The French CIIP Framework

A dedicated CIIP law

Establishing common requirements for the cybersecurity of critical operators

In 2013, years of experience and cooperation with critical operators led ANSSI to propose the adoption of a regulatory framework the « CIIP Law », promulgated on December 18, 2013. The law was proposed with a view of establishing a common minimum level of cybersecurity for all critical operators and reinforcing ANSSI to support them in the event of a cyberattack.

The law is destined to apply to more than 200 public and private operators from 12 sectors already identified as critical in France.
Security requirements will apply only to the operators’ most “critical information systems” that they are responsible to identify.

The law provides with 4 main measures:

• Incidents Notification

  ANSSI shall be notified directly by operators of incidents occurring on their critical information systems, while protecting the confidentiality of the operators. To know more

• Security Rules

  ANSSI will set technical and organisational rules, mostly basic cyber hygiene measures and common to all sectors. To know more

• Inspection

  ANSSI can trigger security inspections done by its services, another State authority or a Trust Service Provider on a regular basis or following an incident. To know more

• Major Crisis

  ANSSI can impose measures in case of a major crisis, declared by the Prime Minister. It lays down legal basis for action in the framework of crisis management plans.

A supporting CIIP Public – Private Partnership (PPP)

Bringing together the operators’ expertise and ANSSI’s operational experience towards the co-drafting of tailored cybersecurity measures

Starting in late November 2014, working groups (WG) were set up by ANSSI with all voluntary public and private operators as well as Ministries and Regulators, thus establishing an ambitious Public and Private Partnership (PPP) on CIIP.

These working groups aimed at working on a multistakeholder basis with the objective of:

• Co-drafting with the operators the deliverables defining how core provisions would concretely meet the sectors’ expectations and constraints (some sectors were even divided into sub sectors).
• Being pragmatic and tailored in order to avoid unnecessary burden for the operators.

The work of the WG was a huge investment in time and resources for ANSSI and the operators.

• March2014

  Experimentation phase

  First meetings with volunteer operators to work on critical information, incident notification and security rules definition

• October2014

  First kick-off meeting

  Followed by:

  • 3 working meetings
  • Bilateral meetings with operators on specific subjects
  • Close-off meeting

• June2015

  Elaboration of the legal documentation by ANSSI

  • Elaboration of the definitive security rules for the first sectors
  • Elaboration of the legal documentation (sectoral orders)

• January2016

  Interministerial consultation

  Approval of the sectoral orders

• July2016

  Sectoral orders coming into effect for the first sectors

  Other sectoral orders followed on October 1st, 2016. The next ones will come into effect in 2017

Requirements and Tools

Defining tailored deliverables

After 2 years, 18 WG, 200 meetings and more than 300 experts involved, the WG managed to develop:

• A critical information systems typology.
• A set of tailored security rules. Cross-sectoral, they are mainly composed of basic cyber measures and fall within 20 categories including network mapping, network segmentation, implementation of trusted detection capabilities, accreditation, etc.
• A security incidents Framework including a typology of incidents to be notified and reporting forms.

While these deliverables will translate into new requirements for them, operators will also benefit from strengthened attention and support from ANSSI. In case of an incident, ANSSI may for instance provide direct assistance, thus constituting a strong incentive for the operators.

Supporting Trust Service Providers

Involving the private sector in order to support operators raise their level of cybersecurity

Taking into account the fact that ANSSI can’t alone support the operators facing all challenges related to CIIP and in view of supporting them implement the CIIP law, ANSSI established a challenging and rigorous evaluation process allowing it to qualify private cybersecurity “Trust Service Providers” and products.

As of today, providers can be qualified for services in the fields of:

• Security Audits
• Detection
• Incident reponse
• Integration and architecture (planned)

The qualification process guarantees, skilled and trustworthy services
Know more about Trust Service Providers here

The French CIIP Framework in brief

Find more information in the FAQ section

Towards the NIS directive implementation

On July 6, 2016, the Council of the European Union and the European Parliament adopted the European network and information system security Directive (“NIS Directive”, first European legislation dedicated to cybersecurity, aiming at:

• strengthening national cybersecurity capabilities;
• establishing a framework for cooperation among EU Member States –at both political and operational levels ;
• strengthening the cybersecurity of “operators of essential services” and “digital service providers”.

ANSSI is particularly supportive of the operational cooperation established between EU Member States, through the existing cyber security incident response teams (CSIRTs) network which was created by the NIS directive. The large-scale attacks that all countries face in 2017 confirmed the need for an overall threat evaluation and enhanced coordination in handling incidents.

ANSSI was since designated national coordinator for the transposition of the NIS Directive in France. Levering from ANSSI’s and operators’ experience, the transposition of the NIS Directive in France will benefit from the work already accomplished within the framework of the implementation of the CIIP law.

The national transposition is furthermore drawing on France’s counterparts experience, especially from the reference documents issued by the NIS Cooperation group established in 2017 at the EU level. France also contributed to this exchange of best practices, sharing its national expertise to collaborate to the “Reference document on security measures for Operators of Essential Services”.

On 15 February 2018, the French Parliament voted in favour of the legislative proposal, thus making an important step towards the full transposition into France’s national law. On 22nd May 2018, another step is taken with the publication of the decree to pursue the implementation of the French law.