Cybersecurity 2026

Last Updated March 17, 2026

France

Law and Practice

Freshfields operates a premier global data, privacy and cybersecurity practice, featuring a dedicated team of more than 150 specialist lawyers across strategic hubs in London, Paris, Germany, the United States and Asia. The firm offers comprehensive, multi-jurisdictional advice on a vast range of digital matters, spanning global data strategy, digital transformation, and complex cyber-regulatory frameworks. Its expertise integrates seamlessly with M&A, competition and intellectual property to address business-critical challenges. Freshfields manages high-stakes mandates including large-scale data investigations, cross-border litigation and incident response, notably in cases of complex cyber-attacks. Recent engagements include advising multinational leaders in the technology and financial sectors on global AI governance, international data flows and landmark regulatory disputes. By leveraging its vast international network, the firm provides a co-ordinated and immediate response to the evolving digital and security needs of clients across all major industrial sectors.

France’s national cybersecurity strategy aims to position the country as a leading cyber power in response to the evolving cyber‑threat landscape. In particular, the recently published national cybersecurity strategy for 2026–2030 develops a structured approach based on five pillars:

  • making France the largest pool of cyber talent in Europe by massively investing in early orientation, training and inclusion;
  • strengthening the nation’s cyber-resilience by raising the overall level of cybersecurity across the economy and society, enhancing collective crisis‑response capabilities and preparing the entire nation to withstand large‑scale cyber-attacks;
  • hindering the spread of cyber-threats by co-ordinating all available levers – judicial, technical, diplomatic, military and economic;
  • maintaining control over the security of digital foundations by maintaining and advancing mastery of critical cybersecurity technologies; and
  • supporting the security and stability of cyberspace in Europe and internationally by promoting a free, open and rules‑based digital space.

France’s cybersecurity framework is built upon a combination of European Union (EU) regulations, national legislation and non-binding technical standards – notably as follows.

EU Regulations and Directives

  • Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the General Data Protection Regulation; GDPR).
  • Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification (the “Cybersecurity Act”; CSA).
  • Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (the “NIS Directive”), as repealed by Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union (the “NIS2 Directive”; NIS2).
  • Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 laying down rules for the application of Directive (EU) 2022/2555 as regards technical and methodological requirements of cybersecurity risk-management measures and further specification (the “NIS2 Implementing Regulation”).
  • Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (DORA).
  • Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements (the “Cyber-Resilience Act”; CRA).
  • Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities (the “CER Directive”).
  • Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (the “AI Act”).

French Legislation

  • Law No 78-17 of 6 January 1978 relating to information technology, files and civil liberties (the French Data Protection Act, known as the Loi Informatique et Libertés; FDPA).
  • Draft law on the resilience of critical infrastructure and the strengthening of cybersecurity (the “Draft Resilience Bill”); Text No 33 (2024–2025) submitted to the Senate on 15 October 2024; Text No 1112 adopted by the Senate under the fast-track procedure, and submitted to the National Assembly on 13 March 2025.
  • Law No 2004-575 of 21 June 2004 on confidence in the digital economy (LCEN).
  • Law No 2022-309 of 3 March 2022 for the implementation of a cybersecurity certification for digital platforms for the general public (the “Cyberscore Law”).
  • Law No 2023-703 of 1 August 2023, on military programming for the years 2024–2030 (the “Military Programming Law”; LPM).
  • Law No 2018-133 of 26 February 2018 (the “2018 Security Law”) on various provisions adapting to EU law in the field of security and its implementing acts, including:
    1. Decree No 2018-384 of 23 May 2018, on the security of networks and information systems of essential service operators and digital service providers;
    2. Order of 13 June 2018 establishing the procedures for the declarations provided for in Articles 8, 11 and 20 of Decree No 2018-384 of 23 May 2018 on the security of networks and information systems of operators of essential services and digital service providers; and
    3. Order of 14 September 2018, establishing the security rules and deadlines referred to in Article 10 of Decree No 2018-384 of 23 May 2018 on the security of networks and information systems of essential service operators and digital service providers.
  • Law No 2024-449 of 21 May 2024 on securing and regulating the digital space (the “SREN Law”).
  • The French Defence Code, Articles L. 1332-1 to L. 1332-7; Articles L. 2321-1 to L. 2323-6; Articles R. 2321-1 to R. 2323-12, Article R. 1332-1, Article R. 1332-4 and Articles R. 1332-41-1 to R. 1332-41-23.
  • The French Postal and Electronic Communications Code, Article L. 32-3, Article L. 33-1, Article L. 33-14; Article D. 98-5 Section III; Articles R. 9-12-1 to R. 9-12-3.
  • The French Criminal Code, Articles 323-1 to 323-8; Articles 226-16 to 226-24.

Non-Binding Standards

To guide organisations in GDPR and data security compliance, the National Commission for Information Technology and Civil Liberties (CNIL) and the European Data Protection Board (EDPB) regularly publish practical guides and recommendations that set the standard for personal data security. The following are a few examples:

  • CNIL, Data security guide, 2024;
  • CNIL, Deliberation No 2021-122 of 14 October 2021, adopting a recommendation on logging;
  • CNIL, Developer’s GDPR Guide of 27 January 2020; and
  • EDPB, Guidelines 9/2022 on personal data breach notification under the GDPR of 28 March 2023.

The French cybersecurity agency (ANSSI) has also issued many technical recommendations that set out best practices for securing IT environments, including:

  • ANSSI, Securing multi-environment workstations (unclassified), 16 January 2026;
  • ANSSI, Managing the remediation of a cyber incident, 16 January 2024;
  • ANSSI, Recommendations on digital nomadism, 2023;
  • ANSSI, Security recommendations for the architecture of a logging system, 28 January 2022; and
  • ANSSI, Recommendations regarding multi-factor authentication and passwords, 8 October 2021.

ANSSI

France’s public cybersecurity landscape is orchestrated by ANSSI, which operates under the authority of the Secretary General for Defence and National Security (SGDSN). As the national cyber authority, ANSSI is responsible for proposing and implementing state cybersecurity policy, supervising regulated operators, and co-ordinating the operational response to cyber-threats. To deliver on these missions, its capabilities are structured in a tiered model.

National-level operations

Operating as an integral part of ANSSI, the national government Computer Emergency Response Team (CERT-FR) is the nation’s primary technical and operational division for cyber defence. It is primarily responsible for handling incidents affecting the most critical entities, such as State ministries and operators of vital importance (OIVs).

