Key Benefits:
Publics concerned: professionals (electronic communications operators, independent qualified organizations).
Purpose: Electronic communications, security and integrity control of operators' facilities, networks and services.
Entry into force: the text comes into force on the day after its publication.
Notice: The Order sets out the conditions under which the Minister responsible for electronic communications may require electronic communications operators to submit their facilities, networks and services to security and integrity controls pursuant to section L. 33-10 of the Post and Electronic Communications Code.
It also specifies the modalities for the empowerment of qualified independent bodies that may be responsible for carrying out this control when no State service can do so or when no national defence or public security imperative is opposed to it.
It also defines the methods for calculating the costs of control when carried out by a State service.
References: the texts amended by this decree are available on the website Légifrance (http://www.legifrance.gouv.fr).
The Prime Minister,
On the report of the Minister of Productive Recovery,
Considering Directive 2002/21/EC on a common regulatory framework for electronic communications networks and services, as amended by Directive 2009/140/EC of the European Parliament and the Council of 25 November 2009;
Vu le Trade codeincluding article L. 233-3;
Vu le Defence codeincluding articles L. 1332-1, L. 1332-2 and R. 2311-7-1;
Considering the post and electronic communications code, including articles L. 33-1, L. 33-10, L. 47 and R. 20-50;
Considering the internal security code, including articles L. 114-1 and L. 234-1;
Vu le Decree No. 2005-1124 of 6 September 2005 taken for application ofArticle 17-1 of Act No. 95-73 of 21 January 1995 and setting out the list of administrative investigations leading to the consultation of the automated personal data processing referred to in theArticle 230-6 of the Code of Criminal Procedure ;
Vu le Decree No. 2008-1401 of 19 December 2008 relating to accreditation and conformity assessment;
Vu le Decree No. 2009-834 of 7 July 2009 amended to establish a national jurisdiction service known as the National Information System Security Agency;
Considering the opinion of the electronic communications advisory board of 22 June 2012;
Considering the opinion of the Electronic Communications and Post Regulatory Authority dated 28 July 2012;
The State Council (section of public works) heard,
Decrete:
In section 1 of chapter II of title I of Book II of Part II (Decrets in Council of State) of the Code of Posts and Electronic Communications, a paragraph III is inserted entitled: " Provisions relating to the control of the security and integrity of facilities, networks or services" and comprising articles R. 9-7 to R. 9-12 as follows:
"Art. R. 9-7.-I. ― The control provided for in Article L. 33-10 is carried out by the National Agency for Information Systems Security (ANSSI) or by another competent State service. However, in the event that no State service can do so and where there is no requirement for national defence or national security, the control may be carried out by an independent qualified body authorized by the Minister responsible for electronic communications.
"In order to be authorized to perform these controls, an organization must meet the following conditions:
« 1° Rationale for accreditation for the conduct of security and integrity checks for the facilities, networks and services of electronic communications operators issued by the French Accreditation Committee or by an organization signatory to the European multilateral agreement as part of the European coordination of accreditation bodies;
« 2° Disposal of personnel who hold the authorization referred to in theArticle R. 2311-7-1 of the Defence Code allowing access to classified information at the level " Confidential Defense” in particular to be able to carry out the controls of the operators mentioned in articles L. 1332-1 and L. 1332-2 of the same code;
« 3° Disposal of personnel authorized to exercise control under the first paragraph of this section after an administrative investigation conducted in accordance with section L. 114-1 of the Internal Security Code;
« 4° Justification of its independence from electronic communications operators by demonstrating that it is not under the control of one of them in the sense ofArticle L. 233-3 of the Commercial Code or does not provide services or equipment used in the facilities, networks or services of the facilities.
“II. ― Enquiries for empowerment are addressed to the senior defence and security officer of the Department of Electronic Communications who teaches them.
"At the end of the instruction the Minister responsible for electronic communications shall include the organization meeting the conditions referred to in I on a list of the bodies authorized to perform the controls referred to in section L. 33-10 of the Post and Electronic Communications Code. The authorized body must promptly notify the Minister of any changes to the items on which it was listed.
