Out-Law Analysis
10 Oct 2023, 1:09 pm
New legislation has come into force in France to make online platforms more distinguishable from one another in relation to the level of cybersecurity they offer.
It is the latest development in a market in which cybersecurity has become a marketing asset, playing an important role in promoting an image of trust.
Law n° 2022-309 of 3 March 2022 introduced cybersecurity certification for digital platforms aimed at the public. The law amends the French Consumer Code to impose new cybersecurity obligations.
A new article of the French Consumer Code, L. 111-7-3, came into force on 1 October 2023 and requires certain online platforms to have a cybersecurity audit carried out and the results presented to consumers in the form of a Cyberscore. More specifically, the audit result must be presented "in a legible, clear and comprehensible manner" and be "accompanied by a complementary presentation or expression, using a colourful information system". The Cyberscore is therefore similar to the Nutriscore, an existing metric used to provide consumers with information on the nutritional quality of food products.
The audit must be carried out by service providers qualified by the National Cybersecurity Agency of France (ANSSI), and operators must inform consumers on the security of their site or service, as well as the security and location of the data they host, either directly or via a third party.
The protection of personal data and information systems has become a real marketing factor. A single score can have a negative impact on a company's image, with far-reaching repercussions. Indeed, it is undeniable that a poor score awarded to an online platform could influence the decisions of consumers or companies, and dissuade them from using the service.
The law's obligations apply to the operators of online platforms referred to in article L. 111-7 of the French Consumer Code, such as social networks or search engines. They also apply to persons providing number-independent interpersonal communications services within the meaning of 6° quater of article L. 32 of the French Postal and Electronic Communications Code, such as instant messaging services.
A new decree is to be issued by French government ministers to set out the thresholds for determining which businesses fall into scope of the new requirements. A new order will also specify more detail on the new law and, more specifically, the criteria considered by the audit. The order will be issued after the French data protection authority, the Commission nationale de l'informatique et des libertés (CNIL), issues an opinion. This will enable factors relating to compliance with regulations on the protection of personal data to be taken into account.
The Ministry of the Economy, Finance and Industrial and Digital Sovereignty has published the draft decree and order.
The draft decree sets the threshold for application of the law at 25 million unique visitors per month from French territory for the year 2024. The threshold is lowered to 15 million unique visitors per month from French territory for 2025 and subsequent years. These thresholds are calculated based on the last calendar year.
The draft order sets out the criteria, presentation methods, and rating system applicable to services for calculating the Cyberscore. It stipulates that the audits carried out to award a Cyberscore will be valid for 12 months and must be renewed within three months of the expiry of the previous audit, provided that the platform remains within scope of the obligation to obtain a Cyberscore.
According to the draft order, the Cyberscore assessment will be based on an audit grid comprising nine audit sections, including organisation and governance, protection of personal data, level of outsourcing and level of exposure on the internet. On the basis of these nine themes, there are 36 criteria which can themselves be broken down into different checkpoints. The rating will range from A+ to F. This score will enable platforms to enhance the reputation of their services and improve the protection of their systems.
As the conditions of application are still unknown, the application of law n° 2022-309 has been delayed. However, the draft order provides for the text to come into force on 1 January 2024. Platforms subject to the new obligations should therefore anticipate future obligations.
It is essential that online platforms monitor for developments on Cyberscore implementation. By informing consumers about the level of security of services and raising awareness of cybersecurity, such a measure will enable service providers to reinforce their IT security systems, with the aim of improving trust with customers and partners.
Co-written by Cristiana Finzi of Pinsent Masons.