Monaco – Special Correspondent – “The message is simple: winter is coming.”
Far from the satisfaction he displayed last year as the Olympics drew to a close, Vincent Strubel opened the 2025 Security Summit with what could be described as a decidedly pessimistic outlook. Specifically, the prospect of our armed forces engaging in a high-intensity conflict by 2030, while at the same time there would be a dramatic rise in hybrid attacks on French soil.
The director-general of ANSSI is effectively restating a hypothesis laid out in the latest National Strategic Review, published in July. He does not hesitate to affirm that this horizon “gives even more meaning to our collective work to build cyber resilience.”
This work leads to setting rules and preparing crisis management. It also involves a concept the agency has made its mantra: “scale up.” In other words, spreading cybersecurity throughout the economic fabric. In this spirit, it mobilizes, among other things, the training lever illustrated by the organization, last month, of the REMPAR25 exercise.
In the same vein, ANSSI has updated its PASSI (audit) and PRIS (incident response) frameworks to broaden their scope. At the level of “high” requirements (the historical core of the need), the “substantial” level has been added, aimed at meeting the needs of smaller players.
No, Sovereign Detection Is Not Being Challenged
In the coming months, the agency is expected to finalize work on detection solutions. These cover both service providers and products. This gives Vincent Strubel the opportunity to remind, as he did a few weeks ago, that there is no question of trimming the sovereignty requirement that applies to critical infrastructure operators. “That would be a historical misstep. We are instead looking to broaden the field of possibilities, not remain with a regulation that stiffens and ages badly in our field.” He adds that the aim is to “give ourselves the chance to achieve the best result for every type of architecture.” In particular, attention is focused on active EDRs and NDRs.
Accounting for the Effects of Our Technical Dependencies
At the European level, another project opens up: the revision of the Cybersecurity Act. After extending it to managed services (in addition to ICT products, services, and processes), the European Commission is seeking, in particular, to simplify the reporting requirements and to integrate more deeply the software supply chain aspect. The ANSSI director-general sees this as an opportunity to take into account risks deemed non-technical, tied to our technical dependencies. He points to the need to protect against data access that escapes our control and against the possibility of a service being cut off by a decision in which we have no say.
A Post-Quantum Agenda After the First Certifications
Another source of concern: the deeper currents in the digital landscape that force us to change our approaches across all fields, from certification to remediation. “We cannot dump the memory of a cloud, patch an AI, or do without the sole custodian of a key technology.” These developments, however, unfold over a timeline that allows for adjustment, cautions Strubel.
The tone shifts when discussing the quantum threat: “If we do not address this risk now, we will find ourselves in a situation where everything collapses all at once.” One hurdle is now cleared, he notes: the evaluation of post-quantum algorithms. The agency announced, a few days ago, its first two certifications, for Thales and Samsung. By 2027, it will no longer accept at the qualification stage security products that do not incorporate post-quantum-resistant cryptography. It already recommends no longer procuring such solutions, but could, when necessary in certain cases, require it by 2030.