Regional support network

Complementing this central capability is a network of regional CSIRTs (CSIRT-Régions) and Cyber Resource Centres (CRCs), whose development is co-ordinated and supported by ANSSI as part of its national strategy. These regional bodies are not direct branches of ANSSI but are typically independent local structures designed to provide crucial “first-level” cybersecurity support. Their mission is to assist small and medium-sized enterprises (SMEs), local authorities and associations by offering free initial support in diagnosing incidents and by connecting them with nearby, trusted private-sector incident response providers.

CNIL

The CNIL is France’s national data protection authority. The CNIL’s mission consists of safeguarding individual rights while steering public and private organisations towards compliance, advising the government, and supporting innovation by anticipating the ethical implications of emerging technologies. To fulfil this role, it holds broad supervisory and enforcement powers, including conducting on‑site or online inspections, issuing injunctions and imposing substantial fines. The CNIL is one of the regulators empowered with the enforcement of the AI Act in France.

Section J3 of the Paris Criminal Prosecutor’s Office

Section J3 has national competence, alongside local criminal prosecutors, for the investigation and prosecution of all types of cyber offences. It works with specialised investigators, mainly from the Central Office for Combating Crime Linked to Information and Communication Technologies (OCLCTIC), the Paris Cybercrime Unit (BL2C), the Gendarmerie Command in Cyberspace (COMCyberGend) and the General Directorate for Internal Security (DGSI).

Arcep

The Electronic Communications, Postal and Print Media Distribution Regulatory Authority (Arcep) is France’s national regulator for electronic communications, postal services and print media distribution. It notably monitors the security obligations imposed on electronic communications operators. Such operators are legally required to ensure the continuity, availability and security of their networks under the European Electronic Communications Code (EECC) and the Postal and Electronic Communications Code. Arcep may initiate proceedings and, if necessary, impose sanctions on the operators concerned.

Arcom

The Regulatory Authority for Audiovisual and Digital Communication (Arcom) is the national authority responsible for regulating audiovisual media, digital platforms and online content in France. It notably works to protect freedom of speech in the public interest, while monitoring the security obligations imposed on online public communication service publishers and video-sharing platform service providers with regard to the online protection of minors. Arcom also holds extensive sanctioning powers, allowing it to impose measures such as suspending programmes or services, reducing or withdrawing broadcasting authorisations, and ordering the publication of corrective statements. Arcom is one of the regulators empowered with the enforcement of the AI Act in France.

DGCCRF

The General Directorate for Competition, Consumer Affairs and Fraud Control (DGCCRF), which is a department within the French Ministry of the Economy, is inter alia in charge of consumer protection. As such, it may be involved in privacy investigations, platform regulation, payment security and, generally, all fraud affecting consumers. The DGCCRF is one of the regulators empowered with the enforcement of the AI Act in France, and is the co-ordinator of all the regulators involved in that field in France.

Across critical sectors such as banking and health, cybersecurity oversight is ensured by dedicated national authorities such as the following.

ACPR

The French Prudential Supervision and Resolution Authority (ACPR), attached to the Banque de France, is the administrative authority responsible for supervising the banking and insurance sectors. It aims at ensuring financial stability, protecting customers, and combating money laundering and terrorist financing. As part of its oversight of banks and insurers, the ACPR monitors emerging risks, including cyber-risk. The ACPR conducts on‑site and off‑site inspections, applies a wide range of supervisory and sanctioning measures, and exercises resolution powers to safeguard financial stability. The ACPR is one of the regulators empowered with the enforcement of the AI Act in France.

AMF

The French Financial Markets Authority (AMF) is the independent public body responsible for regulating France’s financial markets. It supervises market participants, including asset management companies, investment firms and listed companies. Its primary missions are to ensure investor protection, promote orderly markets and provide information to the public.

With the implementation of DORA, the AMF’s remit has been explicitly extended to oversee the digital and cyber-resilience of the financial entities under its supervision.

ANS

The French Digital Health Agency (ANS), under the authority of the Ministry of Health, is responsible for strengthening the security of health information systems in France. It operates the CERT Santé, the dedicated Computer Emergency Response Team for the healthcare sector. Specifically, the CERT Santé supports healthcare and medico‑social organisations in responding to information‑system security incidents by providing prevention, alerts and essential cyber‑risk guidance. In addition, the ANS oversees compliance with key data-security requirements for healthcare providers, including monitoring adherence to the Health Data Hosting (HDS) certification scheme.

Essential and Important Entities

Legislative framework

The primary legislative framework governing cybersecurity for essential or critical entities in France is currently established by the 2018 Security Law, which transposes the original NIS Directive, alongside the specific LPM provisions codified in the French Defence Code.

The 2018 framework is now undergoing a comprehensive overhaul to transpose the NIS2 Directive. Indeed, the French government introduced the Draft Resilience Bill in late 2024, which will serve as the vehicle for implementing the NIS2 Directive into national law.

The legislative process at the French Parliament is still ongoing. Once enacted, this bill will repeal the 2018 framework and significantly broaden its scope.

Material scope: a two-tier system

The NIS Directive, as transposed by the 2018 Security Law, provides for a separate classification of “Operators of Essential Services” (OESs) and “Digital Service Providers” (DSPs).

OESs are entities designated by the State in traditional sectors (eg, energy, transport, banking) and subject to proactive, ex ante supervision. This stricter regime also applies to a few key digital infrastructure providers, namely Internet Exchange Points (IXPs), Domain Name System (DNS) providers, and Top-Level Domain (TLD) registries – a detail specified not in the 2018 Security Law itself but in its key implementing decree. In contrast, DSPs are an exhaustively defined category comprising only online marketplaces, online search engines and cloud computing services. These entities benefit from a much lighter, reactive ex post supervisory regime. Notably, this framework leaves significant gaps, as some providers in the digital supply chain – such as those qualified as managed service providers (MSPs) and managed security service providers (MSSPs) under the NIS2 Directive, as well as data centre service providers – are not explicitly covered at all.

The new NIS2 Directive framework fundamentally alters this landscape. All regulated organisations are now integrated into a two-tier system of “Essential Entities” (EEs) and “Important Entities” (IEs), which applies to a much larger number of critical and highly critical sectors.

EEs, operating in the “highly critical sectors” listed in Annex I of the NIS2 Directive, include “Digital Infrastructure”, which encompasses cloud computing and data centre providers alongside TLD registries and DNS providers. Furthermore, a new highly critical activity, information and communication technology (ICT) service management (business-to-business), has been created to directly bring MSPs and MSSPs into scope. EEs are subject to a robust, proactive supervisory regime.

