Cybersecurity 2022 Comparisons

Last Updated March 17, 2022

Law and Practice

Authors



Hogan Lovells (Paris) LLP possesses a depth of knowledge and a global presence. The firm's 11-strong Paris privacy and cybersecurity team of lawyers is uniquely placed to help clients with their multi-jurisdictional data projects. The team is specialised by industry sectors (healthcare, automotive, finance, etc), which proves particularly efficient in terms of strategic advice offered to clients. Hogan Lovells Paris offers a truly specialist practice focused on privacy, cybersecurity, data protection, strategic advice, cybersecurity/investigations advice and public affairs/policy assistance as well as litigation capacities. It is a one-stop shop for all of its clients' data privacy needs around the globe (thanks to a team spanning Europe, the USA and Asia), with a perfect integration in one of the most pre-eminent international privacy teams. Key clients include private and public companies, major internet players, healthcare and life sciences businesses, leading financial institutions (including insurance corporations), retail and e-commerce majors, transportation and mobility companies.

The major laws and regulations pertaining to cybersecurity are as follows:

  • Regulation 2019/881 of 17 April 2019 (ENISA Regulation);
  • Directive 2016/1148 of 6 July 2016 (NIS Directive);
  • Regulation 2016/679 of 27 April 2016 (GDPR);
  • Regulation 910/2014 of 23 July 2014 (eIDAS Regulation);
  • Law No 78-17 of 6 January 1978 (French Data Protection Act);
  • Law No 2018-133, transposing NIS Directive;
  • Law No 2004-575 on confidence in the digital economy (LCEN);
  • Military Programming Act for 2014 to 2019;
  • Military Programming Act for 2019 to 2025;
  • Law No 2013-1168 of 18 December 2013;
  • Law No 1988-19 of 5 January 1988 on computer fraud;
  • Order No 2021-650 of 26 May 2021;
  • Decree No 2015-350 of 27 March 2015;
  • Decree No 2015-351 of 27 March 2015;
  • Decree No 2018-384 of 23 May 2018;
  • Decree No 2021-1281 of 30 September 2021;
  • Homeland Security Code;
  • Defence Code;
  • Public Health Code;
  • Criminal Code;
  • Criminal Procedure Code;
  • Monetary and Financial Code.

Basic Concepts or Principles

Article L 111-1 of the Homeland Security Code provides that security is a fundamental right and that the state has the duty to ensure safety throughout the national territory, which extends to cyberspace.

Brief Overview of Relevant Enforcement and Penalty Environment (Major Sanctions)

Fraudulent access to or fraudulent remaining in all or part of an automated data processing system is punishable by two years' imprisonment and a fine of EUR60,000 (Article 323-1 of the Criminal Code). Where this results in the deletion or modification of data contained in the system or in the alteration of the functioning of the system, the penalty is three years' imprisonment and a fine of EUR100,000, increased to five years' imprisonment and a fine of EUR150,000 when it involved the national public system.

Obstructing or distorting the operation of an automated data processing system is punishable by five years' imprisonment and a fine of EUR150,000 (Article 323-2 Criminal Code). Where this offence was committed against a state-operated automated processing system of personal data, the penalty is increased to seven years' imprisonment and a fine of EUR300,000.

The fraudulent introduction of data into an automated processing system, and the fraudulent extraction, possession, reproduction, transmission, deletion or modification of the data contained therein, are punishable under the same conditions.

The act, without legitimate reason, of importing, possessing, offering, transferring or making available equipment, an instrument, a computer program or any data designed or specially adapted to commit one or more of the offences mentioned above is punishable by the penalties laid down for the offence itself or, as the case may be, for the most severely punished offence.

Electronic communications operators or their agents or operators of vital importance (OVI) can be sanctioned by a fine of EUR150,000 for obstructing the implementation, by ANSSI, of the technical markers used to detect events likely to affect the security of information systems.

Executives of operators of essential services (OES) can be sanctioned by a fine of EUR100,000 for failing to comply with the security measures specific to them. Executives of OES can be sanctioned by a fine of EUR75,000 for failing to comply with the obligation to report an incident and EUR125,000 for obstructing the inspection operations.

Executives of digital service providers (DSP) can be sanctioned by a fine of EUR75,000 for failing to comply with the security measures specific to them. Executives of DSPs can be sanctioned by a fine of EUR50,000 for failing to comply with the obligations to report incidents or inform the public, and of EUR100,000 for obstructing the inspection operations.

Infringements of the provisions set out in the French Data Protection Act and the GDPR with respect to cybersecurity are subject to administrative fines up to EUR10 million or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

In accordance with Decree No 2009-834, the National Agency for Information Systems Security (ANSSI) is responsible for the following tasks:

  • to ensure the function of national authority for the defence of information systems;
  • to conduct inspections of the information systems of state services and public or private operators including OVI, OES and DSP;
  • to lead and co-ordinate interdepartmental work on information systems security;
  • to issue approvals for security devices and mechanisms designed to protect information systems from information covered by national defence secrecy.

ANSSI assists in listing the "points of vital importance" (PVI) which, because of the potential critical status of their information systems, need to be monitored. Representatives of ANSSI are then part of the teams in charge of the control of these PVI and carry out the control of their information system (Interministerial General Instruction No 6600/SGDSN/PSE/PSN).

When personal data is involved, CNIL is also responsible for enforcing cybersecurity rules. It can sanction any legal or natural person with administrative fines but does not have the power to criminally prosecute.

The ARCEP controls the compliance of the telecommunications operators with the requirements set out by the Posts and Electronic Communications Code, in particular network security and integrity.

The public interest group Action against Malicious Cyber Acts ("Actions Contre la Cybermalveillance") is particularly active through its website, and was created with the aim of fighting acts of cyber-malice through action organised around three key axes:

  • assisting the victims of malicious cyber acts;
  • preventing risks and raising awareness about cybersecurity;
  • observing and anticipating digital risk.

ANSSI has no power of sanction but can audit information systems as a trust provider, investigate information systems of OVIs and bring the violations of applicable cybersecurity requirements to the attention of the judicial authorities.

The CNIL can carry out controls, which may have different origins:

  • annual control programme;
  • claims and reports by third parties/data subjects;
  • initiative of the commission to tackle specific issues;
  • control of video surveillance systems;
  • further control after the closure of a control procedure (to check compliance actions implemented by the controlled entity).

