
France: Cybersecurity


1. GOVERNING TEXTS

While the digital transition of society is a great economic opportunity, digital spaces are also vulnerable spaces, as cyberattacks are progressing rapidly. Indeed, the increase in cyberattacks is no longer a secret to anyone. While the number of cyberattacks increases year after year, 2020 was simply explosive. In 2020, the National Cybersecurity Agency of France ('ANSSI') reported that it handled 192 ransomware attacks, compared to 54 in 2019.

It is also no secret that many cyberattacks lead to data breaches (for example, personal data that is altered, made unavailable, erased, or shared publicly). According to the French Government website, between January and November 2020, 2,570 data breaches were notified to the French data protection authority ('CNIL').

Therefore, while cybersecurity regulation requires organisations to adopt strong cybersecurity practices, data protection laws require organisations to also put in place strong organisational and technical measures to protect personal data in a digital environment. Under data protection laws, organisations must notify data protection authorities and data subjects when a data breach creates a high risk to the rights and freedoms of data subjects. Therefore, when cybersecurity is no longer ensured and personal data is seriously affected, data subjects must be warned that their data has been exposed.

In France, Act No. 2018-133 of 26 February 2018 laying down Various Provisions for Adaptation of European Union Law in the field of Security (only available in French here) ('the Cybersecurity Act') implements the Directive on Security of Network and Information Systems (Directive (EU) 2016/1148) ('the NIS Directive').

The following texts further implement the NIS Directive:

  • Decree 2018-384 of 23 May 2018 on the Security of Network and Information Systems of Operators of Essential Services and Digital Service Providers (only available in French here) ('the Decree'), which sets out the terms of application of the legislative obligations and lists the sectors, types of operators and essential services concerned;
  • Order of June 13, 2018 setting the terms of the declarations provided for in Articles 8, 11 and 20 of Decree No. 2018-384 of May 23, 2018 relating to the security of networks and information systems of operators of essential services and digital service providers (only available in French here) ('the Reporting Order'); and
  • Order of September 14, 2018 setting the security rules and deadlines mentioned in Article 10 of Decree No. 2018-384 of May 23, 2018 relating to the security of networks and information systems of operators of essential services and digital service providers (only available in French here) ('the Security Rules Order').

Following those implementing texts, two new legal categories were created: operators of essential services ('OES') and digital service providers ('DSP').

However, please note that the Directive on Measures for a High Common Level of Cybersecurity across the Union (Directive (EU) 2022/2555) ('NIS 2 Directive') was published in the Official Gazette of the European Union on 27 December 2022 and became effective as of 16 January 2023. Pursuant to Article 41 of the NIS 2 Directive, by 17 October 2024, Member States must transpose the NIS 2 Directive into their national legislation, and the transposition laws shall apply from 18 October 2024. On the same date, the NIS Directive will be repealed. For further information please see our Insight article on the NIS Directive here.

1.1. Legislation

There is no single piece of legislation addressing cybersecurity; rather, several acts promote it.

General Legislation

General Legislation is provided by:

  • the Defense Code (only available in French here);
  • the Post and Electronic Communications Code (last amended in 2016) (only available in French here) ('the Communications Code'); and
  • the Cybersecurity Act, as well as the Decree, the Reporting Order, and the Security Rules Order.

Sectoral Legislation

  • The Military Programming Act No. 2013-1168 of 18 December 2013 (2014-2019) (only available in French here) ('the Military Programming Act') which sets out obligations for critical operators, as well as Decree No. 2015-350 of March 27, 2015 relating to the qualification of security products and trusted service providers for the needs of information systems security (only available in French here) and Decree No. 2015-351 of March 27, 2015 relating to the security of information systems of operators of vital importance and taken for the application of section 2 of chapter II of title III of book III of the first part of the legislative part of the defense code (only available in French here), which enact the Military Programming Act.
  • The Military Programming Act No. 2018-607 of 13 July 2018 (Military Programming Act 2019-2025) (only available in French here), which sets out obligations for OES and DSPs.

