The bill on the resilience of critical infrastructure and the strengthening of cybersecurity, carried by Clara Chappaz, Minister Delegate for Artificial Intelligence and Digital Affairs, marks a decisive step in adapting the French legislative framework to new digital threats. Adopted on March 4, 2025 by the Senate Special Commission and then by the Senate in plenary on March 12, the text transposes three key European directives: the Critical Entities Resilience Directive (REC, in its French acronym), the Network and Information Security Directive 2 (NIS 2), and the directive accompanying the Digital Operational Resilience Act (DORA).
A reorientation towards the resilience of critical infrastructure
The REC directive (2022/2557) replaces a logic of protection with a resilience-based approach, requiring operators of vital importance (OIV) to deploy risk adaptation plans. Its application in France extends security obligations to sectors not previously covered, including district heating networks, hydrogen and sanitation. It also introduces incident notification obligations and provides for a regime of administrative sanctions of up to 2% of turnover or 10 million euros.
The amendments adopted clarified the criteria for designating operators of vital importance (OIV) and strengthened the analysis of dependencies on subcontractors, adding an obligation to draw up a special resilience plan for the most sensitive critical infrastructures.
A paradigm shift in cybersecurity with NIS 2
The NIS 2 directive (2022/2555) extends the regulatory framework to some 15,000 essential and important entities, compared with around 500 before. The text introduces a strict classification distinguishing "essential" and "important" entities according to their sector of activity and their size, with correspondingly heavier cybersecurity obligations. Local authorities are also brought into the scheme, in response to the rise in cyber attacks targeting them. ANSSI, the national authority in charge of cybersecurity, sees its powers strengthened, particularly in supervision and sanctions.
Several amendments adopted in plenary session spelled out the national cybersecurity strategy, adding training objectives, support for local authorities, and key performance indicators to track progress.
Reinforced protection of the financial sector with DORA
The Digital Operational Resilience Act (DORA; the bill transposes its accompanying directive 2022/2556) specifically targets the banking and financial sector, which is highly exposed to cyber attacks. It imposes strict requirements for managing ICT risk, including reinforced oversight of technological interdependencies and third-party providers. According to the Banque de France financial stability report of December 2024, cyber risk is now considered more threatening than climate or market risk.
The adjustments adopted provide for a one-stop shop for cyber incident reporting in the financial sector and clarify compliance criteria, so as to avoid double regulation with NIS 2.
Strengthening encryption and data protection
A key amendment prohibits requiring providers of encryption services to build in technical mechanisms that deliberately weaken the security of communications, such as master decryption keys or unauthorized access to protected data. This provision strengthens digital sovereignty and the confidence of businesses and citizens in the tools used to secure their exchanges.
Vigilance points raised by the Special Commission
Despite the urgency of strengthening cybersecurity, several criticisms emerged regarding the implementation of the bill. The Special Commission noted a lack of consultation with stakeholders, notwithstanding the consultations carried out by ANSSI. It also pointed to the risk of "legislative under-transposition" leading to "regulatory over-transposition", with some 40 implementing decrees planned.
To address this, several amendments spelled out the control and sanction procedures, eased certain constraints on local authorities, and created a cybersecurity compliance label allowing companies to showcase their compliance efforts.
The text adopted by the Senate must now be examined by the National Assembly, where it may again be amended, since some of the changes are not aligned with the government's positions.