The decision to carry out a control is made by the President of the CNIL. During the control, CNIL agents may be assisted by experts, and are entitled to take a copy of any technical and legal information needed to assess the conditions under which the personal data processing is carried out. CNIL agents are also entitled to talk to any staff that may hold useful information, and have access to databases, software and contractual documents. After the control, the CNIL drafts a report in which the CNIL agents record, in a factual manner, the findings they have made. This may lead to:

  • closure of the procedure;
  • closure of the procedure with observations addressed to the controlled entity (in case of minor breaches);
  • formal notice to comply with the French Data Protection Act; or
  • information transmission to the CNIL’s restricted committee, which may impose sanctions and/or notify the public prosecutor.

The state is in charge of regulating and enforcing cybersecurity rules. The following national regulators are involved in the regulation of cybersecurity aspects falling under their respective field:

  • ANSSI for information systems and cybersecurity matters;
  • CNIL for cybersecurity implications of data protection issues; and
  • ARCEP for monitoring compliance of the telecommunications operators.

In addition, the European ENISA Regulation (2019/881), adopted on 17 April 2019, grants a permanent mandate to the European Union Agency for Cybersecurity (ENISA) and broadens its competence, providing a single European cybersecurity certification framework.

In addition, on 16 December 2020, the European Commission published a "cybersecurity package", based on the EU Cybersecurity Strategy, which is a new milestone in strengthening European sovereignty. This package includes a proposal for a revision of the NIS Directive and a report on the implementation of the recommendations in the 5G toolkit. The forthcoming evolutions and developments of the European cybersecurity legal framework will reform the currently applicable French regulation. In particular, the future ePrivacy Regulation, Digital Services Act and Digital Markets Act will impact and reform the French and EU cybersecurity regulatory framework.

In the event of a computer attack targeting information systems affecting the nation's war potential (ie, ability to wage/sustain war) or economic potential, security or survival capacity, ANSSI may carry out the technical operations necessary to characterise the attack and neutralise its effects by accessing the information systems that are at the origin of the attack.

ANSSI can also implement technical markers on the networks of electronic communications operators and hosting providers in order to detect events likely to affect the security of the information systems of public authorities, OVI and OES. OVI and OES shall also notify ANSSI in case of certain cyberthreats and attacks targeting their information systems.

After notifying ANSSI, electronic communications operators can also implement technical markers for the sole purpose of detecting events that may affect the security of the information systems of their subscribers.

The ARCEP, as an independent administrative authority, controls compliance with the last three procedures mentioned.

Electronic communications operators can also be required to disclose personal data in order to alert persons affected by cyber-attacks, or technical data necessary to analyse such attacks (Article L 2321-3, Defence Code).

With regard to personal data breach and information systems security incidents reporting and notification, please refer to Section 5. Data Breach Reporting and Notification.

The USA has always been at the forefront of cybersecurity issues compared to the EU, which has always favoured a state-oriented approach to the issue. However, the EU has been a leader in data privacy and security of personal data.

France has been proactive in the cybersecurity domain by following a sector-based approach such as OVI and OES or public administration. Sectorial practical standards, certifications and recommendations are also included in the regulatory requirements (eg, PCI DSS for the credit card industry, SecNumCloud for hosting providers, ASIP Santé for hosting certain health data).

The key developments are as follows.

  • Adoption by the French National Assembly of a bill for the implementation of a cybersecurity certification of digital platforms with its entry into force planned for 1 October 2023. This bill intends to require digital platforms to provide consumers with a cybersecurity “diagnosis” in order to better inform them about the security and location of their data.
  • On 17 May 2021, the French Minister of the Economy, Bruno Le Maire, announced the creation of a new "Trusted Cloud" certification that will be provided to companies abiding by the security standard established by ANSSI.
  • On 26 May 2021, Order No 2021-650 was passed in order to transpose into French law EU Directive 2018/1972 establishing the European Electronic Communications Code (EECC). A decree specifying the aforementioned Order was later published on 2 October 2021; it set out the obligations of electronic communications operators, especially regarding cybersecurity, now applicable to new undertakings such as providers of number-independent interpersonal communications services (eg, providers of online messaging services).
  • Following the adoption of the Report on NIS2 by the European Parliament’s Committee on Industry, Research and Energy on 28 October 2021, the Council agreed regarding its position on the proposal for a Directive on measures for a high common level of cybersecurity across the Union on 3 December 2021.
  • With France holding the presidency of the Council of the EU in 2022, ANSSI plans to seize this opportunity and promote a sovereign EU in the digital space for cybersecurity purposes. ANSSI will work in conjunction with the European Commission and ENISA to strengthen national and collective cyber capacities within the EU.
  • The CNIL has publicly announced that the use of cloud computing is one of three priority themes that have been chosen for 2022. Usually, the three themes selected as priorities for a given year represent about a third of the controls carried out.

Significant pending changes are as follows:

  • the adoption of the Order on access to vehicle data taken in accordance with Article 32 of the Mobility Law No 2019-1428, which notably requires car manufacturers to implement on the vehicles they manufacture the means to detect electronic attacks and to notify such attacks to ANSSI without undue delay;
  • the security of 5G equipment following the 5G Security Act with the task handed to ENISA to prepare the EU cybersecurity certification scheme for 5G networks;
  • the implementation of the ENISA Regulation and the different certification schemes provided by ANSSI in France (eg, SecNumCloud);
  • the transposition of the European Electronic Communications Code, which imposes security obligations on electronic communications service providers, including OTT actors, has been delayed and is still pending in France.

The European Commission adopted a new proposal for a NIS Directive at the end of December 2020; it is now subject to negotiation with the Council of the EU and the European Parliament. Once the proposal is agreed and consequently adopted, member states will have to transpose the NIS2 Directive within 18 months.

In addition, on 16 December 2020, the European Commission published a "cybersecurity package", based on an EU Cybersecurity Strategy, a new milestone in strengthening European sovereignty. This package includes a proposal for a revision of the NIS Directive and a report on the implementation of the recommendations in the 5G toolkit. The French ANSSI will work alongside its EU counterparts to implement the guidelines set out in this document, particularly in the context of the French presidency of the Council of the European Union.

