The French PACTE law created a new legal framework for digital assets (actifs numériques) and digital asset service providers (DASPs) (article 86 of the law). These provisions were then specified, notably by decree and by the AMF General Regulation. Article 721-4 of that regulation addresses the security of information systems, or cybersecurity, which is an important part of the DASP application process. The requirements in that article aim to ensure that DASPs rely on a resilient and secure information system capable of facing threats (e.g., threats to the content of portfolios holding digital assets, risks of personal data leakage, inability to investigate in the event of a fraudulent incident or activity, etc.).
AMF Instruction No. DOC-2019-24 details these requirements. It notably includes the obligation for the DASP to trace and keep records of any activity generated by the service offered for a period of 5 years, ensuring inter alia their availability, confidentiality and integrity, and the requirement that the relevant system comply with the best practices of the French national agency for the security of information systems (ANSSI). With regard to outsourcing, and vis-à-vis the authorities, the DASP remains fully responsible for the cybersecurity of the service for which it holds a licence.
The AMF further requires from DASPs (except advisers on digital assets):
- the implementation and monitoring of an ongoing cybersecurity programme aimed at controlling the level of security of the information systems involved in providing the service(s);
- the implementation of operational measures to ensure a minimum level of security for the websites and/or mobile applications through which services are offered. These measures relate notably to the security of components and related applications, authentication requirements, encryption requirements (communication flows must be systematically encrypted using robust encryption protocols and algorithms and the applicant must guarantee the user’s data confidentiality and integrity);
- the obligation to advise users on the use of electronic wallets with a level of security in accordance with the state of the art (e.g. protection by password or encryption key and/or encryption of secrets);
- where a distributed ledger technology (i.e., a blockchain) is used, the AMF may require it to be subject to security certification under a recognised scheme;
- security audit requirements; and
- the obligation to notify the AMF without delay following the occurrence of a significant security incident.
Specific requirements also apply depending on the service provided.
With regard to the custody service, for instance, procedures for generating, storing and backing up electronic wallets, for responding to a compromise of the keys or of the secrets used to generate them, and for returning and destroying electronic wallets must be formalised, verified and regularly monitored. Off-line storage of wallets should be preferred in order to limit the risk of intrusion.
Further, as regards the service of portfolio management on digital assets, the DASP (acting as proxy holder) must, for each user of its service, create an e-wallet whose private key is generated by the proxy holder, is neither transmitted to nor known by the user, and is operated by the proxy holder using an e-wallet solution that complies with the relevant requirements. Upon termination of the management contract, the proxy holder must not communicate to the user the private key of the e-wallet used during the contract, but must return the assets to the user via a specific form of transfer.