French view on the NIS Directive transposition
Cybersecurity Framework in France - ANSSI
> The Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI) was created on July 7th 2009 by a decree (2009-834) of the Prime Minister, which precisely defines its authority and missions.
> ANSSI is a service with national responsibility, which reports to the General Secretary for Defence and National Security.
> ANSSI has two main missions: to prevent and to react to cyber attacks.
Cybersecurity Framework in France - From government to critical infrastructures
Rising awareness on the need to enhance cybersecurity of Operators of Vital Importance (OIV)
Timeline:
• 2008 - White Paper on Defence and National Security
• 2009 - Creation of ANSSI
• 2011 - French Cybersecurity Strategy
• 2013 - White Paper on Defence and National Security
Evolution of ANSSI’s role over this period: Information Systems Security Authority, then Information Systems Defence & Security Authority.
CIIP - An existing critical infrastructures protection framework
More than 200 critical infrastructure operators (“Operators of Vital Importance”) identified, since 2006.
12 public-private critical sectors identified: Food, Energy, Industry, Water, Transport, Justice, Military activities, Civilian administration, Health, Finance, Telecom & broadcasting, Space & Research.
Scope of the existing framework: all sectors; physical “points”; 12 public-private critical sectors; more than 200 operators.
The CIIP law
Adopted in December 2013, the law aims at reinforcing the cybersecurity of critical operators and allows ANSSI – and other State bodies – to further support them in the event of a cyberattack against their critical information systems.
• The new framework will apply to all public and private critical operators already designated.
• In addition to their physical points, operators will need to identify their “critical information systems”.
• Dedicated security measures will complement existing cybersecurity objectives.
Scope of the CIIP law: all sectors; 12 critical sectors identified; 200+ critical operators; critical information systems.
The CIIP law
The law provides four sets of measures:
SECURITY REQUIREMENTS
ANSSI will impose on the operators a set of technical and organisational rules.
INCIDENT NOTIFICATION
ANSSI shall be notified directly by operators of incidents occurring on their critical information systems.
INSPECTION
ANSSI can trigger security audits led by itself, another State authority or a Trust service provider.
MAJOR CRISIS
ANSSI can impose cybersecurity measures in case of a major crisis, declared by the Prime Minister.
NIS - Strategic objectives
> A dynamic interministerial process to identify a new set of operators that are essential to economic and societal activities: the operators of essential services
> ANSSI will impose on these operators a set of technical and organizational rules very similar to the rules applying to the critical operators
Calendar and first challenges for the transposition
• Constraints: French presidential election in May and June 2017
• Promulgation of the law expected at the beginning of 2018
• Regulation: decree to establish the list of essential services and application measures for each operator
• Implementing act for the rules regarding the functioning of the cooperation group published in February 2017
• Bill submitted to ministries in May
Calendar for the transposition
Timeline chart (15 Oct, 15 Nov, 15 Dec, 15 Jan, 15 Feb, 15 Mar, 15 Apr, 9 May) with three parallel tracks: Law, Law decree, Application decree.
• Law: State council, Ministry council, Parliament, Promulgation, Publication in the official journal, Notification to the European Commission.
• Decrees: Decree writing, Formal consultation of ministries, State council, Publication in the official journal, Notification to the European Commission.
• In parallel: internal ANSSI work on the security rules to bring them into line with the European reference guide; “Writing of 3” (label cut off in the source).
Where do we stand today
Interministerial meeting of 09/10/2017 outcomes:
➢ A dedicated law to transpose chapters IV and V
➢ ANSSI designated as single competent authority for the cooperation group;
➢ CERT-FR designated as single French CSIRT for the CSIRT Network;
➢ Prime minister will establish the list of essential services and the list of OES on the proposition of ministries or ANSSI;
➢ Prime minister will define security rules for OES information systems
Challenge N°1 - Identification of the OES
> In the critical sectors already defined, the operators of essential services will be of the same nature as the critical operators (airports, hospitals, electricity suppliers…) but less sensitive.
The NIS directive covers many more companies. The following are concerned and considered as OES:
> Industrial production sites
> Telecommunications operators
> Transport companies
> Hospitals, etc.
> Operators of essential services might be identified in other areas of activity (democratic life, cybersecurity industry, tourism…)
> Methodology: mix of quantitative and qualitative criteria
Challenge N°2 – Working with the Private sector (RETEX)
Starting in late November 2014, working groups led by ANSSI were set up to define with the operators how core provisions would concretely apply.
Diagram: working groups bringing together ANSSI, regulators, ministries and public & private operators (sectoral expertise).
Challenge N°3 – Articulation with CIIP framework
Challenges
• Apply the same rules to non-OIV actors essential to the functioning of the economy and society
• Harmonize the different frameworks of EU member states
• Avoid new requirements for IS already subject to the LPM
Diagram comparing the two frameworks:
• OIV: Art 22 LPM (Code of Defense); national security; classified information
• OES: dedicated law; internal market; stakeholders essential to the functioning of the economy and society
Challenge N°4 – Reach an acceptable security level
Key characteristics
• Tailored cybersecurity measures.
• Mostly basic cybersecurity measures.
• Taking into account ANSSI’s and the operators’ operational experience and existing international standards.
• 95 % common to all the sectors. But, depending on the sector’s maturity, the timelines for application can differ (delays not public).
• Apply only to the operators’ critical information systems.
Note: the law will include sanctions in case operators do not respect their obligations.
20 categories of security rules were elaborated and agreed upon by all operators: they are preventive actions aiming at reducing the risks of success for most cyberattacks.
Challenge N°5 – Efficient Incident notification
Diagram of the notification flow between the victim critical operator, ANSSI, the sectoral ministry and other critical operators:
• The victim critical operator sends a form to ANSSI to notify an incident on one of its SIIV (critical information systems).
• ANSSI provides support to the victim (from recommendations to onsite support).
• ANSSI shares information on the cyber incident with the sectoral ministry, which shares feedback on the incidents.
• ANSSI shares anonymised information on the incident with other critical operators to prevent potential attacks (voluntary information exchange).
Challenge N°6 – Assistance to the OES
In order to facilitate the implementation of the CIIP law, ANSSI has established a challenging and efficient process allowing the qualification of private “Trust Service Providers”.
Diagram: ANSSI runs a rigorous evaluation process of service providers; the qualified providers deliver trustworthy services to critical operators (government and industry) as their clients; the operators’ feedback strengthens the qualification process.
General overview - Adapt the security level to the risk
Pyramid figure with three tiers, ordered from simple to medium to complex cyberattacks:
• Basic rules (hygiene and basic principles): security of citizens / SMEs (PME). Framework: ACYMA.
• Cybersecurity tailored rules (normative and regulatory framework): security of the economy. Framework: NIS.
• Sectorial rules (risk analysis): security of the most critical IS, government or critical infrastructures. Framework: CIIP.