing a quote, which complicates comparison.

2. French Content Quality

| Solution | Native French Content | French Phishing Templates | Localized Scenarios |
|---|---|---|---|
| KnowBe4 | Translated (Ulatus) | 486 items FR | Limited (US brands dominant) |
| Riot | Mixed (FR + EN) | 400+ templates | Adapted to French context |
| SoSafe | 32 languages incl. FR | 600+ templates | Adapted to EU context |
| Mailinblack | Native French | 1,000+ scenarios | Fully localized |
| Cyber Guru | Native IT + FR (via Mantra) | Not disclosed | Adapted (EU context) |
| nophi.sh | Native French | FR scenarios | French brands (Ameli, Impots, La Poste) |

Commentary: French content quality is the criterion where the gap between KnowBe4 and French solutions is most pronounced. 486 translated items out of 25,000 - French is not the priority. For believable simulations using French brands (Ameli, Impots, Chronopost, EDF), native solutions are far ahead.

3. Data Hosting and GDPR Compliance

| Solution | Headquarters | EU Data Hosting | US Subprocessors | DPA Available |
|---|---|---|---|---|
| KnowBe4 | USA (Clearwater, FL) | AWS Dublin + Frankfurt | Yes (some) | Yes |
| Riot | France (Paris) / USA (SF) | To be verified | To be verified | Yes |
| SoSafe | Germany (Cologne) | EU exclusively | No | Yes |
| Mailinblack | France (Marseille) | France exclusively | No | Yes |
| Cyber Guru | Italy (Rome) | EU | No | Yes |
| nophi.sh | France | France exclusively | No | Yes |

Commentary: KnowBe4 hosts its European clients' data on AWS Dublin (primary) and AWS Frankfurt (backup). This is GDPR-compliant, but some subprocessors still process a portion of data in the United States. As an American company owned by a US private equity firm (Vista Equity Partners), KnowBe4 is subject to the Cloud Act and potentially FISA. We will return to this point in detail in the section dedicated to data sovereignty.

4. Simulation Realism

Phishing simulations are only effective if employees perceive them as real emails - not as exercises. Realism depends on content localization, scenario personalization, and adaptation to the company's industry context. For a complete guide on setting up effective simulations, see our guide to phishing simulation for businesses.

KnowBe4 excels in volume (25,000 templates) and variety (callback phishing, attachments, spear phishing). Community templates allow users to share their creations. The AIDA agent automatically generates personalized templates. However, scenarios are predominantly designed for the US market - the brands, phrasing, and cultural references are American. An email impersonating "IRS" or "FedEx" will not fool an accountant in Lyon.

Riot offers 400+ templates with good adaptation to the French context, but G2 reviews note that scenarios become recognizable after 12 months of use - a catalog renewal problem.

Mailinblack (Cyber Coach) claims 1,000+ scenarios including classic phishing, spearphishing, ransomware, QR codes, and USB key attacks - the broadest attack spectrum among French solutions.

nophi.sh uses custom domains and scenarios calibrated to each client's industry context - French brands, government agencies, and the company's actual suppliers. The approach is qualitative (tailored scenarios) rather than quantitative (a massive library).

5. Reporting Quality

This is the criterion that generates the most post-purchase frustration, across all vendors.

KnowBe4 offers 60+ built-in reports, Executive Reports for leadership, and Phish-prone Percentage tracking. The reporting is the most thorough on the market - provided you are on the Platinum or Diamond tier. At Silver and Gold, reports are limited. On G2, PhishER reporting is specifically criticized: "PhishER is lacking in key areas including features, reporting, and support."

Riot measures a global security posture "Karma Score." CSV exports are available for compliance. G2 reviews note a dashboard that is "sometimes overwhelming" - a paradox for a product positioned on simplicity.

SoSafe offers a Human Risk Index via its Human Risk OS. Reporting is considered less detailed than KnowBe4's by comparative G2 reviews.

Mailinblack integrates reporting into the U-Cyber 360 platform, with cross-referenced data between email filtering and simulation.

For an SMB, the need is not 60 reports - it is an exportable PDF with the click rate, reporting rate, and 6-month trend, presentable to leadership and auditors. If your tool cannot produce that document in two clicks, reporting is insufficient regardless of the number of dashboards.