Local authorities

Local authorities must follow a general security reference framework taken in application of the following texts:

  • Ordinance No. 2005-1516 of December 8, 2005 relating to electronic exchanges between users and administrative authorities and between administrative authorities (only available in French here);
  • Decree No. 2010-112 of February 2, 2010 taken for the application of Articles 9, 10 and 12 of Ordinance No. 2005-1516 of December 8, 2005 on electronic exchanges between users and administrative authorities and between administrative authorities (only available in French here);
  • Order of June 13, 2014 approving the general security reference framework and specifying the methods for implementing the validation procedure for electronic certificates (only available in French here); and
  • Order of 10 June 2015 extending the implementation deadlines for the general safety reference system (only available in French here).

1.2. Regulatory authority

ANSSI

ANSSI is responsible for matters related to cybersecurity. It was created in 2009.

ANSSI is attached to the Secretariat-General for National Defense and Security ('SGDSN'). ANSSI is the authority responsible for assisting the Prime Minister in the exercise of his responsibilities in the field of defence and national security.

ANSSI has the following four objectives:

1. Monitoring cybersecurity incidents

ANSSI must be notified directly by operators when a cyber incident occurs in a critical sector or an essential sector, or affects a DSP. ANSSI provides support to the victim and then reports the incident to the sectoral ministries.

2. Security rules

ANSSI sets technical and organisational rules related mostly to cyber hygiene measures for any sector.

3. Controlling and inspecting

ANSSI triggers controls and inspections to be conducted by ANSSI directly or by an appointed service provider.

4. Crisis management

ANSSI proposes rules to be applied for the protection of the State's information systems and can impose measures in the event of a major crisis affecting the State.

CNIL

CNIL is an independent administrative authority responsible for ensuring respect for privacy and data protection in France. It was created in 1978.

It has the following four objectives:

1. Informing and protecting

Data subjects can contact CNIL if they are looking for information about data protection regulations. Individuals can also file a complaint with CNIL in case of issues regarding the protection of their personal data. In 2020, CNIL received 13,585 complaints and 121,439 phone calls.

2. Advising and providing compliance toolkits

CNIL may be consulted by public bodies on draft laws or decrees. CNIL's opinions inform public authorities about data protection but cannot be considered a 'validation' or 'refusal', as they are only opinions and not legal decisions. CNIL's opinions can be seen as best practices and warnings about data protection.

3. Controlling and sanctioning

In the event of non-compliance with data protection rules, CNIL may decide to issue a formal notice or to sanction organisations (formal notice and/or fines). In 2020, CNIL issued 14 sanctions for a total amount of €138,489,300.

4. Anticipating and innovating

CNIL also launched the Digital Innovation Laboratory ('LINC'), which offers a platform where contributors can publish works and thoughts on digital innovation. Another of CNIL's roles is to conduct reflections on the ethical and social issues of digital innovation.

1.3. Regulatory authority guidance

ANSSI

ANSSI issues guidance every year. Below is a non-exhaustive list of recent guidance:

  • Guidance on cybersecurity for SMEs in 12 questions, 2021 (only available in French here). This guide presents accessible measures for a global protection of small and medium-sized enterprises ('SMEs').
  • Guidance on how to react to ransomware, 2020 (only available in French here). This guide explains how to reduce the risk of a ransomware attack and how to limit the effects of such an attack.
  • Guidance on the protection of essential systems, 2020 (only available in French here). The purpose of this guide is to support the technical implementation of rules 7 to 16 of the NIS Directive. It can be of interest for: OES, DSPs, critical operators, any entity with Information System protection needs, and service providers such as digital service companies ('DSCs') designing or operating information systems on behalf of the above entities.
  • Guidance on digital security for local authorities, 2020 (only available in French here). This guide summarises the main regulations applicable to local authorities with regards to cybersecurity. It also provides recommendations linked to implementation.
  • Good practices for travelling professionals, 2019 (only available in French here). This guide contains key factsheets and examples of good practices for individuals on a business trip.
  • Good IT practice guide: 12 essential rules to secure your digital equipment, 2017 (only available in French here). This guide offers essential rules applicable to any company.
  • Charter for the use of computer resources and digital tools - eight key points for SMEs and ETIs, 2017 (only available in French here). Drafting a charter for the use of IT resources and providing it to the users of those resources is good practice. This ANSSI guidance provides non-exhaustive recommendations for such a charter.

