Ségur Numérique V2 – Cybersecurity and ANS validation: what you need to know

The Ségur du numérique en santé program continues its transformation with a new phase of requirements: Ségur V2. This second wave raises the expected security level for listed software, with a strong focus on cybersecurity, system resilience, and the ability of vendors to detect and prevent threats.

In this new framework, penetration testing, IS security documentation, and the implementation of a security governance model become mandatory.

Who is affected by Ségur V2?

Ségur V2 targets all healthcare software vendors seeking listing by the Agence du Numérique en Santé (ANS), a prerequisite for integration into the CARE program funding pathways. This notably includes:

  • Electronic Health Record (EHR) software
  • Integrated Care Pathway Records
  • Practice Management Software
  • Medical Imaging Solutions (RIS/DRIMbox)
  • e-Health proxy software
  • Business solutions connected to Pro Santé Connect or MSSanté messaging

For these software products, moving to V2 means complying with new cybersecurity requirements, as defined in the business reference frameworks published and updated by the ANS (April–May 2025).

What Ségur V2 requires from a cybersecurity perspective

The Agence du Numérique en Santé now includes a dedicated IS security section in each business reference framework. It is systematically structured around three cross-cutting requirements identified as SSI/GEN.18, SSI/GEN.19, and SSI/GEN.20:

  • SSI/GEN.18 – Mandatory penetration testing
    Each software solution must undergo an external penetration test, carried out by a qualified third-party provider (preferably PASSI-certified). This test covers exposed services, open APIs (notably Pro Santé Connect), and critical network flows. It must be documented in a report including a remediation plan.
  • SSI/GEN.19 – Security policy documentation
    The vendor must produce an Information System Security Policy (ISSP) and associated procedures. This policy must describe access management rules, protection mechanisms, update practices, and commitments in the event of an incident.
  • SSI/GEN.20 – Governance and traceability
    The organization must demonstrate the existence of structured IS security governance, an incident management policy, a completed or ongoing risk analysis, and appropriate logging and monitoring measures.

New ANS technical guidelines to validate compliance

ANS now provides, for each listing track, dedicated penetration testing guides:

  • EHR / Care Pathway Software (updated April 2025)
  • Practice Management / RIS / DRIMbox / e-health software (May 2025)

These documents specify test targets, expected scopes (network exposure, portals, API services), accepted methodologies, and required report formats. Particular attention is given to production or pre-production environments, Pro Santé Connect authentication, and resistance to user session attacks.

Note: failure to comply with IS security requirements means the software cannot be validated under Ségur V2 by ANS, and therefore will not be eligible for public funding schemes (CARE, SONS, etc.).

Steps to successfully achieve Ségur V2 cybersecurity validation

  1. Analyze the IS security requirements of the ANS framework applicable to your software
  2. Have a penetration test carried out by a PASSI-qualified provider
  3. Produce or update your IS security policy (ISSP)
  4. Document your risk analysis, vulnerability management, and incident handling procedures
  5. Build a complete file to submit to ANS as part of the V2 listing request
  6. Implement recommendations from the penetration test to demonstrate remediation of critical vulnerabilities

What we offer at ZIWIT

We are an ANSSI PASSI-certified provider and have been supporting healthcare software vendors with Ségur compliance for several years. Our services include:

  • ANS / Ségur V2-compliant penetration testing
    Our pentests are conducted in accordance with ANS technical frameworks, with structured reporting, completion of the ANS penetration test document (Excel file), remediation plans, and validation of fixes.
  • Audit and support for formalizing your IS security policy
    We help you draft or structure your ISSP, define key procedures, and meet IS security governance requirements (risk analysis, incident management, etc.).
  • Regulatory monitoring and preparation for ANS submission
    We support you in understanding requirements, compiling the file, and managing interactions with ANS if needed.
  • Deployment of complementary cybersecurity solutions
    Need supervision (SOC), endpoint protection (EDR), or remediation plans? Our technical teams intervene to concretely strengthen your security posture.

Do you need to comply with Ségur V2?

We can act quickly, remotely or on-site, to secure your solution and help you obtain ANS validation. Contact us to receive a tailored proposal or to schedule a penetration test as part of your Ségur initiative.
