The CRA (Cyber Resilience Act) regulation, adopted in 2024, standardises cybersecurity requirements across Europe for products with digital components, such as connected objects. It imposes obligations on economic operators (manufacturers, importers and distributors) so that users benefit from a secure environment throughout the product lifecycle.
Businesses must prepare for compliance by December 2027. To do so, they need to assess their current situation, carry out an in-depth analysis of their cybersecurity risks, put in place the necessary security measures, strengthen their incident and vulnerability management capabilities, and seek expert advice and support.
The ISO 27001 standard is an international framework for the implementation of an information security management system (ISMS). It defines the requirements to protect information against threats and risks.
The advantages of ISO 27001 certification are numerous:
The ISO 27001 standard is an important tool for organizations of all sizes and in all industries. It helps protect information against cyberattacks and data breaches.
The NIS 2 directive is new European legislation that strengthens the security of network and information systems. It applies to operators of essential services and digital service providers, and imposes stricter requirements on risk management, incident reporting and cooperation with authorities.
In summary, NIS 2 aims to:
PCI DSS is a set of data security standards that apply to organizations that store, process, or transmit payment cardholder data. It aims to protect cardholder data from cyberattacks and data breaches.
Organizations that comply with PCI DSS implement security measures such as using firewalls, encrypting sensitive data, implementing access controls, and training employees on security best practices.
PCI DSS compliance is essential to protect cardholder data and comply with regulatory requirements.
The MICA standard is a European regulation that governs crypto-assets. It aims to protect investors, prevent market abuse and fight financial crime.
The main provisions of the MICA standard are as follows:
The SecNumCloud standard is a French certification attesting to the security level of the cloud services offered by a service provider.
It is based on the ISO 27001 standard and covers the following areas: security of infrastructures, applications, data, operations and human resources.
The benefits of SecNumCloud certification are numerous, including reducing the risk of cyberattacks and gaining trust from customers and partners.
In summary, the SecNumCloud standard is a cloud services security certification that is based on the ISO 27001 standard and helps reduce the risks of cyberattacks and gain the trust of customers and partners.
Digital Health Companies (ENS) wishing to certify their teleconsultation solution must go through a process of evaluating its conformity with information systems security requirements. In particular, an intrusion test on the candidate solution is required.
The auditor then completes a form that sets the scope of the test and certifies the results obtained. This form constitutes the proof required for certification of conformity to the interoperability, security and ethics framework for teleconsultation information systems.
The intrusion test must be carried out by an audit service provider at the request of the publisher. To guarantee the competence of the selected provider, and thus the fairness of the process, the publisher is required to use a qualified information systems security audit service provider (PASSI).
ISO 19011 is an international standard that provides guidelines for auditing management systems. It is published by the International Organization for Standardization (ISO).
The main objective of the ISO 19011 standard is to provide guidelines for auditing management systems in order to:
To obtain ISO 19011 certification, an organization must have its management system audited by an accredited certification body. If the audit is successful, the certification body will issue the organization with an ISO 19011 certificate.
The General Security Reference (RGS) is a French standard which defines the security requirements for the information systems of administrative authorities.
The RGS aims to protect the personal data of citizens and to guarantee the proper functioning of public services. It applies to all information systems of administrative authorities, whether internal or external, central or decentralized.
The RGS is based on six fundamental principles:
Cyberscore is a French measure that aims to improve the cybersecurity of digital services. Platforms that meet certain criteria must display a score from 0 to 5 reflecting their level of security. Cyberscore is expected to bring several benefits, but it also has potential downsides.
Here are the main advantages of Cyberscore:
DORA is a European regulation that requires financial entities to implement a governance and internal control framework for managing ICT-related risks. It applies to banks, insurance companies, asset managers, payment service providers, and other financial entities designated by supervisory authorities.
DORA aims to strengthen the resilience of financial entities against cyberattacks and other ICT-related incidents. It is intended to help protect customers of financial institutions and reinforce trust in the EU financial system.
Security measures to implement: ICT risk analysis, formal security policy, tested business continuity plan, incident management processes, register of critical ICT service providers, and execution of resilience testing (including regular penetration testing).
The ANJ imposes strict information system security requirements on licensed online gambling operators. These obligations aim to ensure game integrity, player data protection, transaction transparency, and resilience against cyber threats. Any vulnerability may call the platform’s compliance into question.
Security measures to implement: an IS security policy tailored to online gambling, network segmentation, access control, logging, regular third-party penetration testing, technical audits, monitoring, and an incident response plan submitted to the ANJ.
The CaRE program supports the funding of healthcare software solutions listed by the Agence du Numérique en Santé (ANS). It is part of the continuity of the Ségur numérique initiative and aims to accelerate the adoption of tools compatible with core national services (DMP, Pro Santé Connect, MSSanté). To obtain this listing and access funding, software vendors must demonstrate a high level of security.
Security requirements to implement: evidence of penetration testing (in line with ANS guidelines), a documented security policy, vulnerability management, logging and remediation procedures, and a supporting evidence package validated by the ANS.
Ségur V2 is the new wave of France’s digital health transformation program. It strengthens cybersecurity requirements for healthcare software seeking listing by the ANS. The objective is to ensure a high level of security for tools handling health data and connected to core national services.
Security measures to implement: penetration testing by a qualified provider, formalization of the security policy, ICT risk analysis procedures, documentation of IS security controls (logging, MFA, monitoring), and compliance with ANS SSI/GEN.18 to SSI/GEN.20 requirements.