CNIL

CNIL issued a guide on personal data security (only available in French here), as well as a checklist to evaluate the security level of personal data within an organisation (only available in French here).

SGDSN

The SGDSN is an interministerial body under the authority of the French Prime Minister. It is responsible for assisting the Prime Minister in the exercise of his responsibilities in the field of defence and national security.

In 2016, it issued a guide to implement a business continuity plan (only available in French here).

Cybermalveillance

Cybermalveillance is a public interest group created by public and private actors with the aim of combating acts of cyber-malice.

In 2021, Cybermalveillance issued guidance on cybersecurity for business executives of SMEs and ETIs (only available in French here).

Notable decisions

In December 2020, CNIL imposed two fines of €3,000 and €6,000 on two private doctors. The doctors insufficiently protected their patients' personal data, therefore there was a data breach, and the data was made available online, publicly. Moreover, the doctors failed to notify the data breach to CNIL.

In July 2020, CNIL imposed a €250,000 fine on Spartoo SAS in response to several breaches of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), among which were failing to provide security measures such as strong passwords for customers and not storing bank card details in clear text.

More recently, in June 2021, CNIL fined Brico Privé €500,000 in response to several breaches of the GDPR, among which was failing to provide security measures such as strong passwords for customers and employees and strong authentication for employees.

2. SCOPE OF APPLICATION

2.1. Network and Information Systems

Not applicable. However, as a similar concept see subsection 2.5 below on DSPs.

2.2. Critical Information Infrastructure Operators

Article R1332-2 of the Defense Code specifies that:

'A sector of vitally important activities, mentioned in 1° of II of Article R. 1332-1, is made up of activities contributing to the same objective, which:

  • relate to the production and distribution of goods or services essential to:
      • the satisfaction of the essential needs of the population;
      • the exercise of the authority of the State;
      • the functioning of the economy;
      • the maintenance of defence capabilities; or
      • the security of the nation, when these activities are difficult to substitute or replace; or
  • may present a serious danger to the population.'

There are 12 sectors of critical importance:

  • food;
  • water management;
  • health;
  • civilian activities;
  • legal activities;
  • military activities;
  • energy;
  • finance;
  • transport;
  • communication, technologies and broadcasting; and
  • space and research.

Critical operators are designated by the coordinating ministry, which also sets the designation criteria and security objectives.

Article R. 1332-1 of the Defense Code specifies that:

'I. The critical operators are designated from among:

  • the public or private operators mentioned in Article L. 1332-1;
  • managers of establishments mentioned in Article L. 1332-2.

II. An operator of vital importance:

  • carries out activities mentioned in Article R. 1332-2 and included in a sector of vital importance;
  • manages or uses as part of this activity one or more establishments or works, or one or more installations, whose damage, unavailability or destruction as a result of an act of malice, sabotage or terrorism could, directly or indirectly:
      • seriously impair the war or economic potential, security or survivability of the nation;
      • seriously endanger the health or life of the population.'

A critical operator must fulfil the following obligations:

  • designate a delegate for defence and security (privileged interlocutor of the ANSSI);
  • draft an operator security plan which describes the organisation and security policy of the operator;
  • draft a specific protection plan for each of the points of vital importance identified;
  • notify to ANSSI security incidents affecting critical sectors; and
  • declare to ANSSI any IT system of critical importance (form only available in French here).

2.3. Operator of Essential Services

According to Article 5 of the Cybersecurity Act, an OES is a public or private operator providing services essential to the functioning of society or the economy and whose continuity could be seriously affected by incidents affecting the networks and information systems necessary for the provision of such services.

According to ANSSI, three criteria must be met for a service to be essential:

1. The service is essential to the maintenance of critical societal or economic activities, and the provision of this service depends on networks and information systems;

2. An incident on these networks and systems would have a significant disruptive effect on the provision of the service; and

3. The significance of a disruptive effect is determined, in particular, by taking into account the following cross-sectoral factors:

  • the number of users dependent on the service provided by the entity concerned;
  • the dependence of other Annex II sectors on the service provided by that entity;
  • the impact that incidents could have, in terms of degree and duration, on economic or societal functions or on public safety;
  • the market share of that entity;
  • the geographical scope in terms of the area likely to be affected by an incident; and
  • the importance of the entity in ensuring an adequate level of service, considering the availability of alternatives for the provision of that service.

