Cybersecurity in France

Law No. 2013-1168 of 18 December 2013 stipulates that "the Prime Minister shall set policy and coordinate government action in the field of cybersecurity and cyberdefence. For this purpose, he/she shall have at his/her disposal the French National Cybersecurity Agency", ANSSI, reporting to the Secretary General for Defence and National Security.

The French national digital security strategy

The French national digital security strategy, announced October 16th, 2015 by French Prime Minister Manuel Valls, is designed to support the digital transition of French society. It also provides unprecedented impetus, positioning France as a leader in promoting a road map for European digital strategic autonomy.



Cybersecurity and the 2008 White Paper on Defence and National Security

In 2008, then President Sarkozy decided that France needed a White Paper on Defence and National Security that would state the threat facing the nation and help define the capabilities needed to face this threat. The 2008 White Paper, mindful that the risk of a cyber-attack on national infrastructures is one of the most likely major threats of the next fifteen years, highlighted the potentially enormous impact of such attacks on the life of the nation. Our dependence on IT processes is continually increasing with the development of the information society and the ever more extensive use of IT in the essential processes of the State and society.

As a result, the 2008 White Paper called upon the State to develop the capacity to prevent and respond to cyber-attacks, and to make this a major priority of its national security organisation. Specifically, in the field of cyberdefence, it stressed the need for an early detection capability for cyber-attacks, and for an organisation to counter attacks ranging from the most subtle to the most far-reaching. In the field of prevention, it advocated greater use of high-security products and networks, and the establishment of a pool of skills serving government departments and operators of vital importance.

ANSSI was created in line with the proposals of this White Paper on Defence and National Security. A strategic committee for cybersecurity was set up by ANSSI’s founding decree in order to propose a national cybersecurity strategy.
Alongside the creation of ANSSI, the White Paper set in place a zonal cybersecurity observatory (OzSSI) for each area of defence and security on the national territory. The purpose of these observatories is the nationwide roll-out of measures adopted to improve cybersecurity.


2013 White Paper on Defence and National Security & Military Programming Law

In 2013, a new White Paper was published in response to the assessment that cyber-attacks against the network and information systems of numerous French businesses and public sector enterprises were increasing in number and sophistication. This marked a turning point: no longer would the State merely provide for its own cybersecurity requirements; rather, from now on, it would also provide for those of operators of vital importance (a notion defined by law as: “An operator whose unavailability could strongly threaten the economical or military potential, the security or the resilience of the Nation”).
This stepping up of cybersecurity was translated into the law, which accordingly stated that the most critical networks and information systems of these operators of vital importance would have to:

  • comply with the security standards defined by ANSSI in liaison with the operators;
  • have strong detection mechanisms in place, operated by ANSSI or by trusted service providers;
  • report major incidents to ANSSI.

Finally, the law empowered ANSSI to conduct or request audits on these systems to verify security levels and, in the event of a major crisis, to request implementation of the necessary measures as defined by the government.

The Military Programming Law (Law No. 2013-1168) adopted on 19 December 2013 followed the guidelines set by the 2013 White Paper on Defence and National Security. This legislative mechanism enabled national public and private sector operators of vital importance to better protect themselves and ANSSI – and other State bodies – to better support them in the event of a cyber-attack. Article 22 of the Law provided for the adoption of measures to step up the security of operators of vital importance and granted new prerogatives to the Prime Minister.