On November 28, 2016, four sector-specific orders were adopted by France's Secretary General for Defense and National Security, on behalf of the Prime Minister. These orders (document in French) aim to complete the information systems security plan applicable to the Operators of Critical Infrastructures ("OCI") in the finance, audiovisual and information, industry, and electronic communications and internet sectors.
The four sector-specific orders set forth: (i) technical and organizational security measures; (ii) the obligation for OCIs to carry out an impact assessment to identify, among their information systems, those that are of critical importance; and (iii) the obligation to set up a notification procedure and a resolution procedure for security incidents. These four new orders follow three previous orders in force since July 1, 2016, related to the health care products, water management, and food supply sectors.
Pursuant to the Defense Code (Articles L. 1332-6-1 and R. 1332-41-1), the Prime Minister has authority to adopt security measures proposed by ANSSI, the French national cybersecurity agency, in relation to the cybersecurity of OCIs. The implementation of such measures is compulsory, and failing to comply with such legal requirements is a criminal offense that may trigger fines of up to EUR 750,000 for businesses.