Presented in Bordeaux by the Minister Delegate in charge of Artificial Intelligence and Digital Technology, Anne Le Hénanf, on behalf of the government, the new national cybersecurity strategy sets the framework for public action for the period 2026/2030. Supported by the Prime Minister, it intends to go beyond a strictly technical approach to install cybersecurity as a resilience policy in its own right, engaging the State, communities, businesses and, more broadly, citizens. In a context of increasing attacks and growing dependence on digital infrastructures, the executive displays the ambition to structure a collective response, in continuity but also beyond the historically central role played by theANSSI.
Articulated around five pillars, talents, resilience, hindrance of the cyber threat, mastery of digital foundations and European cooperation, the strategy draws a coherent architecture and assumes several doctrinal inflections. In particular, it marks the end of the illusion of “zero incidents”, favors crisis preparation and places the question of skills at the heart of the system. This shift also results in an expansion of the actors mobilized, including more explicitly internal security forces, training structures and reporting systems, in addition to technical agencies. However, behind this political milestone, many modalities remain to be clarified, such as coordination with the education system, support for the most exposed actors, concrete levers of deterrence, European articulation and budgetary translation.
It is in this gap between the clarity of the strategic framework and the uncertainties of its implementation that the credibility of the government roadmap is now at stake.
Cyber talents: the systemic challenge of educational and territorial coordination
The first pillar, dedicated to talents, is presented as the basis of the entire strategy. The idea is that without skills, cybersecurity remains a discourse. The minister wants to make France the main pool of cyber talent in Europe, by acting on training, attractiveness and the diversification of profiles, particularly female ones.
But beyond the observation and the awareness messages, a structural question arises, what concrete coordination with National Education, higher education and the regions? The strategy evokes school, middle school, high school, orientation, early stereotypes. It suggests action from an early age. On the other hand, it does not yet specify how these ambitions will be linked to skills currently split between ministries, rectorates, universities, grandes écoles and local authorities.
This question takes on an additional operational dimension with regard to the actors already involved in cyber training within the State, whether it is thePN ACADEMYof CEGN or CNF-Cyber. The question is therefore not only that of the training offer, but of its governance and its territorial articulation.
The question is all the more sensitive as cyber training is already based on a fragmented landscape: sectors of excellence concentrated in certain metropolises, pressure on specialized teachers, competition between public and private actors to attract the best profiles. Without a clear coordination mechanism and without shared objectives, the risk is that the training effort will primarily benefit already attractive structures, while local administrations and less resourced areas would continue to suffer a chronic shortage.
Cyber resilience: prepare everyone, without burdening the most vulnerable
The second pillar establishes cyber resilience as a cardinal principle. It is based on a now well-established idea that the attack is no longer a marginal hypothesis, but indeed a plausible, sometimes recurring scenario. Therefore, the ability to react, maintain activity and coordinate to face a cyberattack becomes as important as prevention.
This approach is part of a strengthening of the operational management of the cyber threat within the Ministry of the Interior, in particular through the COMCYBER-MIthe devices of the National Police and the Gendarmerie, as well as theUNCYBER. It also relies on reporting and support tools intended for victims, such as those provided by the GIP ACYMA or 17CYBER
Crisis exercises, inspired by Rempar 2025, are presented as a central lever. They showed, according to shared feedback, that trained actors react better than those who improvise. But this logic immediately raises an operational question: how to support the least equipped players, namely small communities, small businesses and associations, without transforming the requirement for preparation into a disproportionate burden?
Because the issue is far from theoretical, whether for a large administration or a structured operator, participation in exercises, the drafting of continuity plans or the mobilization of dedicated teams is an absorbable investment. For a small municipality, an SME with a few dozen employees or an association, these requirements can quickly become an unabsorbable burden. The strategy affirms the inclusion of all, but leaves open the question of the differentiated level of requirements, financial and human support, and the simplification of systems for those who have neither an RSSI nor a crisis unit.
Obstructing the cyberthreat: between strategic principles and real effectiveness
The third pillar marks a rise in generality. It is no longer just a matter of protecting oneself or reacting, but of reducing the very expansion of the cyber threat, by acting on the conditions that make it possible and profitable. The speech mobilizes the judicial, economic and diplomatic registers, and evokes the need for international frameworks and guidelines.
At this stage, however, the strategy poses more of an intention than detailed tools, and a question remains, what concrete tools beyond the principles? Sanctions, economic pressure and judicial cooperation are mentioned, as an extension of the actions carried out by the specialized services of the National Police and the Gendarmerie, as well as international cooperation carried out in particular by EUROPOL And INTERPOLbut without precision on their operational application nor on their articulation with existing frameworks which are sometimes not very effective.
This question leads to another, even more delicate one, namely what real capacity to deter hybrid actors, sometimes state, sometimes criminal, often located outside cooperative jurisdictions? The strategy implicitly recognizes the difficulty, but does not yet explain how the State intends to influence groups whose economic model is based precisely on legal asymmetry and opacity. The pillar outlines a doctrine, but without yet demonstrating its capacity to modify the balance of power.
Digital foundations, AI and quantum: anticipate without rigidifying
The fourth pillar deals with emerging technologies, primarily artificial intelligence and quantum. The approach is intended to be balanced: securing the AI systems themselves, while taking into account the fact that AI lowers the technical barriers to attack; anticipate quantum through post-quantum cryptography, without waiting for a sudden break.
But here again, several tensions appear, and one of them concerns regulation, how to regulate these technologies without creating normative rigidities which would slow down innovation or disadvantage European players in the face of less constrained competitors? Another concerns international alignment, with AI and quantum cybersecurity standards being built on a global scale. The question of financing remains central: supporting cyber innovation requires choices, particularly in the allocation of the measures announced via France 2030.
Europe and international: avoid minimal coordination and normative fragmentation
The last pillar affirms that national cybersecurity cannot be thought of without Europe and the international. The reasoning is widely shared with interconnected systems, cross-border value chains, and technological dependencies. The European level, within theEUis presented as the relevant level.
But this strategic evidence masks two structuring questions. The first is that of regulatory fragmentation: how can we prevent an overlapping of national and European frameworks from complicating compliance for companies operating in several Member States? NIS2, cloud certifications, sectoral requirements and divergent national transpositions already constitute a complex landscape, which the national strategy must clarify rather than densify.
The second question is more political: what capacity to bring about a true European cyber doctrine, beyond minimal coordination? Cooperating, exchanging best practices and harmonizing rules are not always enough to produce a common vision of deterrence, response to major attacks or digital sovereignty. The French strategy displays European ambition, but its impact will depend on its capacity to involve its partners and to influence collective arbitrations.
A readable strategy, but suspended from its structuring decisions
Integrated into each of the pillars, these questions do not call into question the coherence of the national cybersecurity strategy. Rather, they draw the tipping points. Educational coordination, support for vulnerable actors, effectiveness of deterrence, balance between innovation and regulation, European governance are all projects which will condition the transformation of a strategic framework into fully operational public policy.
The Bordeaux presentation sets a course. The answers to these questions, more technical and more political, will show whether this course translates into a trajectory…
