France Moves Forward on Implementation of Cybersecurity Framework for Operators of Critical Infrastructures

France Moves Forward on Implementation of Cybersecurity Framework for Operators of Critical Infrastructures

On November 28, 2016, four sector-specific orders were adopted by France's Secretary General for Defense and National Security, on behalf of the Prime Minister. These orders (document in French) aim to complete the information systems security plan applicable to the Operators of Critical Infrastructures ("OCI") in the finance, audiovisual and information, industry, and electronic communications and internet sectors.

The four sector-specific orders set forth: (i) technical and organizational security measures; (ii) the obligation for OCIs to carry out an impact assessment so as to identify the critical importance information systems among their information systems; and (iii) the obligation to set up a notification and a resolution procedure for security incidents. These four new orders follow three previous orders in force since July 1, 2016, related to the health care products, water management, and food supply sectors.

Pursuant to the Defense Code (Articles L. 1332-6-1 and R. 1332-41-1), the Prime Minister has authority to adopt security measures proposed by ANSSI, the French national cybersecurity agency, in relation to the cybersecurity of OCIs. The implementation of such measures is compulsory, and failing to comply with such legal requirements is a criminal offense that may trigger fines of up to EUR 750,000 for businesses.

France has become a leading country in terms of implementation of a regulatory framework for defining cybersecurity measures and securing the information systems in key sectors identified by a ministerial order of June 2, 2006, as critical for the nation. These sectors are divided into three categories—government, protection of citizens, and social and economic life of the nation. Other sector-specific orders are expected to be adopted in 2017 for the remaining sectors.

The four orders adopted on November 28, 2016, will become effective on January 1, 2017, and will be mandatory for entities that have been designated as OCIs. Other public and private entities operating in France in one of the four sectors to which these orders relate should also take this opportunity to review their own cybersecurity standards in order to properly assess and limit the exposure of their information systems and the related liability risk.

Lawyer Contacts

For further information, please contact your principal Firm representative or one of the lawyers listed below. General email messages may be sent using our "Contact Us" form, which can be found at

Olivier Haas

Daniel J. McLoon
Los Angeles

Mauricio F. Paez
New York

Undine von Diemar

Hatziri Minaudier, associate in the Paris Office, assisted in the preparation of this Alert.

 Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our "Contact Us" form, which can be found on our website at The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.