France - Country Commercial Guide

Cyber-Security in France

Last published date: 2019-10-13

The European Network and Information Systems (NIS) Security Directive sets a minimum baseline of requirements to ensure better protection of critical infrastructures in Europe. The legislation targets three groups of stakeholders: 1. it sets basic principles for Member States for common minimum capacity building and strategic cooperation; 2. it directs operators of essential services (OES) and digital service providers (DSP) to ensure they apply basic common security requirements.

DSPs are broadly defined to include: online/eCommerce marketplace (including app stores); online search engine (with the exclusion of search function limited to a specific website); and Cloud computing services.  NIS systems are considered the e-communications network, connected devices and digital data.

A DSP and an OES are expected to ensure “the ability of NIS to resist any action that could compromise the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the related services offered by, or accessible via, those systems.” Member states must identify OES and establish security and notification requirements for OES and for DSP. The level of security expected from OES should be higher than the level expected from DSP, because of the degree of risk posed to their infrastructure. Among obligations for both OES and DSP are to take technical and organizational measures to NIS risk management; to prevent and minimize the impact of NIS security incidents; to notify, without undue delay, incidents having a significant impact on the continuity of the essential services they provide.

This Directive has been adopted by the EU in July 2016. Member States have until May 2018 to transpose the Directive into their national legal framework.