On November 28, 2016, four sector-specific orders were adopted by France's Secretary General for Defense and National Security, on behalf of the Prime Minister. These orders (document in French) aim to complete the information systems security plan applicable to the Operators of Critical Infrastructures ("OCI") in the finance, audiovisual and information, industry, and electronic communications and internet sectors.
The four sector-specific orders set forth: (i) technical and organizational security measures; (ii) the obligation for OCIs to carry out an impact assessment so as to identify the critical importance information systems among their information systems; and (iii) the obligation to set up a notification and a resolution procedure for security incidents. These four new orders follow three previous orders in force since July 1, 2016, related to the health care products, water management, and food supply sectors.
Pursuant to the Defense Code (Articles L. 1332-6-1 and R. 1332-41-1), the Prime Minister has authority to adopt security measures proposed by ANSSI, the French national cybersecurity agency, in relation to the cybersecurity of OCIs. The implementation of such measures is compulsory, and failing to comply with such legal requirements is a criminal offense that may trigger fines of up to EUR 750,000 for businesses.
France has become a leading country in terms of implementation of a regulatory framework for defining cybersecurity measures and securing the information systems in key sectors identified by a ministerial order of June 2, 2006, as critical for the nation. These sectors are divided into three categories—government, protection of citizens, and social and economic life of the nation. Other sector-specific orders are expected to be adopted in 2017 for the remaining sectors.
The four orders adopted on November 28, 2016, will become effective on January 1, 2017, and will be mandatory for entities that have been designated as OCIs. Other public and private entities operating in France in one of the four sectors to which these orders relate should also take this opportunity to review their own cybersecurity standards in order to properly assess and limit the exposure of their information systems and the related liability risk.