On 25 May 2018, yet another step is taken toward the complete transposition of the NIS directive into France’s national law with the publication of the decree n°2018-384 executing the legislative proposal voted by the French Parliament on 15 February 2018.
As the French coordinator for the transposition, ANSSI worked alongside all relevant stakeholders to prepare this executive act that defines the cybersecurity framework for “operators of essential services” and “digital service providers”.
By choosing an ambitious transposition, France has established a list of sectors for essential services, following consultations by ANSSI with public and private stakeholders and its European partners. This list refers to many sectors including banking, logistics or catering.
Operators will be appointed soon based on this list of sectors, and will be subject to the following obligations:
Also concerned, Digital Service Providers are subject to obligations for risk analysis, the application of technical and organizational measures and the reporting of incidents. DSP will also be subject to security checks.
The national transposition is furthermore drawing on France’s counterparts experience, especially from the reference documents issued by the NIS Cooperation group established in 2017 at the EU level. France also contributed to this exchange of best practices, sharing its national expertise to collaborate to the “Reference document on security measures for Operators of Essential Services”.
This risk management approach is based on four main themes:
The large-scale attacks that all countries face in 2017 confirmed the need for an overall threat evaluation and enhanced coordination in handling incidents. Created by the NIS directive, the “CSIRTs network” is essential to collectively address these issues. It provides enhanced operational cooperation between between EU Member States, through the existing cyber security incident response teams (CSIRTs).