6. Integrations (Microsoft 365, Google Workspace, Slack, Teams)

| Solution | Microsoft 365 | Google Workspace | Slack | Teams | SSO |
|---|---|---|---|---|---|
| KnowBe4 | Native | Native | Add-on | Add-on | Included (Platinum+) |
| Riot | Native | Native | Native | Native | Included |
| SoSafe | Native | Native | Via Sofie | Via Sofie | Included |
| Mailinblack | Native | Native | No | No | By quote |
| nophi.sh | Native | Native | Native | Native | Included |

Commentary: Slack and Teams integrations are critical for reporting suspicious emails and real-time notifications. At KnowBe4, they are offered as paid add-ons (SecurityCoach: $0.17–1.50/user/month). At Riot and nophi.sh, they are included. This detail can represent a 10–30% surcharge on the annual bill at KnowBe4.

7. Ease of Deployment

| Solution | Announced Deployment Time | Minimum Users | Admin Complexity |
|---|---|---|---|
| KnowBe4 | Several days to weeks | 25 seats | High (dense interface) |
| Riot | 5 minutes | None (free < 10) | Low |
| SoSafe | 2 days | Not disclosed | Medium to high |
| Mailinblack | By quote | 10 email addresses | Medium |
| nophi.sh | A few hours | Flexible | Low |

Commentary: For an SMB without a dedicated cybersecurity team, deployment time is a make-or-break criterion. KnowBe4 requires a 25-seat minimum and a steep learning curve - 26 negative mentions on G2 concern the complexity of initial setup. Riot stands out with 5-minute deployment and automatic directory synchronization.

8. Automated Post-Failure Training

Simulation without remediation is a diagnosis without treatment.

KnowBe4 offers automatic remediation on click: a learning page and assignment of targeted modules. At the Diamond level, the AIDA "Automated Training" agent personalizes learning paths. The depth is real - but only at Diamond ($3.25/seat/month).

Riot uses the Albert chatbot to deliver micro-training via Slack or Teams, with a reported completion rate of 91%. The conversational approach is well-suited to SMBs where employees do not log into a dedicated training platform.

SoSafe highlights its AI copilot Sofie (24/7 in Teams/Slack) and adaptive learning paths grounded in behavioral science.

nophi.sh combines simulation and automated adaptive training, with differentiated paths based on the type of error and the employee's profile.

9. Reported Email Analysis and Detection

This is the criterion that separates 2020 solutions from 2026 solutions. Most platforms are limited to simulation: they send fake emails but do not protect against real ones.

KnowBe4 offers PhishER (reported email triage, AI classifier) and, since the Egress acquisition, an email security layer. PhishER is an incident management product, not proactive detection - it analyzes what users report; it does not block threats upstream.

Riot does not offer real phishing detection. The platform focuses on simulation and training.

SoSafe does not offer real phishing detection. Sofie answers employee questions but does not triage reported emails.

Mailinblack is the best-positioned on this criterion among French solutions: the Protect platform filters incoming emails upstream, and Cyber Coach trains employees. The two layers work together.

nophi.sh combines simulation and AI analysis of emails reported by employees: each forwarded email is automatically analyzed, and a risk assessment is returned to the employee.

10. French-Language Support and Guidance

| Solution | French Support | Hours | SLA | Dedicated CSM |
|---|---|---|---|---|
| KnowBe4 | Limited (English dominant) | US business hours | Not disclosed | Enterprise only |
| Riot | Yes | 24/7 included | Not disclosed | From paid plan |
| SoSafe | Yes (Paris office) | CET | Not disclosed | Enterprise |
| Mailinblack | Yes (native) | CET | Not disclosed | By quote |
| nophi.sh | Yes (native) | CET | Guaranteed | Included |

Commentary: For a French SMB without a CISO, French-language support in the CET time zone is a concrete differentiator. KnowBe4 offers primarily English-language support, calibrated to US business hours. French solutions (Riot, Mailinblack, nophi.sh) have a structural advantage on this point.

GDPR and Data Sovereignty: The Real Stakes for 2026

This is not an academic topic. It is the question that can invalidate your platform choice overnight.

The State of the Law in March 2026

The Data Privacy Framework (DPF), adopted on July 10, 2023, currently authorizes data transfers to certified US companies. On September 3, 2025, the EU Tribunal rejected the appeal by Philippe Latombe (a French MP and member of the CNIL, France's data protection authority) against the adequacy decision. The DPF is therefore legally valid.

