Threat detection and reporting

Policies and procedures

What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?

It depends on whether the organisation is defined as an organisation of essential importance or whether the organisation is considered a data controller or processor.

For organisations of essential importance, rules and procedures are imposed on them by either decree, ordinance or ministerial orders. As such, since 2016, entities operating in the electricity, maritime, finance, ISPs, space, gas, media, nuclear and arms industries shall adopt compulsory security measures, such as detection tools, defensive tools, strong authentication and restricted access protocols.

The same cybersecurity measures have been recommended by the CNIL regarding personal data on data controllers and processors, private or public. The GDPR has even provided, under article 32, security requirements that may be expected from data controllers and processors, namely:

  • the pseudonymisation and encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Describe any rules requiring organisations to keep records of cyberthreats or attacks.

France has rules requiring organisations to keep records of cyberattacks. As such, pursuant to article 34-bis of the Data Protection Act of 1978 (which extends to all data controllers and processors under the GDPR) and organisations of essential importance, in accordance with article 22 of the Military Programming Act 2013, ISPs are required to keep records of cyberattacks. Such records are collected by way of audit and must specify how the attack happened, its consequences and the measures taken. The law does not specify for how long these records must be kept.

Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.

Pursuant to article 34-bis of the Data Protection Act of 1978, ISPs must report, without any delay, data breaches to the CNIL. Under the GDPR, this obligation is now borne by every data controller and processor, private or public.

According to article 29 of the Data Protection Working Party Opinion 03/2014 on breach notification, three types of incidents must be reported:

  • confidentiality breach – where there is an unauthorised or accidental disclosure of, or access to, personal data;
  • availability breach – where there is an accidental or unauthorised loss of access to, or destruction of, personal data; and
  • integrity breach – where there is an unauthorised or accidental alteration of personal data.

To facilitate reporting, dedicated forms have been provided online and, in the particular case of personal data, can be submitted online.

Regarding organisations of essential importance and in accordance with article 22 of the Military Programming Act 2013, they must report any cybersecurity breach or incident to the ANSSI.

Notification of violation and breach is followed by a report. Information required in reports of cyberthreats depends on the business sector of the organisation considered of essential importance. Regarding personal data, the GDPR is more precise on the matter: data controllers and processors must provide precise information on the time of the attack, its nature, the personal data affected, the remedies applied and the potential consequences of the breach, among others.

Time frames

What is the timeline for reporting to the authorities?

Entities must report without any delay to the CNIL when personal data is concerned, and to the ANSSI if the entities affected are qualified as of essential importance. The GDPR provides more precision about the timeline, namely that the incident must not be reported later than 72 hours (where feasible) after the entity has become aware of the breach.

To facilitate reporting, dedicated forms have been provided online and, in the particular case of personal data, can be submitted online.

Reporting

Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.

According to article 34-bis of the Data Protection Act of 1978 and in the case of a personal data beach, ISPs are compelled to report, without any delay, to customers aggrieved by such breach. This obligation has been extended to all data controllers and processors under the GDPR. Such notification may be levied if the CNIL certifies that appropriate measures have been taken to make direct or indirect identification impossible. According to article 29 of the Data Protection Working Party, in its guidelines on personal data breach notification for the new regulation, dedicated messages should be used when communicating a breach. These include, among others:

  • direct messaging (eg, email, SMS and direct message);
  • prominent website banners or notifications;
  • postal communications; and
  • prominent advertisements in print media.

Law Stated Date

Correct On

Give the date on which the information above is accurate.

December 2019