
The Governance of French Cybersecurity: An Overview of Stakeholders

by Sophie Agulhon, Revue Défense Nationale 2024/8 (n° 873)

translated by Mohamed SAKHRI

The governance of cybersecurity is a multidimensional and crucial issue for national security. It requires the coordination of actors from various backgrounds, both nationally and internationally, a notion that France has advocated since President Emmanuel Macron’s Paris Call on November 12, 2018. With over 1,200 endorsements from all continents (80 states, companies, civil society organizations, local authorities, and public authorities, including the European Commission), the French doctrine aims to spread globally.

Effective governance of cybersecurity strengthens a country’s digital sovereignty and technological independence, reducing its vulnerability to foreign cyber threats. It necessitates the establishment of policies, procedures, and technologies aimed at preventing cyberattacks and responding effectively to them. However, given the heterogeneity of cybersecurity issues across the territory, different forms of response are structured around categories of actors.

Typologies Related to Organizational Vulnerability to Cyber Risk

With the democratization of digital transformation, organizations within the European Union (EU) or operating within member states have also seen their exposure to cyber risks increase. To collectively ensure adequate security conditions and to raise the level of maturity regarding cyber risk in strategic sectors, the EU adopted the NIS 1 directive for “Network and Information Security” in 2016. This directive enabled the identification of Essential Service Operators (ESO). An essential service is necessary for maintaining critical societal or economic activities; its provision relies on networks and information systems, and an incident within these networks and systems would have a significant disruptive effect on the service’s delivery.

With the implementation of the NIS 2 directive, which will come into effect in France in October 2024, additional sectors will join those already deemed strategic for ESOs: the space sector, including operators of terrestrial infrastructures and space devices; food production; manufacturing, including industrial manufacturing, equipment, machine tools, transport means, and electronic and optical devices; information and communication technologies, including platforms, e-commerce sites, search engines, and social networks employing over 50 people; waste and wastewater management (similar to the management of drinking water already covered by NIS 1); chemical product production and distribution (now separated from manufacturing due to specific regulations); regional and local administrations; research and higher education; and essential services for public health and safety.

In France, the cybersecurity landscape is structured around three main levels. First, there are the public cybersecurity actors who contribute to defining and deploying the cyber doctrine. Next, activities pertaining to France’s sovereignty include major public or private groups operating on sensitive infrastructures such as Aéroports de Paris (ADP), EDF, or Veolia, regulated by ANSSI as ESOs or even Vital Importance Organizations (VIO). With the transposition of the NIS 2 directive, ESOs will be referred to as Essential Entities (EE). Furthermore, service providers and other stakeholders of EEs are expected to become Important Entities (IE) with new associated cybersecurity obligations. Thus, the total number of organizations under cyber surveillance has increased from a few hundred to several thousand, as attack patterns now target service delivery and subcontracting chains to reach final customers. However, the status of IE partly overlaps with the third organizational level, which remains highly vulnerable to cyberattacks. Consequently, local authorities, Intermediate-Sized Enterprises (ISE), and Small and Medium Enterprises (SMEs) are the most fragile organizations. According to the “Cyber Threat Landscape 2022” report from ANSSI, cyberattacks are notably directed at these entities, and the trend has not reversed since then. In response to this urgency, the state is gradually structuring its cybersecurity governance through various key actors.

Landscape of National Cybersecurity Actors

National Agency for the Security of Information Systems (ANSSI)
Established in 2009, ANSSI is the French government agency responsible for the security of information systems (IS). Affiliated with the General Secretariat for Defense and National Security (SGDSN), it aims to protect the IS of public administrations, businesses, and critical infrastructures against cyber threats. As an independent authority, ANSSI develops security policies through guides and technical recommendations, also evaluating risks through IS security audits. ANSSI coordinates the national response to major cybersecurity incidents, possessing rapid detection and response capabilities through its Cyber Incident Response Center (CERT-FR). Lastly, it represents France in international forums and institutions.

