France (FR)

In October 2015 the French Prime Minister Manuel Valls launched the national cyber security strategy.

The national strategy is built upon 5 strategic objectives:

Obj.1 - Fundamental interests, defence and security of State information systems and critical infrastructures, major cybersecurity crisis. This includes reinforcing the security of its critical networks and resilience in case of a major cyberattack by expanding co-operation with private stakeholders at national and international levels. No specific sectors are cited but the strategy pays special attention to 5G.

In this respect, the national strategy will remain attentive to the type and capabilities of equipment and software installed within communication networks, in order to protect the privacy of correspondence and of citizens and the resilience of these infrastructures, and will continue to adapt its regulatory framework to new emerging technologies.

Obj.2 - Digital trust, privacy, personal data, cybermalevolence.

Obj.3 - Awareness raising, initial training, continuing education.

Obj.4 - Environment of digital technology businesses, industrial policy, export and internationalisation

Obj.5 - Europe, digital strategic autonomy, cyberspace stability

The new strategy calls for the government to establish the means to protect its fundamental interests on the internet, to guard national information and defend critical infrastructure from cyber-attack. The government recognises that this will depend on having sufficient scientific, technical and industrial capabilities.

 

NATIONAL CYBER SECURITY STRATEGY - NIS Capacities

Year of adoption

October 2015, French National Cyber Security Strategy

Updates and revisions

An initial cyber security strategy was first launched in 2011, focusing on internal cooperation and on active contribution to the development of cyber security policies within international organizations such as the European Commission, NATO, UN, OCSE.

Implementation and monitoring

The national cyber security strategy is led by Agence nationale de la sécurité des systèmes d’information (ANSSI). ANSSI sets out the rules and policies for protecting state information systems and for monitoring and verifying the implementation and adoption of all such measures. It provides a monitoring service, as well as detection and warning systems, and is responsible for leading the response to computer attacks on any critical infrastructure or state networks. The Ministry of Defense also contributes to the fight against cybercrime; lastly, the Ministry of Foreign Affairs and International Development ensures the coherence of France’s positions internationally as regards cyber security.

Operational capacity building

The national agency of IT security (ANSSI) is the officially recognized agency responsible for implementing a national cybersecurity strategy, policy and roadmap in France.

The French Internet Resilience Observatory (www.ssi.gouv.fr/en/strategic-committee/the-french-internet-resilience-ob...), established in 2011, aims to identify and measure relevant and representative indicators of resilience, and to make the results public.

Other capacity-building measures: research and education

The CyberÉdu initiative (https://www.cyberedu.fr/index.html), launched in 2013 by ANSSI, aims to strengthen the consideration of digital security in all French higher education courses in computer science. To date, the association is still being structured, but several activities are being considered and discussed for further development.

Legal conditions

France has enacted specific legislation and regulation on cyber security through the following:

- White Paper on Defense and National Security 2008 (French language)
- White Paper on Defense and National Security 2013 (French language)
- Military Programming Law 2013 (French language)

The two White Papers highlighted the potentially enormous impact of cyber-attacks on the life of the nation and stressed the need for an early detection capability for cyber-attacks.

The 2013 White Paper on Defense and National Security also stated that the Operators of Vital Importance (OVI) would have to:
- comply with the security standards defined by ANSSI in liaison with the operators;
- have strong detection mechanisms in place, operated by ANSSI or by trusted service providers;
- report major incidents to ANSSI.

Business and Public Private partnership

In 2016, ANSSI was elected for 3 years to the Board of Directors of ECSO (European CyberSecurity Organisation), the European association created in June 2016 as part of the launch of the Public Private Partnership for European cybersecurity (cPPP).

12 areas of activity have been identified as Vital Importance Operators (OIV) by a national decree in 2006, including Space and Research, Health, Water management, Food, Energy, Electronic Communications, Transport, Finance, Industry, Institutional and Military activities.

To avoid a large-scale cyber-attack, ANSSI and SGDSN (General Secretariat for Defence and National Security) jointly announced the release of three sectoral decrees on water management, health products and food. These three sectoral laws determine the computer security rules for OIV (Vital Importance Operators) under Article 22 of the LPM (Military Programming Act) of 18 December 2013. These rules provide in particular for the identification of vital systems (IVIS), the notification of security incidents to ANSSI, and controls to monitor the implementation of these measures.

Overall assessment/best practices

Training and international co-operation are the main foundations of the French cybersecurity strategy. Central to successful implementation is a collective, multi-stakeholder approach: government, public sector (national and local levels), businesses and citizens.

Training (part of Obj. 2) is key to filling current gaps in awareness about the risks associated with the digitisation of society. The strategy therefore places emphasis on raising awareness among schoolchildren and students, as well as meeting the increasing demands from the public and private sector regarding cybersecurity by enhancing training in this area.

The content and number of training and higher education programmes for cybersecurity need to meet the real needs of businesses and public administrations. In addition, it is important to integrate cybersecurity training into all higher education that includes some information technology.

Another related objective is the establishment of an Expert Panel of Digital Trust to define training objectives in the short to long term and to ensure continuing education for businesses through the support of trade unions.

Date of last WISER analysis August 2017

 

Compliance with the GDPR and NIS Directive: Report a cyber incident

Report a cyber incident to national CERT/CSIRT

CERT-FR - Officially recognized national CIRT

CERT-DEVOTEAM - Commercial CSIRT

Cert-IST - dedicated to the Industry, Services and Tertiary (IST). It was created in late 1998 by four partners: Alcatel, CNES, ELF (Total) and France Telecom (Orange);


CERT-LEXSI - (Expertise Laboratory in Information Security) is a French Commercial CSIRT;


CERT-RENATER - dedicated to community members of RENATER (National Network for Telecommunications Technology, Education and Research);

  • Team Email: certsvp@renater.fr 
  • Telephone: + 33 1 53 94 20 44 
  • Fax: + 33 1 53 94 20 31


CERT-SocieteGenerale - the Societe Generale Group, for its internal services and clients;


CERT-XMCO - French Commercial CSIRT;

  • Team Email: info@xmco.fr 
  • Telephone: +33 (0)1 47 34 68 61


CERT-SOLUCOM - a French Commercial CSIRT;

CERT Bank of France - the internal CSIRT of the Bank of France;


CERT Capgemini Sogeti - a French Commercial CSIRT;


CERT UBIK - a French Commercial CSIRT;


CERT Caisse des Dépôts (CERT-CDCFR) - the Caisse des Dépôts Group, for its internal services and clients;


OSIRIS CERT - the University of Strasbourg CSIRT.

Guidance and Updates

ANSSI regularly reports best practices and recommendations to different stakeholders.

In 2013 the guide "40 essential measures for a healthy network" was released. It sets out 40 essential IT measures to safeguard the security of information systems and explains how to implement them.

In 2014 ANSSI released a document called "Managing Cyber Security for Industrial Control Systems", which aimed to develop concrete and practical proposals to improve the cybersecurity of critical infrastructures.

As a result, two documents were produced:

- Classification Method and Key Measures describes a classification method for industrial control systems and the key measures to improve their cyber security. This document contains the cyber security classes for Industrial Control Systems, Control measures and a number of classification methods.

- Detailed Measures contains a detailed list of vulnerabilities, and describes Organisational and technical security measures, mapping and event logs.

Languages French, English
Date of last WISER analysis July 2017

 
