Not for nothing: “in a context of high threat”, the State has publicly released its new digital security roadmap.
This roadmap is mandated by a 2022 interministerial instruction. It is updated annually, and each ministry must adapt it to its own plans.
The 2026-2027 edition “takes into account the budgetary constraints that weighed on the implementation of the previous one.” It reuses the actions — most of which correspond to the general objectives set by NIS 2 in its Articles 20 and 21 — and adds preparation for the transition to post-quantum cryptography. In parallel, it “tightens certain deadlines.” Here is an overview of the schedule.
For mid-2026
By 30 June 2026, the ministries must have translated the roadmap into action and formalized an information systems audit and control policy.
They must also have identified their high‑stakes information systems, formalized a cloud hosting policy, implemented a supply chain security policy, and defined procedures for installing security patches.
They are also required to have defined a timeline for the generalization of ProConnect (identity federation) and established annual reviews of access rights for technical administration accounts on high‑stakes information systems.
Another instruction: to maintain the security of major directory services at ADS level 3. The plan must also include conducting a backup test of the information systems.
For the end of September 2026
Ministries must have strengthened the security of their DNS. “Notably by greater use of the interministerial DNS service.”
By the end of 2026
The information systems audit and control policy must be put into practice by this deadline. It will also involve accrediting the information systems that support essential missions.
Ministries additionally have until 31 December 2026 to ensure, on digital procurements, that contract documents properly incorporate cybersecurity requirements.
Also expected by the end of 2026: implementing the procedures for installing security patches, as well as a process for replacing obsolete components on an ongoing basis, “giving priority to security building blocks”, and strengthening messaging systems.
The access-rights review required by June 2026 for technical administration accounts should be extended to functional administration accounts. ProConnect should have been deployed on high‑stakes information systems. These systems will, moreover, have switched to automatic lifecycle management of identities and access.
The same deadline applies to multifactor authentication for all information system administrators, and to the deployment of dedicated administration workstations for high‑stakes and national information systems (excluding systems belonging to decentralized services and systems not subject to NIS 2).
Ministries are also expected to enhance their ability to collect, centralize and analyze logs, while deploying EDR or XDR on all workstations and servers.
They must furthermore have completed the inventory of “permanently sensitive” data for which post‑quantum cryptography will be prioritized.
By the end of February 2027
By this deadline, multifactor authentication for users on high‑stakes information systems must be deployed.
By the end of 2027
The integration of cybersecurity requirements into contracts should be extended to procurements with a digital component or requiring the exchange of sensitive information.
It will also involve extending automated identity and access management to a scope that remains to be defined (to be clarified in 2026 during working groups).
Other directives: generalize ProConnect deployment and extend the use of dedicated administration workstations to the information systems of decentralized services.
In terms of post‑quantum cryptography, ministries must have identified the technical building blocks involved.
By the end of February 2028
This is the deadline for extending multifactor authentication to users of all information systems, and for replacing obsolete components of high‑stakes information systems (for security equipment, the directive applies from the end of 2026).
By the end of 2028
Ministries must have accredited all of their high‑stakes information systems.
By the end of 2030
The State requires that, by this deadline, all restricted-distribution information systems be covered by post‑quantum cryptography. From that point on, ministries should deploy only encryption products that incorporate post‑quantum cryptography.
* Some components may be exempted from accreditation. Broadly speaking:
- Minor evolutions that do not increase the risk level
- Modifications dictated by security or urgent constraints, provided they do not undermine the validity of the accreditation
- Infrastructures and software whose creation is required by these constraints and that entail timelines incompatible with the accreditation process
- Infrastructures and software implemented on an experimental basis, open to a limited number of users, whose exposure to a cyberattack is “negligible and easily overcome”