Transposition of NIS 2

The ANSSI recently published its 2024 cyber threat overview (panorama de la cybermenace), a richly informative document that I invite you to consult. It examines the means used by attackers and the vulnerabilities they exploited. The year was particularly marked by vulnerabilities in security equipment located at the edge of information systems, and by attacks targeting the supply chain.

In June 2024, a survey conducted by ANSSI among members of CLUSIF, an association of cybersecurity professionals, revealed that an attack costs an organisation on average between 5 and 10% of its turnover. These costs are split between operating losses, fees for external support and recovery services, and reputational damage.

The bill on "the resilience of critical infrastructures and the strengthening of cybersecurity", adopted by the Senate on 12 March, is now being examined in committee by the French National Assembly. The bill aims to transpose the REC, NIS2 and DORA directives. The REC directive updates the security arrangements for critical activities, while the DORA directive concerns the financial, banking and insurance sectors.

As a reminder, the aim of the NIS2 directive is to strengthen the cybersecurity of around 15,000 essential entities and 1,500 local and regional authorities. The application criteria include sectoral and size criteria. The sectors targeted include providers of digital infrastructure and information and communication services. In terms of size, players with fewer than 50 employees and a turnover of less than €10 million are not affected. Finally, organisations already subject to equivalent sector-specific regulations will not be affected either.

It is up to each organisation, whether public or private, to check whether it is affected by NIS2 and, if so, to declare itself to ANSSI. To facilitate this process, ANSSI has opened a dedicated page, "monespacenis2.cyber.gouv.fr", which includes an online test to determine whether your entity is regulated by NIS 2. This test has no legal value and should be confirmed by a more detailed analysis if necessary.

If your organisation is regulated by NIS2, incidents will have to be reported to ANSSI. The bill defines an incident as "an event compromising the availability, authenticity, integrity or confidentiality of data".

Vincent Strubel, Director of ANSSI, has announced a three-year compliance period, during which organisations will have to demonstrate investment in cybersecurity.

After this period, administrative fines may reach 10 million euros or 2% of annual worldwide turnover.

The next steps are the final adoption of the law, the implementing decrees, and then the publication of technical guidelines by ANSSI.
