ANSSI recently published its Panorama de la cybermenace 2024 (2024 cyber threat overview), a richly informative document that I encourage you to read. It reviews the means used by attackers and the vulnerabilities they exploited. The year was particularly marked by vulnerabilities in security appliances sitting at the edge of information systems (firewalls, VPN gateways and the like) and by attacks targeting the supply chain.
In June 2024, a survey conducted by ANSSI among the members of CLUSIF, an association of cybersecurity professionals, found that an attack costs on average between 5 and 10 % of an organisation's annual turnover. These costs break down into operating losses, the cost of external support and restoration services, and reputational damage.
The bill on "the resilience of critical infrastructures and the strengthening of cybersecurity", adopted by the Senate on 12 March, is now being examined in committee by the French National Assembly. It aims to transpose the REC, NIS2 and DORA directives into French law. The REC directive (Critical Entities Resilience, CER in English) updates the security arrangements for critical activities, while DORA concerns the financial, banking and insurance sectors.
As a reminder, the NIS2 directive aims to strengthen the cybersecurity of around 15,000 essential and important entities and 1,500 local and regional authorities. Whether an organisation is in scope depends on both sectoral and size criteria. The sectors covered include providers of digital infrastructure and of information and communication services. In terms of size, organisations with fewer than 50 employees and a turnover below €10 million are, as a general rule, not covered. Finally, organisations already subject to equivalent sector-specific regulations are not covered either.
It is up to each organisation, public or private, to determine whether it falls under NIS2 and, if so, to register with ANSSI. To facilitate this, ANSSI has opened a dedicated portal, "monespacenis2.cyber.gouv.fr", which includes an online self-assessment to determine whether your entity is regulated under NIS2. This test has no legal value; its result should be confirmed by a more detailed analysis where there is any doubt.
If your organisation is regulated under NIS2, security incidents will have to be reported to ANSSI. The bill defines an incident as "an event compromising the availability, authenticity, integrity or confidentiality of data".
Vincent Strubel, Director General of ANSSI, has announced a three-year compliance period, during which regulated entities will have to demonstrate that they are investing in cybersecurity.
After this period, administrative fines may reach €10 million or 2 % of annual worldwide turnover, whichever is higher.
The next steps are the final adoption of the law, the publication of its implementing decrees, and then the publication of technical guidelines by ANSSI.