OES must fulfill the following obligations:

  • application of security rules to the critical information systems ('CIS') identified by the OES;
  • notification to ANSSI of security incidents affecting the essential services; and
  • submission to checks by ANSSI, or by an audit provider qualified by ANSSI, of the OES's compliance with the security rules and its level of security.

2.4. Cloud Computing Services

Not applicable. However, as a similar concept see subsection 2.5 below on DSPs.

2.5. Digital Service Providers

According to Article 10 of the Cybersecurity Act:

'Digital service provider means any legal person who provides any of the following services:

(a) Online marketplace, namely a digital service that enables consumers or professionals, within the meaning of the last paragraph of the introductory article of the Consumer Code, to conclude online sales or service contracts with professionals either on the website of the online marketplace or on the website of a professional who uses the computer services provided by the online marketplace;

(b) Online search engine, i.e. a digital service which allows users to search, in principle, all websites or websites in a given language, on the basis of a query on any subject in the form of a keyword, phrase or other entry, and which returns links from which it is possible to find information related to the content requested;

(c) Cloud computing service, i.e. a digital service that provides access to a scalable and variable set of computing resources that can be shared.'

The DSP will have to:

  • analyse the risks to its information systems;
  • take technical and organisational measures in each of the following areas:
      • security of systems and facilities;
      • incident management;
      • business continuity management;
      • monitoring, auditing, and control;
      • compliance with international standards;
  • notify ANSSI of any security incident likely to have a significant impact on the continuity of the services it provides; and
  • be subject to security checks, carried out at the request of the Prime Minister, by ANSSI or by qualified service providers.

2.6. Other

Not applicable.

3. REQUIREMENTS

3.1. Security measures

According to Act No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties (as amended), personal data must be:

'6° Processed in such a way as to ensure appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, or access by unauthorised persons, by means of appropriate technical or organisational measures'.

Moreover, as far as critical operators are concerned, ANSSI lists the security rules (only available in French here) that these operators must put in place as follows:

  • develop an information systems security policy;
  • obtain security approval for the systems;
  • map the systems;
  • update the security systems;
  • implement an efficient and secure logging system;
  • implement detection systems qualified by ANSSI, other State services, or qualified service providers;
  • set up an IT security incident management organisation and process security incidents based on the requirements of the security incident response service provider framework;
  • process alerts and report cyber incidents to ANSSI;
  • implement a crisis management procedure in case of major cyber attacks;
  • manage identities and access to ensure traceability of access to critical systems;
  • secure administration of information systems by setting up dedicated hardware and software resources for administration operations; and
  • partition between the different parts of the critical systems and apply a filtering policy to ensure that only strictly necessary flows are used.

Finally, the ANSSI recommends the following 12 rules for SMEs (only available in French here):

  1. Choose passwords carefully;
  2. Update software regularly;
  3. Know users and service providers well;
  4. Make regular backups;
  5. Secure the company's Wi-Fi access;
  6. Be as careful with smartphones or tablets as with computers;
  7. Protect data when travelling;
  8. Be careful when using email;
  9. Download programs only from official publisher websites;
  10. Be careful when paying for services or products on the internet;
  11. Separate personal and professional use; and
  12. Take care of personal and professional information, as well as the digital identity.

3.2. Notification of cybersecurity incidents

ANSSI must be notified if the cybersecurity incident affects critical operators, OESs, or DSPs.

CNIL must be notified if personal data is seriously affected by the cybersecurity incident.

If the cybersecurity incident seriously affects personal data and causes a serious threat to the privacy of individuals, the data subjects affected by the breach must be notified.

3.3. Registration with a regulatory authority

The authority responsible for the registration is ANSSI. Registration with ANSSI is only for specific categories of operators: critical operators, OESs, and DSPs.

3.4. Appointment of a 'security' officer

Critical operators must appoint a security officer. According to Article R1332-5 of the Defense Code:

'The critical operator shall communicate to the minister coordinating its sector of vital activities the name of the person responsible for performing the function of defence and security delegate. This person must be authorised in accordance with the conditions set out in Articles R. 2311-1 et seq. of the Defence Code relating to the protection of national defence secrets.