But the tribunal explicitly limited its analysis to the conditions of July 10, 2023. Subsequent events - notably the dismantling of the Privacy and Civil Liberties Oversight Board (PCLOB) - were not examined.

The PCLOB: The Crumbling Pillar

On January 27, 2025, President Trump dismissed all Democratic members of the PCLOB, leaving only one Republican member - below the three-member quorum required to conduct investigations or issue reports. The PCLOB was a central pillar of the European Commission's adequacy decision. Without a functioning PCLOB, the independent oversight framework that justifies the DPF no longer exists in practice.

On May 21, 2025, a federal court ruled these dismissals illegal and ordered the members reinstated. The government appealed. The case awaits the Supreme Court's decision in Trump v. Slaughter.

The European Parliament adopted a resolution calling on the Commission to renegotiate the framework, stating that it "fails to create essential equivalence." The Norwegian Data Protection Authority warned in February 2025 that if the DPF is revoked, restrictions could be imposed immediately, with no transition period.

Cloud Act and FISA: The Named Threat

ANSSI (France's National Cybersecurity Agency) and CNIL explicitly identify the Cloud Act (2018) and FISA as threats to data hosted by American companies - including when data is stored on European soil. Microsoft France acknowledged this before the French Senate: the company cannot oppose a US court order targeting data hosted in France.

This is a fundamental point for choosing a phishing awareness platform. The data processed includes your employees' email addresses, their individual simulation results (personal data under the GDPR), and potentially reported emails (which may contain sensitive data). Entrusting this data to a company subject to the Cloud Act exposes the organization to a concrete legal risk.

The French Doctrine: Cloud au Centre and SecNumCloud

The Castex circular of July 2021, reinforced by the Borne circular of May 2023, requires government agencies to host "particularly sensitive" data on SecNumCloud-qualified offerings - immune to extraterritorial legislation. The SREN law of 2024 codified this requirement in statute.

SecNumCloud 3.2 (ANSSI, March 2022) includes more than 350 requirements, including equity ownership caps to exclude companies controlled by non-European entities (25% by individual non-EU shareholder, 39% collectively).

These requirements do not directly apply to private-sector SMBs. But they signal the regulatory direction of travel. And for SMBs that supply public-sector clients, they can become contractually binding.

The Concrete Impact on Your Platform Choice

The convergence of GDPR, NIS2 (15,000 affected French entities, transposition expected Q1 2026, penalties up to 10 million euros or 2% of global revenue), the weakened DPF, and the Cloud au Centre doctrine creates strong regulatory pressure favoring solutions hosted in Europe.

The AITD guide published by CNIL (France's data protection authority) on January 31, 2025, requires any organization transferring data outside the EEA via SCCs to conduct a 6-step transfer impact assessment - before the transfer. If the assessment concludes that protection cannot be ensured, the transfer must not take place.

Choosing KnowBe4 is legally possible in March 2026. But it is a choice that imposes an additional compliance burden (AITD, monitoring US subprocessors, tracking the DPF) and exposes the organization to the risk of a regulatory disruption if the DPF is invalidated - a scenario that several legal scholars refer to as "Schrems III."

French Language Quality: Why It Changes Everything

A simulated phishing email is only effective if it is believable. And believability, in phishing, comes down to linguistic and cultural details.

The Problem with Automated Translations

Take a KnowBe4 template designed for the US market: an email imitating a FedEx delivery notice with the phrase "Your package is being held at a facility." The French translation will produce something like "Votre colis est retenu dans un centre de tri." That is grammatically correct. But no French person receives this type of email from Chronopost or Colissimo. The format, tone, layout, logo - everything betrays the American origin of the template.

Employees spot the exercise in seconds. And a simulation that is spotted measures nothing useful.

The most common errors in translated templates:

Inconsistent formal address. French administrative emails systematically use the formal "vous" ("Madame, Monsieur, nous vous informons que..."). Templates translated from English sometimes slip into the informal "tu" or use neutral phrasings that do not exist in the French administrative register. An email from "les Impots" (French tax authority) that begins with "Cher contribuable" instead of "Madame, Monsieur" is immediately suspect to a native French speaker.

