ANSSI (Agence nationale de la sécurité des systèmes d'information)
France's national cybersecurity agency — publishes the guidance, certifications (SecNumCloud, CSPN) and incident-response posture French organizations align with.
ANSSI — the Agence nationale de la sécurité des systèmes d’information — is France’s national cybersecurity authority. Created by decree on 7 July 2009, it sits under the Prime Minister’s office (SGDSN) and is responsible for the State’s cybersecurity defense, support to operators of vital importance (OIV) and essential service operators (OSE/EE), and publication of public guidance. Its website is cyber.gouv.fr.
For RSSI and security buyers in France, ANSSI is the practical center of gravity: its guides set the implementation bar that auditors, public-sector buyers, and increasingly private-sector RFPs reference. The agency’s role is fourfold.
- Operational defense. ANSSI runs CERT-FR, the national CSIRT, and coordinates incident response for in-scope entities, particularly under NIS2 and the LPM (Loi de programmation militaire).
- Guidance and methodologies. ANSSI publishes the PSSI elaboration guide, the EBIOS Risk Manager method, password-policy recommendations, secure development guidance, and dozens of sector- and topic-specific documents.
- Certification schemes. ANSSI runs SecNumCloud (cloud-provider trust qualification used by French public administration), CSPN (first-level security certification for products), and qualification levels for service providers (PASSI for audits, PDIS for incident detection, PRIS for incident response).
- OIV / OSE regulation. Under the LPM (since 2013) and now NIS2, ANSSI is the competent authority for designating and supervising vital and essential operators in France.
In practice, when a French CISO or RSSI cites a security baseline, it is far more often an ANSSI guide than an ISO clause. The agency’s recent emphasis on end-user behavior — clear in its cyberhygiene memo and in NIS2 transposition discussions — mirrors the shift Engarde (engarde.cc) addresses: from policy on paper to behavior in the workspace. Related French regulator: the CNIL handles personal-data protection enforcement, and ANSSI’s guidance frequently maps to GDPR Article 32 requirements.
Related terms
- PSSI (Information Systems Security Policy): the French Politique de Sécurité des Systèmes d'Information — an organization's master security policy, formalized following ANSSI's PSSI-E methodology.
- NIS2: EU Directive 2022/2555 raising cybersecurity obligations across essential and important entities, with behavioral controls and training now in audit scope.
- CNIL (Commission nationale de l'informatique et des libertés): France's independent data-protection authority — enforces GDPR, runs the 72-hour breach-notification clock and publishes binding guidance on personal-data handling.
- GDPR Article 32: the GDPR clause requiring controllers and processors to implement appropriate technical and organizational measures — increasingly read to include behavioral controls.
- Security Awareness Training (SAT): the legacy compliance-driven training category — annual e-learning modules and click-rate phishing tests — that Human Risk Management is now replacing.