Top Cybersecurity Laws and Regulations in France
As a prominent voice in the European Union (EU) and a founder of the European Council, France has also led European digital strategy and its efforts to become safer and more autonomous.
France has updated and refined its cybersecurity laws and regulations to reflect its dedication to building better cybersecurity practices. This post highlights those laws and regulations to help you understand cybersecurity requirements in France and how to achieve compliance.
Learn how UpGuard helps businesses become compliant with laws and regulations >
The French National Digital Security Strategy
In 2015, French Prime Minister Manuel Valls announced France’s national digital security strategy to help the French fully transition into a modern, digital society. The strategy was led by the agence nationale de la sécurité des systèmes d'information (ANSSI), also known as the French National Agency for the Security of Information Systems.
This initiative responds to the digital age’s emerging issues. While new technologies have inspired innovation and growth, addressing the increased risks of cybercrime, sabotage, the exploitation of personal data, espionage, and propaganda is necessary. These cyber threats affect the state of France and the EU, its citizens, and economic stakeholders.
France has noted that cyber attacks from state or non-state groups:
- Are unrestricted by borders or distances
- Are difficult to trace
- Can destroy the functionality of telecommunication and information systems and critical infrastructure with relative ease and little cost to the attacker
Accordingly, France’s National Digital Security Strategy focuses on the following:
- The security of critical operators that provide essential services to the economy and society to guarantee national sovereignty
- Data privacy, protection of personal data, and the promotion of digital trust with a solid response to cybercrime
- Continuing education, training, and awareness regarding the digital ecosystem and cybersecurity
- Industrial policy, digital technology for business, and exports making digital security advantageous for French companies
- Digital autonomy in Europe and cyberspace stability, enhancing France’s influence internationally
In May 2022, a European Union initiative led to the meeting of three European cybersecurity communities: Cyber Crisis Liaison Organisation Network (CyCLONe), CSIRTs (Computer Security Incident Response Teams) Network, and Network and Information Systems (NIS) Cooperation Group. These groups also include the European Commission and ENISA. Together, they pursue the common goal of strengthening Europe’s cybersecurity.
With the cooperation of ANSSI, the French Ministry for the Armed Forces, and the Minister of the Interior, among other stakeholders, and international forums such as NATO, the G7, and the OSCE, France is enhancing European and homeland cybersecurity. It is determined to respond to the technical advancements of information systems with appropriate security measures to protect the country’s infrastructure and economy.
Commission Nationale de l’Informatique et des Libertés (CNIL) Fines
In France, the data protection authority is the Commission Nationale de l’Informatique et des Libertés (CNIL), which provides the public with information and support regarding protecting data and how to be compliant.
CNIL was created following a government proposal to introduce a unique identifier for every citizen of France (SAFARI) — the proposal aimed to interconnect government records. The government created an independent oversight committee to ensure that despite Information Technology (IT) developments, organizations would make adequate efforts to protect people’s privacy, rights, and liberties.
France’s CNIL aims to help anyone working with data to do so with the proper respect for privacy. It achieves these goals through workshops, online information, and advising companies so they can begin their activities with privacy in mind.
CNIL is also responsible for investigating non-compliance with data protection laws and issuing fines for non-compliance in France. It can be investigated on-site or online. In 2021, it carried out 173 of its 384 investigations online.
Some of CNIL’s fines, outlined below, illustrate how a financial penalty can motivate an entity, particularly an industry behemoth, to protect its data, clients, and country.
- November 2020 - CNIL fined Carrefour France and Carrefour Bank 2.25 million euros and 800,000 euros, respectively. The data protection non-compliance issues included keeping data too long, providing incomplete or inaccessible data to data subjects, and failing to respond when data subjects demanded access to their data.
- December 2020 - Amazon Europe Core received a 35 million euro penalty from CNIL for placing cookies on users’ devices without the required permissions and information.