Please refer to the firm's adjacent Cybersecurity 2022 – France (Trends & Developments) article for more details.

ANSSI published an analysis report to alert organisations to a cyberthreat whose modus operandi specifically targets service providers and design offices for espionage purposes. The information provided in this report is based on ANSSI’s investigations following incident response activities. This document is widely shared by ANSSI in order to enable interested parties to protect themselves from this type of security incident and to benefit the "cyberthreat intelligence" community.

The technical report presents the entire chain of attack under investigation, focusing on elements related to initial compromise, privilege escalation, lateral movement and operational objectives.

It also presents tools used by the attackers and the recommendations and best practices for service providers, design offices and their clients, in order to prevent these incidents as much as possible.

The key laws are as follows:

  • the French Data Protection Act provides cybersecurity requirements and sanctions when personal data is involved;
  • Law No 88-19 on computer fraud establishes the offences relating to any automated data processing system;
  • the Military Programming Act No 2013-1168 for 2014-19 and No 2018-607 for 2019-25 provide requirements for operators of vital importance;
  • EU Directive 2016/1148 and Law No 2018-133 provide specific requirements for networks and information systems for operators of essential services and digital service providers;
  • EU Regulation 2019/881 lays down the main requirements for European cybersecurity certification schemes with respect to ICT products and services in the EU;
  • EU Directive 2015/2366 on Payment Services (PSD2), transposed in the French Monetary and Financial Code, sets out provisions for payment service providers' (PSP) information systems;
  • the Decree of 22 November 2019 provides several cybersecurity requirements for digital asset service providers' information systems;
  • the General Regulation of the Financial Markets Authority (AMF) applies to financial establishments' information systems;
  • the French Public Health Code applies to health data-hosting service providers;
  • EU Regulation 2017/745 applies to medical devices that include software components.

ANSSI assists the General Secretary for Defence and National Security in the exercise of its powers in the field of security of information systems. For more details on ANSSI tasks and powers, see 1.2 Regulators.

The ARCEP also controls the compliance of the telecommunications operators with the requirements set out by the Posts and Electronic Communications Code, in particular network security and integrity.

The Information Technology Fraud Investigation Brigade (BEFTI) is a police department of the Paris Regional Directorate of the Criminal Investigation Department. Its fields of action are intrusions into information systems, fighting against counterfeiting on digital media, fraudulent capture of encrypted television media and traditional offences using new technologies as a means of commission.

The French Digital Health Agency (ASIP Santé) is a public interest group that has been created in order to develop shared healthcare information systems. It is in charge of developing and carrying out national projects, elaborating certification referential for health data hosting, promoting interoperability and guaranteeing security, and assisting public authorities to implement the guidelines dedicated to the digitalisation of the health and medico-social sector. ASIP Santé does not hold any sanctioning power but develops guidelines and reference documents.

The ENISA provides practical advice and solutions to the public and private sectors of member states and EU institutions. Its activity consists of:

  • anticipating and supporting the EU in facing emerging network and information security challenges by collating, analysing and making available information and expertise on key NIS issues, taking into account the evolutions of the digital environment;
  • promoting network and information security as an EU policy priority, by assisting the European Union institutions and member states in developing and implementing EU policies and law related to NIS;
  • maintaining state-of-the-art network and information security capacities, by assisting member states and European Union bodies in reinforcing their NIS capacities;
  • reinforcing co-operation at EU level among member states, European Union bodies and relevant NIS stakeholders, including the private sector.

The European ENISA Regulation 2019/881 grants permanent mandate to ENISA and broadens its powers, with more resources and additional missions, in particular drawing up the European cybersecurity certification framework by preparing the technical ground for specific certification schemes.

ANSSI is the national authority for defence and information systems security. It assists the Secretary General for Defence and National Security in the exercise of its powers in the field of information systems security, together with specialised law enforcement departments. ANSSI is responsible for the following tasks, among others:

  • to ensure the function of national authority for the defence of information systems;
  • to conduct inspections of the information systems of state services and public or private operators, especially OVI, OES and DSP;
  • to lead and co-ordinate interdepartmental work on information systems security;
  • to issue approvals for security devices and mechanisms designed to protect information systems from information covered by national defence secrecy.

When personal data is involved, the CNIL is responsible for enforcing cybersecurity rules, as the GDPR requires any controller and/or processor to ensure the security of processing (Article 32 GDPR). Failure to comply with these requirements can be sanctioned with an administrative fine for any legal or natural person. However, the CNIL cannot instigate criminal prosecution. In 2018, the CNIL sanctioned two companies with fines of EUR400,000 and EUR180,000 for violation of personal data processing security obligations with respect to their web users and customers.

The CNIL's enforcement strategy closely scrutinises cyberthreats to data subjects resulting from data breaches suffered by private organisations (eg, phishing, credential stuffing, e-identity theft).

At an EU level, the EDPB can provide guidelines on cybersecurity. On 13 November 2019, the Board adopted Guidelines 4/2019 regarding data protection by design and by default, which contain cybersecurity measures.

The Monetary and Financial Code sets out a general principle of co-operation between the AMF and ANSSI to provide each other with information relevant to the performance of their respective missions in the area of information systems security.

Approved digital assets services providers are subject to cybersecurity requirements pursuant to Decree No 2019-1213, dated 21 November 2019. The AMF conducts audits for information systems of financial establishments and participates in discussions on cybersecurity risks through several working groups, such as the G7 Cyber Expert Group, the Financial Stability Board and the European Systemic Cyber Group.

Articles 321-24 and 321-69 of the AMF General Regulation require asset management companies to ensure the security, integrity and confidentiality of information when processing electronic data, as well as the implementation and maintenance of a business continuity plan to ensure that, in the event of an interruption of systems and procedures, essential data is safeguarded and management activities are continued. In 2019, the AMF conducted cybersecurity audits of five major asset management companies pursuant to its 2019 action plan.

PSD2 also introduced incident reporting requirements. Where a major operational or security incident has occurred, a PSP must, without undue delay, notify ANSSI and inform the payment service users (PSU) of the potential impact of the incident on their financial interests.

In April 2019, the European Supervisory Authorities, composed of the EBA, ESMA and EIOPA, issued a joint advice on cybersecurity, mentioning the need for greater harmonisation of rules on local governance of cybersecurity and on the identification, collection and reporting of cyber incidents to regulators.