IEs are entities operating in “other critical sectors” listed in Annex II of the NIS2 Directive. This second tier includes a diverse range of activities such as postal and courier services, waste management, food production and distribution, and the manufacturing of certain critical goods. It also covers other digital providers, namely online marketplaces, online search engines, and social networking service platforms. IEs are subject to a lighter, ex post supervisory regime.

Size thresholds and exemptions

The outgoing NIS1 framework operates on a dual system for determining its scope.

  • OESs are designated by the Prime Minister by order based on their criticality, irrespective of their size; there is no automatic exemption for smaller entities if they are deemed critical.
  • For DSPs, a size-cap rule is applied, but only as an exemption. The law explicitly excludes DSPs that are micro or small enterprises (employing fewer than 50 people and with a turnover/balance sheet below EUR10 million).

The upcoming NIS2 framework’s reliance on a size-cap rule marks a significant departure from the logic of the 2018 Security Law. In most cases, entities employing fewer than 50 people and whose annual turnover and/or annual balance sheet total does not exceed EUR10 million are exempt from the NIS2 Directive. However, some entities in various sectors fall under the NIS2 Directive regardless of their size – for instance:

  • if they provide public electronic communications networks (if they are at least medium-sized);
  • if they are qualified trust service providers;
  • if they provide domain name services; or
  • if they have been specifically designated by a member state due to their critical role.

National specificities of the Draft Resilience Bill compared with the NIS2 Directive

While the Draft Resilience Bill faithfully transposes the NIS2 Directive’s overall scope, its most significant departure lies in its treatment of public administration entities. The NIS2 Directive leaves the inclusion of regional and local bodies to a member state’s discretionary, risk-based assessment. Exercising that discretion, the Draft Resilience Bill places in the EE category regions, departments and municipalities with a population over 30,000, as well as major metropolitan and urban communities. Conversely, the IE category covers other local bodies, notably communities of municipalities (communautés de communes).

To ensure a clear separation of powers, the latest version of the Draft Resilience Bill establishes a new and independent sanctions committee. Instituted under the Prime Minister, this committee will have the sole authority to impose penalties, upon referral from ANSSI after an investigation has revealed a persistent infringement.

Operators of Vital Importance (OIVs)

The notion of OIVs was introduced by Law No 2013‑1168 of 18 December 2013 on military programming for the years 2014–2019, which notably required operators of vital infrastructures to implement specific measures to strengthen their protection against cyber-risks.

OIVs are defined in the French Defence Code as public or private operators running establishments or using facilities and structures whose unavailability could significantly reduce the nation’s war or economic potential, security or survivability.

While the specific list of entities designated as OIVs is classified for national security reasons, the overarching “sectors of activities of vital importance” are publicly defined and include (for instance) energy, transport, banking, financial market infrastructures, health and digital infrastructure.

The Draft Resilience Bill plans to replace and rewrite the entire chapter of the French Defence Code relating to OIVs, redefining its core concepts to align with the new NIS2 Directive framework. It provides that an OIV is automatically classified as an EE if its activities also qualify as an “essential service” under the framework of the CER Directive.

For completeness, it should be noted that the Draft Resilience Bill also transposes the CER Directive. This directive strengthens the physical resilience of critical entities against a wide range of threats. These obligations are not detailed further here, as they concern physical – rather than cybersecurity – requirements.

Essential and Important Entities

The requirements under the Draft Resilience Bill are substantially more demanding than those established by the 2018 Security Law and its implementing texts.

Governance

While OESs are required to adopt a security policy approved by their management, the 2018 Security Law does not impose specific obligations on management training. The NIS2 Directive takes a different approach. Management bodies of EEs and IEs must now approve their organisation’s cybersecurity risk-management measures and oversee their implementation. They are also required to receive dedicated cybersecurity training to ensure informed decision-making. In addition, NIS2 encourages them to promote regular cybersecurity training across their workforce.

The 2018 Security Law provides for personal liability for the managers of OESs. However, this liability is limited to financial penalties – up to EUR125,000 – for failing to comply with security rules or obstructing supervisory controls. By contrast, the NIS2 Directive allows member states to go further by temporarily prohibiting individuals with managerial responsibilities from exercising those functions. It also introduces sanctions targeting the entity itself (fines of up to EUR10 million or 2% of total worldwide annual turnover for EEs, and up to EUR7 million or 1.4% of total worldwide annual turnover for IEs).

Cyber-risk management

The 2018 Security Law requires designated OESs to comply with a detailed list of 23 security rules set out in a specific governmental order, such as conducting security accreditation, implementing network partitioning and establishing crisis management procedures. These stringent rules do not apply to DSPs, which are subject to a much more general and less prescriptive set of obligations defined directly in the law.

The new framework under the NIS2 Directive and the Draft Resilience Bill eliminates this distinction and mandates a single, non-exhaustive baseline of at least ten security measure categories that all in-scope entities – both EEs and IEs – must implement, including:

  • risk analysis and information system security policies;
  • incident handling;
  • business continuity, disaster recovery and crisis management;
  • security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
  • policies to assess the effectiveness of risk-management measures;
  • basic cyber hygiene practices and cybersecurity training;
  • policies on the use of cryptography and encryption; and
  • human resources security, access control policies and asset management.

This new baseline is complemented by the NIS2 Implementing Regulation of 17 October 2024. This regulation is important as, for a specific list of entities, it moves beyond the high-level principles of the NIS2 Directive to define precise, legally binding requirements. It applies specifically to DNS service providers, TLD registries, cloud computing providers, data centre service providers, content delivery network providers, MSPs, MSSPs, online marketplaces, online search engines, social networking platforms and trust service providers. For these entities, it details technical and methodological requirements, as well as significant incident thresholds (see 2.3 Incident Response and Notification Obligations).

The implementation of the NIS2 Directive can be supported by aligning with the ISO/IEC 27001 standard, which provides a robust framework for an Information Security Management System (ISMS). However, it should be noted that certification to ISO/IEC 27001 alone is not sufficient, as it does not automatically cover all the specific prescriptive measures required under NIS2. It should therefore be used as a valuable, complementary tool, while full compliance in France will ultimately need to be measured against ANSSI’s forthcoming national framework.

Supply Chain Security

Under the 2018 Security Law transposing the NIS Directive, supply chain security is not an explicit, standalone requirement. It is only implicitly covered under the general risk management obligations for OESs.

Under the NIS2 Directive, this will become a core, explicit obligation. Entities must manage risks arising from their direct suppliers and service providers, including assessing the overall quality and cybersecurity practices of third-party products and services.

