In October 2015 the French Prime Minister Manuel Valls launched the national cyber security strategy.
The national strategy is built upon 5 main objectives:
Obj.1 - Fundamental interests, defence and security of State information systems and critical infrastructures, major cybersecurity crisis.
Obj.2 - Digital trust, privacy, personal data, cybermalevolence
Obj.3 - Awareness raising, initial training, continuing education.
Obj.4 - Environment of digital technology businesses, industrial policy, export and internationalisation
Obj.5 - Europe, digital strategic autonomy, cyberspace stability
The new strategy calls for the government to establish the means to protect its fundamental interests on the internet, to guard national information and defend critical infrastructure from cyber-attack. The government recognises that this will depend on having sufficient scientific, technical and industrial capabilities.
National Cyber Security Strategy
|Year of adoption||October 2015, French National Cyber Security Strategy|
|Updates and revisions||An initial cyber security strategy was first launched in 2011, focusing on internal cooperation and on active contribution to the development of cyber security policies within international organizations such as the European Commission, NATO, UN, OCSE.|
|Implementation and monitoring||
The national cyber security strategy is led by the Agence nationale de la sécurité des systèmes d’information (ANSSI). ANSSI sets out the rules and policies for protecting state information systems and is responsible for monitoring and verifying the implementation and adoption of all such measures. It provides a monitoring service, as well as detection and warning systems, and is responsible for leading the response to computer attacks on any critical infrastructure or state networks. The Ministry of Defense also contributes to the fight against cybercrime; lastly, the Ministry of Foreign Affairs and International Development ensures the coherence of France’s positions internationally as regards cyber security.
France has enacted specific legislation and regulation on cyber security through the following:
The two White Papers highlighted the potentially enormous impact of cyber attacks on the life of the nation and stressed the need for an early detection capability for cyber-attacks.
The 2013 White Paper on Defense and National Security also stated that the Operators of Vital Importance (OVI) would have to:
The national agency of IT security (ANSSI) is the officially recognized agency responsible for implementing a national cybersecurity strategy, policy and roadmap in France.
The French Internet Resilience Observatory, established in 2011, aims to identify and measure relevant and representative indicators of resilience, and to make the results public.
|Public-private partnership||In 2016 ANSSI was elected for 3 years to the Board of Directors of ECSO (European CyberSecurity Organisation), the European association created in June 2016 as part of the launch of the Public Private Partnership for European cybersecurity (cPPP).|
|Sector specific cyber-security plans||
12 sectors of activity were identified as Vital Importance Operators (OIV) by a national decree in 2006, including Space and Research, Health, Water management, Food, Energy, Electronic Communications, Transport, Finance, Industry, Institutional and Military activities.
To avoid a large-scale cyber attack, ANSSI and SGDSN (General Secretariat for Defence and National Security) jointly announced the release of three sectoral decrees on water management, health products and food. These three sectoral laws determine the computer security rules for OIV (Vital Importance Operators) under Article 22 of the LPM (Military Programming Act) of 18 December 2013. These rules provide in particular for identification of vital systems (IVIS), notification of security incidents to ANSSI and controls to monitor the implementation of the device.
|Risk assessment plan|
|Date of last WISER analysis||August 2016|
Current status: NIS Directive and national CERTs/CSIRTs
Computer security incident response teams (CSIRTs)
CERT-FR - Officially recognized national CIRT
CERT-DEVOTEAM - Commercial CSIRT
Cert-IST - dedicated to the Industry, Services and Tertiary (IST). It was created in late 1998 by four partners:
CERT Bank of France - the internal CSIRT of the Bank of France;
ANSSI regularly reports best practices and recommendations to different stakeholders.
In 2013 the guide 40 essential measures for a healthy network was released. It sets out 40 essential IT measures to safeguard the security of information systems and explains how to implement them.
In 2014 ANSSI released a document called Managing Cyber Security for Industrial Control System which aimed at elaborating concrete and practical proposals to improve the cybersecurity of critical infrastructures.
As a result two documents were produced:
- Classification Method and Key Measures describes a classification method for industrial control systems and the key measures to improve their cyber security. This document contains the cyber security classes for Industrial Control Systems, Control measures and a number of classification methods.
- Detailed Measures contains a detailed list of vulnerabilities, and describes Organisational and technical security measures, mapping and event logs.
|Report an incident||
CERT-DEVOTEAM - Team Email - Main Phone +33 (0)6 64 48 96 27
CERT-RENATER - Team Email - Main Phone + 33 1 53 94 20 44 - Fax + 33 1 53 94 20 31
CERT-XMCO - Team Email - Main Phone +33 (0)1 47 34 68 61
CERT Capgemini Sogeti - Team Email