ARCEP controls the compliance of the telecommunications operators with the requirements set out by the Posts and Electronic Communications Code, including network security and integrity.

There are also cybersecurity requirements in the medical field. Health data can only be hosted by a service provider having been certified on the basis of a certification referential established by ASIP Santé, by a certifying body authorised by the French Accreditation Committee (COFRAC) or any other equivalent European Accreditation Committee.

Pursuant to EU Regulation 2017/745, medical devices are also subject to cybersecurity requirements, particularly as to their software components.

ASIP Santé is a public interest group that has been created in order to develop shared healthcare information systems. More details on ASIP Santé are provided in 2.2 Regulators.

In 2013, ANSSI published a computer hygiene handbook which provides 42 measures to protect data and IT systems from cyberthreats. The guidelines were updated in 2017. ANSSI also elaborated a guide for the implementation of an information system security policy (PSSI Guide). The objective of the PSSI Guide is to provide support to information systems security managers in developing an information systems security policy within their organisation. It focuses on 16 domains of cybersecurity, especially information systems security risks management, insurance and certification, incident management or business continuity planning. The General Security Repository (RGS) provided by ANSSI is specifically required for information systems implemented by administrative authorities in their relations with users. EBIOS Risk Manager is the method for assessing and processing digital risks published by ANSSI.

In 2021, ANSSI also updated its 2013 guidelines on multi-factor authentication and passwords. This guidance deals with authentication for any type of access – ie, unlocking a terminal (Windows, Linux, etc), access to privileged accounts (by administrators, for example), access to web applications (private or public), etc.

The CNIL has published guidelines on personal data security which provide useful advice on security compliance with the GDPR.

Other cybersecurity standards may apply when they demonstrate compliance with applicable cybersecurity requirements. In particular, the following standards may apply.

  • ISO 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) and for assessing and treating the organisation's information security risks. It mainly consists of determining the context of the organisation (business needs, scope of the ISMS), ensuring strong security leadership and providing strong security support through resources and competence, awareness, communication and document management.
  • ISO 27002 constitutes a code of practice for information security controls by providing guidelines for organisational information security standards and information security management practices including the selection, implementation and management of controls, taking into consideration the organisation's information security risk environment.
  • ISO/IEC 27018 establishes a code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors by augmenting the above-mentioned ISO 27002 controls, with specific items for cloud privacy, and provides completely new security controls for personal data.
  • SSAE 16 is an attestation standard established by the American Institute of Certified Public Accountants (AICPA) to report on the controls and services provided to customers by service organisations. SSAE 16 is widely applied and required for data centres hosting financial data.

The two CNIL guidelines concerning security of personal data are widely applied, especially since the GDPR came into force.

The PSSI Guide elaborated by the ANSSI constitutes one of the main frameworks for the implementation of an information system security policy.

ISO 27001 and 27002 norms are also commonly applied to ensure a standard of networks and information systems security.

Written Information Security Plans or Programmes

The objective of the PSSI Guide is to provide support to information systems security managers in developing an information systems security policy within their organisation. It focuses on 16 domains of cybersecurity, in particular information systems security risks management, insurance and certification, incident management or business continuity planning.

Incident Response Plans

ANSSI and the Association for Management of Risks and Insurance of Companies provide a framework to offer executives and risk managers a step-by-step approach to build a digital risk management policy within their organisation. The 15 steps are organised in three main categories, which are:

  • to understand the digital risk and organise accordingly;
  • to build a security baseline and manage the digital risk; and
  • to enhance its cybersecurity policy.

In addition, ANSSI recently released several recommendations and practical guides for anticipating, handling and responding to cyber incidents and, in particular:

  • a guide to anticipate and respond to ransomware attacks (September 2020);
  • a guide for organisations wishing to train for and respond to a large-scale cyber-attack (October 2020), recalling different characteristics of a cybercrisis such as its evolution, propagation and impact, and allowing organisations to put themselves in a situation through practical exercises;
  • a guide on the detection of security incidents on industrial systems (December 2020);
  • recommendations on securing essential information systems, together with a checklist of the logical and technical requirements and the control and segregation mechanisms to be implemented (December 2020).

Appointment of Chief Information Security Officer (or Equivalent)

The ANSSI provides guidelines concerning the chief information security officer (RSSI) in its Information Hygiene Guide and several sets of recommendations tailored to a CISO audience. This RSSI must be known to all users and will be the first contact for all matters relating to the security of information systems, especially the definition and enforcement of the rules to be applied according to the context and the centralisation and processing of security incidents observed or reported by users.

Involvement of Board of Directors (or Equivalent)

The PSSI Guide provides guidelines on the entities responsible for the application of the PSSI. A senior security officer can receive a delegation from the board of directors to take all necessary steps to design and implement security measures adapted to the needs and objectives of the company and to ensure compliance. They are assisted in their mission by a security committee, which ensures co-ordination of the implementation of the PSSI: it specifically verifies the consistency of the security rules, arbitrates conflicts and reports to the board of directors.

Conducting Internal Risk Assessments, Vulnerability Scanning, Penetration Tests, etc

ANSSI and AMRAE provide a framework to offer executives and risk managers a step-by-step approach to build a digital risk management policy within their organisation. The key elements are to identify critical cyber-attacks scenarios, to quantify the impact of these scenarios (financial, legal or reputational), to define a strong digital security strategy and contract strong and adapted insurance policies.

Multi-Factor Authentication

ANSSI issued guidance on the secure administration of information systems. For administrative actions, ANSSI recommends authentication with at least two factors. In any case, the use of multi-factor authentication is considered a priority by ANSSI. The use of electronic certificates as a means of authentication is also recommended; such certificates should be obtained from a digital certificate service operator qualified by ANSSI or complying with the RGS.

In addition, the second Payment Services Directive (PSD2, Directive 2015/2366), which entered into force in September 2018, introduced strong customer authentication (SCA) requirements. SCA involves verifying the identity of the bank account holder by requiring the validation of two authentication factors from distinct categories:

  • knowledge factor – something the user knows (code or password);
  • possession factor – something the user owns (mobile phone or card);
  • inherence factor – something the user is (facial recognition, fingerprint).

Since May 2021, France has transposed the strong two-factor authentication standard provided for by PSD2.