The delegate for defence and security represents the operator of vital importance before the administrative authority in all matters relating to the security of installations and security plans.'

Articles R. 2311-1 et seq. of the Defense Code define what a national defence secret is and set out the requirements to be met in order to protect national defence secrets.

For instance, according to Article R2311-7 of the Defense Code, unless otherwise provided for by law, no one is qualified to have access to classified information and media unless:

  • he or she has first been granted clearance; and
  • he or she needs to have access to such information and media in order to perform his or her duties or carry out his or her mission, in accordance with the catalogue of jobs justifying clearance, drawn up in accordance with the procedures specified by order of the Prime Minister.

3.5. Other requirements

According to Article 11 of the Cybersecurity Act, a DSP that is established outside the EU and does not have any representative within the EU must appoint a representative established on the national territory for the purposes of its dealings with ANSSI.

4. SECTOR-SPECIFIC REQUIREMENTS

Cybersecurity in the health sector

The health sector is considered as a critical sector, therefore the requirements applicable to the critical operators must be met.

Cybersecurity in the financial sector

E.g. cybersecurity regarding blockchain and cryptocurrencies

The financial sector is considered to be a critical sector, as well as an essential sector, therefore the requirements applicable to critical operators and to essential services operators must be met.

Cybersecurity practices for employees

ANSSI made available good practices guides for working remotely as well as regarding a Charter for the use of IT Resources and Digital Tools (only available in French here).

Cybersecurity in the educational sector

The educational sector is considered as an essential sector, therefore the requirements applicable to the OES must be met.

5. PENALTIES

Critical operators

Article 22 of the Military Programming Act and Article L.1332-7 of the Defense Code provide that non-compliance by critical operators with their key obligations is punishable by a fine of €150,000.

OES

According to the Cybersecurity Act, OES may be subject to the following fines:

  • €100,000 for non-compliance with security rules;
  • €75,000 for failure to communicate a cybersecurity incident; and
  • €125,000 for obstruction of inspection operations.

DSPs

According to the Cybersecurity Act, DSPs may be subject to the following fines:

  • €75,000 for non-compliance with security rules;
  • €50,000 for failure to communicate a cybersecurity incident; and
  • €100,000 for obstruction of inspection operations.

Investigations will be carried out by ANSSI or qualified service providers.

In France, data breaches may fall within one of the following offences:

  • collecting personal data by fraudulent, unfair, or unlawful means is punishable by five years of imprisonment and a fine of €300,000 (Article 226-18 of the Penal Code (only available in French here));
  • using any technical means or device to intercept and capture data, without ministerial authorisation, is punishable by up to five years of imprisonment, as well as a fine of €300,000 for an individual and a fine of €1.5 million for a legal person (Article 226-3 of the Penal Code);
  • theft of information is punishable by three years of imprisonment and a fine of €45,000 (Article 311-1 of the Penal Code);
  • identity theft is punishable by one year of imprisonment and a fine of €15,000 (Article 226-4-1 of the Penal Code);
  • obstructing or distorting the operation of an automated data processing system is punishable by five years of imprisonment and a fine of €150,000 (Article 321-1 of the Penal Code); and
  • the fraudulent introduction of data into an automated processing system or the fraudulent destruction or alteration of the data contained therein shall be punishable by five years of imprisonment and a fine of €300,000 (Article 323-3 of the Penal Code).

Finally, according to Article 83 of the GDPR, if a data controller does not notify the data protection authority within 72 hours or fails to justify the delay or if the notification is incomplete, a sanction of up to 2% of the annual global turnover can be applied.

The assessment of the amount of the sanction considers:

  • the seriousness of the breach, due to the nature (sensitive or not) of the data and documents in question;
  • the number of persons concerned;
  • the responsiveness of the company in correcting the security flaw and its cooperation with the CNIL; and
  • the size of the company and its financial standing.

6. OTHER AREAS OF INTEREST

ANSSI developed a risk management method called EBIOS Risk Manager (only available in French here). This method helps organisations determine the security measures adapted to the threats they face and to set up a monitoring and continuous improvement framework following a risk analysis shared at the highest level.

March 2021

Katia Beider, Independent Privacy Expert