Operators of Vital Importance

Once designated, OIVs are subject to a stringent regulatory framework codified in the French Defence Code. Their obligations include the following.

Organisational measures

OIVs must appoint a Delegate for Defence and Security (Délégué pour la défense et la sécurité), who acts as the primary point of contact for the State and oversees the protection of the entity’s vital interests.

Physical and strategic planning

OIVs must identify their Points of Vital Importance (PIVs). They are required to draft an Operator Security Plan (PSO) and individual External Protection Plans to restrict access to sensitive facilities and systems to authorised personnel only. The Draft Resilience Bill updates this, now requiring an “Operator Resilience Plan” and, for each PIV, a “Specific Resilience Plan”.

Cybersecurity and monitoring

OIVs are specifically mandated to implement qualified detection systems (such as PDIS) to monitor their Information Systems of Vital Importance (SIIVs). These systems must be operated by certified service providers to ensure real-time detection of cyber-threats.

Audits and compliance

OIVs must regularly undergo security inspections and technical audits, often conducted at their own expense by ANSSI or State-certified auditors, to verify the resilience and compliance of their critical infrastructure.

The Draft Resilience Bill seeks to harmonise the cybersecurity obligations applicable to OIVs. It explicitly provides that the current cyber-specific rules for OIVs under the French Defence Code are replaced by the new NIS2 Directive framework, so that OIVs will have to implement the same cybersecurity risk management and incident-reporting obligations as EEs.

Essential and Important Entities

The framework under the 2018 Security Law, transposing the NIS Directive, is based on a general principle. OESs and DSPs are required to notify ANSSI of incidents having a “significant” impact “without delay”. The implementing orders specify the modalities of the declaration (ie, via a form) but do not prescribe a mandatory multi-stage reporting process with fixed, harmonised deadlines across all sectors.

The NIS2 Directive alters this by mandating a uniform, multi-stage reporting process for any “significant incident” affecting both EEs and IEs. An incident is deemed to be significant if:

  • it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned; or
  • it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

For entities such as cloud providers and MSPs, the NIS2 Implementing Regulation of 17 October 2024 provides directly applicable, concrete thresholds, such as a complete service unavailability of more than 30 minutes or a direct financial loss exceeding EUR500,000.

The reporting timeline is now highly structured.

  • Early warning: within 24 hours of becoming aware of an incident, an early alert to ANSSI.
  • Incident notification: within 72 hours, a more detailed incident notification.
  • Final report: no later than one month after the incident notification, a final report including:
    1. a detailed description of the incident, including its severity and impact;
    2. the type of threat or root cause that is likely to have triggered the incident;
    3. applied and ongoing mitigation measures; and
    4. where applicable, the cross-border impact of the incident.

In France, notifications are to be made to ANSSI. The latest version of the Draft Resilience Bill provides that ANSSI will be required to inform the CNIL of any incident that may constitute a personal data breach.

Operators of Vital Importance (OIVs)

It is important to note that the OIV regime, codified in the French Defence Code, imposes stringent incident-reporting requirements that go beyond the general NIS Directive framework. This strict national regime is a key reason why OIVs’ core SIIVs were explicitly carved out of the 2018 Security Law’s scope.

Key OIV obligations include the following.

  • Immediate notification: OIVs must notify ANSSI “without delay” of any incidents affecting the security or functioning of their SIIVs.
  • Iterative reporting: the process is dynamic, requiring OIVs to transmit all available information as they become aware of it and to supplement this report throughout the crisis. The specific data to be communicated is often detailed in classified, sector-specific rules.

To avoid a dual-reporting structure, the Draft Resilience Bill plans to repeal these specific provisions. For cybersecurity incidents, OIVs will have to follow the same multi-stage notification process to ANSSI as EEs and IEs.

The French State, primarily through its national cybersecurity authority, ANSSI, has extensive responsibilities for ensuring national cyber-resilience, managing threat intelligence and fostering co-operation.

Under the current framework of the 2018 Security Law, the French State’s primary responsibility is to formally designate the OESs by order of the Prime Minister. By contrast, under the upcoming NIS2 Directive, an entity will be directly subject to the law as either EE or IE if it meets the new criteria of sector and size, placing the initial onus on the entity to self-assess and register with the national authority, ANSSI.

Compliance is monitored by the national authority, ANSSI, which is empowered to conduct security audits and on-site inspections. In its support role, ANSSI centralises incident reports and disseminates threat intelligence to the ecosystem.

This co-operative approach is anchored in concrete initiatives such as the Campus Cyber – a physical hub co-locating State experts with private companies – and practical tools such as the MonEspaceNIS2 digital platform, designed to guide businesses in their compliance efforts with the upcoming framework.

DORA is the primary legal framework that governs operational resilience. As a directly applicable EU regulation, DORA establishes a comprehensive and harmonised set of rules for managing ICT risks, superseding prior national laws and covering both financial entities and their critical technology providers.

Material Scope of Application

Scope for supervised financial entities

DORA applies to a wide range of financial entities operating in France. These include traditional entities such as:

  • credit institutions;
  • investment firms;
  • insurance and reinsurance undertakings; and
  • payment institutions.

It also covers newer participants, including crypto-asset service providers, crowdfunding platforms, and managers of alternative investment funds (AIFMs).

A key feature is the principle of proportionality, whereby requirements are tailored to an entity’s size, business profile and complexity.

Scope for critical third-party providers

For technology providers, DORA introduces a direct oversight framework for critical ICT third-party providers (CTPPs), such as cloud computing or data centre service providers, whose failure could cause systemic risk. CTPPs are designated by European Supervisory Authorities (ESAs) based on specific criteria, including the number of financial entities that rely on them and their systemic importance.

Territorial scope of application

The scope of application covers the following:

  • entities with registered offices in France;
  • EU operations of third-country financial institutions; and
  • third-country ICT providers – providers designated as “critical” to EU financial entities are required to establish a corporate presence within the EU.

DORA defines ICT service providers very broadly as any undertaking providing ICT services. This includes everything from cloud platforms and data centres to software vendors and managed service providers.

DORA stipulates that contracts with ICT providers must include robust provisions covering the entire life cycle of the relationship. The key requirements are as follows.