Anti-phishing measures

In 2016, the ANSSI issued a few recommendations to counter phishing, including the following advice: 

  • never click on a suspicious link or attachment;
  • never respond to a suspicious email – if in doubt, contact the sender through another channel;
  • have a unique password for each application;
  • check the security settings of the email account; and
  • enable two-factor authentication. 

Protection against business email compromise

Due to the increase in business email compromise fraud – also known as “CEO fraud” – during the pandemic period, the French "taskforce to combat fraud and swindles in the context of COVID-19", which brings together several administrations including the CNIL and ANSSI, has issued a guide delivering advice to prevent this type of fraud, such as:

  • beware of any supposedly "urgent" business proposal;
  • do not communicate any information likely to facilitate the work of the fraudsters (names of the various managers, heads of division, means of payment, supplier listings, etc);
  • take the time to check transfer requests – even when in a hurry and under pressure – by calling back on the usual number known internally rather than the one provided by the fraudster, and by checking whether the company's website reports that the company has been the victim of a scam.

Threat intelligence

The OpenCTI (Open Cyber Threat Intelligence) project, developed by ANSSI in partnership with the EU Computer Emergency Response Team (CERT-EU), is a tool for managing and sharing knowledge in the field of cyberthreat analysis. Initially designed to structure ANSSI's information on computer threats, the platform also facilitates interactions between ANSSI and its partners. The tool, which is entirely free, is available for use by "threat intelligence" stakeholders, enabling them to store, organise, visualise and share their own knowledge in this field. In January 2021, ANSSI joined (as a founding member) the Luatix association administering the OpenCTI project.

Insider Threat Programmes

ANSSI recommends that no user of the information system, whatever their hierarchical position and attributions, should have administrative privileges on their workstation. This measure is intended to limit the consequences of the accidental execution of malicious code.

Vendor and Service Provider Due Diligence, Oversight and Monitoring

The French Data Protection Act and the GDPR provide that the data controller, or its selected third-party auditor, can conduct audits and inspections of its data processors.

ANSSI provides guidelines on controlling the risks of outsourcing, which contain “security clauses” subjecting the subcontractor to security audits.

For more details on vendor due diligence, please see 9.1 Processes and Issues.

Use of Cloud, Outsourcing, Offshoring

ANSSI published a security baseline for cloud computing service providers, named SecNumCloud. Compliance with these requirements, updated on 8 March 2022, is necessary to be granted the qualification of trusted provider for cloud services.

A public consultation is running on the draft of the candidate European Cybersecurity Certification Scheme for Cloud Services. It intends to harmonise the security of cloud services with EU regulations, international standards, industry best practices, along with existing certifications in EU member states.

In light of the CJEU Schrems II ruling and its impact on international data transfers, cross-border transfers of personal data carried out in the context of cloud computing and outsourcing are subject to some legal uncertainty. For an example of its impact on the French Health Data Hub, the French public health data cloud-based platform, please refer to the relevant section of our contribution to Chambers Global Practice Guides: Data Protection & Privacy 2022 – France (Trends & Developments).

Payment of Ransomware

In the Information Hygiene Guide, the ANSSI recommends regular backups of the data vital to the proper functioning of the entity that is held on users' workstations and servers. These backups should be hosted on disconnected equipment, and their restoration must be tested periodically. Further, the ANSSI published a guide on anticipating and responding to ransomware attacks, based on its experience of dealing with 104 such attacks in 2020.

Secure software development

The ANSSI has published two guides on secure software development, for the C and Rust languages respectively. These aim at:

  • increasing the security, quality and reliability of the source code produced, by identifying bad or dangerous programming practices;
  • facilitating the analysis of the source code during peer reviews or with static analysis tools;
  • establishing a level of confidence in the security, reliability and robustness of a development;
  • promoting the maintainability of the software as well as the addition of functionalities.

Responsible disclosure of software vulnerabilities

See 7.1 Required or Authorised Sharing of Cybersecurity Information.

Training

ANSSI provides guidelines concerning the RSSI in its IT Hygiene Guide. In order to be up to date on state-of-the-art in information systems security, operational teams shall follow training courses – on taking up their position and then at regular intervals – in particular on the legislation in force, cyberthreats, authentication and access control, and network partitioning and logging.

Further, on 4 September 2020, ANSSI published a guide for organisations on anticipating and responding to ransomware attacks.

Lastly, on 9 March 2022, ANSSI issued a report on IT threats. In this overview, ANSSI underlines the major trends that have marked the cyber landscape in 2020–21 and their likely evolution in the short term.

The ENISA provides practical advice and solutions to the public and private sectors of member states and EU institutions. For more details, please refer to 2.3 Over-Arching Cybersecurity Agency.

Concerning personal data, the EDPB can provide guidelines on cybersecurity. On 13 November 2019, the EDPB adopted guidelines on data protection by design and default, which contain cybersecurity measures, notably the implementation of an information security management system and access management or risk assessments.

GDPR requirements with respect to the security of the processing of personal data apply directly in France. The GDPR requires that controllers and/or processors implement appropriate technical and organisational measures when processing personal data, including pseudonymisation, encryption, ongoing confidentiality, integrity, availability and resilience, and mechanisms to restore availability.

Under the French Data Protection Act, a personal data breach must be notified to the CNIL, when it can result in a risk to the rights and freedoms of natural persons, within 72 hours of becoming aware of it. The data controller must notify the data breach to data subjects without undue delay if the data breach is likely to result in high risks to the rights and freedoms of natural persons.

In addition, more details on data protection requirements are provided in our contribution to Chambers Global Practice Guide: Data Protection & Privacy 2022 – France (Law & Practice).

Please refer to 3.1 De Jure or De Facto Standards.

Pursuant to Article R 1332-41 et seq of the Defence Code, each OVI is required to:

  • compile, keep up to date and communicate to ANSSI the list of the information systems of vital importance (covered by national defence secrecy);
  • implement systems to detect events that may affect the security of their vital information systems;
  • communicate to ANSSI information relating to incidents affecting the security or functioning of their vital information systems and respond to potential follow-up requests;
  • co-operate with ANSSI for audits and provide all necessary information.

Operators of essential services (OES) are defined as public or private operators offering services which are essential to the functioning of society or the economy and whose continuity could be seriously impacted by incidents affecting the networks and information systems necessary for the provision of those services. The OES are subject to specific security requirements, regarding governance of network and information system security, protection of networks and information systems, defence of networks and information systems and resilience of activities.

