France decided to adopt a progressive and qualitative approach to designate OES in order to focus on support and long-term follow up.
For some stakeholders, these requirements are new. It is therefore essential to advise and guide them to ensure a consistent and efficient implementation of security measures and other obligations defined by the transposition law. Lessons learnt from the implementation of the cybersecurity framework introduced in 2013 for critical operators, France identified 122 OES as of November 9, 2018, according to the schedule defined by the NIS Directive. This number, which is not definitive, will increase in the future.
« The French approach, largely based on the positive experience of cooperation with the critical operators since 2013, aims at raising to an appropriate level the security of networks and information systems, both at the national and European level » ensures Guillaume Poupard, ANSSI’s director general. He adds: « It is not our intention to systematically imposing penalties. Our goal is to raise awareness among the OES regarding the crucial importance of digital security, and propose concrete and efficient solutions ».
With a view to collectively establish the necessary security conditions for European Union’s digital transformation, the European Parliament and the Council of the European Union adopted the Network and Information Security (NIS) Directive in July 2016. The Directive aims at raising the level of cybersecurity preparedness and response in the European Union. France completed the transposition of the NIS Directive into national law with the publication of the last implementing decree concerning security measures applying to OES on September 29, 2018.
One part of the new framework provides for the definition and identification of new stakeholders, which play an essential role in the daily life of the French citizens: the so called operators of essential services (OES). OES provide an essential service whose interruption would have a significant impact on the functioning of the economy or the society. OES must guarantee a minimum set of cybersecurity to protect themselves against a cyberattack with major consequences on the functioning of the economy or the society.
ANSSI supports OES in the implementation of the cybersecurity framework designed to ensure their protection (including security rules, incident reports, etc.). The protection of these operators, private or public, completes the cybersecurity framework applying to critical operators introduced by the Critical Infrastructures Information Protection (CIIP) law of 2013, as a response to the increase in quantity and in sophistication of cyberattacks.
As a first step, OES will have to designate a representative and determine their essential information systems. They will then have to apply security rules to their essential information systems (EIS) and report any security incidents affecting their EIS to ANSSI.