  • For subcontracting, contracts must state whether it is permitted for critical functions, ensure the primary provider remains fully liable, and grant the financial entity notification and termination rights to manage supply chain risk.
  • Regarding oversight, contracts must grant the financial entity, its auditors and regulators unrestricted rights to access, inspect and audit the provider’s systems, records and premises. These rights are supplemented by the direct investigatory powers of the lead supervisor for CTPPs and include requirements for advanced security testing, such as threat-led penetration testing (TLPT).
  • To prevent vendor lock-in, financial entities must develop, maintain and test comprehensive exit strategies. Contracts must oblige providers to support an orderly transition and ensure the secure, complete and cost-effective portability of data.
  • While DORA does not impose strict data localisation requirements, it does require contracts to specify all data processing and storage locations to guarantee unimpeded supervisory access. For non-EU CTPPs, the mandatory EU subsidiary serves as the legal anchor for these rights.
  • Finally, financial entities must actively manage concentration risk by assessing dependencies on single providers within their formal risk framework. ESAs monitor this risk at a macro, sector-wide level to identify potential systemic vulnerabilities.

Financial entities are subject to a set of specific obligations designed to create a robust and consistent framework for managing technology-related risks.

Governance and Internal Control

Ultimate responsibility lies with the entity’s management body. Their obligations include:

  • defining and approving the digital operational resilience strategy;
  • setting risk tolerance levels for ICT risk;
  • allocating sufficient budget;
  • overseeing all arrangements with ICT third-party providers; and
  • maintaining adequate ICT risk knowledge.

Financial entities must also establish control functions to ensure the proper implementation and monitoring of the risk framework.

ICT Risk Management Framework

Financial entities must implement a sound, comprehensive and well-documented ICT risk management framework. This is the operational core of DORA and must include the following.

  • Strategies and policies: detailed policies for the protection, prevention and detection of anomalous activities, as well as response and recovery.
  • Asset management: identification, classification and mapping of all supporting ICT assets and critical business functions.
  • Business continuity: development and annual testing of business continuity plans and disaster recovery plans.
  • Testing and review: the framework must be reviewed at least annually and after any major incident. It must be subject to regular, risk-based digital operational resilience testing, including, for significant entities, advanced TLPT at least every three years.

Incident Management and Reporting

DORA harmonises the reporting process.

Internal incident management

Financial entities must have a process in place for managing and classifying ICT-related incidents.

Incident materiality criteria

Reporting to national regulators (such as the ACPR or AMF) is mandatory for any “major ICT-related incident”, where materiality is determined by factors including the number of clients affected, service duration, geographical spread, loss of data confidentiality, integrity or availability, impact on critical services and functions, and direct and indirect costs and economic impact.

Reporting timelines for financial entities

The reporting timeline is multi-staged. It begins with an initial notification to the relevant national regulator. This must be submitted without undue delay, and no later than 24 hours after the incident has been classified as major. This is followed by an intermediate report within 72 hours of the initial notification, providing an update on the situation. Finally, a comprehensive final report detailing the root cause, overall impact and corrective actions must be submitted within one month of the incident being fully resolved.

Obligations for Third-Party Service Providers

Indirect reporting obligation

DORA does not impose a direct reporting timeline on third-party providers to regulators. However, their contracts must stipulate that they report any ICT incident impacting the services provided to a financial entity without undue delay. This contractual obligation is critical, as it enables the financial entity to meet its own strict reporting deadlines.

Direct information requests

For providers designated as CTPPs, the lead supervisor can request all the information needed to assess the impact of an incident independently of the financial entity’s reporting channel.

Responsible Regulatory Authorities

Under DORA, the enforcement framework is multi-layered, combining EU-level direct supervision with the support of national authorities.

The lead overseer (LO)

The LO is either the EBA, EIOPA or ESMA. This is the central enforcement authority. One of the ESAs is appointed as the LO for each designated CTPP and has primary responsibility for direct supervision, investigation and sanctioning, regardless of where the CTPP is headquartered.

National competent authorities (NCAs)

The ACPR and the French Financial Markets Authority (AMF) act in a supporting role. They assist the LO during on-site inspections in France and enforce DORA’s rules against the financial entities they supervise.

The European Central Bank (ECB)

For significant credit institutions within the eurozone, the ECB collaborates closely with the LO to ensure that supervisory activities concerning CTPPs align with prudential oversight.

Compliance obligations for CTPPs

CTPPs must adhere to a comprehensive set of resilience obligations, compliance with which is monitored by the LO. Key requirements include the following.

  • Robust ICT risk management: implementing and documenting a comprehensive framework with strict security controls, continuous system monitoring, and effective risk mitigation strategies.
  • Advanced resilience testing: CTPPs must undergo regular, advanced security assessments, including TLPT, to proactively identify and remediate vulnerabilities. The results of these assessments are subject to review by the LO.
  • Incident management and co-operation: establishing processes to manage incidents and report them to their financial entity clients without delay. CTPPs must also co-operate fully with the LO during any investigation into an incident.
  • Business continuity and disaster recovery: maintaining robust business continuity policies and disaster recovery plans that are regularly tested to ensure the rapid restoration of services after a disruption.
  • Unrestricted regulatory audit rights: granting the LO and, by extension, the national authorities, full rights to conduct audits and on-site inspections, and to access all relevant information and premises.

Enforcement Measures and Sanctions

The LO has a powerful toolkit to enforce compliance. If a CTPP fails to meet its obligations, the following measures can be applied.

Supervisory audits and on-site inspections

The LO can conduct investigations and inspections at any time. These activities are used to verify compliance with DORA and may involve forensic reviews of systems and procedures, particularly where vulnerabilities have been identified.

Recommendations and corrective measures

If deficiencies are discovered, the LO will issue formal recommendations for corrective action. These recommendations are not mere suggestions; the CTPP is legally required to notify the LO of the measures it will take to implement them. Failure to comply can trigger financial penalties.

Financial penalties for non-compliance

If a CTPP fails to comply with its obligations (eg, by refusing an inspection or ignoring a recommendation), the LO can impose significant financial penalties. This takes the form of a periodic penalty payment, calculated daily until compliance is achieved. The penalty can be up to 1% of the CTPP’s average daily worldwide turnover from the preceding business year.

Recommendations for contract termination

Where a CTPP’s conduct poses a significant risk to financial stability and the CTPP fails to remedy the situation, the LO can recommend that financial entities suspend or terminate their service contracts with the non-compliant provider.

Cross-border enforcement and co-ordination

Owing to the global nature of CTPPs, enforcement is inherently cross-border.