The OES must declare to ANSSI, without delay, incidents affecting the networks and information systems necessary for the provision of essential services, when such incidents have or are likely to have a significant impact on the continuity of these services, taking into account the number of users and the geographical area affected as well as the duration of the incident. Security audits can also be carried out by ANSSI or a qualified external auditor.

There is no specific requirement on denial of service (DoS) attacks. However, in 2015 ANSSI issued guidelines on dealing with DoS attacks, which advise potential victims of cyber-attacks to use content delivery networks (CDNs) and to establish appropriate contacts with transit operators in order to react effectively.

Digital service providers (DSPs) with more than 50 employees and an annual turnover of more than EUR10 million are subject to specific cybersecurity requirements. They must designate a representative on the national territory, who fulfils the security obligations on behalf of DSPs and constitutes a point of contact with ANSSI. DSPs must comply with specific information systems security requirements in accordance with Commission Implementing Regulation 2018/151. DSPs must declare to ANSSI any incident having a significant impact on the provision of their services.

Under the French Public Health Code, health data processed in the context of healthcare services can only be hosted by service providers that have been certified against the ASIP Santé certification standard by a certifying body authorised by COFRAC or any other equivalent European accreditation body. Pursuant to EU Regulation 2017/745, medical devices are also subject to cybersecurity requirements when they include software components.

The Cyber stress-test framework issued by the European Central Bank (ECB) on 2 May 2018 provides key guidelines and regulatory tools used by supervisory authorities to assess protection, detection and response capabilities against potential cyber-attacks.

The NIS Directive revision proposal adopted on 22 December 2020 by the European Commission addresses the security of supply chains and supplier relationships. This proposal is not yet in force.

Regarding the internet of things (IoT) and supply chain security, more details are provided in 5.6 Security Requirements for IoT.

OVIs must report any data security incident or breach to ANSSI. A security incident or breach is defined, under Article L 1332-6-2 of the Defence Code, as “any incident affecting the operation or security of the information systems”.

OES and DSPs are subject to incident reporting or notification obligations and must declare incidents to ANSSI without delay, as further detailed in 5.8 Reporting Triggers and 5.9 “Risk of Harm” Thresholds or Standards.

Electronic communications services providers must notify personal data breaches to the CNIL without undue delay. When the personal data breach is likely to harm the personal data or privacy of a subscriber or another natural person, they must notify the concerned subscriber or natural person without delay.

Under the French Data Protection Act, personal data breaches must be notified within 72 hours after becoming aware of the incident. More details on personal data breach notification are provided in 4.1 Personal Data and in Chambers Global Practice Guides: Data Protection & Privacy 2022 – France (Law & Practice).

Healthcare institutions and organisations and services engaged in preventive, diagnostic or care activities shall report serious information systems security incidents to the regional health agency without undue delay. Decree No 2016-1214 of 12 September 2016 lists serious information systems security incidents as those:

  • with potential or proven consequences for the safety of care;
  • with consequences for the confidentiality or integrity of health data; and
  • affecting the normal functioning of the institution, organisation or service.

PSPs must notify the ACPR and the Bank of France of major operational and security incidents related to the payment services they provide that meet the criteria set out in the European Banking Authority's guidelines. Payment service users may also be notified where the incident has or could have an impact on their financial interests.

Asset management companies must notify the AMF without delay of any incident the occurrence of which is likely to result in the asset management company incurring a loss or gain of a gross amount exceeding 5% of its regulatory capital. More information on thresholds and triggers is provided in 5.8 Reporting Triggers and 5.9 “Risk of Harm” Thresholds or Standards.

Data protection requirements only apply where personal data is involved. Cybersecurity obligations have a wider scope and also apply to non-personal data, whether sensitive or not.

Further requirements apply to certain categories of data, such as health data, in particular where processed in the context of healthcare services, or classified information governed by the Ministerial Order of 30 November 2011.

As a rule of thumb, the more sensitive the data affected, the more important the notification and remediation obligations are.

For OVI, requirements cover any information system operated by public or private entities for which an attack on security or functioning could significantly reduce the war potential (ie, ability to wage/sustain war) or economic potential, security or survival capacity of the nation or could present a serious danger to the population.

For OES, requirements cover the networks and information systems necessary for the provision of services essential to the functioning of society or economy.

For DSPs, requirements cover any network and information system necessary for the provision of their services in the European Union.

For certified hosting providers of health data, requirements cover the hosting information systems.

For electronic communications services providers, requirements cover the networks and information systems necessary for the provision of electronic communications services.

For PSP and other financial actors, the requirements cover information systems necessary for the provision of services.

Pursuant to EU Regulation 2017/745, medical devices are subject to cybersecurity requirements when they include software components. The National Authority for Medicine and Health Products Safety provides guidelines on the cybersecurity of medical devices, which are aligned with the ISO 14971 standard and focus on patients' data, encryption keys, medical devices’ firmware and event loggers.

Personal data breach is detailed in Chambers Global Practice Guide: Data Protection & Privacy 2022 – France (Law & Practice).

There is no legal requirement concerning industrial control systems. However, ANSSI has published multiple guidelines with respect to the cybersecurity of industrial systems, security of SCADA application server software and cybersecurity requirements applicable to providers of industrial systems integration and maintenance services. See the following ANSSI guides on:

  • the cybersecurity of industrial information systems;
  • a protection profile for SCADA application server software, published in 2015;
  • cybersecurity requirements for industrial systems integration and maintenance providers; and
  • the detection of security incidents on industrial systems.

There is no legal requirement dedicated to security for IoT. In 2019, ENISA published a good practice guide with respect to security of IoT in the context of smart manufacturing. Building on this publication, in November 2020 the agency unveiled Guidelines on Securing the IoT Supply Chain. The study addresses the entire lifespan of IoT product development by analysing threats and key players at different stages and by offering security measures for each step. However, some specific requirements apply where personal data is involved.

ANSSI evaluates trusted products and services and awards labels which administrations and companies trust and refer to when choosing their equipment in compliance with the security rules in force.

