NIS 2, DORA, SecNumCloud: can we build digital sovereignty without means?

Two months ago, Vincent Strubel, director general of ANSSI, was heard by the National Assembly's Foreign Affairs Committee. On this occasion, he gave an unequivocal overview of the state of the cyber threat, while setting out French doctrine and the regulatory instruments being deployed. After reading this hearing, one question remains: are the tools enough when the operational means do not follow?

A solid legal architecture

On the regulatory level, France checks all the boxes. The so-called “resilience” bill, under discussion at the Assembly, transposes three structuring European texts:

  • NIS 2, which extends security obligations to more than 10,000 public and private entities considered essential or important
  • DORA, which imposes digital operational resilience on the financial sector
  • and the REC directive, relating to the protection of critical entities

In parallel, ANSSI is deploying the SecNumCloud framework, which is supposed to guarantee the hosting of sensitive data under European legal sovereignty. This framework is now required for many strategic public uses, particularly in ministries, local authorities and health establishments.

The legal framework is therefore stabilizing, and it is even perceived as a lever to strengthen a French and European cybersecurity ecosystem, particularly in managed services, hosting and audit services.

But a two-speed execution

The hearing of the director general of ANSSI thus reveals another face: that of an administration aware of the growing gap between regulatory obligations and the actual capacity of the actors to meet them.

While the large sovereign operators are protected (the ministries benefit from centralized supervision via the inter-ministerial state network, RIE), beyond this strategic core most of the economic and territorial fabric remains exposed. SMEs, intercommunal bodies, and health or research establishments regularly suffer paralyzing attacks. The example of Paris-Saclay University, hit by ransomware in August 2024 that disrupted its systems for several days, is cited as symptomatic of chronic under-investment.

ANSSI talks about a goal of “scaling up”, in other words, extending the culture of cybersecurity far beyond the 500 priority entities to the tens of thousands of actors now covered by NIS 2. However, this shift requires human, financial and technical resources that are not currently there.

Tools, but no infrastructure

Vincent Strubel points out that while France has recognized cryptographic know-how, a sovereign cloud standard (SecNumCloud), a network of regional CSIRTs that is taking shape, and a fabric of qualified providers, contradictions are accumulating in the field. The sovereign cloud remains marginal for lack of clear budget incentives in public tenders, health data are still widely hosted on American infrastructure, and the calls for projects funded by the France Relance plan have not been enough to create a sustainable dynamic.

The same goes for the SecNumCloud framework: although it guarantees legal protection against extraterritoriality, it is deemed very complex to implement, expensive, and still largely optional. The executive is multiplying discreet exemptions; for example, some administrations use Microsoft services for critical processing, relying on “trusted clouds” without formal certification.

A risk of ineffectiveness

The risk is that of a sovereignty for show, without any operational translation. By multiplying frameworks, obligations and texts, France exposes itself to a mirror effect: increasing requirements, but execution delegated to actors who have neither the means, the skills, nor the human resources to meet them.

ANSSI itself, although it enjoys undisputed technical legitimacy, remains constrained by limited staff and a growing workload. Audits, support, migration plans towards post-quantum cryptography, inter-ministerial supervision, support for local authorities: all of this is added without an equivalent increase in means. By comparison, the agency of our German neighbors, the BSI (Bundesamt für Sicherheit in der Informationstechnik), has a budget estimated at at least double that of ANSSI.

Vincent Strubel half admits it: the success of the 2024 Olympic Games (no major attack despite 12 times more attempts than in Tokyo) was possible because the state had massively concentrated its means on a limited number of targets. This suggests that the model cannot be generalized without a change of scale.

Sovereignty without budget or investment = operational illusion

France has a clear doctrine, a solid regulatory corpus, and a respected technical agency. But without a massive acceleration of investment, in particular in local implementation (local authorities, labeled service providers, sovereign cloud, field training), the implementation of NIS 2 and the other texts may remain theoretical.

Cybersecurity has become a systemic issue that can no longer rest solely on standards and a handful of experts. It presupposes an industrial, budgetary and human mobilization far greater than the one currently in place. Without this, digital sovereignty will remain a slogan.