Transposition of the NIS directive in France

On 25 May 2018, yet another step is taken toward the complete transposition of the NIS directive into France’s national law with the publication of the decree n°2018-384 executing the legislative proposal voted by the French Parliament on 15 February 2018.

As the French coordinator for the transposition, ANSSI worked alongside all relevant stakeholders to prepare this executive act that defines the cybersecurity framework for “operators of essential services” and “digital service providers”.

An ambitious transposition

By choosing an ambitious transposition, France has established a list of sectors for essential services, following consultations by ANSSI with public and private stakeholders and its European partners. This list refers to many sectors including banking, logistics or catering.

Operators will be appointed soon based on this list of sectors, and will be subject to the following obligations:

• Identify a representative
• Identify the essential information system (s)
• Apply security rules
• Report any security incidents that may have a significant impact
• Be subject to security checks

Also concerned, Digital Service Providers  are subject to obligations for risk analysis, the application of technical and organizational measures and the reporting of incidents. DSP will also be subject to security checks.

A collective work at the European level

The national transposition is furthermore drawing on France’s counterparts experience, especially from the reference documents issued by the NIS Cooperation group established in 2017 at the EU level. France also contributed to this exchange of best practices, sharing its national expertise to collaborate to the “Reference document on security measures for Operators of Essential Services”.

This risk management approach is based on four main themes:

• security governance of networks and information systems;
• protection of the security of networks and information systems;
• defense of networks and information systems;
• resilience of activities.

The large-scale attacks that all countries face in 2017 confirmed the need for an overall threat evaluation and enhanced coordination in handling incidents. Created by the NIS directive, the “CSIRTs network”  is essential to collectively address these issues. It provides enhanced operational cooperation between between EU Member States, through the existing cyber security incident response teams (CSIRTs).