Qualified software and hardware products are categorised by the security services they offer in the catalogue of qualified security products and services available on the website of ANSSI (the French agency for the security of information systems). They cover products related to the following categories of needs:

  • workstation protection;
  • electronic signature and evidence management;
  • firewalls;
  • IP encryption;
  • cryptographic resources;
  • security administration.

In addition to this qualification scheme, the ANSSI has set up a first-level security certification process (CSPN), which gives access to information on the security level of products independently of their final use (administration, company or private individuals). The products thus certified are listed on ANSSI’s website.

The ANSSI has also published a guide regarding programming rules to develop secure applications with Rust, a multi-paradigm language.

Lastly, thanks to Law No 2016-1321 of 7 October 2016 for a Digital Republic, the ANSSI may receive reports from individuals regarding vulnerabilities they have discovered, keeping their identity and the conditions of the notification confidential.

In accordance with the GDPR, the controller must notify the data breach to the CNIL, when it can result in a risk to the rights and freedoms of natural persons, within 72 hours of becoming aware of it. If the data breach is likely to result in high risks to the rights and freedoms of natural persons, the data subjects must also be notified.

DSPs must report to ANSSI any incident having a significant impact on the provision of their services as soon as possible. To determine this threshold, DSPs must take into account the number of affected natural and legal persons with whom a contract for the provision of services has been concluded, the number of affected users who have used the service based on previous traffic data, the duration of the incident or the severity of service disruption.

Reporting requirements for OVIs concern any incident affecting the security or functioning of their vital information systems; any such incident must be reported to ANSSI. ANSSI can transmit to the co-ordinating ministers of the vital activity sectors concerned, when its analysis of the incident justifies it, a summary of the information collected relating to the incident.

Electronic communications services providers must notify any personal data breach to the CNIL without undue delay. When the personal data breach is likely to harm the personal data or privacy of a subscriber or another natural person, the provider must notify the concerned subscriber or natural person without delay. Electronic communications operators can also be required by ANSSI to alert the users or owners of vulnerable, threatened or attacked information systems. ANSSI may also request the communication of users' personal data in order to alert them directly.

Electronic communications operators must notify (i) the Minister of the Interior of any security incident with a significant impact on the operation of their networks or services, and (ii) the ANSSI when the security incident is a cybersecurity incident. They must also notify their subscribers in the event of a particular and significant threat of a security incident and indicate what measures they can take to protect themselves.

Healthcare institutions and organisations and services engaged in preventive, diagnostic or care activities shall report serious information systems security incidents to the regional health agency without delay. The regional health agency transmits information of significant security incidents to ASIP Santé without undue delay.

The Order on access to vehicle data, adopted in accordance with Article 32 of Mobility Law No 2019-1428, notably requires car manufacturers to implement, on the vehicles with connected devices they manufacture, means to detect electronic attacks and to notify such attacks to ANSSI without undue delay.

The criteria triggering a report to the ACPR and the Bank of France for PSPs are set out in the 2017 EBA guidelines. The assessment is based on the transactions affected, the PSUs affected, service downtime, economic impact, a high level of internal escalation, other PSPs or relevant infrastructures potentially affected, and reputational impact.

Asset management companies must notify the AMF without delay of any incident the occurrence of which is likely to result in the asset management company incurring a loss or gain, a cost related to its civil or criminal liability, an administrative penalty or damage to its reputation of a gross amount exceeding 5% of its regulatory capital. Under the same conditions, they shall inform the AMF of any event that prevents an asset management company from meeting the conditions for its authorisation (Article 318-6 AMF regulation).

Notification requirements apply based on different thresholds, depending on the applicable regulation, with the exception of OVI.

The requirement to notify personal data breaches to the CNIL applies when the breach is likely to result in a risk to the rights and freedoms of data subjects; breaches must also be notified to data subjects when the breach is likely to result in a high risk to their rights and freedoms.

OES must report to ANSSI any incident having a significant impact on the continuity of their services. To determine this threshold, OES must take into account the number of affected users, the geographical area affected and the duration of the incident. After consultation with the concerned OES, ANSSI can inform the public of the security incident when this information is necessary to prevent or treat the incident. If the incident has a significant impact on the continuity of essential services provided by the OES in other EU member states, ANSSI informs the local competent authorities. 

DSPs must report to ANSSI any incident having a significant impact on the provision of their services. To determine this threshold, DSPs must take into account the number of affected users, the duration of the incident, its geographical spread, the severity of service disruption and the magnitude of the incident's impact on the functioning of society and the economy. After consultation with the concerned DSP, ANSSI can inform the public of the security incident when this information is necessary to prevent or treat the incident or when it is justified by a general interest motive. If the incident has a significant impact on services provided in other EU member states, ANSSI informs the local competent authorities, which can make the incident public.

With respect to electronic communications services providers, when the data breach is likely to harm the personal data or privacy of a subscriber or another natural person, they must notify the concerned subscriber or natural person without delay.

With respect to the notification requirements of healthcare institutions, organisations and services engaged in preventive, diagnostic or care activities, Decree No 2016-1214 lists serious information systems security incidents as incidents:

  • with potential or proven consequences for the safety of care;
  • with consequences for the confidentiality or integrity of health data; and
  • affecting the normal functioning of the institution, organisation or service.

Significant information systems security incidents are incidents having potential or proven impact on the departmental, regional or national organisation of the healthcare system and incidents likely to affect other institutions, organisations or services.

In the financial sector, the EBA guidelines provide two levels of risk regarding the criteria triggering notification to the ACPR and the Bank of France – a “lower impact level” and a “higher impact level”. Risk of harm is acknowledged when either one or more criteria of the higher impact level or three or more criteria of the lower impact level are met.

Any person having knowledge of the secret convention for deciphering a means of cryptology likely to have been used to prepare, facilitate or commit a crime or offence, and who refuses to hand it over to the judicial authorities, can be sentenced to three years' imprisonment and a fine of EUR270,000 (Article 434-15-2, Criminal Code).

The LCEN provides for a general obligation of prior declaration to ANSSI for the supply, transfer from an EU member state or importation of a means of cryptology not performing exclusively authentication or integrity control functions.

In the event of a computer attack targeting critical and strategic information systems, ANSSI can carry out the technical operations necessary to characterise the attack and neutralise its effects by accessing the information systems from which the attack originates. ANSSI can also deploy technical markers on electronic communications operators’ networks and on hosting providers’ networks to detect events likely to affect the security of the information systems of public authorities, OVIs and OES. The disclosure of personal data can also be required from telecommunications operators for forensic purposes. ARCEP oversees compliance with the last two procedures.

