The Île-de-France region is set to roll out a pooled system for managing cyber risks tied to suppliers of local authorities, as part of the implementation of the European NIS 2 directive.
During its transposition, this directive requires communities of more than 30,000 inhabitants to assess the security of their suppliers in order to safeguard their supply chain. In Île-de-France, more than 200 municipalities are affected by this obligation, out of 18,000 nationwide.
An automated and shared assessment system
The arrangement rests on the Security Rating solution from Board of Cyber, which non-intrusively, automatically, and continuously evaluates the cybersecurity of organizations.
Participating local authorities will be able to propose integrating their suppliers into the evaluated perimeter, with an objective of 500 suppliers in the first year.
According to project stakeholders, this system offers three advantages. The Île-de-France communities gain access to information about the security of their current and potential suppliers, with full funding by the regional council in the first year and a pooled arrangement thereafter; suppliers avoid repeating multiple evaluation procedures; and the Region gains a comprehensive view of systemic risks across its territory to help ensure compliance with NIS 2.
This pooled system, whose overall cost has not been disclosed, extends a collaboration begun in 2023 with the Observatory of Municipality Cybersecurity Performance, which enables more than 1,100 Île-de-France communities to assess their cybersecurity posture.
In 2024, ANSSI recorded 218 incidents affecting local authorities, accounting for 15% of the total incidents it handled. With an average of 18 incidents per month, local authorities are prime targets for financially motivated attacks, destabilization, or espionage.