  • Joint examination teams: the LO establishes a team for each CTPP, including staff from the relevant ESAs and national competent authorities, to ensure co-ordinated, pan-European supervision.
  • EU cyber crisis response: for large-scale incidents affecting multiple financial firms, enforcement actions are co-ordinated through EU-wide crisis management frameworks to ensure a unified and effective response.
  • Information sharing: the framework requires close collaboration between the LO and national authorities to ensure consistent supervision across the Union.

A multi-layered framework combining the GDPR, DORA and the NIS2 Directive governs the regulation of data protection, cybersecurity and operational resilience.

Direct Provisions Impacting International Data Transfers

GDPR

The GDPR serves as the legal foundation for personal data transfers and is strictly enforced by the CNIL. Transfers outside the European Economic Area (EEA) are permitted only through lawful mechanisms such as EU adequacy decisions, Standard Contractual Clauses (SCCs) – supplemented by a mandatory Transfer Impact Assessment (TIA) – or Binding Corporate Rules (BCRs). When a financial entity’s ICT provider processes personal data in a third country, the transfer must comply with these strict GDPR requirements, as well as any DORA obligations.

DORA

DORA does not impose a blanket data localisation requirement. However, it makes outsourcing to third countries conditional on maintaining full regulatory compliance and oversight.

  • Risk-based approach: DORA requires financial entities to conduct a thorough risk assessment before outsourcing critical or important functions to a third-country provider. This assessment must consider potential risks relating to data security, business disruption, and the ability of French supervisors to conduct effective oversight.
  • Guaranteed supervisory access: contracts must explicitly guarantee the access, inspection and audit rights of the financial entity and its regulators.
  • Extraterritorial anchor: for CTPPs, the mandatory establishment of an EU-based subsidiary ensures that DORA’s rules are enforceable regardless of the parent company’s location.

The NIS2 Directive

The NIS2 Directive reinforces supply chain security for all EEs and IEs. It requires entities to assess the cybersecurity practices of their direct suppliers. This includes vetting providers in third countries and considering the geopolitical risks associated with their jurisdiction. In France, ANSSI is responsible for overseeing the implementation of the NIS2 Directive. There is a strong national focus on “digital sovereignty”, meaning that outsourcing critical functions to certain third countries may be subject to greater supervisory scrutiny.

Indirect Provisions Affecting International Data Transfers

Supervisory expectations for cloud and ICT provider oversight

The ACPR and AMF expect French financial institutions to demonstrate robust due diligence when relying on non-EU cloud and ICT providers:

  • if a cloud provider in a third country cannot contractually guarantee full compliance with DORA’s audit and access requirements, the French supervisors expect the financial entity to either renegotiate the terms or implement an exit strategy; and
  • DORA’s extraterritorial oversight framework means that non-EU CTPPs are indirectly incentivised to align their global operations with EU standards to avoid compliance issues.

Supply chain due diligence and data flow vetting

Financial entities remain fully accountable for risks introduced by their supply chain:

  • regulators expect firms to perform thorough due diligence on third-country providers, assessing their legal environment and potential obstacles to data access or contract enforcement; and
  • contracts must explicitly detail the jurisdictions in which data will be stored and processed, and the financial entity must approve any changes to these locations.

Incident reporting

Under DORA, when reporting a major ICT incident, a financial entity must specify whether the incident originated with or impacted a third-party provider located outside the EU. This gives French and European supervisors critical insights into the risks posed by third-country dependencies, enabling them to identify concentration risks or jurisdiction-specific threats.

Mandatory TLPT for the financial sector is governed by DORA; in France, it builds on the national TIBER-FR initiative and is aligned with the TIBER-EU framework. The French regulators, the ACPR and AMF, conduct oversight.

TLPT Scope

TLPT is an advanced, intelligence-led testing regime designed to rigorously assess the resilience of significant financial entities against sophisticated, real-world cyber-attacks.

Entities in scope

The obligation applies to financial entities identified as “significant” by the ACPR and AMF based on their size, business profile and systemic importance. This includes major banks, certain insurance undertakings, and key financial market infrastructures.

Systems in scope

The tests must cover the “live critical production systems” that underpin an entity’s critical or important functions.

ICT third-party providers

Although the obligation lies with the financial entity, critical ICT providers (such as major cloud service providers) are inherently part of the scope. DORA allows for “pooled tests”, whereby multiple financial entities can collectively test a shared provider, co-ordinated by the provider itself.

Key TLPT Obligations Under DORA

Frequency and risk-based approach

Eligible financial entities must conduct a full TLPT at least every three years. The frequency may be adjusted by national authorities based on the entity’s risk profile or emerging threats.

Scenario selection and threat intelligence

The entire test must be driven by specific, tailored threat intelligence. Scenarios must realistically mimic the tactics, techniques and procedures (TTPs) of advanced threat actors who are deemed to pose a genuine threat to the entity. In France, threat intelligence may be sourced from internal teams, specialist external providers, and national authorities such as ANSSI.

Red team qualifications

The testers (the “red team”) must have a high level of expertise and be functionally independent from the defence and response teams (the “blue team”). DORA mandates that testers hold relevant certifications and have a proven track record in threat intelligence and penetration testing. For each test, at least one of the testing providers involved must be an independent, external entity.

Cross-border recognition and reliance

DORA establishes the crucial principle of mutual recognition. If a financial group’s subsidiary in another EU member state conducts TLPT in compliance with DORA, the French authorities must recognise it as fulfilling the requirement for the group’s French operations.

Enforcement and non-compliance

Failure to conduct a required TLPT or to adequately address the identified vulnerabilities constitutes a breach of DORA:

  • supervisory actions – the ACPR and AMF can issue binding orders requiring an entity to conduct a test or implement a remediation plan to address identified weaknesses; and
  • sanctions – non-compliance can lead to administrative sanctions, including significant financial penalties imposed by the national supervisor as part of DORA’s general sanctions regime.

The CRA, which is directly applicable in France, establishes a horizontal regulatory framework for the security of digital products across the EU. It applies to all products with digital elements (PDEs), meaning any hardware or software – whether final products or components marketed separately – made available on the EU market.

A central aspect of the CRA is that it imposes cybersecurity obligations on manufacturers, importers and distributors from the design stage and throughout the entire life cycle of the product.

Under the CRA, PDEs are classified into four categories.

  • Default category: all digital products not considered important or critical (eg, smartphones or computers).
  • Important Class I products: 19 categories, including cybersecurity products (eg, public key infrastructure (PKI) components, security information and event management (SIEM), password managers), core digital products (operating systems, routers, browsers) and sector‑specific items (smart home devices, toys).
  • Important Class II products: four categories – hypervisors, firewalls/Intrusion Detection System (IDS)/Intrusion Prevention System (IPS), microprocessors and microcontrollers.
  • Critical products: three categories – hardware security modules (HSMs), smart cards or similar devices, and gateways for smart meters.