American brands and institutions. A template impersonating "Bank of America" or "Wells Fargo" has zero credibility with a French employee. Believable scenarios for the French market involve Ameli (French national health insurance), les Impots (impots.gouv.fr), La Poste/Colissimo, EDF, la CAF, France Travail (formerly Pole Emploi), la CPAM, and French banks (BNP, Societe Generale, Credit Agricole). KnowBe4 offers a few localized scenarios, but the bulk of the catalog remains American.

Legal notices and formatting. French professional emails include specific legal mentions (CNIL, GDPR, registered office address). Translated templates either omit these elements or add them inconsistently, creating a visible red flag for employees accustomed to the French format.

What "Native French" Means

A native French phishing scenario is:

An email impersonating Ameli with the correct logo, the correct format, the correct URL (ameli.fr), and a believable pretext in the French context (healthcare reimbursement, Carte Vitale update). It is an email impersonating the tax authority during filing season, with the administrative nuances that only a native French speaker masters - the systematic formal address, the administrative sentence structure, the legal mentions.

It is also an email impersonating one of the company's actual suppliers - with the correct domain name, the correct contact person, and a pretext that fits the industry's current events. This level of personalization is impossible with a catalog translated from English.

The Data Confirming the Importance of Native Content

The click rate on phishing simulations increases by 23 to 35% when templates are written in the target's native language (SANS Institute 2025), compared to translated templates. The reason is simple: a translated email triggers vigilance ("something is off"), while a native email flies under the cognitive radar.

For a French SMB, this concretely means that simulations in English or translated French underestimate the actual vulnerability of your teams. You get an artificially low click rate and a false sense of security. For benchmark data on click rates by industry, see our phishing click rate benchmarks.

Pricing: The Total Cost of Ownership

The listed price is never the price paid. Here is how to compare the true cost of each solution.

KnowBe4: Anatomy of the Pricing

KnowBe4's official pricing grid for 25 to 50 users:

| Tier | Price/Seat/Month | What's Included | What's Missing |
|---|---|---|---|
| Silver | $1.90 | Level I Training (45-min and 15-min modules), 35 posters | Micro-learning, SmartRisk, SIEM, AIDA |
| Gold | $2.23 | Level I + 150 modules incl. 5-min micro-learning | SmartRisk, SIEM, AIDA |
| Platinum | $2.60 | Level II + SmartRisk + SIEM integration | AIDA, full library |
| Diamond | $3.25 | Full library (1,300+ items) + AIDA | |

Paid add-ons:

  • PhishER: $0.50–1.50/user/month (estimate)
  • SecurityCoach (Slack/Teams integrations, real-time alerts): $0.17–0.50/user/month
  • Compliance Plus: variable

Commitments: 12-month minimum, annual upfront billing. No monthly option. 15–25% discounts on multi-year contracts (2–3 years), but documented increases of 20–40% at renewal.

Concrete example for a 50-person SMB:

  • KnowBe4 Silver: 50 x $1.90 x 12 = $1,140/year (~1,050 euros). But at Silver, no micro-learning, no SmartRisk, no detection. It is a stripped-down version.
  • KnowBe4 Diamond + PhishER + SecurityCoach: 50 x ($3.25 + $1.00 + $0.30) x 12 = $2,730/year (~2,510 euros). This is the version comparable to competitors' all-inclusive offerings.

Riot: All-Inclusive, But Expensive

At $6.89/user/month, Riot is the most expensive in this comparison for a 50-person SMB: $4,134/year (~3,810 euros). But the price includes all features: simulation, training, Sonar (drift detection), Inbox (hotline), Breaches (monitoring), 24/7 support. No hidden add-ons.

SoSafe: The Opacity of Enterprise Pricing

Without a public price, it is impossible to objectively compare SoSafe. Estimates put the cost around $58/user/year for a 500+ person company. For 50 users, the per-seat price will likely be higher (volume tiers work against small headcounts) and will require a sales call. Add to that an onboarding complexity that represents a hidden cost in internal time.

Mailinblack: The Email + Awareness Bundle

If you already need an email filter, Mailinblack can represent good value: email protection + simulation + training in a single subscription. Estimated between 1,650 and 3,300 euros per year for 50 users. But if you already have Microsoft Defender or Proofpoint for filtering, the bundle loses its appeal.

