Law n°1435 of 8 November 2016 on the fight against cyber-crime enshrined the status of “Operator of Vital Importance”, also referred to by the French acronym “OIV”, which is defined as any public or private operator:
- Operating in sectors essential for the functioning of institutions and public services, economic activity, or life in the Principality more generally;
- Operating establishments or using installations or buildings, the unavailability of which could substantially affect the above-mentioned interests.
In 2017, Ministerial Order n° 2017-42 listed the sectors identified as being of vital importance, including banking and financial institutions, which are required to comply with all of the security rules laid down by legislation, under the supervision and direction of the Monaco Cyber Security Agency (AMSN).
Additional legislation was expected to set out the arrangements under which the law would be implemented, and in particular the security rules to be followed by OIVs and their obligations to the AMSN.
That was done on 8 November 2018 with new Ministerial Order n° 2018-1053, which includes seven separate annexes detailing the following:
- Security rules for OIVs (security policy, mapping, security accreditation, logs, incident management, etc.);
- The list of information systems of vital importance to be sent to the ANSM and updated annually;
- The impact assessment to be carried out by OIVs, using the assessment grid for security systems of vital importance appended to the Ministerial Order;
- The procedure for reporting all security incidents to the ANSM, using a pre-defined format.
Some annexes have not been made public owing to their sensitive nature, and will be passed directly to the authorised officers at the OIVs themselves (types of information systems of vital importance, types of incidents to be reported, and deadlines for applying security rules).
Banking and financial institutions must therefore be particularly vigilant with regard to these new obligations and the associated formalities.