The CRA places its main obligations on manufacturers, who must ensure that any product with digital elements they place on the market complies with the regulation’s essential cybersecurity requirements. To do so, manufacturers must conduct a cybersecurity risk assessment that guides security measures across all phases of the product’s life cycle, from planning and design to development, production, delivery and maintenance.

Manufacturers must document their risk assessment and the technical measures or standards used to meet the essential requirements, keeping this technical documentation available for market surveillance authorities upon request. Before placing a product on the market, they must complete the appropriate conformity assessment, and then issue an EU declaration of conformity and apply the CE marking.

Manufacturers must report actively exploited vulnerabilities and severe incidents having an impact on the security of their products with digital elements. They are required to submit the following.

  • An early warning within 24 hours of becoming aware of the issue.
  • A full notification within 72 hours.
  • A final report which is required:
    1. within 14 days after a corrective measure becomes available (for actively exploited vulnerabilities); or
    2. within one month for severe incidents.

In France, the implementation of the CRA relies on several national authorities with distinct roles.

The Agence Nationale des Fréquences (ANFR) is responsible for market surveillance. It ensures that products made available in France comply with the CRA’s requirements and may impose sanctions, including product withdrawal from the market or financial penalties of up to EUR15 million or 2.5% of the manufacturer’s global annual turnover.

ANSSI plays a key role in the practical implementation of the CRA, acting as the notifying authority responsible for assessing, supervising and notifying conformity assessment bodies. It also provides technical support to the ANFR for market‑surveillance activities and centralises reports of actively exploited vulnerabilities and major incidents, co-ordinating remediation actions with manufacturers when necessary.

The French cybersecurity certification landscape combines European harmonisation efforts with national sovereignty imperatives. Certifications and qualifications evaluate the security robustness of ICT products, services and processes. While historically utilised as voluntary markers of quality, these certifications are increasingly becoming mandatory prerequisites for market access and public procurement in France.

The European Framework

At EU level, the CSA established the European Cybersecurity Certification Framework (ECCF) in 2019 to harmonise evaluation approaches across the internal market. In 2024, the European Commission adopted the first scheme under this framework: the Common Criteria-based European Cybersecurity Certification Scheme (EUCC).

The EUCC provides a unified assessment process specifically for certifying the security of ICT products, including software, hardware and technological components such as microchips and smartcards. The scheme classifies products under two defined assurance levels based on risk:

  • “substantial” assurance – for products designed to resist basic-to-moderate cyber-attack potential; and
  • “high” assurance – for products that must withstand sophisticated, well-resourced threats.

While obtaining an EUCC certificate is inherently voluntary, it is increasingly important for demonstrating compliance with other mandatory frameworks, such as the NIS2 Directive and the CRA. Following a transition period, ANSSI issued France’s first EUCC certificates in 2025.

The Proposed Cybersecurity Act 2

In January 2026, the European Commission proposed a comprehensive cybersecurity package including a Cybersecurity Act 2 (CSA2), alongside targeted amendments to the NIS2 Directive. This proposal shifts the regulatory focus towards systemic vulnerabilities by introducing the EU’s first horizontal framework for ICT supply chain security. It empowers the European Commission to identify “key ICT assets” and prohibit entities from utilising components from high-risk suppliers. Furthermore, the CSA2 broadens the scope of the certification framework beyond individual products to include managed security services and the overall “cyber posture” of an organisation.

French National Framework: ANSSI Security Visas

At the national level, ANSSI issues “Security Visas” to validate the trustworthiness of cybersecurity solutions, making a clear distinction between two mechanisms.

  • Certifications: these attest to the technical robustness of a product against predefined threats, based on independent laboratory testing. France utilises the internationally recognised Common Criteria (CC) alongside its specific First Level Security Certification (CSPN). The CSPN is an agile, two-month evaluation scheme that assesses resistance to moderate attacks, updated in 2025 to mandate stricter hardware and communication security against logical and relay attacks.
  • Qualifications: these go beyond technical robustness. A qualification acts as a formal government recommendation, attesting that a product or service complies with the specific regulatory, organisational and strategic requirements necessary for deployment by the French State or OIVs.

Sovereign Cloud Certification: SecNumCloud 3.2

Under the French government’s “Cloud au Centre” doctrine, French State administrations, their operators and certain public interest groups that use cloud services to host or process particularly sensitive data (ie, data covered by secrets protected by law and data necessary for essential State functions) must choose cloud services implementing security and protection measures that effectively prevent unauthorised access by non-EU authorities, a condition that in practice requires using SecNumCloud-qualified solutions. Version 3.2 imposes rigorous sovereignty requirements to prevent extraterritorial interference (eg, under the US CLOUD Act, the FISA or the PATRIOT Act).

Sector-Specific Certifications: Healthcare

France heavily relies on sector-specific certification schemes for critical industries such as healthcare. In this regard, any entity hosting personal health data collected in certain conditions must obtain the mandatory HDS certification (see 6.3 Cybersecurity in the Healthcare Sector for detailed obligations).

Platform Transparency: the Cyberscore Law

The Cyberscore Law introduced a French legal framework for cybersecurity certification – commonly referred to as the “Cyberscore” – applicable to consumer-facing digital platforms, by amending the French Consumer Code. This certification aims to require certain online platforms to carry out a cybersecurity audit of their services (including data security and localisation) and to inform users in a clear, visible way about the level of security of their data.

Although the law entered into force on 1 October 2023, its practical application has been stalled, as the necessary decree and implementing order detailing which platforms are covered, the thresholds and the precise audit criteria have never been published. As a result, three years after adoption, the Cyberscore scheme is still not operational.

Cybersecurity overlaps heavily with data protection under the GDPR and the FDPA, stringently enforced by the CNIL. The principle of integrity and confidentiality, requiring personal data to be processed in a manner that ensures appropriate security against unauthorised processing, loss or destruction, forms part of the core principles of the GDPR. This is operationalised through obligations mandating controllers and processors to implement technical and organisational measures appropriate to the risk.

In the event of a personal data breach, controllers are required to notify the relevant supervisory authority (in France, the CNIL) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. This notification, submitted via the dedicated CNIL portal, must describe:

  • the data controller and its legal representative (eg, address, workforce, business sector);
  • the nature of the breach (eg, date, origin of the incident, cause of the breach, nature of data affected, type and number of data subjects affected, security measures prior to the breach);
  • possible consequences for affected personal data;
  • possible harm for affected data subjects and level of severity of the breach (ie, negligible, limited, high or maximal);
  • information to the affected data subjects (if any); and
  • cross-border and other notifications.

