France (FR)

In October 2015 the French Prime Minister Manuel Valls launched the national cyber security strategy.

The national strategy is built upon 5 main objectives:

Obj.1 - Fundamental interests, defence and security of State information systems and critical infrastructures, major cybersecurity crisis.

Obj.2 - Digital trust, privacy, personal data, cybermalevolence

Obj.3 - Awareness raising, initial training, continuing education.

Obj.4 - Environment of digital technology businesses, industrial policy, export and internationalisation

Obj.5 - Europe, digital strategic autonomy, cyberspace stability

The new strategy calls for the government to establish the means to protect its fundamental interests on the internet, to guard national information and defend critical infrastructure from cyber-attack. The government recognises that this will depend on having sufficient scientific, technical and industrial capabilities.

 

National Cyber Security Strategy

Year of adoption

October 2015, French National Cyber Security Strategy

Updates and revisions

An initial cyber security strategy was first launched in 2011, focusing on internal cooperation and on active contribution to the development of cyber security policies within international organizations such as the European Commission, NATO, UN, OCSE.

Implementation and monitoring

The national cyber security strategy is led by the Agence nationale de la sécurité des systèmes d’information (ANSSI). ANSSI sets out the rules and policies for protecting state information systems and is responsible for monitoring and verifying the implementation and adoption of all such measures. It provides a monitoring service, as well as detection and warning systems, and is responsible for leading the response to computer attacks on any critical infrastructure or state networks. The Ministry of Defense also contributes to the fight against cybercrime; lastly, the Ministry of Foreign Affairs and International Development ensures the coherence of France’s positions internationally as regards cyber security.

Legal capacity

France has enacted specific legislation and regulation on cyber security through the following:

- White Paper on Defense and National Security 2008 (French language)
- White Paper on Defense and National Security 2013 (French language)
- Military Programming Law 2013 (French language)

The two White Papers highlighted the potentially enormous impact of cyber attacks on the life of the nation and stressed the need for an early detection capability for cyber-attacks.

The 2013 White Paper on Defense and National Security also stated that the Operators of Vital Importance (OVI) would have to:
- comply with the security standards defined by ANSSI in liaison with the operators;
- have strong detection mechanisms in place, operated by ANSSI or by trusted service providers;
- report major incidents to ANSSI.

Operational Capacity

The national agency of IT security (ANSSI) is the officially recognized agency responsible for implementing a national cybersecurity strategy, policy and roadmap in France.

The French Internet Resilience Observatory, established in 2011, aims to identify and measure relevant and representative indicators of resilience, and to make the results public.

Public-private partnership

In 2016 ANSSI was elected for 3 years to the Board of Directors of ECSO (European CyberSecurity Organisation), the European association created in June 2016 as part of the launch of the Public Private Partnership for European cybersecurity (cPPP).

Sector specific cyber-security plans

12 sectors of activity have been identified as Vital Importance Operators (OIV) by a national decree in 2006, including Space and Research, Health, Water management, Food, Energy, Electronic Communications, Transport, Finance, Industry, Institutional and Military activities.

To avoid a large-scale cyber attack, ANSSI and SGDSN (General Secretariat for Defence and National Security) jointly announced the release of three sectoral decrees on water management, health products and food. These three sectoral laws determine the computer security rules for OIV (Vital Importance Operators) under Article 22 of the LPM (Military Programming Act) of 18 December 2013. These rules provide in particular for identification of vital systems (IVIS), notification of security incidents to ANSSI and controls to monitor the implementation of the device.

Risk assessment plan  
Progress Measures

 

Date of last WISER analysis August 2016

 

Current status: NIS Directive and national CERTs/CSIRTs

Computer security incident response teams (CSIRTs)

CERT-FR - Officially recognized national CIRT

CERT-DEVOTEAM - Commercial CSIRT

Cert-IST - dedicated to the Industry, Services and Tertiary (IST). It was created in late 1998 by four partners: Alcatel, CNES, ELF (Total) and France Telecom (Orange);

CERT-LEXSI - (Expertise Laboratory in Information Security) is a French Commercial CSIRT;

CERT-RENATER - dedicated to community members of RENATER (National Network for Telecommunications Technology, Education and Research);

CERT-SocieteGenerale - the Societe Generale Group, for its internal services and clients;

CERT-XMCO - French Commercial CSIRT;

CERT-SOLUCOM - a French Commercial CSIRT;

CERT Bank of France - the internal CSIRT of the Bank of France;

CERT Capgemini Sogeti - a French Commercial CSIRT;

CERT UBIK - a French Commercial CSIRT;

CERT Caisse des Dépôts (CERT-CDCFR) - the Caisse des Dépôts Group, for its internal services and clients;

OSIRIS CERT - the University of Strasbourg CSIRT.

Best practices

ANSSI regularly reports best practices and recommendations to different stakeholders.

In 2013 the guide "40 essential measures for a healthy network" was released. It sets out 40 essential IT measures to safeguard the security of information systems and explains how to implement them.

In 2014 ANSSI released a document called Managing Cyber Security for Industrial Control System which aimed at elaborating concrete and practical proposals to improve the cybersecurity of critical infrastructures.

As a result, two documents were produced:

- Classification Method and Key Measures describes a classification method for industrial control systems and the key measures to improve their cyber security. This document contains the cyber security classes for Industrial Control Systems, Control measures and a number of classification methods.

- Detailed Measures contains a detailed list of vulnerabilities, and describes Organisational and technical security measures, mapping and event logs.

Report an incident

CERT-FR - Team Email - Main Phone +33 (0)1 71 75 84 68 - Fax +33 (0)1 84 82 40 70 - Public PGP Key

CERT-DEVOTEAM - Team Email - Main Phone +33 (0)6 64 48 96 27 

Cert-IST - Team Email - Main Phone +33 5 34 39 44 88 - Fax +33 5 34 39 44 89 - Public PGP Key

CERT-LEXSI - Team Email - Main Phone +33(0) 810 33 60 60 - Public PGP Key

CERT-RENATER - Team Email - Main Phone + 33 1 53 94 20 44  - Fax + 33 1 53 94 20 31

CERT-SocieteGenerale - Team Email - Main Phone +33 (0)1-5898-7200 - Public PGP Key

CERT-XMCO - Team Email - Main Phone +33 (0)1 47 34 68 61

CERT-SOLUCOM - Team Email - Main Phone +33 (0)1.49.03.20.00 - Public PGP Key

CERT Bank of France - Team Email - Main Phone +33 1 42 92 93 02 - Public PGP Key

CERT Capgemini Sogeti - Team Email

CERT UBIK - Online Form  - Main Phone (+33) 6 5101 2463 - Public PGP Key

CERT Caisse des Dépôts (CERT-CDCFR) - Team Email  - Main Phone +33 (0)1 58 50 58 00 - Public PGP Key

OSIRIS CERT - Team Email - Main Phone +33 3 68 85 43 21 - Public PGP Key

Languages French, English