General Security Reference (RGS)

Our certifications
Standards & Directives General Security Reference (RGS)

The General Security Reference (RGS) is a reference framework which defines the security requirements applicable to the information systems of administrative authorities. It was published by the National Information Systems Security Agency (ANSSI) in 2006 and was updated in 2013 and 2022.

The five main principles of RGS

The RGS is structured around five main principles:

Security by design

Information systems must be designed from the outset to be secure. This means that security should be considered at the design stage, not added as an additional layer.

For example, an information system designed from the ground up to be secure could use strong authentication techniques, such as biometrics or multiple factors, or even encryption techniques to protect sensitive data.

Protection by default

Information systems must be configured by default to be protected. This means that default configurations must be secure, and users must be informed of the risks associated with insecure configurations.

For example, an information system configured by default to be protected could use complex passwords and advanced security protocols.

Strong authentication

User authentication must be strong and based on several factors. This means that authentication should not rely on a single factor, such as a password, but on multiple factors, such as a password, security key or fingerprint.

For example, an information system that uses strong authentication could ask the user to enter a password, present a security key and be identified by facial recognition.

Separation of functions

Sensitive functions must be separated from each other. This means that functions that require privileged access to sensitive data, such as data modification or network access, must be isolated from other functions.

For example, an information system that segregates functions could use separate user accounts for sensitive functions and non-sensitive functions.


Actions carried out on information systems must be traced. This means that information systems must be able to record the actions performed by users, the events that occur and the data that is processed.

For example, an information system that records user actions could keep a log of connections, data changes, and network access.

RGS requirements for interoperability

The RGS also defines requirements for the interoperability of information systems, including:

The use of standards and benchmarks

Information systems must use standards and benchmarks to ensure their interoperability with other information systems.

For example, an information system that uses standards and benchmarks might use standardized data formats or standardized communication protocols.

Interface documentation

Information system interfaces must be documented clearly and precisely, so that developers can create applications that interact correctly with these systems.

For example, an information system that documents its interfaces could use XML schemas or textual descriptions of the interfaces.

Metadata management

Metadata in information systems must be managed centrally and consistently, so that users can easily find and use the information they need.

For example, an information system that manages metadata could use a metadata repository to store and manage information systems metadata.

RGS data security requirements

The RGS sets out specific data security requirements, including:

Pseudonymization and encryption

Sensitive data must be pseudonymized or encrypted.

For example, an information system that pseudonymizes or encrypts sensitive data could use hash pseudonymization or block encryption techniques.

Access management

Access to data must be limited to authorized persons.

For example, an information system that limits access to data could use access control lists (ACLs) to control who can access what data.

Data backup

Data should be backed up regularly.

For example, an information system that backs up data regularly could use an automatic backup solution to save data to external media.

Security incident management

Security incidents must be handled appropriately.

For example, an information system that manages security incidents could use an incident management plan to identify, analyze and resolve security incidents.

Protection of personal data

Personal data must be protected against the risks of destruction, loss, alteration, unauthorized, accidental or illicit disclosure or access.

For example, an information system that protects personal data might use pseudonymization or encryption techniques to make the data non-identifiable.

Systems containing personal data must be audited to identify flaws and vulnerabilities that allow malicious people to gain access to the data.

A need for an IT security audit?

Our team of IT security experts is ready to offer you the audit that best suits your needs and your business.

Your satisfaction and security are our priorities. Contact us

Contact us!

+33 1 85 09 15 09