If the breach poses a high risk to individuals’ rights and freedoms, affected data subjects must also be notified without undue delay.

It should be noted that the European Commission’s proposed “Digital Omnibus”, published in late 2025, includes provisions modifying the GDPR seeking to streamline incident reporting to extend the supervisory authority notification deadline to 96 hours.

The CNIL actively sanctions organisations for fundamental IT hygiene failures. Enforcement is increasingly driven by a close collaboration with ANSSI. In 2024, the CNIL published an updated “Practice guide for the security of personal data” that heavily integrates ANSSI’s recommendations. In practice, the CNIL treats ANSSI’s guidelines as the legal “state of the art” during investigations and enforcement procedures.

As an illustration, in January 2026, the CNIL levied a record cumulative fine of EUR42 million against telecoms operators FREE MOBILE and FREE following a massive data breach affecting 24 million subscribers in October 2024. The CNIL, notably applying Article 32 of the GDPR, cited severe negligence, including weak VPN authentication (lack of MFA) and ineffective intrusion detection systems, directly benchmarking the companies’ failures against the expected ANSSI standards.

Cybersecurity obligations for AI are rapidly evolving, driven by the AI Act and intersecting heavily with existing data protection frameworks.

Security-by-Design and Component Security

The AI Act mandates that “high-risk” AI systems achieve declared levels of accuracy, robustness and cybersecurity before being placed on the market and throughout their life cycle. This embeds a strict security-by-design expectation, requiring resilience against adversarial attacks, data poisoning and model manipulation.

General purpose AI (GPAI) models presenting systemic risks face additional burdens, including mandatory adversarial testing and robust cybersecurity protections.

Incident-Reporting Requirements

Under the AI Act, the primary duty to track, document and formally report serious incidents rests with the providers of high-risk AI systems and GPAI models with systemic risk. They must report incidents, including severe cybersecurity breaches or malfunctions, to the competent market surveillance authorities or the European AI Office (for GPAI models) without undue delay. Other operators, such as deployers, have a related duty to inform the provider and competent authorities of any serious incidents they identify.

The European Commission’s “Digital Omnibus” proposal aims to streamline this landscape by introducing a single-entry point for incident reporting, effectively unifying notification obligations under the AI Act, the NIS2 Directive and the GDPR.

Interaction With General Cybersecurity and Data Protection

The AI Act clearly states that its application is without prejudice to that of the GDPR. The texts are therefore complementary, and certain resources developed within the framework of the GDPR can be used as a basis for compliance with the AI Act (in particular, data protection impact assessments).

In France, the CNIL published recommendations in 2024 and 2025 concerning the development of AI systems. Aligning with EDPB Opinion 28/2024, the CNIL emphasises that AI models generally fall within the scope of the GDPR due to the memorisation capabilities of models trained on personal data. The CNIL has dedicated practical how-to sheets to guide professionals, including one on securing AI development, which sets out the risks and measures to consider during the design phase so that AI systems are built in a secure environment.

Governance and Threat Landscape in France

With regard to governance, the French government has recently proposed a decentralised regulatory model for AI, with the DGCCRF acting as the central operational co-ordinator. Control responsibilities would be divided among sectoral authorities (mainly the CNIL, Arcom and DGCCRF). The CNIL in particular would play a major role, being responsible for the oversight and enforcement of most prohibited practices and obligations relating to high-risk AI systems falling under Annex III of the AI Act. However, the CNIL would not have any role in relation to high-risk AI systems covered under Annex I of the EU AI Act. ANSSI and the Pôle d’Expertise de la Régulation Numérique would provide pooled technical support. This government proposal is currently subject to parliamentary approval.

Finally, in February 2026, ANSSI published a threat intelligence report (CERTFR-2026-CTI-001) on generative AI facing cyber-attacks. The report notes that, while generative AI cannot yet autonomously execute full attacks from end to end, it is increasingly integrated into attacker toolsets for victim profiling, social engineering and malware development, lowering the barrier to entry for less experienced actors. Furthermore, the report warns that generative AI systems (such as LLMs) themselves are lucrative targets, highly susceptible to model poisoning, software supply chain compromises and data exfiltration.

The healthcare sector faces strict cybersecurity obligations to protect sensitive medical data across health sector entities, medical devices and electronic health record (EHR) systems.

Health Sector Entities and EHR Systems

Entities handling electronic health records must comply with the General Security Policy for Health Information Systems (PGSSI-S) established by the ANS.

Furthermore, any entity hosting health data collected in the course of prevention, diagnosis, care or social and medical-social follow-up activities must hold the HDS certification. Technical operations considered to be part of the hosting activity notably include:

  • the provision and operational maintenance of the physical sites hosting the hardware infrastructure of the information system used to process health data or of the hardware infrastructure itself;
  • the administration and operation of the information system containing the health data; and
  • the retention of the health data.

The updated HDS Version 2.0 (mandatory by May 2026) introduces stringent data sovereignty rules, requiring all health data storage to reside exclusively within the EEA and mandating explicit transparency for any remote access from outside the EEA.

The certification requires audits by independent bodies accredited by the French Accreditation Committee (COFRAC). Failure to comply carries severe risks, including criminal penalties.

Sector-Specific Incident Reporting

France imposes stringent sector-specific incident-reporting obligations. As such, healthcare establishments, bodies and professionals must immediately report significant security incidents affecting their health information systems to the competent state authorities. This reporting is typically facilitated through the regional health agencies (ARS) and the dedicated CERT Santé.

Medical Devices

Connected medical devices must satisfy the General Safety and Performance Requirements (GSPR) under the EU Medical Device Regulation (MDR). To obtain CE marking and market access, manufacturers must integrate cybersecurity across the software life cycle, commonly applying the widely recognised EN IEC 81001-5-1:2022 standard.

Procurement-Related Security

In public procurement, health data security is increasingly tied to national sovereignty. For instance, recent government tenders for major infrastructures such as the national Health Data Hub explicitly mandate that providers hold an ANSSI SecNumCloud qualification, effectively excluding standard foreign cloud offerings to immunise public health data against extraterritorial laws.

Freshfields

9 avenue de Messine
75008 Paris
France

+33 1 4456 4456

jerome.philippe@freshfields.com
www.freshfields.com