The Renewal Trap

Multiple sources document 20–40% increases at renewal with KnowBe4, particularly through resellers. This pattern is classic after a private-equity acquisition: margins are optimized through renewal price hikes, while the switching cost (historical data, trained admins) creates a lock-in effect.

For an SMB committing to 3 years, the gap between the initial contract price and the actual cost over the term can be substantial. Always request a renewal price increase cap in your contract terms.

Total Cost of Ownership Summary (50 users, 3 years)

| Solution | Year 1 | Year 2 | Year 3 | 3-Year Total (estimated) |
|---|---|---|---|---|
| KnowBe4 Diamond all-in | ~2,510 euros | ~2,760 euros (+10%) | ~3,040 euros (+10%) | ~8,310 euros |
| KnowBe4 Silver | ~1,050 euros | ~1,155 euros | ~1,270 euros | ~3,475 euros |
| Riot | ~3,810 euros | ~3,810 euros | ~3,810 euros | ~11,430 euros |
| Mailinblack (bundle) | ~2,560 euros | ~2,560 euros | ~2,560 euros | ~7,680 euros |
| Guardey Advanced | ~1,840 euros | ~1,840 euros | ~1,840 euros | ~5,520 euros |

Notes: KnowBe4 renewal increase estimates are conservative (10%/year vs. the documented 20–40%). Riot and Guardey prices are based on current public rates with no assumed increase. Mailinblack prices are based on average public estimates.

Compare for yourself. nophi.sh offers flat-rate pricing with no hidden add-ons and no renewal surprises. See pricing or create an account to test with your teams.

User Feedback: What People Actually Say

KnowBe4 on G2: 4.6/5 - The Details Matter

The 2,992 G2 reviews lean heavily positive (98% rated 4 or 5 stars). The most frequently praised points: depth of automated training (144 mentions), user-friendly interface (139 mentions), flexibility in topic selection (59 mentions), and customer support (58 mentions).

But recurring criticisms reveal patterns: repetitive and dated content (33 mentions of "repetitive," 22 of "dated"), limited customization (31 mentions, "I dislike that we cannot create custom training programs"), Microsoft integration issues (37 mentions, "KnowBe4 has not adapted well to Microsoft security updates"), and campaign rigidity (inability to assign training individually).

The most telling point may be the PhishER rating: "PhishER is lacking in key areas including features, reporting, and support... Automation capabilities are minimal." For a product billed as an add-on, that is a harsh assessment.

The Trustpilot Paradox: 1.8/5

The gap between G2 (4.6/5, IT admin reviews) and Trustpilot (1.8/5, employee reviews) is the most revealing number in this analysis. It exposes a product that satisfies buyers but frustrates end users.

The recurring complaints on Trustpilot illustrate the problem: training described as "worse than terrible" and "garbage," test phishing emails that look so much like real spam that users report them as real phishing (and are still counted as "failed"), and employees scoring 90–100% on assessments without watching the training videos. That last point warrants reflection: if knowledge tests can be passed without viewing the content, the questions are too predictable - and training loses its educational function.

For an SMB where leadership and the team work on the same floor, this frustration carries an internal reputation cost that should not be underestimated. An awareness program perceived as an administrative chore imposed by "an incomprehensible American tool" produces the opposite of the intended effect: employees associate cybersecurity with constraint rather than protection.

Riot on G2: 4.7/5 - Simplicity Gets the Vote

Riot's 135 G2 reviews highlight ease of use (ranked #1 "Easiest To Use"), support quality (9.5/10), and the conversational approach of the Albert chatbot. Some users report having prevented CEO fraud attempts thanks to Riot's training.

The criticisms focus on limited scenario renewal after 12 months and the absence of specialized industry simulations.

SoSafe on G2: 4.6/5 - The European Champion

SoSafe's 803 reviews reflect a mature product with well-regarded gamified training and a European anchor (EU data residency). Criticisms target false positives in simulations (20% intercepted by filters) and a course catalog considered dated by some users.

When KnowBe4 Remains the Best Choice

Despite its limitations for French SMBs, KnowBe4 remains the best option in specific cases.

