French Court of Audit Warns of Critical State Vulnerabilities to Cyber Threats

What if the Paris 2024 Olympics were just the tip of the iceberg? A year ago, the global cybersecurity community—and beyond—celebrated what was widely regarded as a successful security strategy implemented to safeguard the event. This effort was a coordinated operation involving government agencies and private sector partners, resulting in a reported total of 548 incidents and 141 identified cyber attacks. Fortunately, these threats did not significantly disrupt the Games, marking what many saw as a major achievement in event security.

However, a year later, a critical report from France’s Court of Audit highlights a far grimmer reality regarding national cybersecurity resilience. The report paints a sobering picture of the persistent vulnerabilities in France’s civilian digital infrastructure, revealing that the French government struggles to mount an effective response against ongoing cyber threats. Despite increased political engagement and expanding budgets since 2021, the country’s efforts remain fragmented and insufficient—particularly when it comes to local governments and healthcare institutions.

Since 2021, France has embarked on a strategic cybersecurity investment plan, allocating one billion euros over five years. The initiative, spanning from 2021 to 2025, aims to establish a cohesive national response to cyber threats through targeted funding. Over half a billion euros are directed toward public administrations and operators, while 200 million euros are aimed at fostering the French cybersecurity ecosystem—which includes research, startups, and specialized training programs. Additionally, Bpifrance has been entrusted with 250 million euros to support the emergence of innovative SMEs in cybersecurity.

By April 2023, France had strengthened its national cybersecurity strategy once again, culminating in a revised plan approved at the end of 2024 during a National Defense and Security Council meeting. This update incorporated European directives NIS 2 and DORA, reflecting the country’s commitment to aligning with broader European cybersecurity frameworks.

Limited Evaluation of Public Policies and Cultivating a Cybersecurity Culture

The Court of Audit criticizes the lack of clear leadership and coordination across ministries. The General Secretariat for Defense and National Security (SGDSN)—responsible for coordinating the national cybersecurity policy—lacks authority and sufficient resources to be effective. Meanwhile, the National Agency for the Security of Information Systems (ANSSI), the technical backbone of France’s cyber defense, faces an expanding mission set without a multi-year strategic plan or resources matching the scale of its responsibilities. It oversees the security of approximately 15,000 entities but operates with a budget of about 30 million euros—excluding salaries—and a team of roughly 634 staff members in 2023, marking significant growth since 2009. Still, the report states that France’s cybersecurity capabilities lag behind leading European counterparts such as the UK and Germany.

Despite some progress, local governments and healthcare providers—among the most frequently targeted sectors—show inconsistent levels of cybersecurity maturity. Even with a dedicated annual budget of around 30 million euros since 2022 aimed at securing these sectors, the Court finds that only 15% of municipalities have developed business continuity plans. Most small organizations lack regular audits or specialized training, leaving them vulnerable. The costs associated with a breach are substantial: for example, the Aix-Marseille-Provence metropolis faced costs of nearly 960,000 euros in March 2020, while the city of Bondy saw damages exceeding 1.5 million euros in November 2020. These figures do not include the indirect costs resulting from service disruptions.

The report underscores that since 2021, official cybersecurity funding has often been allocated without detailed risk assessments or mechanisms to measure effectiveness. Centralized attack statistics are also lacking, impeding efforts to adapt strategies or share best practices across regions. Moreover, cybersecurity training remains underdeveloped—only 12% of local government employees had completed a cybersecurity awareness module in 2024, despite the Court’s recommendation to triple the number of certified training sessions by 2026.

Twelve Proposed Measures for Strengthening Cybersecurity

Among the key recommendations proposed by the Court of Audit is the creation of an interministerial cyber command. This unified body would streamline operational responses to cyber threats across the government, operating under the authority of the SGDSN, ANSSI, and relevant ministries. The report calls for a broader national cybersecurity investment, targeting an expenditure equivalent to 0.3% of France’s GDP—double the current level of 0.15%—to prevent France from becoming a “digital sieve” amid heightened geopolitical tensions.

The Court also advocates for mandatory security audits for recipients of public funding, enhancing accountability and ensuring consistent levels of protection across all regions. Furthermore, it recommends that private providers working on critical information systems should be required to obtain official certification, preventing overdependence on unverified firms and ensuring high standards of intervention—an initiative involving both ANSSI and the Interministerial Digital Directorate (DINUM).

Finally, the report highlights the necessity of significantly increasing ANSSI’s workforce (by 20% by 2027) by raising its budget and staff capacity, to bolster its nationwide operational capabilities and adapt to the evolving threat landscape.

The year 2025 is poised to be decisive; successfully implementing and adapting to the NIS 2 directive, expanding sector-specific security frameworks, and effectively executing these strategic recommendations will serve as vital indicators of France’s cybersecurity maturity, according to the report.

“These findings are widely shared among experts and policymakers alike, reflecting the urgent need for evolution in France’s cybersecurity stance. They form the core of the upcoming national cybersecurity strategy and are already embedded within the agency’s strategic plan,” states Vincent Strubel, Director General of ANSSI, on his LinkedIn profile. “The path is clear, and all that remains is to walk it.”

Dawn Liphardt

I'm Dawn Liphardt, the founder and lead writer of this publication. With a background in philosophy and a deep interest in the social impact of technology, I started this platform to explore how innovation shapes — and sometimes disrupts — the world we live in. My work focuses on critical, human-centered storytelling at the frontier of artificial intelligence and emerging tech.