Why the French Cybersecurity Agency (ANSSI) Needs Stronger Oversight, Says the French Court of Auditors

Despite budget constraints and the necessary evolution of its missions, the National Agency for the Security of Information Systems (ANSSI) lacks a well-defined, practical action plan. This observation is made in a recent report by the Court of Auditors, which examines the government’s response to cyber threats affecting civilian information systems.

The report highlights that the agency’s growth has been achieved without a clear service development plan. Specifically, the long-standing annual increase of approximately 40 full-time equivalent positions (FTEs) was not based on a concerted assessment of actual needs. This lack of strategic planning raises questions about the agency’s ability to adapt effectively to the evolving cybersecurity landscape.

Absent Strategic Framework and Roadmap

The Court’s analysis notes that the expansion of ANSSI has occurred without a formal service strategy. While the agency’s staffing has grown, it has done so without detailed projections or explicit planning for future needs. For example, a recent organizational chart for early 2024 indicated a civil workforce of 786 personnel, yet the 2025 Finance Act suspended this growth trajectory.

The agency’s development story is further complicated by a 10-year anniversary manifest, issued in 2019, which outlined nine guiding principles but stopped short of providing quantitative measures of the resources required to fulfill its mission. Similarly, the strategic plan published in March 2025 remains largely conceptual, specifying broad objectives such as establishing an “appropriate organization” to ensure impartial decision-making in oversight tasks, without any concrete targets, timelines, or resource allocations.

The Need for Calibrated Technical Assistance

The Court emphasizes that ANSSI must better calibrate its technical support functions. This assistance involves helping government agencies, operators of vital importance (OIV), operators of essential services (OSE), and digital service providers design and implement their most critical information systems. Currently, this mission is managed by the Technical Assistance Division (DAT), which is part of the Expertise Sub-Directorate (SDE). It employs around 34 FTEs.

Support requests from government entities are managed through a “technical advice” email service. Five agents, each dedicating a maximum of eight hours per week, handle these inquiries. However, the Court points out the absence of studies assessing whether this arrangement effectively meets user needs, and the lack of any customer satisfaction indicators. Given the high level of expertise of SDE personnel, the Court suggests that this resource should focus on complex projects, and finds the current approach insufficient and lacking measurable performance metrics.

In 2023, more than half of the technical assistance hours were allocated to government services. The assistance process relies on a simple request flow without a formal system to track all incoming demands, making it difficult to measure the percentage of issues addressed or to prioritize when necessary. Implementing an annual programming process could help prioritize requests, possibly redirecting less complex demands to external providers when appropriate.

Reevaluating Product and Service Qualification Processes

ANSSI dedicates approximately thirty staff members to the qualification of products and services. Currently, the process operates primarily on a “request-based” timing, initiated by solution providers, which complicates aligning with actual user needs. The process is also time-consuming, raising concerns about its pace and efficiency.

To address these issues, new approaches are under consideration. One idea is to differentiate qualification levels for services, distinguishing between “high” and “substantial” levels—particularly through the PASSI and PRIS certifications. For products, the agency is working to enable qualifications to apply to future versions, such as patches, to streamline updates and maintain security assurances without repeating the entire certification process.

Strengthening Coordination Among CSIRT Teams

The Court calls for improved coordination between sector-specific and ministerial Computer Security Incident Response Teams (CSIRTs). One example provided is the Aviation CSIRT, which is legally affiliated with the Directorate General of Civil Aviation (DGAC) and maintains close ties with the Ministry of Ecological Transition. Similarly, the Defense Industry CERT operates under the Defense Intelligence and Security Directorate (DRSD).

The Social CSIRT, tasked with internal cybersecurity within organizations like the National Health Insurance Fund (CNAM), the Family Allowance Fund (CAF), and others, is still being refined in its scope and interactions. It overlaps with the Health CSIRT, especially regarding the ministries handling social sector activities. Ongoing projects aim to facilitate exchanges among these teams.

Regional CSIRTs are still relatively new, and their limited visibility results from their recent establishment. Developing trust with a sufficient number of service providers, especially in regions with fewer digital companies, remains a challenge.

The Court urges an expedited review of the long-term sustainability of CSIRTs, noting that funding from the General Secretariat for Defense and National Security (SGDSN) is limited to three years. Regions will need to assume responsibilities, or alternative sustainable economic models must be developed.

Centralized Cyber Threat Monitoring

The Court emphasizes the importance of consolidating cyber threat monitoring efforts. It notes that traditional cybercriminal activities have evolved with information and communication technologies (ICT), but the criminal classification of these activities remains dependent on the assessments of police and gendarmerie operational services. Consequently, there is uncertainty about the accuracy of threat data, underscoring the need for improved support in data collection and analysis.

Furthermore, data on cyber threats generated by actors involved in incident response or victim assistance are often limited to specific victim types or incident categories, thus constraining their usefulness. The information is often partial and mainly reflects the responder’s capacity to process what is reported.

Given these fragmentation issues, the Court recommends constructing a comprehensive threat observation system based on a scientific approach to data analysis—enhancing the legitimacy and reliability of threat intelligence. Currently, various initiatives aim to build data models, centralize information, and produce statistics; however, these efforts are fragmented and incomplete.

The ANSSI has taken steps by establishing a threat observation function in collaboration with GIP Acyma, but only preliminary studies have been conducted. It is now crucial to formalize and organize this function systematically.

Enhancing Audit Capabilities

The Court reports that the internal audit team’s capacity within the SDE cannot keep pace with the growing demand. For example, in 2019, 68 high-priority requests were raised, while only 46 audits could be performed, not counting additional demands related to major events.

An initiative to outsource some audits was launched in 2019, with a budget line of €200,000, covering approximately four to five external audits annually. However, this external scope is narrowly defined—excluding the agency’s core sovereign functions, critical infrastructure oversight, telecom audits, and audits under criminal law.

Consequently, only two audits were outsourced in 2023, with many audits postponed or canceled due to administrative delays, sometimes exceeding a year. These delays hinder the ability to reallocate resources or adjust planning effectively.

Implementing Sanctions and Strengthening Oversight

Human resources remain a sensitive issue. Auditors often face the dual challenge of working within the agency while participating in national defense operations. Recent departures in 2021 and 2022 have not been offset by equivalent recruitment, risking a talent gap.

To improve audit planning, a continuous scheduling process has been implemented, enabling more frequent adjustments based on evolving risk assessments. However, the Court stresses that this process should be better grounded in a formalized risk mapping, which would hold management accountable and streamline the conduct of audits.

Currently, the SDE favors maintaining trustful relationships with regulated entities, which has resulted in limited use of sanctions—even though legislation from 2013 mandates enforcement measures, especially in line with the NIS Directive. This approach might weaken the overall effectiveness and visibility of audits and their role as a deterrent.

The Court advocates for a balanced approach, combining trust with the need for enforceable measures, especially given the broader scope introduced by NIS 2. This framework emphasizes the state’s capacity to impose sanctions in case of non-compliance. A graduated system of controls, possibly sector-specific, while maintaining centralized oversight through ANSSI, could offer a pragmatic solution to this challenge.

Dawn Liphardt

I'm Dawn Liphardt, the founder and lead writer of this publication. With a background in philosophy and a deep interest in the social impact of technology, I started this platform to explore how innovation shapes — and sometimes disrupts — the world we live in. My work focuses on critical, human-centered storytelling at the frontier of artificial intelligence and emerging tech.