You are a multinational with offices in 15+ countries. The 35-language coverage, 25,000 templates, and ability to manage multi-entity campaigns are advantages that French competitors cannot match. SoSafe comes close (32 languages, 5,000+ clients), but KnowBe4's catalog remains deeper.

You have a structured SOC team that needs PhishER. For large-scale incident triage, PhishER remains a solid product (despite the criticisms on specifics). Native SIEM integration (Platinum+) and community threat intelligence are real arguments for organizations with a Security Operations Center.

You are already a KnowBe4 client and migration costs more than renewal. The lock-in effect is real: historical data, established processes, trained admins. If the renewal bill remains acceptable and the limitations identified in this article are not blockers for your context, switching is not always justified.

You need the most advanced AI automation on the market. AIDA (Diamond only) is objectively the most sophisticated SAT automation system available. If your organization is large enough to justify the Diamond cost and mature enough to exploit 316 risk indicators, KnowBe4 is ahead.

You operate in a US-regulated sector. If your company has FedRAMP obligations (KnowBe4 obtained FedRAMP Moderate ATO in November 2023), the choice is simple: no European competitor has it.

When a French Solution Is Preferable

You are an SMB with 10 to 250 employees and no dedicated CISO. KnowBe4's complexity is sized for structured IT teams. For an IT manager juggling network, support, and security, a solution deployable in minutes (Riot, nophi.sh) with French-language support is better suited than a platform with 60 reports and 25,000 templates.

GDPR compliance is a priority and you want to minimize your documentation burden. Hosting simulation data in France or Europe eliminates the need to conduct a transfer impact assessment (AITD in French), monitor US subprocessors, and track the evolution of the DPF. That is less compliance work - concretely, hours of labor saved each year.

Your employees work primarily in French. Native simulations (Ameli, Impôts, EDF, Chronopost) test the actual vigilance of your teams. Simulations translated from English test their ability to spot an exercise - that is not the same thing.

You are a supplier to public-sector agencies or critical infrastructure operators (OIV). The Cloud au Centre doctrine and SecNumCloud requirements apply through contractual trickle-down. If your public-sector clients impose data sovereignty clauses, a solution hosted in France is not an advantage - it is an obligation.

You want predictable pricing with no renewal surprises. French solutions with public pricing (Riot, nophi.sh) and transparent European solutions (Guardey) offer budget visibility that the KnowBe4 model (4 tiers + add-ons + renewal increases) cannot guarantee.

You are looking for a solution that combines simulation and real phishing detection. If responding to actual suspicious emails is part of your need (and in 2026, it should be), solutions that include a suspicious email analysis layer (nophi.sh analyzes emails reported by employees, Mailinblack filters incoming emails) have a functional advantage over pure simulation platforms (Riot, SoSafe, KnowBe4 without PhishER).

Simulation + AI analysis of reported emails, hosted in France. Create a nophi.sh account - up and running in 15 minutes, flat-rate pricing.

Frequently Asked Questions

Is KnowBe4 GDPR-compliant for a French company?

KnowBe4 hosts its European clients' data on AWS Dublin (primary) and AWS Frankfurt (backup), which is GDPR-compliant. The company offers a DPA (Data Processing Agreement) and uses Standard Contractual Clauses (SCCs) for transfers to its American subprocessors. This is legally compliant in March 2026. The caveat: as an American company, KnowBe4 is subject to the Cloud Act and FISA. If the Data Privacy Framework (DPF) is invalidated - a scenario that several legal scholars call "Schrems III" - organizations using KnowBe4 will need to immediately reassess the legal basis for their transfers. Solutions hosted exclusively in France or Europe do not carry this risk.

What is the real price of KnowBe4 for 50 users?

The entry price is $1,140/year (Silver, 50 users). But at the Silver level, you don't get access to micro-learning, SmartRisk, SIEM integration, or AIDA. For a version comparable to competitors' all-inclusive offerings, expect Diamond ($1,950/year) plus the PhishER and SecurityCoach add-ons - approximately $2,730/year (~2,510 euros). Add the documented 20–40% renewal increases, and the 3-year cost can exceed 8,000 euros - not counting the configuration and administration time, which is higher than at SMB-oriented competitors.

Can you migrate from KnowBe4 to a French solution?

