The cybersecurity of Operators of Vital Importance (OIV), a major strategic issue for France, is based on the Military Programming Law (LPM). Today, it must be brought into line with the European NIS cybersecurity directive and its successor, NIS 2, about which we have written an article (the date of implementation is approaching but NIS 2 has not yet been transposed into national law). Let's decipher the role of the OIVs, their regulatory framework, and their link with the Operators of Essential Services (OSE), while shedding light on the new standards set for essential (EE) and important (EI) entities.
The concept of an Operator of Vital Importance (OIV) stems from the SAIV (Sectors of Activities of Vital Importance) system, established in 2006. This framework was initially aimed at protecting critical infrastructure against natural, technological, health and malicious risks, in particular terrorism and cyberattacks. In 2013, in the face of intensifying cyberthreats, the Military Programming Law (LPM) strengthened this mechanism. It introduced specific obligations for OIVs to secure their Information Systems of Vital Importance (SIIV), which are essential for national resilience. In concrete terms, these regulations require the declaration of SIIVs, incident reporting and the application of 20 security rules defined by the French National Cybersecurity Agency (ANSSI).
The perimeter of the OIV is defined by 12 strategic sectors classified into 4 dominant areas:
These sectors include nearly 1,500 Points of Vital Importance (PVI), ranging from factories to control centers, including critical data centers. The list of 249 OIVs remains strictly confidential for reasons of national security.
OIVs are subject to strict regulatory requirements to protect their SIIVs. The main pillars of their compliance are as follows:
Each OIV must identify its critical systems, those whose failure or compromise would seriously affect national security. These systems must then be declared to ANSSI, which exercises enhanced supervision at this level.
Any incident affecting a SIIV must be reported to ANSSI, which allows for rapid and effective coordination in the face of cyberattacks.
The 20 LPM rules, drawn up by ANSSI, govern the management, risk control and protection of systems. They include requirements such as data encryption, network compartmentalization, and the use of approved products.
ANSSI, or qualified service providers, carry out audits to assess the level of security of OIVs. In the event of a major crisis, the State may impose exceptional measures.
The European NIS (Network and Information Security) directive, adopted in 2016 and inspired by the French OIV model, introduced Operators of Essential Services (OSE). These cover similar sectors, but with a broader scope, including public and private companies deemed essential for the continuity of services in Europe. In 2018, France had 122 OSEs, a figure that has since increased with the broadening of the identification criteria. The NIS Directive imposes cybersecurity obligations on OSEs that are comparable to those of OIVs, including incident notification and the implementation of appropriate security measures.
Implemented in 2024, the NIS 2 Directive marks a turning point by expanding the number of sectors concerned from 19 to 35. It also introduces two new categories, Essential Entities (EE) and Important Entities (EI):
Essential Entities (EE): these organizations, which are strategic for the economy and society, will have to comply with strict cybersecurity obligations, similar to those of the OIVs.
Important Entities (EI): although they will have less of an impact than the EE, the EI will also be required to increase their level of security, the aim being to strengthen overall resilience.
With NIS 2, the number of entities subject to cybersecurity obligations in France should increase tenfold. This now includes subcontractors and service providers of the EE and EI, making the supply chain itself more secure.