The Military Programming Act 2014-2019 (especially Article 22) sets out several cybersecurity obligations applicable to “vitally important operators” (opérateurs d’importance vitale) – VIOs – as defined in Article L.1332-1 of the French Defence Code.
The Military Programming Act 2019-2025 provides with measures to strengthen the protection against cyberattacks through the use of telecommunications operators.
The Cybersecurity Act 2018 has created two new categories of operators subject to cybersecurity obligations:
Operators of essential services (OES)
The OES are defined as any public or private entity providing an essential service for the maintenance of critical societal and/or economic activities relying on networks and information systems and whose service could be seriously affected in the event of a network security incident. Pursuant to the implementing Decree No. 2018-384 of 23 May 2018 on the security of networks and information systems of essential service operators and digital service providers, the OES are designated by the Prime Minister in various sectors, such as energy, transportation, banking, financial markets infrastructure, health, digital infrastructure etc. In this respect, the Prime Minister notifies operators individually of his intention to appoint them as an OES and from this notification, the operator may submit observations within a month.
Digital service providers (DSPs)
The DSPs are defined as any legal entity providing a digital service. The services concerned are the online search engines, online marketplaces and cloud computing services.
The French National Cybersecurity Agency (Agence nationale de la sécurité des systèmes d’information, ANSSI) and the Prime Minister appointed the first OES on 9 November 2018.