France has a highly structured and centralized approach to cybersecurity regulation, largely driven by national defense policy and managed by a single powerful agency. While EU instruments such as NIS2 (a directive, transposed into French law) and DORA (a regulation, directly applicable) extend the regulated perimeter, the core framework for critical infrastructure and national security is defined by the National Cybersecurity Agency (ANSSI) and the Military Programming Law (LPM).

1. ANSSI: The National Cybersecurity Authority

The Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI) is the central and most important regulatory body. Created in 2009 under the Prime Minister’s authority (via the General Secretariat for Defence and National Security, SGDSN), its missions include:

  • Regulating Critical Operators: ANSSI sets the technical and organizational security rules for critical entities in France.
  • Incident Response: It runs the French Computer Emergency Response Team (CERT-FR) and receives mandatory incident notifications from critical operators.
  • Certification and Qualification: It manages schemes like SecNumCloud (a security framework for cloud service providers) and qualifies private cybersecurity products and service providers, for example security auditors (PASSI), detection providers (PDIS) and incident response providers (PRIS).
  • Expertise: It provides technical expertise, guidance, and best practices to government departments and private entities.

2. The Loi de Programmation Militaire (LPM)

The Military Programming Law (LPM) is the primary legislative vehicle that grants ANSSI its powers over critical infrastructure. The cybersecurity obligations for critical operators were introduced by the 2013 LPM (covering 2014-2019) and are codified in the Code de la défense; successive LPMs have extended them.

  • Critical Information Systems (CIS): The LPM mandates specific, reinforced security obligations for Operators of Vital Importance (OIVs), public and private entities in 12 sectors (such as energy, transport, banking and healthcare) whose loss would seriously impair national economic or military power. The systems in scope are the operator’s designated systems of vital importance (SIIV in French), not its entire IT estate. OIVs are designated under the broader French framework for Security of Activities of Vital Importance (SAIV).
  • Mandatory Security Measures: OIVs are required to implement security rules (defined by ANSSI) on their most critical systems, often covering areas like network segmentation, detection capabilities, and accreditation.
  • Incident Reporting: OIVs must immediately report security incidents affecting their CIS to ANSSI.
  • Enforcement Powers: The LPM allows ANSSI to have OIVs audited, either by ANSSI itself or by ANSSI-qualified auditors (PASSI), and, in case of a major crisis, allows the Prime Minister on ANSSI’s proposal to impose mandatory security measures on OIVs. The most recent LPM (2024-2030) dedicated €4 billion to strengthening cyber defense capabilities, including enhanced support for ANSSI’s analysis and detection work.

3. Integration with EU Law (NIS2 & DORA)

French law is rapidly integrating EU cybersecurity instruments, which broadens the number of regulated companies well beyond the traditional OIV scope:

  • NIS2 Directive: This EU directive is currently being transposed. It replaces the NIS1 categories (operators of essential services and digital service providers) with Essential Entities and Important Entities, significantly increasing the number of organizations (including certain manufacturers and digital services) subject to mandatory risk management and incident reporting requirements, with ANSSI serving as the main competent authority. The OIV regime continues to apply in parallel to the most critical operators.
  • DORA (Digital Operational Resilience Act): As an EU Regulation, DORA applies directly in France (since 17 January 2025) without transposition. Supervision of financial entities rests with the French financial and insurance sector regulators (ACPR and AMF), in coordination with ANSSI for ICT-related matters.

In summary, French cybersecurity regulation is characterized by its strong focus on national sovereignty and the centralized role of ANSSI, which enforces strict requirements primarily through the LPM for critical entities and increasingly through the transposition of comprehensive EU law for the wider economy.