In 2013, years of experience and cooperation with critical operators led ANSSI to propose the adoption of a regulatory framework, the « CIIP Law », promulgated on December 18, 2013. The law was proposed with a view to establishing a common minimum level of cybersecurity for all critical operators and strengthening ANSSI's ability to support them in the event of a cyberattack.
The law is intended to apply to more than 200 public and private operators from 12 sectors already identified as critical in France.
Security requirements will apply only to the operators’ most “critical information systems”, which the operators themselves are responsible for identifying.
ANSSI shall be notified directly by operators of incidents occurring on their critical information systems, while protecting the confidentiality of the operators.
ANSSI will set technical and organisational rules, mostly basic cyber hygiene measures common to all sectors.
ANSSI can trigger security inspections, carried out by its own services, another State authority or a Trust Service Provider, on a regular basis or following an incident.
ANSSI can impose measures in case of a major crisis, declared by the Prime Minister. It lays down a legal basis for action in the framework of crisis management plans.
Starting in late November 2014, working groups (WG) were set up by ANSSI with all volunteer public and private operators as well as Ministries and Regulators, thus establishing an ambitious Public and Private Partnership (PPP) on CIIP.
These working groups aimed at working on a multistakeholder basis with the objective of:
The work of the WG was a huge investment in time and resources for ANSSI and the operators.
First meetings with volunteer operators to work on critical information, incident notification and security rules definition
Approval of the sectoral orders
Other sectoral orders followed on October 1st, 2016. The next ones will come into effect in 2017.
After 2 years, 18 WG, 200 meetings and more than 300 experts involved, the WG managed to develop:
While these deliverables will translate into new requirements for them, operators will also benefit from strengthened attention and support from ANSSI. In case of an incident, ANSSI may for instance provide direct assistance, thus constituting a strong incentive for the operators.
Because ANSSI cannot, on its own, support operators facing all the challenges related to CIIP, and with a view to helping them implement the CIIP law, ANSSI established a challenging and rigorous evaluation process allowing it to qualify private cybersecurity “Trust Service Providers” and products.
As of today, providers can be qualified for services in the fields of:
The qualification process guarantees skilled and trustworthy services.
On July 6, 2016, the Council of the European Union and the European Parliament adopted the European network and information system security Directive (“NIS Directive”), the first European legislation dedicated to cybersecurity, aiming at:
ANSSI is particularly supportive of the operational cooperation established between EU Member States through the network of existing cyber security incident response teams (CSIRTs), which was created by the NIS Directive. The large-scale attacks that all countries faced in 2017 confirmed the need for an overall threat evaluation and enhanced coordination in handling incidents.
ANSSI has since been designated national coordinator for the transposition of the NIS Directive in France. Building on ANSSI’s and operators’ experience, the transposition of the NIS Directive in France will benefit from the work already accomplished within the framework of the implementation of the CIIP law.
The national transposition is furthermore drawing on the experience of France’s counterparts, especially the reference documents issued by the NIS Cooperation Group established in 2017 at the EU level. France also contributed to this exchange of best practices, sharing its national expertise by collaborating on the “Reference document on security measures for Operators of Essential Services”.
On 15 February 2018, the French Parliament voted in favour of the legislative proposal, thus taking an important step towards the full transposition into France’s national law. On 22 May 2018, another step was taken with the publication of the decree to pursue the implementation of the French law.