A decree on the digital security of the State IS

If it goes without saying that the State has always ensured the security of its IT, a decree of April 8, 2022 published in the official journal of April 10 formalizes certain provisions and choices. Most of these decisions are already applied or strongly recommended, in particular by the ANSSI (National Agency for the Security of Information Systems). What used to be more or less implemented best practices will now therefore be strictly mandatory and therefore normally systematic. It should be remembered that, since 2015, the State considers that it has only one information system which concerns all the ministries, State administrations and public establishments under ministerial supervision. The political responsibility for the computer security of the State is therefore placed in the hands of the Prime Minister.

Each ministry must have, if it has not already done so, an information systems security official, a ministerial CISO, and a qualified authority competent in matters of ISS. This qualified authority is responsible for the security accreditation of the entire part of the State’s IS for which it is responsible. This approval becomes strictly mandatory. It includes a detailed analysis of the risks and responses to the identified risks.

The formal provisions will be binding with a six-month deadline, i.e. October 10, 2022, with homologations to be completed within two years of that date, i.e. before October 10, 2024.