THE CRITICAL INFRASTRUCTURE

PROTECTION IN FRANCE

Objectives and challenges

What is a critical activity in France? What are critical infrastructures (CI)?

Because they contribute to the production and Critical infrastructures are institutions, structures or
distribution of goods and services that are essential facilities that provide the essential goods and services
for the French State to exercise its authority, for the forming the backbone of French society and its way of
economy to function, for the continued defence of the life.
nation or for the sake of national security, some activities
are considered to be “of critical importance”. The operators themselves draw up the list of their critical
infrastructures, which may be production sites, control
The very nature of these activities means that they are centres, network nodes or data centres for example.
difficult to substitute or replace.

How are critical operators designated? What is the policy on the critical
infrastructure protection (CIP)?
Critical opertors are appointed by the sector’s minister
who selects them from among those who operate or Developed and coordinated by the General Secretariat
use facilities forming the backbone of French society for Defence and National Security (SGDSN), the
and its way of life. The designation criteria and security critical infrastructure protection (CIP) policy provides a
objectives are set by the coordinating ministry. framework in which public or private critical operators
can assist in implementing the national security strategy
The procedure involves, on the one hand, a consultation in terms of protection against malicious acts (terrorism,
with the pre-selected operators and, on the other, sabotage) and natural, technological and health risks.
cross-government talks enabling equivalent protection
between all sectors identified as critical. Critical operators As the linchpins of this system, critical operators must
are designated with account taken of any distortion of analyse the risks to which they are exposed and apply
competition and with every effort taken to avoid undue the protection measures within their remit – particularly
burdens. the VIGIPIRATE plan.

The 2013 White Paper on Defence and National Security

establishes this policy as a means of strengthening the
Nation’s resilience.
 Twelve sectors of critical importance across four key areas of responsibility
BASIC HUMAN NEED

Food
Water management
Health
SOVEREIGN

Civilian activities
Legal activities
Military activities
ECONOMIC

Energy
Finance
Transport
TECHNOLOGICAL

Communication, technologies and

broadcasting
Industry
Space & research

Stakeholders and responsibilities

Prime Minister/SGDSN Ministries Ministry of the Interior

By delegation of the Prime Minister, the Ministries are tasked with drawing up the The Ministry of the Interior oversees
General Secretariat for Defence and National Security Directive for each sector the territorial organisation of the system
National Security (SGDSN) is responsible (and subsector) by stating which challenges, so as to support the action of zone and
for the cross-government coordination and vulnerabilities and threats must be taken on département-level.
organisation of the system. It determines board and by defining the sector’s security
the scope of the CIP policy, particularly as objectives.
regards method and doctrine.
Ministries are also the operators’ main
It approves the National Security Directive. points of contact.
It also lays down the cybersecurity rules
that must be applied by critical operators.

Defence and security zone Département-level prefect Critical operators

prefect Once designated, operators must assume
For each critical infrastructure, the
France is shared in 13 defence and security département-level prefect approves the several types of responsibility: appointing a
zone (including over-sea territories). specific protection plan drawn up by the security liaison officer (who shall represent
operator. the operator to the administrative authority)
The zone prefect is the territorial stakeholder and drawing up both an operator security
in charge of coordinating the CIP system. He also drafts an external protection plan plan (OSP), which describes the operator’s
His responsibilities include organisation, setting out the intervention and vigilance security policy and organisation, and
support for préfectures and informational measures to take if this critical infrastruc- specific protection plans for each critical
liaison between the central and local levels. ture should ever find itself under threat or infrastructure identified.
He also coordinates inspections of critical attack.
infrastructure within his area of jurisdiction.
 Critical operators: stakeholders of the national security strategy

Critical operators act as the mainspring of the CIP system and, as such, they are accorded a specific status:

- appointment of the security liaison officer within the company. In this way the administrative authority has a
point of contact with security clearance to whom it shall directly communicate information on threat or any
changes in stance regarding the VIGIPIRATE plan;

- the so-called “background checks” procedure. This enables the critical operators to ask the administrative
authority to check that the characteristics of the person wishing to access his critical infrastructure are not at
odds with the security of the site;

- the external protection plan. Written under the authority of the département-level prefect, this rounds off the
critical infrastructure protection setup. It describes and plans the State human and physical resources for an
intervention at the infrastructure. It also provides for surveillance measures of surrounding areas.

