The governance of cybersecurity is a crucial multidimensional issue for national security. It involves coordinating players from a variety of backgrounds both nationally and internationally, something France has been advocating since President Emmanuel Macron’s Paris Appeal on November 12, 2018.⁽¹⁾ With over 1,200 supporters from every continent (80 states, companies, civil society organizations, local authorities and public authorities including the European Commission), the French doctrine is therefore likely to spread worldwide. Effective cybersecurity governance strengthens a country’s digital sovereignty and technological independence, reducing its vulnerability to foreign cyberthreats. It requires policies, procedures and technologies to prevent and respond effectively to cyberattacks. However, given the varied nature of the cyber challenges facing the country, different types of response are being structured around different categories of actors.

Typologies of Organizations’ Vulnerability to Cyber Risk

With the democratization of digital transformation, organizations within the European Union (EU) or operating within its member states have also seen their exposure to cyber risk increase.⁽²⁾ In order to collectively guarantee adequate security conditions and to raise the level of maturity with respect to cyber risk within strategic business sectors, the EU adopted the NIS 1 directive for “Network and Information Security” in 2016. This directive made it possible to designate Operators of Essentials Services (OES), i.e., the services necessary to maintain critical societal or economic activities. The provision of these services is dependent on networks and information systems, and an incident involving them would have a significant disruptive effect on service provision.⁽³⁾

With the implementation of the NIS 2 directive, which comes into force in France in October 2024, other sectors are being added to the strategic sectors within which the OES operate: the space sector including operators of terrestrial infrastructures and space devices, food, manufacturing including industrial manufacturing, infrastructure, machine tools, means of transport and electronic and optical devices, information and communication technologies including platforms, e-commerce sites, search engines and social networks that employ more than 50 people, waste and wastewater management, like drinking water management already covered by NIS 1, chemical production and distribution, which has been separated from manufacturing due to its specific regulatory framework, regional and local government, research and higher education, and services essential to public health and safety.⁽⁴⁾