Not a week goes by without a cyberattack. While hospitals and town halls seemed more affected, very mainstream companies, like Free or Picard, are now targeted. Has the threat evolved?
I often take the image of trawling: today, cybercriminals attack any target in an indeterminate way. As the most critical entities protect themselves, the threat increasingly shifts to the general public.
So the risk is more diffuse?
Yes, and cyberattacks are becoming the norm. Brittany remembers, for example, the incidents which affected the Rennes University Hospital and, more recently, the Sagesse clinic.
Is awareness of the subject evolving?
It is progressing but remains insufficient. It must be strengthened and everyone must ensure that they take the right measures. It's an effort, that's for sure, you have to invest in tools, adapt your organization, train your employees. But it will still be less expensive than facing an attack, which can cost up to several million euros.
On October 15, you presented, in the Council of Ministers, a bill which transposes the European directive NIS 2, in order to strengthen cyber protection obligations. What will it change?
Until now, around 300 public and private entities were obliged to protect themselves, there will be more than 15,000 in the future. Companies, communities, hospitals, etc. We also go from six targeted sectors of activity – energy, finance, health, transport, etc. – to 18. Areas such as public administration, space, postal services, waste management, chemistry, research, digital suppliers or the agri-food industry.
Is everyone notified of upcoming changes?
This is a point of vigilance. The National Information Systems Security Agency (Anssi) has already done a lot of work and conducted 70 consultations to bring forward needs in the field and raise awareness. In order to guide the entities concerned, the “My NIS 2 space” portal has been put online in a beta version and will be gradually enriched. We will ensure that we continue to strengthen communication on this tool.
Are checks and sanctions planned?
We are committed to supporting the entities concerned. But so that awareness can be raised and the rules produce their effects, the directive that we are transposing provides for sanctions. The bill draws the consequences accordingly, without over-transposition.
Each year that passes means taking the risk of being attacked.
The measures in the bill must come into force as soon as it is adopted, but businesses and communities believe that the deadline is too short. What do you answer them?
We are aware that we need to give them time to become compliant. What is important is that we do not say “We still have three years” and that in the end, we do not take up the subject. At the beginning, there will therefore be blank checks carried out by Anssi, in its support logic. This must start as soon as possible. Each year that passes means taking the risk of being attacked.
Can we expect any developments?
The text is balanced and faithful to the directive, but we remain attentive to the field and the government will have the opportunity to comment on the developments that could be proposed during the debates in Parliament. We will ensure that implementation is proportionate and very gradual.
What is the timetable for the bill in Parliament?
The text was transmitted to the Senate, which created its special committee last week. It should be examined in session at the start of the year, then in the Assembly, for final adoption in spring 2025, subject to any developments that may occur in the parliamentary calendar between now and then.
