France to introduce Cyberscore, a data security rating system

Writer Cameron Jones

First presented in 2020, Cyberscore, an upcoming rating system, will come into effect by the end of 2023, but the major platforms are scrambling to push back its implementation date. Let's dive into the topic to understand why this new legislation is under discussion.

Assessing data security

In simple terms, Cyberscore is a rating system that works like the Nutri-Score for food products. The idea is to help Internet users assess the security of their data on the sites and social networks they frequent, which keep increasing in number, and the various risks increase with them.

Companies, whether big or small, as well as healthcare establishments, face a high risk of acts of piracy, meaning that they are the most vulnerable. The 2022 edition of the corporate cybersecurity barometer from CESIN (Club of Experts in Security and Digital Computing), which takes stock of the situation at national level each year, reports:

  • 54% of companies declared having suffered at least one cyberattack, or several, in 2021
  • 30% of cyberattacks led to the theft of personal, strategic or technical data, or innovation data
  • 978 million people worldwide are affected by a cyberattack each year
  • 51% of companies consider raising awareness of cybersecurity issues a priority, but some managers continue to ignore such situations

What the law says, although it is not yet in force

Adopted in early March 2022, French Law No. 2022-309 amends the Consumer Code by imposing additional cybersecurity requirements on significant digital platforms, instant messaging services, and the most popular video conferencing sites.

The affected websites and networks must therefore use a color-coded information system to display their score in a way that is accessible, intelligible, and clear. The operators in question will be required to conduct a security audit of the data they host with service providers certified by the National Agency for Information Systems Security (ANSSI).

The system is supposed to take effect from next October 1, yet some details still need to be addressed.

Concrete applications for platforms and other networks

A decree will list all the platforms, social networks and video conferencing sites concerned, and an order will specify the criteria taken into account by the security audit. Although the application is ready to go, the text is not yet.

On the one hand, FEVAD has had close discussions with the relevant ministries on the text in question so as to raise many of the concerns identified by experts in the relevant fields, which will be considered in the final version of the text. On the other hand, the GAFAM companies are also very much concerned about these new regulations and obligations, which represent constraints for them.

Besides, the time constraint on the use of Cyberscore means that companies will have to renew audits regularly. This is quite understandable, as it is meant to help companies maintain a certain level of security. Its requirements might also evolve over time to better adapt to its clients.

In spite of these objections, a tool such as Cyberscore might be necessary to optimize overall data protection, to secure both companies and private individuals, and to prevent companies from taking advantage of consumers' data. Although this applies only to France so far, what about deploying it at European scale?

Although there is of course room for discussion, it would be yet another means to strengthen EU cybersecurity and drive present digital policies further.