- December 2021 - Following numerous complaints, CNIL’s investigation of Facebook led to a 60 million euro fine when it deemed that users could not reject cookies as easily as they could accept them, which interfered with Internet users’ freedom of consent. CNIL ordered Facebook to fix the issue within three months or face a fine of 100,000 euros per day.
Top Cybersecurity Laws and Regulations in France
France’s drive to transition to a modern digital society while addressing the inherent and growing cybersecurity risks has led to new acts, decrees, and regulations, in addition to updates of outdated legislation. We've collated the most prominent and important to help businesses operating in France handle the complexity of French cybersecurity laws and regulations.
All the following cybersecurity regulations support customer data security and data breach resilience. To help understand these French laws and regulations, we’ve included the following helpful information with each listed regulation:
- Whether or not the regulation is mandatory
- Non-compliance fines
- Links to compliance resources
1. Data Protection and Privacy Act 1978
This data protection regulation makes the following data types subject to authorization:
- Social security numbers, except when they are processed for scientific research, historical research, statistical reasons, or to provide users with an online government service;
- Biometric and health data require the organization to submit a declaration of compliance to the CNIL before data processing
Is Complying with the Data Protection and Privacy Act 1978 Mandatory?
France’s Data Protection and Privacy Act 1978 obligated information security from 1978. The Act is reinforced by the EU GDPR.
Articles 34 and 34-bis of DPA 1978 consider cybersecurity, insisting that public and private entities implement appropriate security measures when processing personal data. The stipulations include protecting this data from unauthorized access, modification, or theft.
These articles also require internet service providers (ISPs) to record cyber attacks and report data breaches to CNIL immediately.
What Are the Penalties for Data Protection and Privacy Act 1978 Non-Compliance?
Non-compliance with DPA 1978 used to carry a maximum fine of €3 million. With the introduction of the EU General Data Protection Regulation (GDPR), however, in effect 25 May 2018, all private or public data controllers and processors risk an administrative fine of up to €20 million or 4% of the organization’s global annual turnover, whichever is more.
CNIL may also seek an injunction to prevent the firm from processing data, conducting inspections, and issuing non-compliance warnings to the public. In the event of criminal sanctions, the data controller could face as much as five years in prison.
DPA 1978 Compliance Resources
The following list of free resources could help organizations achieve DPA 1978 compliance:
2. General Data Protection Regulation (GDPR)
CNIL is the regulatory authority for the EU’s GDPR, which obligates public and private sector organizations to protect data. GDPR came into place in May 2018 to reinforce the Data Protection and Privacy Act 1978 framework. With GDPR, personal data security now has more requirements. And data protection authorities are more empowered to support organizations.
Under GDPR, organizations handling data must:
- Implement policies and procedures to secure data
- Record data breaches
- Conduct a Privacy Impact Assessment (PIA) in the case of particular sensitive, high-risk processing
- Report data breaches to the CNIL within 72 hours if people are at risk
- Inform individuals when a data breach occurs if there is a high risk that it will impact them
Is Complying with GDPR Mandatory?
Yes, all firms collecting or processing data in the EU must comply with GDPR. It imposes cyber security obligations on organizations of all sizes and sectors.
CNIL has the power to investigate and verify a firm’s level of compliance with GDPR. It can impose a formal notice and fines on a data controller if dissatisfied.
What Are the Penalties for GDPR Non-Compliance?
Non-compliance with GDPR can lead to an administrative fine of €20 million or 4% of the organization’s annual turnover, whichever is more.
GDPR Compliance Resources
The following list of free resources could help organizations achieve GDPR compliance:
3. Military Programming Act of 2013
According to decrees 2015-350 and 2015-351 (27 March 2015), organizations in key sectors must:
- Implement detection tools to prevent cyberattacks on their networks and information technology infrastructures
- Notify cybersecurity breaches to the relevant authorities without delay
- Audit IT infrastructures regularly
This act designated the governmental agency ANSSI, operating under the General Secretary for Defense and National Security, to ensure that the law is applied correctly and upholds network and information systems security.
