Cyber Space: Global insights on cyber and data risk for insurers
Issue 4, July 2025. The French Rejection: How delay in notifying law enforcement of a cyber incident could preclude an indemnity payment
When handling or managing global cyber incidents and claims, it is important that all parties are alive to the potential impact of specific points of local law in certain jurisdictions.
One such example, which has particular relevance to cyber insurance and those responsible for managing cyber incidents, is in France. As outlined below, a recently enacted law means that if an insured entity fails to inform local law enforcement of a cyber incident impacting its systems within a certain timeframe, it could be prohibited from obtaining cover under its cyber insurance policy.
In this article we consider the law and relevant guidance issued on behalf of the French legislature and conclude with a comment on what this means for cyber insurers.
The Relevant Law
In April 2023, Law No. 2023-22 (known as LOPMI), which has since been codified in Article L. 12-10-1 of the Insurance Code (“Article L. 12-10-1”), within Chapter X (dedicated to the insurance of cyber risks), came into force to introduce a strict cyber notification requirement for legal entities (businesses) and natural persons acting in a professional capacity.
This obligation makes the payment of an indemnity under a cyber insurance policy contingent on the victim filing a complaint with the competent authority (i.e. local law enforcement or the prosecutor) within 72 hours of becoming aware of the incident.
Failing this, the impacted entity is not entitled to claim compensation for its losses and damages from the cyber insurer, even if the insurance policy would otherwise have responded to the incident.
This is a matter of “ordre public” (public policy), so both insurers and policyholders must comply. Consequently, contractual waivers are not permitted and there is no requirement for the provision to be included in policy wordings.
Reasoning
Alongside many of the other recent global cyber regulatory changes, this aims to encourage the prompt reporting of cyber incidents to assist investigation and improve the fight against the growing risk of cyber-attacks.
While the French legislator initially considered focusing solely on ransom demands made during ransomware attacks, as is being considered in the UK and other countries, the measure was eventually extended to any act punishable under Articles 323-1 to 323-3-1 of the French Criminal Code.
Consequently, any intrusion or fraudulent activity in a system, any theft or alteration of electronic data, or any impairment of the system's functioning (whether intentional or malicious) must be notified to the competent authority if the victim intends to seek an indemnity under their current cyber insurance policy.
This goes beyond the notification requirements under Article 33 GDPR as there is no requirement for any impact to personal data. Article L. 12-10-1 is therefore much wider reaching.
Timing
Unlike the relatively clear notification wording of Article 33 GDPR (i.e. to notify the relevant regulator not later than 72 hours after having become aware of a personal data breach), the starting point for the 72-hour period under Article L. 12-10-1 is a source of uncertainty.
In this respect, impacted entities often discover the presence of a cyber-attack progressively, and it is not uncommon for only an initial suspicion to arise at first, sometimes without certainty of an intrusion or actual damage. It is therefore difficult to determine when the 72-hour period, which under Article L. 12-10-1 runs from becoming aware of the incident, actually starts.
To assist, the Directorate General of the Treasury (Direction générale du Trésor), whose role includes advising the French government on policy, has provided some guidance on when an entity should be considered as being “aware” of a cyber incident.
In this respect, it considers that the 72-hour period starts at the “discovery of the damages [caused by the incident]” (Direction générale du Trésor, FAQ dated 23 April 2023). This interpretation however still leaves room for ambiguity given it is not clear who must make the discovery, it can often take time for the full impact of a cyber incident to emerge, and there remains room for different interpretations of what constitutes “damage” in this context.
Another issue facing affected entities is what to focus on at the outset of a cyber incident. Most prioritise remediating the technical and commercial impacts of the incident alongside complying with their wider notification requirements. Informing law enforcement, if done at all, has generally not been a priority. The timing requirements of Article L. 12-10-1 however change this and will likely make entities reconsider their initial priorities, especially if they wish to rely on their cyber insurance.
As a consequence, the lack of certainty around what should be notified and when, coupled with the fear of losing the benefit of insurance cover, may prompt affected entities to file precautionary complaints with the competent authorities as soon as possible, whether they need to or not. This potentially risks an administrative burden on the competent authorities and adds a layer of procedure for impacted entities.
Multi-Jurisdictional Incidents
Another key issue is around the relevant law where a cyber incident impacts multiple jurisdictions, not only France.
For example, we recently supported a Moroccan business, which operated in several countries, including the UK and France, in responding to a cyber breach. This is not an uncommon fact pattern, as cyber incidents often involve multi-national businesses with integrated IT systems.
These companies often subscribe to a global insurance policy which, in this context, gives rise to legal issues around the law applying to the cyber incident and, with that, the relevant coverage and/or public order provisions.
To assist, the Direction générale du Trésor has also provided some guidance on the application of Article L. 12-10-1 in an international context.
In this guidance, it considers that where the insurance contract is subject to French law, Article L. 12-10-1 will apply and the entity must file a complaint with the competent authority within 72 hours. This is the case whether or not the operation that has suffered damage is located in France.
It is however accepted that where the damage occurs in a foreign country, a complaint made to the authority in that country will be sufficient to fulfil the requirements of Article L. 12-10-1.
Conversely, even if the entity has suffered damage caused by a cyber incident in France, where the insurance contract is subject to foreign law, Article L. 12-10-1 will not apply and there is no requirement to file a complaint. This was the case with the Moroccan example referred to above.
Summary and Considerations for Insurers
The key point for insurers is that when a cyber incident occurs in France, or has a connection to a French entity, they should consider the governing law of the cyber insurance policy.
Following legislative guidance, where the cyber policy is governed by French law, irrespective of the location of the incident, the provisions of Article L. 12-10-1 will apply, meaning there will be no insurance cover for losses arising from the incident unless the policy holder has notified local law enforcement or the prosecutor within 72 hours of discovery.
Although the legislation specifically relates to cyber insurance, there is some commentary in France which suggests that Article L. 12-10-1 could also apply to cyber incidents notified to other insurance policies, i.e. where there is “silent cyber” cover.
Although the law is relatively new, it is clear that it has been taken seriously by leading French insurance brokers. In this respect they have been proactive in making their clients aware of the legislative changes, updating their cyber wordings and actively encouraging prompt notification of incidents. For cyber policies placed outside France which are stated to be subject to French law, all participants and professional advisors involved in responding to cyber incidents should be aware of the new law.
What is less clear however is the approach from the French authorities, especially how they may respond should an insurer elect to indemnify a policy holder who is in breach of their Article L. 12-10-1 requirements. We will of course continue to monitor this, and all other relevant aspects, as the law matures and will provide an update as soon as there are any developments.
Cyber Space – More to come…
This article is part of our Cyber Space series. These monthly articles, produced for the cyber insurance market, are written collaboratively by CMS’ global network of cyber and data lawyers to build a rolling comparison of the approaches to cyber risks, insurance and legislation across different jurisdictions.
As an international full-service law firm, providing cyber coverage advice and incident response services to insurers and their policyholders for over 15 years, CMS is ideally placed to comment on the important issues and developments in the global cyber space and the potential impacts to insurers and policy cover.