Cyber compliance in France
Everything about cybersecurity obligations applicable in France. Mandatory frameworks, recommended standards, competent authorities, and penalties.
Mandatory frameworks
Compliance frameworks mandated by regulation in France.
NIS2
EU / ANSSI
EU directive on network and information systems security, transposed into French law. Extended obligations for essential and important entities.
View detailsDORA
EU / ACPR
Digital Operational Resilience Act. Mandatory digital resilience for the European financial sector, applicable in France.
View detailsLPM
ANSSI
Military Programming Law. Security obligations for Operators of Vital Importance (OIV).
RGPD / GDPR
EU / CNIL
General Data Protection Regulation. Individual rights and data controller obligations.
RGS
ANSSI
General Security Framework. Mandatory for French administrations and digital public services.
Recommended standards
The most relevant international standards for the France market.
ISO 27001:2022
ISO/IEC
Information security management system. The reference certification in France, prerequisite for many public tenders.
View detailsSOC 2 Type II
AICPA
Trust Services Criteria. Essential for French SaaS vendors serving Anglo-Saxon clients.
View detailsMethodological frameworks
Complementary frameworks to structure your security approach.
EBIOS RM
ANSSI
ANSSI risk analysis methodology. The reference method in France for risk assessments.
NIST CSF 2.0
NIST
American cybersecurity framework. Complementary with European frameworks for international groups.
CIS Controls v8
CIS
Prioritized critical security controls. Good operational complement to the NIS2 approach.
France regulatory context
Competent authority
ANSSI (National Agency for Information Systems Security) for cybersecurity. CNIL (National Commission on Informatics and Liberty) for personal data.
Penalties
NIS2: up to 10M EUR or 2% of global turnover. GDPR: up to 20M EUR or 4% of global turnover. LPM: administrative and criminal sanctions.
NIS2 transposition
France has transposed the NIS2 directive into national law. ANSSI oversees implémentation and can conduct audits of essential and important entities.
ANSSI qualification
ANSSI issues security visas (qualification and certification) for products and trust service providers.