Technically, yes. Campaign data (click rates, simulation history) can be exported from KnowBe4. The sticking point is the loss of comparative history: progression metrics will no longer be calculable on a consistent baseline. Migration is easier at the beginning of a contract cycle than mid-way through a multi-year contract. Recommendation: export your data before the contract ends, negotiate a 1–2 month overlap to ensure continuity, and take advantage of the migration to start with a fresh baseline.

Riot or nophi.sh: how to choose between the two French solutions?

Both solutions are French and well-rated. The key differences: Riot ($6.89/user/month) offers a wide scope with data breach monitoring, access drift detection, and a cybersecurity hotline, but no real phishing detection. nophi.sh combines simulation and AI analysis of suspicious emails reported by employees, with flat-rate pricing and hosting exclusively in France. For a more detailed analysis, see our comparison of phishing awareness solutions.

Do SMBs really need 25,000 phishing templates?

No. An SMB of 50 people running one simulation campaign per month will use about 12 templates per year. Even varying scenarios over 3 years, you won't use more than 50. KnowBe4's catalog depth is a selling point for multinationals operating in 35 languages and 20 sectors - not for an SMB that needs 10 to 15 believable French-language scenarios, adapted to its industry context. Template quality and local relevance matter more than quantity.

Does NIS2 require data hosting in Europe?

The NIS2 directive does not explicitly require data to be hosted in Europe. However, Article 21 (supply chain security) requires covered entities to assess where their third-party providers process and store data. If hosting is outside the EEA, the organization must demonstrate equivalent protections - a compliance burden that is substantially heavier than European hosting. In France, the transposition of NIS2 ("Loi Résilience," adopted by the Senate on March 12, 2025, promulgation expected Q1 2026) covers approximately 15,000 entities, with penalties up to 10 million euros or 2% of global revenue. For these organizations, European hosting is the path of least resistance for compliance.

The NIS2 Factor: 15,000 French Entities Affected

The transposition of NIS2 into French law ("Loi relative à la résilience des infrastructures critiques et au renforcement de la cybersécurité") was adopted by the Senate in first reading on March 12, 2025. Promulgation is expected in Q1 2026, with technical decrees from ANSSI (France's National Cybersecurity Agency) planned for Q2.

The impact is massive: the scope expands from approximately 500 critical infrastructure operators (OIV) to 15,000 "essential" and "important" entities, including approximately 1,500 local government bodies. ANSSI and SGDSN estimate the compliance cost between 100,000 and 200,000 euros for important entities, and between 450,000 and 880,000 euros for essential entities - plus approximately 10% per year for ongoing maintenance.

For affected SMBs (and their suppliers, through contractual cascade), NIS2 mandates "cyber risk management measures including staff awareness and training." Auditors will ask for proof that simulations are conducted regularly and that results are improving. Without a dedicated platform, producing this proof is impossible.

The penalties are dissuasive: up to 10 million euros or 2% of global revenue for essential entities; 7 million or 1.4% for important entities. ISO 27001 certification does not equal NIS2 compliance - France has explicitly clarified this point.

This regulatory context reinforces the case for solutions hosted in Europe: NIS2 Article 21 (supply chain security) requires organizations to assess where their providers process data. Non-EEA hosting adds an extra compliance layer - assessable, documentable, auditable - that European hosting avoids. For more on compliance obligations, see our NIS2 guide for SMBs.

Conclusion: A Decision Framework, Not a Verdict

The choice between KnowBe4 and a French solution is not a match between a good and a bad product. It is a trade-off between different priorities.

If your priority is catalog depth and AI automation, KnowBe4 Diamond is objectively ahead - provided you accept the price, the complexity, and the GDPR implications.

If your priority is deployment simplicity, French language quality, and budget predictability, French solutions (Riot, nophi.sh) are better calibrated for your context.

If your priority is data sovereignty and minimizing regulatory risk, a solution hosted in France eliminates an entire category of legal risk - and that risk is only growing.

If your priority is value for money for an SMB with fewer than 100 employees, compare the total cost of ownership (TCO) over 3 years - not the entry price. And include in the calculation the time spent on administration, configuration, and compliance documentation. For a step-by-step guide on setting up simulations: Phishing simulation for businesses: 2026 guide.

The scoring grid in our guide How to Choose a Phishing Awareness Solution in 2026 remains the best tool for structuring your evaluation. Fill it in during your demos, criterion by criterion, and let the facts decide.
