French view on the NIS Directive transposition

French view on the NIS Directive transposition - CERT.RO · CERT-FR designated as single French CSIRT for the CSIRT Network ; ... Security of citizens / PME Cybersecurity tailored


Page 1

French view on the NIS Directive transposition

Page 2

Cybersecurity Framework in France - ANSSI

> The Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI) was created on July 7th 2009 by a decree (2009-834) of the Prime Minister, which precisely defines its authority and missions.

> ANSSI is a service with national responsibility, which reports to the General Secretary for Defence and National Security.

> ANSSI has 2 main missions: prevent and react to cyber attacks.

Page 3

Cybersecurity Framework in France - From government to critical infrastructures

Rising awareness of the need to enhance the cybersecurity of Operators of Vital Importance (OIV)

Timeline:

• 2008 - White Paper on Defence and National Security
• 2009 - Creation of ANSSI
• 2011 - French Cybersecurity Strategy
• 2013 - White Paper on Defence and National Security

Additional timeline labels: Information Systems Security Authority; Information Systems Defence & Security Authority

Page 4

CIIP - An existing critical infrastructures protection framework

More than 200 critical infrastructure operators (“Operators of Vital Importance”) identified, since 2006.

12 public-private critical sectors identified: Food, Energy, Industry, Water, Transport, Justice, Military activities, Civilian administration, Health, Finance, Telecom & broadcasting, Space & Research.

Diagram: all sectors, physical “points”, > 200 operators.

Page 5

The CIIP law

Adopted in December 2013, the law aims at reinforcing the cybersecurity of critical operators and allows ANSSI – and other State bodies – to further support them in the event of a cyberattack against their critical information systems.

• The new framework will apply to all public and private critical operators already designated.
• In addition to their physical points, operators will need to identify their “critical information systems”.
• Dedicated security measures will complement existing cybersecurity objectives.

Diagram: 12 critical sectors identified, 200+ critical operators; all sectors; critical information systems.

Page 6

The CIIP law

The law provides 4 sets of measures:

SECURITY REQUIREMENTS: ANSSI will impose on the operators a set of technical and organisational rules.

INCIDENT NOTIFICATION: ANSSI shall be notified directly by operators of incidents occurring on their critical information systems.

INSPECTION: ANSSI can trigger security audits led by itself, another State authority or a Trust service provider.

MAJOR CRISIS: ANSSI can impose cybersecurity measures in case of major crisis, declared by the Prime Minister.

Page 7

NIS - Strategic objectives

> A dynamic interministerial process to identify a new set of operators that are essential to economic and societal activities: the operators of essential services

> ANSSI will impose on these operators a set of technical and organizational rules very similar to the rules applying to the critical operators

Page 8

Calendar and first challenges for the transposition

• Constraint: French presidential election in May and June 2017
• Promulgation of the law expected at the beginning of 2018
• Regulation: Decree to establish the list of essential services and application measures for each operator
• Implementing act for the rules regarding the functioning of the cooperation group published in February 2017
• Bill submitted to ministries in May

Page 9

Calendar for the transposition

Timeline figure (15.Oct, 15.Nov, 15.Dec, 15.Jan, 15.Feb, 15.Mar, 15.Apr, 9.May) with three tracks: Law, Law decree, Application decree.

Stages shown on the tracks: Decree writing; Formal consultation of ministries; State council; Ministry council; Parliament; Promulgation; Publication in the official journal; Notification to the European Commission (the publication and notification steps appear once per track).

Internal ANSSI work on the security rules to comply with the European reference guide

Writing of 3

Page 10

Where do we stand today

Interministerial meeting of 09/10/2017 outcomes:

➢ A dedicated law to transpose chapters IV and V;
➢ ANSSI designated as single competent authority for the cooperation group;
➢ CERT-FR designated as single French CSIRT for the CSIRT Network;
➢ Prime minister will establish the list of essential services and the list of OES on the proposition of ministries or ANSSI;
➢ Prime minister will define security rules for OES information systems.

Page 11

Challenge N°1 - Identification of the OES

> In the critical sectors already defined, the operators of essential services will be of the same nature as the critical operators (airports, hospitals, electricity suppliers…) but less sensitive.

The NIS directive covers many more companies. The following are concerned and considered as OES:

> Industrial production sites
> Telecommunications operators
> Transport companies
> Hospitals, etc.

> Operators of essential services might be identified in other areas of activity (democratic life, cybersecurity industry, tourism…)

> Methodology: Mix of quantitative and qualitative criteria

Page 12

Challenge N°2 – Working with the Private sector (RETEX)

Starting in late November 2014, working groups led by ANSSI were set up to define with the operators how core provisions would concretely apply.

Diagram: sectoral expertise shared between regulators, ministries, and public & private operators.

Page 13

Challenge N°3 – Articulation with CIIP framework

Challenges

• Apply the same rules to non-OIV actors essential to the functioning of the economy and society
• Harmonize the different frameworks of EU member states
• Avoid new requirements for IS already subject to the LPM

Diagram:

• Art 22 LPM (Code of Defense): OIV, National Security Classified information
• Dedicated law: OES, internal market, stakeholders essential to the functioning of the economy and society

Page 14

Challenge N°4 – Reach an acceptable security level

Key characteristics

• Tailored cybersecurity measures.
• Mostly basic cybersecurity measures.
• Taking into account ANSSI’s and the operators’ operational experience and existing international standards.
• 95 % common to all the sectors. But, depending on the sector’s maturity, the timelines for application can differ (deadlines not public).
• Apply only to the operators’ critical information systems.

Note: the law will include sanctions in case operators do not respect their obligations.

20 categories of security rules were elaborated and agreed upon by all operators: they are preventive actions aiming at reducing the risks of success for most cyberattacks.

Page 15

Challenge N°5 – Efficient Incident notification

Notification flow (diagram) between the victim critical operator, ANSSI, the sectoral ministry and the other critical operators:

• Victim critical operator → ANSSI: sends a form to notify an incident on one of the SIIV
• ANSSI → victim critical operator: provides support to the victim (from recommendations to onsite support)
• ANSSI ↔ sectoral ministry: shares information on the cyber incident; shares feedback on the incidents
• ANSSI → other critical operators: shares anonymised information on the incident to prevent potential attacks
• Voluntary information exchange with the other critical operators

Page 16

Challenge N°6 – Assistance to the OES

Diagram of the qualification scheme between ANSSI (Government), service providers (Industry) and critical operators (Client):

• ANSSI → service providers: a rigorous evaluation process
• Service providers → critical operators: provision of trustworthy services
• Critical operators → ANSSI: feedback to strengthen the qualification process

In order to facilitate the implementation of the CIIP law, ANSSI has established a challenging and efficient process allowing the qualification of private “Trust Service Providers”.

Page 17

General overview - Adapt the security level to the risk

Diagram: the security level rises with the complexity of the cyberattack (SIMPLE, MEDIUM, COMPLEX), across three tiers:

• Basic rules, security of citizens / PME: hygiene and basic principles (ACYMA)
• Cybersecurity tailored rules, security of the economy: normative and regulatory framework (NIS)
• Sectorial rules, security of the most critical IS, government or critical infrastructures: risk analysis (CIIP framework)