Intelligence authorities have broad power in terms of cybersecurity measures subject to appropriate procedural safeguards. After prior authorisation issued by the Prime Minister after the non-binding opinion of the National Commission for the Control of Intelligence Techniques, intelligence agencies can:

  • request connection data from telecommunications operators, internet service providers and hosting providers, including in some instances real-time collection;
  • order telecommunications operators, internet service providers and hosting providers to implement automated processing on their networks in order to detect terrorist threats (ie, "deep packet inspection");
  • use a technical device in order to obtain the technical connection data of terminal equipment;
  • intercept correspondence transmitted via electronic means;
  • access computer data stored on a computer system or displayed on a computer screen; and
  • intercept communications transmitted through electronic communications networks and received or sent from abroad.

General recommendations concerning cybersecurity are issued by ANSSI. However, whenever personal data is involved, it will trigger the intervention of the CNIL and the application of the provisions set out in the French Data Protection Act and the GDPR.

For the purposes of information systems security, a person acting in good faith can transmit to ANSSI alone information on the existence of a vulnerability concerning the security of an automated data processing system. The authority must preserve the confidentiality of the identity of the person making the transmission and of the conditions under which it was made.

ANSSI and CNIL can require sharing of cybersecurity information as described above.

See 7.1 Required or Authorised Sharing of Cybersecurity Information.

As previously mentioned, the CNIL pronounced penalties against two doctors for not having protected their patients’ personal data, which was openly accessible online and not encrypted. In January 2021, the CNIL also pronounced sanctions of EUR150,000 and EUR75,000 against a data controller and its data processor for failing to take satisfactory measures to prevent credential stuffing attacks on the data controller’s website.

Additionally, on 28 December 2021, the CNIL pronounced a sanction of EUR180,000 against a payment institution for not having protected its clients' personal data, which was stored on a server without any particular security measures and freely accessible from the internet. The data breach affected 12 million individuals.

On the same day, the CNIL pronounced a sanction of EUR300,000 against a major French mobile phone operator for failing to ensure the security of its users' data, having transmitted their passwords by email.

The CNIL has an active enforcement strategy and closely scrutinises the impact of data breaches on data subjects, such as the risk of phishing, credential stuffing and e-identity theft. For more details about recent sanctions issued by the CNIL for data protection infringements, including security requirements, please refer to our contribution to the Chambers Global Practice Guide: Data Protection & Privacy 2022 – France (Law and Practice).

See 1.7 Key Developments and 8.1 Regulatory Enforcement or Litigation.

The first layer of legal standards is set out in the GDPR and the French Data Protection Act, which require that appropriate technical and organisational measures be implemented when processing personal data, including pseudonymisation, encryption, ongoing confidentiality, integrity, availability and resilience, the ability to restore availability, and a process for regularly testing the security of processing.

Specific security standards are applicable for information systems operated by OVI, OES and DSP and for information systems in specific sectors (eg, health, finance).

ANSSI has drawn up a guide for the development of an information system security policy (the "PSSI Guide"). The objective of the PSSI Guide is to support information systems security managers in developing an IT security policy within their organisation. It focuses on 16 domains of cybersecurity, particularly information systems security risk management, insurance and certification, incident management and business continuity planning.

The General Security Framework (RGS) provided by ANSSI is specifically required for information systems implemented by administrative authorities in their relations with users (ie, teleservices such as the payment of fines to the administration). Indirectly, the RGS is intended for all service providers who assist administrative authorities in securing the electronic exchanges they implement, as well as for manufacturers whose business is to offer security products.

All the information systems of the state’s administrations are subject to the provisions set out in the state’s Security of Information Systems Policy, especially the need to use products and services qualified by ANSSI as well as hosting their most sensitive data on the national territory.

In the health sector, the French Digital Health Agency, together with the Delegation for the Health Information Systems Strategy, has developed a general security policy for health information systems (PGSSI-S), which sets out guidelines and a common framework for the level of security expected of such information systems.

Before the GDPR came into force, the French Data Protection Act provided for controller-oriented liability: the controller was the party sanctioned, and it then had to bring a recourse action against the data processor at fault.

Since the GDPR entered into force, processors can be held directly liable. For instance, in January 2021 a data processor was sanctioned alongside the data controller for failing to take satisfactory measures to prevent credential stuffing attacks on the data controller's website. The decision stresses that the controller must decide on the measures to be implemented and provide documented instructions to its processor. Nevertheless, the data processor must also identify the most appropriate technical and organisational solutions to ensure the security of personal data and recommend them to the data controller.

A class action may be brought where at least two consumers consider that they have suffered loss or damage as a result of the same failure by a professional. The action must be brought by an approved association, and a claim can only seek compensation for material damage and only in consumer or competition disputes.

Specific class actions and representative actions are also permitted under the French Data Protection Act when personal data is involved, in accordance with Law No 2016-1547.

For more details about data protection class actions, please refer to the 'Private Litigation' section of our contribution to Chambers Global Practice Guide: Data Protection & Privacy 2022 – France (Law and Practice).

Given the size of potential administrative fines and the associated reputational and business risks, cybersecurity has become a key element of due diligence in corporate transactions. Conducting such due diligence involves analysing the regulatory requirements applicable to the target's cybersecurity, reviewing its cybersecurity practices and, where applicable, putting questions to management. Share purchase agreements may include warranties on cybersecurity policies and practices.

There is no regulation requiring disclosure of a company's cybersecurity risk profile or incident history. However, the issue is routinely raised by M&A practitioners in the context of audits.

Cyber insurance is now taking a higher profile in France. The Ministry of the Economy and Finance, aware of the key role of cyber insurance in the management of cyber-risks, set up a working group on the topic on 30 June 2021. The objective of this working group is to build a cyber insurance offering adapted to the needs of the economy and to the challenges of resilience. A public consultation was also opened to gather contributions from the public. The group's action plan is expected in the first quarter of 2022.

Hogan Lovells (Paris) LLP

17, avenue Matignon
CS 30027
75378 Paris cedex 08
France

+33 1 5367 4747

+33 1 5367 4748

www.hoganlovells.com