"The Minister responsible for electronic communications keeps this list up to date and can ensure at any time that the organization meets the conditions set out in I. If this is not the case or in the event of a failure of the organization to comply with its obligations, the Minister may withdraw the latter from the list on a final or temporary basis after he or she has made his or her submissions within fifteen days.
"Art. R. 9-8.-The control provided for in Article L. 33-10 is to assess the measures taken by the operator pursuant to the provisions of Article L. 33-1, paragraph I, and in particular those taken to ensure the safety of its network and services at a level appropriate to the existing risk, to ensure the integrity of its network and to ensure continuity of the services provided.
"A single control may be initiated by calendar year for the same network or service. However, the Minister responsible for electronic communications may initiate other controls where the operator's networks or services are subject to, during that same year, a breach of their security or a loss of integrity that has a significant impact on their operation or where deficiencies or vulnerabilities in the measures taken to ensure the safety and integrity of the operator's facilities, networks or services have been identified in the previous year.
"Art. R. 9-9.-I. ― When the Minister responsible for electronic communications requires an operator to control the safety and integrity of its facilities, networks or services, the Minister shall notify the operator of the control objectives and the deadline for completion of the control, which may not exceed six months. It also specifies whether control must be carried out by the National Agency for Information Systems Security or by another State service or by an independent qualified body. In the latter case, the operator chooses the body on the list referred to in R. 9-7 and the cost of the control is fixed by contract between the operator and the agency.
“II. ― The operator shall make the necessary arrangements for the enforcement of the control by the State service designated by the Minister or by the agency that he has chosen and communicates the control within two months of the notification referred to in this article to the Minister responsible for electronic communications, who shall ensure that these provisions meet the control objectives.
"The operator shall promptly report any difficulties to the Minister responsible for electronic communications.
"III. ― Where control occurs as a result of a security breach or loss of integrity that has a significant impact on the operation of the operator's networks or services, or where deficiencies or vulnerabilities in the measures taken to ensure the safety and integrity of its facilities, networks or services have been identified in the course of a previous audit during the same calendar year, the Minister responsible for electronic communications may require that the time limit identified in the two months
"Art. R. 9-10.-The Minister responsible for electronic communications informs the Authority of the regulation of electronic communications and of the checkpoints it decides.
"Art. R. 9-11.-The service or agency that has conducted control under the conditions set out in sections R. 9-7 to R. 9-9 shall establish a report with its findings and an assessment of the effectiveness of the measures taken by the operator to ensure the safety and integrity of the controlled facilities, networks and services. When faults or vulnerabilities in the measures taken to ensure the safety and integrity of the operator's facilities, networks or services were found during the control, the operator makes recommendations to be addressed.
"The report, including, where appropriate, the operator's observations, shall be submitted by the operator to the Minister responsible for electronic communications no later than the time limit set for carrying out the control.
"The Minister responsible for electronic communications may audition the service or agency that has performed the control, in the presence of the operator who is also heard, in the month following the report being delivered.
"The Minister responsible for electronic communications informs the Autorité de régulation des communications électronique et des postes of the main conclusions of the control.
"Art. R. 9-12.-The cost of the controls carried out by a state service pursuant to Article L. 33-10 is calculated according to the time necessary for the realization of the control and the number of agents assigned to it.
"A Prime Minister's order sets out the overall unit cost of a control mobilising an agent for a day. »
At 1° of Article 1 of the above-mentioned Decree of 6 September 2005, the following paragraph is added:
“(k) Physical persons employed by qualified independent organizations authorized by the Minister for Electronic Communications to perform the controls provided for in section L. 33-10 of the Post and Electronic Communications Code; "
In R. 20-50 of the Post and Electronic Communications Code, the words "third paragraph of Article L. 47" are replaced by the words "fifth paragraph of Article L. 47".
The Minister of Productive Recovery and the Minister Delegate to the Minister of Productive Recovery, responsible for small and medium-sized enterprises, innovation and the digital economy, are responsible, each with respect to it, for the execution of this Order, which will be published in the Official Journal of the French Republic.
Done on 15 November 2012.
Jean-Marc Ayrault
By the Prime Minister:
Minister Delegate
to the Minister of Productive Recovery
small and medium-sized enterprises,
innovation and the digital economy,
Flower Pellerin
Minister of Productive Recovery
Arnaud Montebourg