Business continuity planning

In 2013, the SGDSN launched a process for revising the

national security directive. One of its objectives is to adopt
an all-hazards approach so as to encourage operators to
make preparations for every critical eventuality that may
affect their staff, premises, networks and production
facilities by drawing up a business continuity plan (BCP).

These documents are a requirement on the part of

critical infrastructure. The SGDSN has produced a
methodological guide to drawing up BCPs, which the
general public has been able to access since 2013.

Cybersecurity
As early as 2008, the White Paper on Defence and
National Security identified cyber-attacks as one of the
main threats to our defence and security. To tackle those
new threats, Article 22 of the 2013 Military Programming
Law now requires critical operators to reinforce the
security of their information systems.

These requirements apply to critical information systems

identified by operators and involve reporting incidents,
SAIV and VIGIPIRATE implementing a core set of security rules and making use
of qualified detection service providers and products.
The critical infrastructure protection system has been
set up to facilitate application of the VIGIPIRATE plan by The National Cybersecurity Agency (ANSSI) is in charge
involving the operators concerned in all efforts bearing of implementing these provisions within the SGDSN and
on vigilance, prevention and protection against terrorism. has worked closely with the ministries and operators to
define rules that are at once effective, appropriate and
Critical operators need to incorporate into their plans sustainable for operators.
the measures of the VIGIPIRATE plan that concern them
and, as such, they must be able to take action in response
to stances adopted by the Government depending on Find out more at: www.ssi.gouv.fr
the situation on the threat or vulnerability front.
 CIP
FACTS & FIGURES

8
MINISTRIES
IN CHARGE

12
SECTORS OF ACTIVITY

The European dimension

22
In the EU’s single market where companies are becoming increasingly NATIONAL SECURITY
dependent on one another, the impacts of an attack on one operator can DIRECTIVES
extend beyond the borders of a single State. France has therefore supported
and strongly contributed to the EU’s efforts to develop the European 253
Programme for Critical Infrastructure Protection. CRITICAL
OPERATORS
As a key element of this programme, the Council Directive of 8 December
2008 on the designation and protection of European critical infrastructures
introduces a mechanism aimed at identifying European critical infrastructures 1,381
in the energy and transport sectors. CRITICAL
INFRASTRUCTURES
Not only does this directive provide a framework for improving the security
of major infrastructure with transnational implications, but it also encourages
the development and improvement of national security systems bearing 300
on critical activities in each Member State so as to avoid distortions of PUBLIC SECTOR EMPLOYEES
competition and contribute towards better protection of economic activities WORKING DAILY ON MATTERS
and citizens – i.e. towards Europe-wide resilience. TO DO WITH THE CIP
Breakdown of critical operators per sector

Breakdown of critical operators per sector

13 11 5
Civil activity of the State
41
Legal activity
68
Military activity
6 Food
15 Communications, NICT
Finance
13 Industry
Health
31 8
Water management
24
18 Energy
Transport
Space & research

About the SGDSN Reference texts

SReporting to the Prime Minister and working in close liaison with the • Defence Code – Articles L. 1332-1 to L. 1332-7, L. 2151-1 to L. 2151-5 and
President of the Republic’s office, the General Secretariat for Defence and R. 1332-1 to R. 1332-42.
National Security (SGDSN) assists the Head of Government in fulfilling his/her • Instruction générale interministérielle n° 6600 relative à la sécurité des
responsibilities in matters of national defence and security. It is responsible for activités d’importance vitale du 7 janvier 2014.
the cross-government coordination and organisation of Government matters. • Council Directive 2008/114/EC of 8 December 2008 on the identification and
designation of European critical infrastructures and the assessment of the need
Find out more at: www.sgdsn.gouv.fr to improve their protection.

Update: January 2017