Cybersecurity 2020

Last Updated March 16, 2020

France

Law and Practice

Authors

Hogan Lovells (Paris) LLP possesses a depth of knowledge and a global presence. The firm's 15-strong Paris privacy and cybersecurity team of lawyers is uniquely placed to help clients with their multi-jurisdictional data projects. It is specialised by industry sectors (healthcare, automotive, finance, etc), which proves particularly efficient in terms of strategic advice offered to clients. Hogan Lovells Paris offers a truly specialist practice focused on privacy, cybersecurity, data protection, strategic advice, cybersecurity/investigations advice and public affairs/policy assistance as well as litigation capacities. It is a one-stop shop for all of its clients' data privacy needs around the globe (thanks to a team spanning Europe, the USA and Asia), with a perfect integration in one of the most pre-eminent international privacy teams. Key clients include private and public companies, major internet players, healthcare and life sciences businesses, leading financial institutions (including insurance corporations), retail and e-commerce majors, transportation and mobility companies.

Major Laws and Regulations

  • Regulation (EU) 2019/881 of 17 April 2019 (ENISA Regulation);
  • Directive (EU) 2016/1148 of 6 July 2016 (NIS Directive);
  • Regulation (EU) 2016/679 of 27 April 2016 (GDPR);
  • Regulation (EU) 910/2014 of 23 July 2014 (eIDAS Regulation);
  • Law No 78-17 of 6 January 1978 (French Data Protection Act);
  • Law No 2018-133, transposing the NIS Directive;
  • Law No 2004-575 on confidence in the digital economy (LCEN);
  • Military Programming Act for 2014 to 2019;
  • Military Programming Act for 2019 to 2025;
  • Law No 2013-1168 of 18 December 2013;
  • Law No 1988-19 of 5 January 1988 on computer fraud;
  • Decree No 2015-350 of 27 March 2015;
  • Decree No 2015-351 of 27 March 2015;
  • Decree No 2018-384 of 23 May 2018;
  • Homeland Security Code;
  • Defence Code;
  • Public Health Code;
  • Criminal Code;
  • Criminal Procedure Code;
  • Monetary and Financial Code.

Basic Concepts or Principles

Article L 111-1 of the Homeland Security Code provides that security is a fundamental right and that the state has the duty to ensure safety throughout the national territory, which extends to cyberspace.

Brief Overview of Relevant Enforcement and Penalty Environment (Major Sanctions)

Fraudulently accessing or remaining in all or part of an automated data processing system is punishable by two years' imprisonment and a fine of EUR60,000 (Article 323-1 of the Criminal Code). Where this results in the deletion or modification of data contained in the system or in the alteration of the functioning of the system, the penalty is three years' imprisonment and a fine of EUR100,000. Where the offences mentioned above have been committed against a system for the automated processing of personal data implemented by the state, the penalty is increased to five years' imprisonment and a fine of EUR150,000.

Obstructing or distorting the operation of an automated data processing system is punishable by five years' imprisonment and a fine of EUR150,000 (Article 323-2 Criminal Code). Where this offence was committed against a state-operated automated processing system of personal data, the penalty is increased to seven years' imprisonment and a fine of EUR300,000.

The fraudulent introduction of data into an automated processing system, the fraudulent extraction, possession, reproduction, transmission, deletion or modification of the data contained therein is punishable by five years' imprisonment and a fine of EUR150,000 (Article 323-3, Criminal Code). Where this offence was committed against a state-operated automated processing system of personal data, the penalty is increased to seven years' imprisonment and a fine of EUR300,000.

The act, without legitimate reason – in particular for research or computer security purposes – of importing, possessing, offering, transferring or making available equipment, an instrument, a computer program or any data designed or specially adapted to commit one or more of the offences mentioned above is punishable by the penalties laid down for the offence itself or for the most severely punished offence respectively (Article 323-3-1, Criminal Code).

Electronic communications operators or their agents or operators of vital importance (OVI) can be sanctioned by a fine of EUR150,000 for obstructing the implementation, by the ANSSI, of the technical markers used to detect events likely to affect the security of information systems. The individuals guilty of this offence can also be prohibited, for a maximum period of five years, from engaging in the professional activity in the course of which the offence was committed.

Executives of operators of essential services (OES) can be sanctioned by a fine of EUR100,000 for failing to comply with the security measures specific to them. Executives of OES can be sanctioned by a fine of EUR75,000 for failing to comply with the obligation to report an incident. Executives of OES can be sanctioned by a fine of EUR125,000 for obstructing the inspection operations.

Executives of digital service providers (DSP) can be sanctioned by a fine of EUR75,000 for failing to comply with the security measures specific to them. Executives of DSPs can be sanctioned by a fine of EUR50,000 for failing to comply with the obligations to report incidents or inform the public. Executives of DSPs can be sanctioned by a fine of EUR100,000 for obstructing the inspection operations.

Infringements of the provisions set out in the French Data Protection Act and the GDPR with respect to cybersecurity are subject to administrative fines up to EUR10 million or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

In accordance with Decree No 2009-834, the National Agency for Information Systems Security (ANSSI) is responsible for the following tasks:

  • to ensure the function of national authority for the defence of information systems;
  • to conduct inspections of the information systems of state services and public or private operators including OVI, OES and DSP;
  • to lead and co-ordinate interdepartmental work on information systems security;
  • to issue approvals for security devices and mechanisms designed to protect information systems from information covered by national defence secrecy.

The ANSSI assists in listing the "points of vital importance" (PVI) which, because of the potential criticality of their information systems, need to be monitored. Representatives of the ANSSI are then part of the teams in charge of the control of these PVI and carry out the control of their information system (Interministerial General Instruction No 6600/SGDSN/PSE/PSN of 7 January 2014).

When personal data is involved, CNIL is also responsible for enforcing cybersecurity rules. It can sanction any legal or natural person with administrative fines but does not have the power to criminally prosecute.

The Regulatory Authority for Electronic Communications, Posts and Press Distribution (ARCEP) controls the compliance of the telecommunications operators with the requirements set out by the Posts and Electronic Communications Code, in particular network security and integrity.

The ANSSI has no power of sanction but can audit information systems as a trust provider and investigate information systems of OVIs (Interministerial General Instruction No 6600/SGDSN/PSE/PSN of 7 January 2014) and bring the violations of applicable cybersecurity requirements to the attention of the judicial authorities (Article R 1332-41-23, Defence Code).

The CNIL can carry out controls, which may have different origins:

  • annual control programme;
  • claims and reports by third parties/data subjects;
  • initiative of the commission to tackle specific issues;
  • control of video surveillance systems;
  • further control after the closure of a control procedure (to check compliance actions implemented by the controlled entity).

The decision to carry out a control is made by the President of the CNIL. During the control, CNIL agents may be assisted by experts, and are entitled to take a copy of any technical and legal information needed to assess the conditions under which the personal data processing is carried out. CNIL agents are also entitled to talk to any staff that may hold useful information, and have access to databases, software and contractual documents. After the control, the CNIL drafts a report (except for documentary controls) in which the CNIL agents record, in a factual manner, all the information that was brought to their attention during the control and the findings they made. This may lead to:

  • closure of the procedure;
  • closure of the procedure with observations addressed to the controlled entity (in case of minor breaches);
  • formal notice to comply with the French Data Protection Act; or
  • information transmission to the CNIL’s restricted committee, which may impose sanctions and/or notify the public prosecutor.

The state is in charge of regulating and enforcing cybersecurity rules. Therefore, no subnational entity has competence for such matters.

In the event of a computer attack targeting information systems affecting the nation's war or economic potential, security or survival capacity, the ANSSI may carry out the technical operations necessary to characterise the attack and neutralise its effects by accessing the information systems that are at the origin of the attack (Article L 2321-2, Defence Code).

The ANSSI can also implement technical markers on the networks of electronic communications operators and hosting providers in order to detect events likely to affect the security of the information systems of public authorities, OVI and OES (Article L 2321-2-1, Defence Code).

After notifying ANSSI, electronic communications operators can also implement technical markers for the sole purpose of detecting events that may affect the security of the information systems of their subscribers (Article L 33-14 of the Postal and Electronic Communications Code).

The ARCEP, as an independent administrative authority, controls compliance with the last three procedures mentioned (Article L 2321-5, Defence Code).

Electronic communications operators can also be required to disclose personal data, in order to alert the persons concerned by cyber-attacks, or technical data necessary to analyse those attacks (Article L 2321-3, Defence Code).

With regard to personal data breach and information systems security incidents reporting and notification, please refer to Section 5 Data Breach Reporting and Notification. See also: www.legifrance.gouv.fr.

The USA has always been at the forefront of cybersecurity issues compared to the EU, which has always favoured a state-oriented approach to the issue. However, the EU has been a leader in data privacy and security of personal data.

France has been proactive in the cybersecurity domain by following a sector-based approach, for example for OVI or public administration.

The key developments are as follows:

  • in decision No SAN-2019-005, dated 28 May 2019, the CNIL pronounced a penalty of EUR400,000 against a housing management service company for having inadequately protected the personal data of its website users and implemented inappropriate data storage methods;
  • the CNIL also pronounced a sanction of EUR180,000 on 18 July 2019 against an insurance company for having insufficiently protected the personal data of its website users;
  • the European ENISA Regulation (2019/881), adopted on 17 April 2019, grants permanent mandate to the European Union Agency for Cybersecurity (ENISA) and broadens its competence, and provides a unique European cybersecurity certification framework;
  • the 5G Security Act, voted on 1 August 2019 (Law No 2019-810), aimed at safeguarding France's defence and national security interests in connection with the operation of 5G mobile radio networks;
  • Recommendation (EU) 2019/534, dated 26 March 2019, concerning the cybersecurity of 5G networks;
  • the G7 conference on 10 May 2019, entitled Cybersecurity: co-ordinating efforts to protect the financial sector in the context of the global economy, which drew objectives in terms of co-ordination across jurisdictions, sectors, and authorities with national security agencies and invited stakeholders to develop large-scale crisis simulation exercises, such as the one co-ordinated by the Banque de France at the level of G7 joint crisis management exercise.

Significant pending changes are as follows:

  • the security of 5G equipment following the 5G Security Act and pending applications to ARCEP for authorisation of 5G equipment;
  • the implementation of the ENISA Regulation and the different certification schemes provided by ANSSI in France;
  • the cybersecurity requirements on approved digital assets service providers since the Decree dated 22 November 2019;
  • the transposition of the European Electronic Communications Code, which imposes security obligations on electronic communications service providers, including OTT actors;
  • to celebrate its tenth anniversary, the ANSSI has published ANSSI10+, a manifesto elaborating an action plan for the next decade;
  • on the occasion of the international cybersecurity forum in Lille, the government and companies in the sector agreed on a roadmap aimed at doubling the size of the sector in five years.

Please refer to the adjacent Cybersecurity – France Trends & Developments for more details.

The key laws are as follows:

  • The French Data Protection Act provides cybersecurity requirements and sanctions when personal data is involved;
  • Law No 88-19 of 5 January 1988 on computer fraud establishes the offences relating to any automated data processing system;
  • Military Programming Act No 2013-1168 of 18 December 2013 for 2014 to 2019 and Military Programming Act No 2018-607 of 13 July 2018 for 2019-2025 provide requirements for operators of vital importance;
  • EU Directive 2016/1148 of 6 July 2016 and Law No 2018-133 of 26 February 2018 (specified by Decree No 2018-384) provide specific requirements for the networks and information systems of operators of essential services and digital service providers;
  • EU Regulation 2019/881 of 17 April 2019 lays down the main requirements for European cybersecurity certification schemes with respect to ICT products, ICT services and ICT processes in the EU;
  • EU Directive 2015/2366 of 25 November 2015 on Payment Services 2 (PSD2), transposed in the French Monetary and Financial Code, sets out provisions for payment service providers' (PSP) information systems;
  • Decree of 22 November 2019 provides several cybersecurity requirements for the information systems of digital asset service providers;
  • General Regulation of the Financial Markets Authority (AMF) applies to the information systems of financial establishments;
  • The French Public Health Code applies to health data-hosting service providers;
  • EU Regulation 2017/745 applies to medical devices that include software components.

The ANSSI assists the General Secretary for Defence and National Security in the exercise of its powers in the field of security of information systems. For more details on the ANSSI tasks and powers, see 1.2 Regulators.

The ARCEP also controls the compliance of the telecommunications operators with the requirements set out by the Posts and Electronic Communications Code, in particular network security and integrity.

The Information Technology Fraud Investigation Brigade (BEFTI) is a police department of the Paris Regional Directorate of the Criminal Investigation Department. Its fields of action are intrusions into information systems, the fight against counterfeiting on digital media, the fraudulent capture of encrypted television media and traditional offences using new technologies as a means of commission.

The Information Technology and Electronics Department of the Criminal Research Institute of the National Gendarmerie deals with digital evidence on all types of media, especially on hard disks and mobile phones. It provides forensic expertise and scientific examinations for the benefit of magistrates and investigators, and is also able to assist them in the field or remotely, during searches or hearings in complex environments.

The French Digital Health Agency (ASIP Santé) is a public interest group that has been created in order to develop shared healthcare information systems. It is in charge of developing and carrying out national projects, elaborating certification referential for health data hosting, promoting interoperability and guaranteeing security, and assisting public authorities to implement the guidelines dedicated to the digitalisation of the health and medico-social sector. ASIP Santé does not hold any sanctioning power but develops guidelines and reference documents.

The ENISA provides practical advice and solutions to the public and private sectors of the member states and the EU institutions. Its activity consists of:

  • anticipating and supporting the EU in facing emerging network and information security challenges by collating, analysing and making available information and expertise on key NIS issues, taking into account the evolutions of the digital environment;
  • promoting network and information security as an EU policy priority, by assisting the European Union institutions and member states in developing and implementing EU policies and law related to NIS;
  • maintaining state-of-the-art network and information security capacities, by assisting the member states and European Union bodies in reinforcing their NIS capacities;
  • reinforcing co-operation at EU level among member states, European Union bodies and relevant NIS stakeholders, including the private sector.

The European ENISA Regulation 2019/881 adopted on 17 April 2019 grants permanent mandate to ENISA and broadens its powers, with more resources and additional missions, in particular drawing up the European cybersecurity certification framework by preparing the technical ground for specific certification schemes.

The ANSSI is the national authority for defence and information systems security. It assists the Secretary General for Defence and National Security in the exercise of its powers in the field of information systems security. The ANSSI is responsible for the following tasks, among others:

  • to ensure the function of national authority for the defence of information systems;
  • to conduct inspections of the information systems of state services and public or private operators, especially OVI, OES and DSP;
  • to lead and co-ordinate interdepartmental work on information systems security;
  • to issue approvals for security devices and mechanisms designed to protect information systems from information covered by national defence secrecy.

When personal data is involved, the CNIL is responsible for enforcing cybersecurity rules, as the GDPR requires any controller and/or processor to ensure the security of processing (Article 32 GDPR). Failure to comply with these requirements can be sanctioned with an administrative fine for any legal or natural person. However, the CNIL cannot instigate criminal prosecution. In 2018, the CNIL sanctioned two companies with fines of EUR400,000 and EUR180,000 for violation of personal data processing security obligations with respect to their web users and customers.

The CNIL also published two guidelines in 2018 on personal data security which provide useful advice on security compliance with data protection regulation.

Concerning personal data, the European Data Protection Board (EDPB) can provide guidelines on cybersecurity. On 13 November 2019, the Board adopted Guidelines 4/2019 regarding data protection by design and by default, which contain cybersecurity measures.

The Financial and Monetary Code sets out a general principle of co-operation between the AMF and the ANSSI to provide each other with information relevant to the performance of their respective missions in the area of information systems security (Article L 631-1, Financial and Monetary Code).

Approved digital assets services providers are subject to cybersecurity requirements pursuant to Decree No 2019-1213, dated 21 November 2019. The AMF conducts audits for information systems of financial establishments and participates in discussions on cybersecurity risks through several working groups, such as the G7 Cyber Expert Group, the Financial Stability Board and the European Systemic Cyber Group.

Articles 321-24 and 321-69 of the AMF General Regulation require asset management companies to ensure the security, integrity and confidentiality of information when processing electronic data, as well as the implementation and maintenance of a business continuity plan to ensure that, in the event of an interruption of systems and procedures, essential data are safeguarded and management activities are continued. In 2019, the AMF conducted cybersecurity audits of five major asset management companies pursuant to its 2019 action plan.

PSD2 also introduced incident reporting requirements. Where a major operational or security incident has occurred, a PSP must, without undue delay, notify the ANSSI and the payment service users (PSU) of the potential impact of the incident on the financial interests of PSUs.

In April 2019, the European Supervisory Authorities, composed of the EBA, ESMA and EIOPA, issued a joint advice on cybersecurity (equivalent to a legislative proposal) mentioning the need for greater harmonisation of rules on local governance of cybersecurity and on the identification, collection and reporting of cyber-incidents to regulators. It also referred to the need for a common checklist for member states to monitor critical IT service providers, especially those providing cloud computing services.

The ARCEP controls the compliance of the telecommunications operators with the requirements set out by the Posts and Electronic Communications Code, including network security and integrity.

There are also cybersecurity requirements in the medical field. Health data can only be hosted by a service provider having been certified on the basis of a certification referential established by ASIP Santé, by a certifying body authorised by the French Accreditation Committee (COFRAC) or any other equivalent European Accreditation Committee.

Pursuant to EU Regulation 2017/745, medical devices are also subject to cybersecurity requirements, particularly as to their software components.

ASIP Santé is a public interest group that has been created in order to develop shared healthcare information systems. More details on ASIP Santé are provided in 2.2 Regulators.

In 2013, ANSSI published a computer hygiene handbook which provides 42 measures to protect data and IT systems from cyberthreats. The guidelines were updated in 2017.

The ANSSI also elaborated a guide for the implementation of an information system security policy (PSSI Guide). The objective of the PSSI Guide is to provide support to information systems security managers in developing an information systems security policy within their organisation. It focuses on 16 domains of cybersecurity, especially information systems security risk management, insurance and certification, incident management and business continuity planning.

The General Security Repository (RGS) provided by the ANSSI is specifically required for information systems implemented by administrative authorities in their relations with users (ie, teleservices such as the payment of fines to the administration). Indirectly, the RGS is intended for all service providers that assist administrative authorities in securing the electronic exchanges they implement, as well as for manufacturers whose business is to offer security products.

EBIOS Risk Manager is the method for assessing and treating digital risks published by the ANSSI. The ANSSI also provides other standards depending on the degree of sensitivity of the information and the entity concerned.

The CNIL has published two guidelines in 2018 on personal data security which provide useful advice on security compliance with the GDPR (www.cnil.fr/fr and www.cnil.fr/sites).

Other cybersecurity standards may apply when they demonstrate compliance with applicable cybersecurity requirements. In particular, the following standards may apply.

  • ISO 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) and for assessing and treating the information security risks of the organisation. It mainly consists of determining the context of the organisation (business needs, scope of the ISMS), ensuring strong security leadership (top management commitment, drafting of policy and defining precise roles and responsibilities) and providing strong security support through resources and competence, awareness, communication and document management.
  • ISO 27002 constitutes a code of practice for information security controls by providing guidelines for organisational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organisation's information security risk environment.
  • ISO/IEC 27018 establishes a code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors by augmenting the above-mentioned ISO 27002 controls, with specific items for cloud privacy, and provides completely new security controls for personal data.

The two CNIL guidelines concerning security of personal data are widely applied, especially since the GDPR came into force.

The PSSI Guide elaborated by the ANSSI constitutes one of the main frameworks for the implementation of an information system security policy.

The ISO 27001 and 27002 standards are also commonly applied to ensure a standard level of network and information systems security.

Written Information Security Plans or Programmes

The objective of the PSSI Guide is to provide support to information systems security managers in developing an information systems security policy within their organisation. It focuses on 16 domains of cybersecurity, in particular information systems security risks management, insurance and certification, incident management or business continuity planning.

Incident Response Plans

ANSSI and the Association for Management of Risks and Insurance of Companies (AMRAE) provide a framework to offer executives and risk managers a step-by-step approach to building a digital risk management policy within their organisation. The 15 steps are organised in three main categories: understanding the digital risk and organising accordingly, building a security base, and managing the digital risk and enhancing the cybersecurity policy.

Appointment of Chief Information Security Officer (or Equivalent)

The ANSSI provides guidelines concerning the chief information security officer (RSSI) in its Information Hygiene Guide (Fiche 39). This RSSI must be known to all users and will be the first contact for all matters relating to the security of information systems, especially the definition and enforcement of the rules to be applied according to the context and the centralisation and processing of security incidents observed or reported by users.

Involvement of Board of Directors (or Equivalent)

The PSSI Guide provides guidelines on the entities responsible for the application of the PSSI. A senior security officer can receive a delegation from the board of directors to take all necessary steps to design and implement security adapted to the needs and objectives of the company and to ensure compliance. He or she is assisted in this mission by a Security Committee. The board of directors determines, on the proposal of the senior security officer, the information system security guidelines, in line with the objectives of the company and the various policies implemented. The board of directors can be the validation body of the PSSI. The senior security officer participates in the deliberations of the board of directors, acting as an advisor on any security-related matters such as the definition of objectives and the allocation of resources and personnel. The Security Committee, chaired by the senior security officer, brings together security across the various functions of the company. It ensures the co-ordination of the implementation of the PSSI: it specifically verifies the consistency of the security rules and arbitrates conflicts.

Conducting Internal Risk Assessments, Vulnerability Scanning, Penetration Tests, etc

ANSSI and AMRAE provide a framework to offer executives and risk managers a step-by-step approach to building a digital risk management policy within their organisation. The key elements are to identify critical cyber-attack scenarios, to quantify the impact of these scenarios (financial, legal or reputational), to define a strong digital security strategy and to contract strong and adapted insurance policies.

Multi-factor authentication

The ANSSI issued guidance on the secure administration of information systems. For administrative actions, the ANSSI recommends using authentication with at least two factors. In any case, the use of multi-factor authentication is considered a priority by the ANSSI. The use of electronic certificates as a means of authentication is also recommended. These certificates should be obtained from a digital certificate service operator (PSCE) qualified by the ANSSI, or the organisation should deploy a key management infrastructure that complies with the requirements of the RGS governing this area.

Anti-phishing measures

In 2016, the ANSSI issued a few recommendations to counter phishing, which include the following advice:

  • never click on a suspicious link or attachment;
  • never respond to a suspicious email – if in doubt, contact the sender through another channel;
  • have a unique password for each application;
  • check the security settings of the email account; and
  • enable two-factor authentication.

Ransomware

In the Information Hygiene Guide, the ANSSI recommends regular back-up of the data vital to the proper functioning of the entity held by the users' workstations and servers. This data should be hosted on disconnected equipment, and its restoration must be checked periodically. Further, in February 2020, the ANSSI released a paper regarding the threat status of ransomware.

Threat intelligence

The OpenCTI (Open Cyber Threat Intelligence) project, developed by ANSSI in partnership with the EU Computer Emergency Response Team (CERT-EU), is a tool for managing and sharing knowledge in the field of cyber-threat analysis. Initially designed to structure the ANSSI's information on computer threats, the platform also facilitates interactions between ANSSI and its partners. The tool, which is entirely free, is available for use by the "threat intelligence" stakeholders. The application will enable them to store, organise, visualise and share their own knowledge in this field.

Insider Threat Programmes

The ANSSI recommends that no user of the information system, whatever his or her hierarchical position and attributions, should have administrative privileges on his or her workstation. This measure is intended to limit the consequences of the accidental execution of malicious code.

Vendor and Service Provider Due Diligence, Oversight and Monitoring

The French Data Protection Act and the GDPR provides that the data controller can conduct audits and inspections of its data processor.

The ANSSI provides guidelines on managing outsourcing risk, which contain “security clauses” allowing the customer to require the subcontractor to undergo security audits or to report to a monitoring panel. That panel co-ordinates and manages the implementation and evolution of the security component of the service – ie, compliance with the schedule, conformity of services, compliance with the obligation to collaborate, validation of upgrades that improve security and even data protection matters.

For more details on vendor due diligence, please see 9.1 Processes and Issues.

Use of Cloud, Outsourcing, Offshoring

The ANSSI has published a baseline named SecNumCloud for cloud computing service providers. Compliance with these guidelines is required in order to be granted the qualification of trusted provider for cloud services.

Training

The ANSSI provides guidelines concerning the chief information security officer (RSSI) in its IT Hygiene Guide (Fiche 1). In order to remain up to date with the state of the art in information systems security, operational teams must follow training courses – on taking up their position and then at regular intervals – in particular on the legislation in force, the main risks and threats, authentication and access control, network partitioning and logging.

The ENISA provides practical advice and solutions to the public and private sectors of the member states and the EU institutions. For more details, please refer to 2.3 Overarching Cybersecurity Agency.

Concerning personal data, the EDPB can provide guidelines on cybersecurity. On 13 November 2019, the Board adopted Guidelines 4/2019 regarding data protection by design and default, which contain cybersecurity measures, notably the implementation of an information security management system and access management or risk assessments.

GDPR requirements with respect to the security of the processing of personal data directly apply in France. GDPR requires that controllers and/or processors implement appropriate technical and organisational measures when processing personal data, including pseudonymisation, encryption, ongoing confidentiality, integrity, availability, resilience and ability to restore mechanisms.

The CNIL also published two guidelines in 2018 on personal data security which provide useful advice on security compliance with the GDPR.

Under the French Data Protection Act, a personal data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. In accordance with the GDPR, the data controller must notify the data breach to the CNIL within 72 hours after having become aware of it, when it can result in a risk to the rights and freedoms of natural persons. The data controller must also notify the data breach to data subjects without undue delay if the data breach is likely to result in high risks to the rights and freedoms of natural persons.

In addition, more details on data protection requirements are provided in Chambers Global Practice Guide 2020: Data Protection & Privacy – France.

Please refer to 3.1 De Jure or De Facto Standards.

Pursuant to Article R 1332-41 et seq of the Defence Code, each OVI is required to:

  • compile, keep up to date and communicate to the ANSSI the list of the information systems of vital importance (covered by national defence secrecy);
  • implement systems to detect events that may affect the security of their vital information systems;
  • communicate to the ANSSI information relating to incidents affecting the security or functioning of their vital information systems and respond to potential follow-up requests;
  • co-operate with the ANSSI for audits and provide all necessary information.

Operators of essential services are defined as public or private operators offering services which are essential to the functioning of society or the economy and whose continuity could be seriously impacted by incidents affecting the networks and information systems necessary for the provision of those services. The OES are subject to specific security requirements, regarding:

  • the governance of network and information system security (development and implementation of a security policy and certification);
  • the protection of networks and information systems (architecture and administration of networks’ security and access control);
  • the defence of networks and information systems (detection and management of security incidents); and
  • resilience of activities (crisis management in the event of security incidents with a major impact on essential services).

The OES must declare, without delay, to the ANSSI any incidents affecting the networks and information systems necessary for the provision of essential services, when these incidents have or are likely to have a significant impact on the continuity of these services, taking into account the number of users and the geographical area affected as well as the duration of the incident. Security audits can also be carried out by the ANSSI or by a qualified external auditor.

There is no specific legal requirement on distributed denial of service (DDoS) attacks. However, in 2015 the ANSSI issued guidelines on dealing with DDoS attacks, which advise victims of such attacks to implement content delivery networks (CDN) and to maintain appropriate contacts with transit operators in order to react effectively.

Digital service providers with more than 50 employees and an annual turnover of more than EUR50 million are subject to specific cybersecurity requirements. They must designate a representative on the national territory, who fulfils the security obligations on behalf of DSPs and constitutes a point of contact with the ANSSI. DSPs must comply with specific information systems security requirements in accordance with Commission Implementing Regulation (EU) 2018/151 of 30 January 2018. These security obligations deal with the logical and physical security of information systems and facilities, incident management, business continuity management, monitoring, auditing and control and compliance with international standards. DSPs must declare to the ANSSI any incident having a significant impact on the provision of their services.

Under the French Public Health Code, health data processed in the context of healthcare services can only be hosted by service providers that have been certified, on the basis of the ASIP Santé certification referential, by a certifying body authorised by COFRAC or any other equivalent European accreditation body. Pursuant to EU Regulation 2017/745, medical devices are also subject to cybersecurity requirements when they include software components.

The cyber stress-test framework issued by the European Central Bank (ECB) on 2 May 2018 provides key guidelines and regulatory tools used by supervisory authorities to assess the protection, detection and response capabilities against potential cyber-attacks of financial actors, including (but not limited to) payment systems, central securities depositories, central counterparty clearing houses, trade repositories, credit rating agencies, stock exchanges, securities settlement platforms, banks, payment institutions, insurance companies and asset management companies.

OVI must report any security incident or breach to the ANSSI. A security incident or breach is defined, under Article L 1332-6-2 of the Defence Code, as “any incident affecting the operation or security of the information systems”.

The OES must declare, without delay to the ANSSI, incidents affecting the networks and information systems necessary for the provision of essential services, when these incidents have or are likely to have a significant impact on the continuity of these services, taking into account the number of users and the geographical area affected as well as the duration of the incident.

DSPs must report to the ANSSI any incident having a significant impact on the provision of their services. More information on thresholds and triggers is provided in 5.7 Reporting Triggers and 5.8 “Risk of Harm” Thresholds or Standards.

Electronic communications services providers must notify personal data breach to the CNIL without undue delay. When the personal data breach is likely to harm the personal data or privacy of a subscriber or another natural person, the electronic communications services providers must notify the concerned subscriber or natural person without delay. Under the French Data Protection Act, a personal data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data being processed in the context of the provision to the public of electronic communications services”.

Under data protection laws, personal data breaches must also be notified within 72 hours after becoming aware of the incident. More details on personal data breach notification are provided in 4.1 Personal Data and in Chambers Global Practice Guides: Data Protection & Privacy 2020 – France. Healthcare institutions and organisations and services engaged in preventive, diagnostic or care activities shall report serious information systems security incidents to the regional health agency without undue delay. Decree No 2016-1214 of 12 September 2016 lists serious information systems security incidents as: (i) incidents with potential or proven consequences for the safety of care; (ii) incidents with consequences for the confidentiality or integrity of health data; and (iii) incidents affecting the normal functioning of the institution, organisation or service.

PSPs (credit institutions, payment institutions and electronic money institutions) must notify the Prudential Supervisory and Resolution Authority (ACPR) and the Bank of France of major operational and security incidents related to the payment services they provide that meet the criteria set out in the European Banking Authority's guidelines. Payment service users may also be notified where the incident has or could have an impact on their financial interests.

Asset management companies must notify the AMF without delay of any incident the occurrence of which is likely to result in the asset management company incurring a loss or gain of a gross amount exceeding 5% of its regulatory capital. More information on thresholds and triggers is provided in 5.7 Reporting Triggers and 5.8 “Risk of Harm” Thresholds or Standards.

Cybersecurity requirements with regard to personal data protection only deal with personal data within the meaning of the GDPR.

Cybersecurity requirements with respect to hosting of health data apply to health data processed in the context of healthcare services.

Cybersecurity requirements may apply to classified information pursuant to Ministerial Order of 30 November 2011.

Otherwise, there are no distinctions based on the data elements regarding other cybersecurity requirements. Cybersecurity requirements deal with the potential consequences of cyber-attacks, not data elements by themselves.

As a general rule, the more sensitive the data affected, the more important the notification and remediation obligations are.

For OVI, the requirements cover any information system operated by public or private entities for which an attack on its security or functioning could significantly reduce the war or economic potential, security or survival capacity of the nation, or could present a serious danger to the population (Article 1332-6-1, Defence Code).

For OES, the requirements cover the networks and information systems necessary for the provision of services essential to the functioning of society or economy.

For DSPs, the requirements cover any network and information system necessary for the provision of their services in the European Union.

For certified hosting providers of health data, the requirements cover the hosting information systems.

For electronic communications services providers, the requirements cover the networks and information systems necessary for the provision of electronic communications services.

For PSPs and other financial actors, the requirements cover the information systems necessary for the provision of their services.

Pursuant to EU Regulation 2017/745, medical devices are subject to cybersecurity requirements when they include software components. The National Authority for Medicine and Health Products Safety provides guidelines on the cybersecurity of medical devices, which follow the ISO 14971 standard and focus on patients' data, encryption keys, medical devices’ firmware and event loggers.

Personal data breach is detailed in Chambers Global Practice Guide 2020: Data Protection & Privacy – France.

There is no legal requirement concerning industrial control systems. However, the ANSSI has published multiple guidelines with respect to cybersecurity of industrial systems, security of SCADA application server software and cybersecurity requirements applicable to providers of industrial systems integration and maintenance services. See the following:

  • the ANSSI guide on cybersecurity of industrial information systems;
  • the ANSSI guide on the protection profile of a SCADA application server software, published in 2015; and
  • the 2016 ANSSI guide on cybersecurity requirements for industrial systems integration and maintenance providers.

There is no legal requirement concerning security for IoT. ENISA published good practices with respect to security of IoT in the context of smart manufacturing. However, some specific requirements apply where personal data is involved.

In accordance with the GDPR, the controller must notify the data breach to the CNIL, when it can result in a risk to the rights and freedoms of natural persons, within 72 hours after having become aware of it. The controller must notify the data breach to data subjects without undue delay if the data breach is likely to result in high risks to the rights and freedoms of natural persons.

DSPs must report to the ANSSI any incident having a significant impact on the provision of their services as soon as possible. To determine this threshold, DSPs must take into account the number of affected natural and legal persons with whom a contract for the provision of services has been concluded, the number of affected users who have used the service based on previous traffic data, the duration of the incident or the severity of service disruption.

For OVIs, any incident affecting the security or functioning of their vital information systems triggers the obligation to report the incident to the ANSSI. The ANSSI can transmit to the co-ordinating ministers of the vital activity sectors concerned, when its analysis of the incident justifies it, a summary of the information collected relating to the incident (R 1332-41-10, Defence Code).

Electronic communications services providers must notify personal data breach to the CNIL without undue delay. When the personal data breach is likely to harm the personal data or privacy of a subscriber or another natural person, the electronic communications services providers must notify the concerned subscriber or natural person without delay. Electronic communications operators can also be required by the ANSSI to alert the users or owners of vulnerable, threatened or attacked information systems (L 33-14, Postal and Electronic Communications Code). The ANSSI may also request the communication of users' personal data in order to alert them directly (L 2321-3, Defence Code).

Healthcare institutions and organisations and services engaged in preventive, diagnostic or care activities shall report serious information systems security incidents to the regional health agency without delay. The regional health agency transmits information of significant security incidents to ASIP Santé without undue delay.

The criteria triggering a report to the ACPR and the Bank of France for PSPs are set out in guidelines EBA/GL/2017/10, published by the EBA in 2017. The assessment is based on the transactions affected, the payment service users (PSUs) affected, service downtime, economic impact, a high level of internal escalation, other PSPs or relevant infrastructures potentially affected and reputational impact.

Asset management companies must notify the AMF without delay of any incident the occurrence of which is likely to result in the asset management company incurring a loss or gain, a cost related to its civil or criminal liability, an administrative penalty or damage to reputation of a gross amount exceeding 5% of its regulatory capital. Under the same conditions, they shall inform the AMF of any event that prevents the asset management company from meeting the conditions for its authorisation (Article 318-6, AMF regulation).

Notification requirements apply based on different thresholds, depending on the applicable regulation, with the exception of OVI.

The requirement to notify a personal data breach to the CNIL applies when the breach is likely to result in a risk to the rights and freedoms of data subjects; the breach must also be notified to the data subjects themselves when it is likely to result in a high risk to their rights and freedoms.

OES must report to the ANSSI any incident having a significant impact on the continuity of their services. To determine this threshold, OES must take into account the number of affected users, the geographical area affected and the duration of the incident. After consultation with the concerned OES, the ANSSI can inform the public of the security incident when this information is necessary to prevent or treat the incident. If the incident has a significant impact on the continuity of essential services provided by the OES in other EU member states, the ANSSI informs the local competent authorities.

DSPs must report to the ANSSI any incident having a significant impact on the provision of their services. To determine this threshold, DSPs must take into account the number of affected users, the duration of the incident, its geographical spread, the severity of the service disruption and the magnitude of the incident's impact on the functioning of society and the economy, in accordance with Law No 2018-133 and Commission Implementing Regulation (EU) 2018/151 of 30 January 2018. After consultation with the concerned DSP, the ANSSI can inform the public of the security incident when this information is necessary to prevent or treat the incident or when it is justified by a general interest motive. If the incident has a significant impact on services provided in other EU member states, the ANSSI informs the local competent authorities, which can make the incident public.

With respect to electronic communications services providers, when the data breach is likely to harm the personal data or privacy of a subscriber or another natural person, the electronic communications services providers must notify the concerned subscriber or natural person without delay.

With respect to the notification requirements of healthcare institutions, organisations and services engaged in preventive, diagnostic or care activities, Decree No 2016-1214 of 12 September 2016 lists serious information systems security incidents as incidents: (i) with potential or proven consequences for the safety of care; (ii) with consequences for the confidentiality or integrity of health data; and (iii) affecting the normal functioning of the institution, organisation or service. Significant information systems security incidents are incidents having a potential or proven impact on the departmental, regional or national organisation of the healthcare system, and incidents likely to affect other institutions, organisations or services.

In the financial sector, the EBA guidelines provide two levels of risk regarding the criteria triggering notification to the ACPR and the Bank of France: a “lower impact level” and a “higher impact level”. Risk of harm is acknowledged when either one or more criteria of the higher impact level or three or more criteria of the lower impact level are met.

Asset management companies must notify the AMF without delay of any incident the occurrence of which is likely to result in the asset management company incurring a loss or gain, a cost related to its civil or criminal liability, an administrative penalty or damage to reputation (resulting from non-compliance with Articles 57 to 59 of Commission Delegated Regulation (EU) No 231/2013 of 19 December 2012, which includes cybersecurity requirements) of a gross amount exceeding 5% of its regulatory capital. Under the same conditions, they shall inform the AMF of any event that prevents the asset management company from meeting the conditions for its authorisation (Article 318-6, AMF regulation).

Any person having knowledge of the secret convention for deciphering a means of cryptology likely to have been used to prepare, facilitate or commit a crime or offence, and who refuses to hand it over to the judicial authorities, is liable to three years' imprisonment and a fine of EUR270,000 (Article 434-15-2, Criminal Code).

The LCEN provides for a general obligation of prior declaration to the ANSSI for the supply, transfer from an EU member state or importation of a means of cryptology not performing exclusively authentication or integrity control functions. The transfer to an EU member state and the export of a means of cryptology not exclusively performing authentication or integrity control functions shall be subject to authorisation by the ANSSI.

In the event of a computer attack targeting critical and strategic information systems, the ANSSI can carry out the technical operations necessary to characterise the attack and neutralise its effects by accessing the information systems from which the attack originates (Article L 2321-2, Defence Code). The ANSSI can also deploy technical markers on electronic communications operators’ networks and on hosting providers’ networks to detect events likely to affect the security of the information systems of public authorities, OVI and OES (Article L 2321-2-1, Defence Code). Telecommunications operators can also be required to disclose personal data so that technical data can be analysed. The ARCEP supervises compliance with the last two procedures.

Intelligence authorities have broad powers in terms of cybersecurity measures, subject to appropriate procedural safeguards. After prior authorisation issued by the Prime Minister, following the non-binding opinion of the National Commission for the Control of Intelligence Techniques, intelligence agencies can:

  • request connection data from telecommunications operators, internet service providers and hosting providers, and collect connection data in real time on the networks of telecommunications operators and hosting providers;
  • order telecommunications operators, internet service providers and hosting providers to implement automated processing on their network in order to detect terrorist threats (ie, "deep packet inspection");
  • use a technical device in order to obtain the technical connection data of terminal equipment;
  • intercept correspondence transmitted via electronic means;
  • access computer data stored on a computer system or displayed on a computer screen; and
  • intercept communications transmitted through electronic communications networks and received or sent from abroad.

General recommendations concerning cybersecurity are issued by the ANSSI. However, whenever personal data is involved, it will trigger the intervention of the CNIL and the application of the provisions set out in the French Data Protection Act and the GDPR.

For the purposes of information systems security, a person acting in good faith can transmit to the ANSSI alone (and not to the public prosecutor as required by the Criminal Procedure Code) information on the existence of a vulnerability concerning the security of an automated data processing system. The authority must preserve the confidentiality of the identity of the person making the transmission and of the conditions under which it was made (Article L 2321-4, Defence Code).

The ANSSI and the CNIL can require sharing of cybersecurity information as described above.

See 7.1 Required or Authorised Sharing of Cybersecurity Information.

As previously mentioned, in decision No SAN-2019-005 dated 28 May 2019, the CNIL pronounced a penalty of EUR400,000 against a housing management service company for having inadequately protected the personal data of its web users and implemented inappropriate data techniques.

The CNIL has also pronounced a sanction of EUR180,000 on 18 July 2019 against an insurance company for having insufficiently protected the personal data of its website users.

See 1.7 Key Developments and 8.1 Regulatory Enforcement or Litigation.

The first layer of legal standards is set out in the GDPR and the French Data Protection Act, which require that appropriate technical and organisational measures are implemented when processing personal data, including pseudonymisation, encryption, ongoing confidentiality, integrity, availability, resilience, the ability to restore data and a process for regularly testing the security of processing.

Specific security standards are applicable for information systems operated by OVI, OES and DSP and for information systems in specific sectors (eg, health, finance).

The ANSSI has published a guide for the development of an information system security policy (PSSI Guide). The objective of the PSSI Guide is to support information systems security managers in developing an IT security policy within their organisation. It covers 16 domains of cybersecurity, in particular information systems security risk management, insurance and certification, incident management and business continuity planning.

The General Security Repository (RGS) provided by the ANSSI is specifically required for information systems implemented by administrative authorities in their relations with users (ie, teleservices such as the payment of fines to the administration). Indirectly, the RGS is intended for all service providers who assist administrative authorities in securing the electronic exchanges they implement, as well as for manufacturers whose business is to offer security products.

Any information system handling classified information must be subject to certification that the information system is qualified to handle classified information in accordance with the security objectives sought, and that the certification authority accepts the residual security risks. In addition, the security features implemented for these systems must be approved by the ANSSI (IGI-1300).

All the information systems of the state's administrations are subject to the provisions set out in the state’s Security of Information Systems Policy, especially the need to use products and services qualified by the ANSSI as well as hosting their most sensitive data on the national territory.

In the health sector, the French Digital Health Agency has developed, along with the Delegation for the Health Information Systems Strategy, a general policy for the security of health information systems (PGSSI-S), which proposes guidelines and a common framework for the level of security of the information systems.

Before the GDPR came into force, the French Data Protection Act provided for a controller-oriented liability. Thus, the controller was sanctioned and had to bring a recourse action against the data processor that was at fault.

In a decision dated 30 December 2015, the French Supreme Administrative Court (Conseil d'État) confirmed the CNIL's sanction against a major telecom operator for failing to ensure that its processors implemented the security measures needed to protect the personal data entrusted to them. The fact that the company had included a security obligation in the agreement did not exempt it from taking positive measures to ensure personal data security.

Since the entry into force of the GDPR, the direct liability of processors can be sought.

A class action may be brought if at least two consumers consider that they have suffered loss or damage as a result of the same failure by a professional. The action must be brought by an approved association and the suit can only be filed to compensate for material damage, exclusively for consumer or competition disputes.

Specific class action and representative action are also permitted under the provisions of the French Data Protection Act when personal data is involved in accordance with Law No 2016-1547 of 18 November 2016.

Due to the amount of potential administrative fines, reputational and business risks, cybersecurity has become a key element of due diligence in corporate transactions. Conducting due diligence requires analysis of applicable regulatory requirements with respect to cybersecurity, analysis of cybersecurity practices and questions to management, if applicable. Share purchase agreements may include warranties on cybersecurity policies and practices, if need be.

There is no regulation requiring disclosure of an entity's cybersecurity risk profile or incident history. However, this question is usually raised by M&A practitioners in the context of audits.

All significant issues have already been addressed.

Hogan Lovells (Paris) LLP

17, avenue Matignon
CS 30027
75378 Paris cedex 08
France

+33 1 5367 4747

+33 1 5367 4748

www.hoganlovells.com

Trends and Developments



Security of 5G Equipment

On 1 August 2019, France adopted Act No 2019-810 aiming to preserve defence and national security interests in the context of 5G mobile radio networks operation. This act sets up an authorisation regime prior to the operation of radio devices on French territory. Authorisations will be granted by the Prime Minister and, more specifically, by the National Agency for Information Systems Security (ANSSI) after a non-binding opinion of the Regulatory Authority for Electronic Communications, Posts and Press Distribution (ARCEP).

The authorisation regime applies to all operators, whatever their nationalities, planning to operate certain devices on French territory, which, by virtue of their functions, present a risk to the continuity, integrity, security, or availability of the network, or the confidentiality of communications. The devices falling under the scope of this authorisation regime are any hardware or software enabling the connection of end-users' terminals to the 5G mobile radio network and future generations' networks. The Ministerial Order of 6 December 2019, setting out a comprehensive list of devices subject to the authorisation regime, indicates that the concerned devices are equipment used to ensure communication within the network (eg, new radio base station) and equipment used to ensure the security, integrity and availability of the network (eg, security edge protection proxy).

The regime covers devices operated, directly or indirectly, by operators of vital importance designated as such by virtue of their activity as operators of an electronic communications network open to the public. Operators of vital importance are public or private operators that run establishments, or use facilities and works, whose unavailability could significantly diminish the nation's military or economic potential, security or capacity for survival.

Authorisation is granted for a maximum duration of eight years. The terms and conditions of this authorisation regime are set out by Decree No 2019-1300 of 6 December 2019.

Operating such devices without the required authorisation is punishable by five years' imprisonment and a EUR300,000 fine. The ANSSI may refuse an authorisation where there is a serious risk of non-compliance with the obligations relating to the security and integrity of the network or services, or to the confidentiality of communications. In assessing that risk, the ANSSI takes into account whether the operator or its subcontractors are under the control of, or subject to interference from, a non-EU state.

This regime echoes the EU toolbox on the cybersecurity of 5G networks published by the European Commission on 29 January 2020, and precedes the French procedure for the allocation of 5G spectrum in the 3.4-3.8 GHz band, scheduled for April 2020.

French Transposition of the European Electronic Communications Code

On 11 December 2018, the European Union adopted EU Directive 2018/1972 establishing the European Electronic Communications Code (EECC). The EECC must be transposed in each EU member state before 21 December 2020.

The EECC materially extends the scope of EU electronic communications regulation beyond traditional telecom operators to over-the-top (OTT) providers. OTT providers are pure players that use the internet to offer communications services (voice, messaging, video, text, images, group communications, etc) which partly substitute for the services of telecom operators.

Regarded as electronic communications service providers, OTT providers will have to comply with certain obligations imposed on traditional telecom operators, in particular cybersecurity requirements. The EECC provides that providers of publicly available electronic communications services must "take appropriate and proportionate technical and organisational measures to appropriately manage the risks posed to the security of networks and services. Having regard to the state of the art, those measures shall ensure a level of security appropriate to the risk presented. In particular, measures, including encryption where appropriate, shall be taken to prevent and minimise the impact of security incidents on users and on other networks and services".

Recital 95 of the EECC specifies that OTT providers not relying on numbering resources are subject to appropriate security obligations based on their specific nature and economic importance. However, because such providers do not exercise actual control over the transmission of signals over networks, the same recital states that their security obligations should be lighter where justified by an assessment of the security risks involved.

As publicly available electronic communications service providers, OTT providers may also be required to notify the competent authorities, without undue delay, of any security incident having a significant impact on the operation of networks or services. Significance is assessed on the basis of the number of users affected, the duration of the incident, its geographical spread, the extent to which the functioning of the network or service is affected, and the extent of the impact on economic and societal activities.

The French government launched the transposition of the EECC with a draft ordinance open to public consultation until 16 March 2020. In that draft, the government chose, in line with Recital 95 of the EECC, not to subject OTT providers that do not rely on numbering resources to the security and notification requirements. Under the draft ordinance, such OTT providers are instead subject to confidentiality and neutrality obligations with respect to the messages transmitted and the information related to communications, and to other requirements imposed for national defence, public security and public order.

In this respect, they may be required to assist law enforcement and intelligence agencies in implementing interceptions justified on public security grounds, and to comply with the ANSSI's instructions in the event of a threat to, or breach of, the information systems of operators of vital importance, establishments classified for environmental protection, and nuclear facilities designated by the administrative authorities.

Cybersecurity Obligations on Approved Digital Asset Service Providers

On 22 May 2019, France adopted Act No 2019-486 on the growth and transformation of companies (Pacte Act). The Pacte Act created a specific legal regime for providers of services relating to digital assets (eg, tokens, cryptocurrencies). Such services include holding digital assets, or the means of access to digital assets, on behalf of third parties; buying or selling digital assets in exchange for legal tender; and exchanging digital assets for other digital assets.

The provision of certain digital asset services is subject to notification to the French Financial Markets Authority (AMF). The AMF can also grant a visa under conditions set out by Decree No 2019-1213 of 21 November 2019; applying for this visa is strictly voluntary. The visa regime for fundraising through the issuance of utility tokens is optional and is intended to be attractive to start-ups seeking investors through initial coin offerings. Only public offerings of so-called "utility tokens", which are not considered financial instruments, are eligible. The conditions for granting the visa include cybersecurity requirements, which the AMF may audit with the opinion of the ANSSI.

In December 2019, the AMF granted its first visa to a cryptocurrency fundraising platform called French-ICO.

Decree No 2019-1213 of 21 November 2019 provides that approved digital asset service providers may be required to have their products evaluated and certified, or to undergo an audit by a trust service provider.

Product evaluation and certification and security audits are carried out against a reference framework of requirements (référentiel) adopted on 19 December 2019. This framework sets out the cybersecurity requirements applicable to approved digital asset service providers, covering in particular a cybersecurity programme, operational measures, the security of electronic wallets, the security of the shared electronic recording device (the distributed ledger) and security audits.

These requirements respond to the cybersecurity concerns raised by digital assets, as illustrated by the Financial Stability Board paper Crypto-asset Markets: Potential Channels for Future Financial Stability Implications, dated 10 October 2018.

Backdoor Access to End-to-End Encryption in Communication Services for French Law Enforcement

French law provides that any person having knowledge of the secret decryption key (the "secret convention") of a means of cryptology likely to have been used to prepare, facilitate or commit a crime or offence must hand it over to the judicial authorities on request. Breach of this obligation is punishable by three years' imprisonment and a fine of EUR270,000.

On 30 March 2018, the French Constitutional Council confirmed that this obligation extends to the unlock code of a smartphone when it is requested from the phone's owner. The request is made in the course of judicial proceedings, and it must be established that the person is actually capable of decrypting the means of cryptology, in other words that the person knows the decryption key.

French intelligence services may also, in certain circumstances, require encryption service providers to hand over, within 72 hours, the decryption keys for their encryption services. Such a request requires the prior authorisation of the Prime Minister, who must first seek a non-binding opinion from the National Commission for the Control of Intelligence Techniques (CNCTR). To the best of our knowledge, although the opinion is non-binding, the Prime Minister has never granted such an authorisation after an unfavourable opinion from the CNCTR.

In practice, with end-to-end encryption the service provider does not hold the decryption key. Only the sender and the recipient of a message can decrypt it; neither the service provider nor any third party can, so there is no key for the provider to hand over.
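The property described above, that the provider cannot hand over a key it never holds, can be shown with a small end-to-end encrypted exchange. The following Go program is an added example, not code from the original page, from any messaging provider or from the ANSSI. It assumes X25519 key agreement and AES-256-GCM, uses SHA-256 of the shared secret in place of a proper HKDF step, and invents the names alice, bob, Relay and ProviderDecrypt. The relay (the encryption service provider) only ever sees public keys and ciphertext; ProviderDecrypt shows that the only decryption attempt it can make is rejected by the authentication tag.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Party is a messaging endpoint; its X25519 private key never leaves it.
type Party struct{ priv *ecdh.PrivateKey }

// NewParty generates a key pair (panics only if the system RNG fails).
func NewParty() *Party {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Party{priv: priv}
}

func (p *Party) PublicKey() *ecdh.PublicKey { return p.priv.PublicKey() }

// aeadFromKey wraps a 256-bit key in AES-GCM; with a fixed 32-byte key
// neither constructor can fail, so their errors are ignored.
func aeadFromKey(key [32]byte) cipher.AEAD {
	block, _ := aes.NewCipher(key[:])
	aead, _ := cipher.NewGCM(block)
	return aead
}

// aeadFor keys the session cipher from the X25519 shared secret with peer.
// SHA-256 of the raw secret stands in for HKDF (an assumption of this example).
func (p *Party) aeadFor(peer *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := p.priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	return aeadFromKey(sha256.Sum256(shared)), nil
}

// Envelope is all the provider ever sees: sender public key, nonce, ciphertext.
type Envelope struct{ From, Nonce, Ciphertext []byte }

func (p *Party) Seal(to *ecdh.PublicKey, plaintext []byte) (Envelope, error) {
	aead, err := p.aeadFor(to)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	from := p.PublicKey().Bytes() // authenticated as associated data
	return Envelope{from, nonce, aead.Seal(nil, nonce, plaintext, from)}, nil
}

func (p *Party) Open(env Envelope) ([]byte, error) {
	from, err := ecdh.X25519().NewPublicKey(env.From)
	if err != nil {
		return nil, err
	}
	aead, err := p.aeadFor(from)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, env.From)
}

// Relay is the provider: it holds public keys and envelopes, never a private key.
type Relay struct{ Directory map[string][]byte }

// ProviderDecrypt is what a key-disclosure demand to the provider amounts to:
// it has only public keys to derive a key from, so the GCM tag rejects the attempt.
func (r *Relay) ProviderDecrypt(to string, env Envelope) ([]byte, error) {
	aead := aeadFromKey(sha256.Sum256(append(r.Directory[to], env.From...)))
	return aead.Open(nil, env.Nonce, env.Ciphertext, env.From)
}

// Exchange sends msg from alice to bob via the relay and reports what bob
// recovers and whether the relay could read the copy it holds.
func Exchange(msg string) (recovered string, relayCanRead bool, err error) {
	alice, bob := NewParty(), NewParty()
	relay := &Relay{Directory: map[string][]byte{"alice": alice.PublicKey().Bytes(), "bob": bob.PublicKey().Bytes()}}
	env, err := alice.Seal(bob.PublicKey(), []byte(msg)) // this is all the relay carries
	if err != nil {
		return "", false, err
	}
	pt, err := bob.Open(env)
	if err != nil {
		return "", false, err
	}
	_, relayErr := relay.ProviderDecrypt("bob", env)
	return string(pt), relayErr == nil, nil
}

func main() {
	got, readable, err := Exchange("meet at 10")
	fmt.Printf("recipient read %q; relay could read it: %v; err: %v\n", got, readable, err)
}
```

The relay stores and forwards the envelope unchanged, and because the sender's public key is bound as associated data, any modification by the relay or a third party also fails authentication on the recipient's side. A "backdoor" in this design would mean the relay being given a copy of the session key or a private key, which is precisely the weakening the ANSSI warned about.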

Because of this, and given the spread of end-to-end encryption in communication services, the French government has pressed encryption service providers to give access to data protected by end-to-end encryption. The French Interior Ministry recently disclosed that negotiations were under way with encryption service providers to create and obtain backdoor access.

On this matter, the ANSSI stated in 2016 that backdoor access for law enforcement and intelligence agencies would have a "disastrous effect" and result in the "weakening of encryption mechanisms". Such access may also conflict with the new cybersecurity obligations the EECC imposes on OTT providers, which include encryption measures. In particular, Article 40 of the EECC imposes security obligations, including encryption, on OTT providers (whether or not they rely on numbering resources) offering services to the public. Recital 97 of the EECC recommends promoting end-to-end encryption, where appropriate, to safeguard the security of networks and services, without prejudice to member states' powers to protect their essential security interests and public security, and to permit the investigation, detection and prosecution of criminal offences.

Hogan Lovells (Paris) LLP

17, avenue Matignon
CS 30027
75378 Paris cedex 08
France

+33 1 5367 4747

+33 1 5367 4748

www.hoganlovells.com