In 2013, years of experience and cooperation with critical operators led ANSSI to propose the adoption of a regulatory framework, the "CIIP Law", promulgated on December 18, 2013. The law was proposed with a view to establishing a common minimum level of cybersecurity for all critical operators and to reinforcing ANSSI's ability to support them in the event of a cyberattack.
The law applies to more than 200 public and private operators from the 12 sectors already identified as critical in France.
Security requirements apply only to the operators' most critical information systems, which the operators themselves are responsible for identifying.
Operators must notify ANSSI directly of incidents occurring on their critical information systems; the confidentiality of the operators is protected.
ANSSI sets technical and organisational rules, mostly basic cyber-hygiene measures common to all sectors.
ANSSI can trigger security inspections, carried out by its own services, by another State authority or by a qualified Trust Service Provider, on a regular basis or following an incident.
ANSSI can impose measures in the event of a major crisis declared by the Prime Minister. The law lays down the legal basis for such action within the framework of crisis management plans.
Starting in late November 2014, ANSSI set up working groups (WG) with all volunteer public and private operators as well as ministries and regulators, thus establishing an ambitious public-private partnership (PPP) on CIIP.
These working groups operated on a multistakeholder basis with the objective of:
The work of the WGs represented a major investment in time and resources for ANSSI and the operators.
First meetings with volunteer operators to work on critical information systems, incident notification and the definition of security rules
Approval of the sectoral orders
Other sectoral orders followed on October 1, 2016. The next ones will come into effect in 2017.
After 2 years, 18 WGs, 200 meetings and more than 300 experts involved, the WGs developed:
While these deliverables translate into new requirements for operators, operators also benefit from strengthened attention and support from ANSSI. In the event of an incident, ANSSI may for instance provide direct assistance, which constitutes a strong incentive for operators.
Since ANSSI cannot alone support the operators in facing all the challenges related to CIIP, and in order to help them implement the CIIP law, ANSSI established a demanding and rigorous evaluation process allowing it to qualify private cybersecurity "Trust Service Providers" and products.
Today, providers can be qualified for services in the following fields:
The qualification process guarantees skilled and trustworthy services.
On July 6, 2016, the Council of the European Union and the European Parliament adopted the Directive on security of network and information systems ("NIS Directive"), the first European legislation dedicated to cybersecurity, which includes measures aimed at reinforcing the cybersecurity of "Operators of Essential Services".
ANSSI has since been designated national coordinator for the transposition of the NIS Directive in France. Leveraging the experience of ANSSI and of the operators, the transposition of the NIS Directive in France will benefit from the work already accomplished in implementing the CIIP law.
For instance, the security measures for Operators of Essential Services (NIS Directive) will be drawn from the existing list of measures provided for under the 2013 CIIP law and co-drafted with public and private operators.