(a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)?
The Act on Military Programming 2014-2019 (2013-1168) of 18 December 2013 reinforced the IT security of ‘operators of vital importance’ (OIVs) – that is, operators of systems for which a breach of safety or operation could significantly reduce France’s military or economic potential, safety or survivability. Relevant sectors include civil, military and judicial activities, health and energy.
The Act on the Security of Networks and Information Systems (2018-133) of 26 February 2018 made it possible to extend obligations to categories of operators other than OIVs, and created two new categories of actors: ‘essential service operators’ (OSEs) and ‘digital service providers’ (FSNs).
OSEs are providers of services that are essential for the maintenance of critical societal and/or economic activities which depend on networks and information systems, and which would be likely to be seriously affected in the event of a network security incident. They are designated in various sectors, such as transport, banking, health and digital infrastructure. They must take technical measures upstream to manage risks that threaten network security, and must ensure that the ANSSI is notified of incidents that may have a significant impact on network security.
FSNs are providers of online search engines, online marketplaces and cloud computing services. FSNs with at least 50 employees and an annual turnover of more than €10 million must ensure that the security of their information systems remains at a satisfactory level by identifying risks in order to avoid incidents and implementing preventive measures, and are also subject to notification obligations to the ANSSI.
(b) Certain types of information (personal data, health information, financial information, classified information)?
The personal data protection framework is set out in the Data Protection Act.
Health data: The act defines ‘health data’ as ‘sensitive data’ and provides for higher standards of protection for this type of data (eg, a prohibition on collection except in restricted cases; specific approved hosts).
Section L1111-8 of the Public Health Code, modified by Act 2016-41 of 26 January 2016, provides that health data must be hosted in accordance with security conditions that are tailored to its criticality. In particular, health data hosted on digital media (apart from electronic archiving services) must be certified.
Confidential information: The Act on Business Secrecy Protection (2018-670) of 30 July 2018 transposed the EU Trade Secrets Directive of 8 June 2016 into national law. It introduced a new general regime for the protection of trade secrets to the Commercial Code (Sections L151-1 to L154-1). The holders of trade secrets are accountable for the measures they take to protect their secrecy and the timeframe within which they respond to an infringement of such secrets. The act sets out the information that may be protected, what constitutes illicit conduct in this regard and the preventive measures that may be requested in court.