National Commission for Informatics and Freedoms (CNIL)
Older (established in 1978) and known to the public, CNIL is responsible for overseeing the protection of personal data in France. Its mission is to ensure that the processing of personal data respects fundamental rights, including the right to privacy and data protection (GDPR). The use of technologies related to Artificial Intelligence (AI) to operate within IS, to protect IS through tools augmented by AI, or conversely to attack or deceive a target, elevates the importance of data even further. As such, this body seeks to collaborate more closely with ANSSI to better understand the impact of data in cybersecurity and promote good practices such as data annotation to ensure the quality of training models while protecting personal data.

Ministry of the Interior Command in Cyberspace (Comcyber-MI)
The Ministry of the Interior Command in Cyberspace, under the authority of the Director General of the National Gendarmerie (DGGN), was established by a decree published in the Official Journal on November 23, 2023. It is currently led by Major General Christophe Husson and is built upon three pillars: judicial operations, training, and strategy. The strategic component includes the development of a joint ministerial strategy against cybercrime shared between the Police and the Gendarmerie, aiming to standardize awareness and response to victims of cyberattacks across the territory. The goal is to facilitate the identification of local contacts for third-level organizations and individuals in case of cyber incidents. Consequently, Comcyber-MI also maintains relationships with the Public Interest Group for Assistance to Victims of Cybermalfeasance.

Public Interest Group for Assistance to Victims of Cybermalfeasance (GIP Acyma)
Established in 2017 following the Government’s digital strategy of 2015 and involving public and private stakeholders, GIP Acyma’s primary mission is to assist victims of cyberattacks, whether individuals, businesses, or local authorities. Its aim is to enhance resilience against cyber threats by providing tools and resources to raise awareness, prevent, and effectively respond to cybersecurity incidents while supporting cyberattack victims. It manages the platform CyberMalveillance.gouv.fr, which offers a one-stop solution for accessing a wide range of cybersecurity resources. This initiative contributes to the visibility and coherence of a cybersecurity ecosystem for the general public.

Discussion
The governance of cybersecurity is a key element of national security and modern defense. It protects critical infrastructures, enhances operational resilience, fosters international cooperation, and maintains a technological edge against increasingly sophisticated cyber threats. The ongoing dynamics among stakeholders warrant close observation by defense specialists, given the interconnectedness of modern defense systems that rely on information and communication technologies (which could compromise a country’s strategic data), as well as the evolution of modern geopolitical and cyber conflicts. More broadly, cybersecurity governance shares with the defense sector the aspiration to maintain a form of digital sovereignty and protect the nation, which could lead to increased dialogues between civilian and military spheres.

References

« Cybersécurité : Appel de Paris du 12 novembre 2018 pour la confiance et la sécurité dans le cyberespace » (https://www.diplomatie.gouv.fr/).

Agence nationale de la sécurité des systèmes d’information (Anssi), « La directive NIS 2 », 15 juin 2023 (https://cyber.gouv.fr/la-directive-nis-2).

Anssi, « FAQ – opérateurs de services essentiels (OSE) », 18 août 2022 (https://cyber.gouv.fr/).

Orange Cyberdéfense, « Tout savoir sur les changements de la nouvelle directive NIS 2 », 13 février 2024 (https://www.orangecyberdefense.com/).

CERT-FR, « Rapport menaces et incidents du CERT-FR », 10 février 2023 (https://www.cert.ssi.gouv.fr/cti/).

Anssi, « Le Panorama de la cybermenace », 22 février 2024 (https://cyber.gouv.fr/le-panorama-de-la-cybermenace).

Cnil, « IA : Annoter les données », 10 juin 2024 (https://www.cnil.fr/fr/ia-annoter-les-donnees).

Faure Antoine, « Avec le Comcyber-MI, le MIOM adapte sa réponse à l’évolution de la cybercriminalité », Gendinfo, 4 décembre 2023 (https://www.gendarmerie.interieur.gouv.fr/).

CyberMalveillance.gouv.fr, « Assistance et prévention du risque numérique au service des publics » (https://www.cybermalveillance.gouv.fr/).