Is Complying with the Military Programming Act of 2013 Mandatory?
Yes. Organizations must adopt certain measures when requested by relevant authorities.
What Are the Penalties for MPA 2013 Non-Compliance?
Non-compliance with MPA 2013 can result in a fine of 150,000 euros.
MPA 2013 Compliance Resources
The following list of free resources could help organizations achieve MPA 2013 compliance:
4. Military Programming Act 2014-2019 (MPA 2014-2019)
This act (no. 2013-1168 of 18 December) outlines several cybersecurity obligations for vitally important operators (VIOs). Article L.1332-1 of the French Defence Code defines these vitally important operators as public or private establishments, the loss of which would seriously impair the economic or military power of the country. This includes banks, nuclear power plants, hospitals, restoration, education, and digital infrastructure. The exhaustive list of VIOs can be found in the annex of Decree No. 2018-384.
Article 22 of MPA 2014 - 2019 gave France’s National Cybersecurity Agency (ANSSI) new prerogatives on behalf of the Prime Minister. With the introduction of this act, it could enforce security and control measures.
Is Complying with MPA 2014 - 2019 Mandatory?
According to Article 22 of this law, vitally important operators must report incidents detected on their IT systems to the relevant authorities.
According to decrees 2015-350 and 2015-351, VIOs must implement detection tools to prevent cyber attacks on their networks and IT infrastructures. They must also perform regular security audits of their IT infrastructures and adopt any particular measures requested by the relevant authorities.
What Are the Penalties for MPA 2014-2019 Non-Compliance?
Non-compliance can lead to a fine of as much as 150,000 euros.
MPA 2014-2019 Compliance Resources
The following list of free resources could help organizations achieve MPA 2014 - 2019 compliance:
5. NIS2 Directive
The main goals of the NIS2 Directive, proposed in December 2020, are to:
- Cover more sectors than NIS1
- Replace NIS1’s identification process
- Harmonize security requirements and reporting obligations
NIS2, approved in November 2022, standardizes and clarifies risk management measures and reporting obligations across all critical sectors. It sets minimum regulatory rules and promotes cooperation between each member state’s relevant authorities.
This directive established CyCLONe, which coordinates crisis management for large-scale cybersecurity incidents.
NIS2 also introduces a size cap so that the directive covers all medium and large entities. It covers public administrations, as they are often cyber attack targets, commonly via ransomware, but does not apply to defense or national security entities, the judiciary, law enforcement, public security, parliaments, and central banks.
To avoid over-reporting and burdening the covered entities, NIS2 streamlines earlier reporting obligations. It also proposes that encryption be mandatory for key services.
Is Complying with NIS2 Mandatory?
This NIS directive entails various incident reporting and information management obligations to help strengthen cybersecurity across the EU.
What Are the Penalties for NIS2 Non-Compliance?
Each EU member state may set its own penalty limit for NIS2 non-compliance. Non-compliance with NIS2 could lead organizations to face fines in France's region of €20 million.
NIS2 Compliance Resources
The following list of free resources could help organizations achieve NIS2 compliance:
6. eIDAS Regulation (910/2014)
eIDAS stands for Electronic Identification, Authentication, and Trust Services. This was created to foster digital trust in electronic transactions across EU member states. It intends to create a foundation for secure electronic transmission between public authorities, businesses, and citizens to make public and private online services, business, and commerce more effective.
The eIDAS regulation builds on the European Parliament and the European Council’s 1999/93/EC directive, which delivered a secure framework for safe and secure electronic transactions. It aims to enhance people’s digital rights and enjoyment of a single market with cross-border digital services while simultaneously fighting the potentially diverse power of cybercrime.
Directive 1999/93/EC aims to make it easier for people to access services, such as healthcare, across Europe using the access credentials common to their home country. This level of accessibility and digital infrastructure, however, requires data protection, secure electronic identification, and authentication regulated by eIDAS.
eIDAS defines the standards for electronic identification in the EU, including:
- Electronic signatures
- Electronic seals
- Time stamps
It aims to give electronic transactions the legal validity of paper documents.
Is Complying with eIDAS Mandatory?
Complying with eIDAS is mandatory for trust service providers serving clients within the EU. This includes companies that provide the following:
- Validation services
- Electronic registered delivery services
- Qualified web certificate for authentication
- Qualified timestamping
- Electronic identification
- Advanced and qualified electronic seals
What are the Penalties for eIDAS Non-Compliance?
There are no specific penalties for using the EU trust mark incorrectly or without being accredited.
eIDAS Compliance Resources
7. Payment Card Industry Data Security Standard (PCI DSS)
Launched in September 2006, the PCI DSS requirements aim to see to it that all entities storing, processing, and transmitting credit card information do so securely. It manages PCI security standards and aims to improve account security.
It’s an independent body created by JCB, Discover, American Express, MasterCard, and Visa and administered by the PCI Security Standards Council (PCI SSC), but the payment brands are responsible for enforcing compliance.
These firms wish people to use their cards worldwide, so these standards apply in France. The 12 requirements for PCI DSS compliance, in no intentional order, are as follows:
- Proper document policies, including regular equipment inventories, logs of accessing cardholder data, and documents regarding information flow about card transactions;
- Regular scans and vulnerability testing of payment system infrastructure, including hardware, software, and employees;
- Maintenance of access logs to track data flow and how and when sensitive data was accessed;
- Restriction of physical access to cardholder data, whether digital or written.
- Maintenance of unique access credentials for each member of staff with authority to access or process cardholder data;
- Restriction of access to data so that only those who need cardholder data can access it;
- Prompt software updates for all software on devices that store or interact with cardholder data;
- Proper use of antivirus software, which includes the entity keeping it running and updated and the POS provider doing the same if it cannot be installed directly by the user;
- Encryption of all cardholder data;
- Encryption of all transmitted cardholder data;
- The use and maintenance of strong passwords to access and process cardholder data;
- Proper firewall maintenance protects against hackers and prevents unauthorized access to cardholder data.
Is Complying with PCI DSS Mandatory?
PCI DSS is a standard, not a law. However, it is enforced through contracts between merchants, payment brands, and banks. To avoid fines and other repercussions, all service providers and merchants that process, transmit, or store cardholder data must comply with PCI DSS.
What are the Penalties for PCI DSS Non-Compliance?
Non-compliance with PCI DSS can lead to a firm being penalized between €4,300 and €86,000 per month until they are compliant.
Banks may also impose fees or make their transactions more costly. And the card brand may seek compensation for costs incurred due to the security incident. These costs could be as much as €4700 to €9500 per month.
PCI DSS Compliance Resources
8. PSD 2
The EU’s Payment Services Directive is a European regulation for electronic payment services. It aims to make payments more secure in Europe, help banking services adapt to emerging technologies, and boost innovation. It has helped banks open their payment services to Third-Party Payment Services Providers.
The original PSD began in 2007. 2013s PSD2 considers two developments that changed the landscape of payment processing: Account Information Services (AIS), which allowed customers to view their financial situation efficiently, and Payment Initiation Services (PIS), which facilitated online banking to make online payments.
After some delays, PSD2 finally went into force in September 2019, including regulations to protect online payments, using strong authentication, such as multi-factor authentication, and improving customer data security.
Is Complying with PSD2 Mandatory?
Yes, PSD2 is mandatory in the EU and the European economic area. Companies must apply for a license to become a payment initiation service provider (PISP) or an account information service provider (AISP).
What are the Penalties for PSD2 Non-Compliance?
Potential penalties for PSD2 non-compliance are significant. An entity can be fined 4% of its total turnover, depending on which penalty is more.
