In the event of a cyber crisis: who to turn to?
While Cyber Month aims to raise awareness of cyber threats and the right reflexes to protect against them, it is useful to ask who to contact when a cyberattack occurs. When an organization is faced with a cyber incident, it can be supported by several public structures depending on the nature of the incident and the level of urgency: 17Cyber.gouv.fr / Cybermalveillance.gouv.fr for non-regulated victims (VSEs, SMEs, local authorities, individuals), regional CSIRTs, ANSSI for regulated operators, and the National Gendarmerie and National Police for the judicial aspect.
17Cyber, the public and professional entry point
Since December 2024, the main reflex for victims of cyberattacks has been 17Cyber.gouv.fr. Available at all times, this portal is the result of collaboration between the National Police, the National Gendarmerie, and the Cybermalveillance.gouv.fr website. It provides a diagnostic questionnaire, suggests appropriate containment measures, and, if necessary, directs victims to a registered service provider.
“17Cyber is aimed at individuals and organizations (local authorities and businesses) that are not regulated. Its primary mission is to assist victims of acts of cyber-malware. Its second mission is prevention: producing dedicated content, awareness campaigns… Finally, its third goal is to monitor threats, which feeds into the first two,” says Jérôme Notin, CEO of Cybermalveillance.gouv.fr, speaking at the InCyber des territoires forum held last May in Le Creusot.
Historically (before December 17, 2024), 17Cyber simply welcomed victims, qualified the threat via a questionnaire, gave them tailored advice, and, in some cases, put them in touch with one of the 1,200 local registered service providers (200 of which are certified). “More than 86% of companies, 24 hours a day, 7 days a week, found a service provider able to support them in under an hour,” notes Jérôme Notin.
Since December 17, 2024, thanks to the Ministry of the Interior, victims are now offered, in cases where needed, the possibility of speaking with a police officer or a gendarme for assistance with judicial proceedings. “It is essential that victims be able to file a complaint in order to potentially identify perpetrators and stop the offense. It also allows the public authorities to assess the impact of these acts of cyber-malware,” adds Jérôme Notin.
Territorial CSIRTs, local relays
Born out of ANSSI’s desire in 2021 to develop a territorial network and funded by the France Relance plan, 15 territorial CSIRTs (Computer Security Incident Response Teams) now cover all metropolitan and overseas territories. They handle assistance requests from intermediate-sized actors (SMEs, ETIs, local authorities, and associations) and connect them with local partners: incident response providers and state partners. The emergence of these territorial CSIRTs is intended to provide a free, local first-level incident response service, complementing those offered by service providers, the Cybermalveillance.gouv.fr platform, and CERT-FR (the government center for monitoring, alerting, and responding to computer attacks), which depends on ANSSI.
“In the Bourgogne Franche-Comté region, our main role is assistance with remediation and incident management. When a victim calls us, we go through a response sheet with them depending on the type of incident (compromised messaging, denial of service, etc.). The region later asked us to extend our actions through alerting. This consists of identifying vulnerabilities on the websites of local authorities or companies and notifying them. We also conduct many awareness campaigns and lead the regional cyber sector,” explains Sébastien Morey, Head of the Bourgogne Franche-Comté CSIRT.
Regulated entities: ANSSI as point of contact
As for operators of vital importance (OIVs) and operators of essential services (OSEs), they fall under ANSSI in the event of a cyber incident. “But the entry into force of NIS2 considerably broadens the scope of regulated companies, with essential entities (EE) and important entities (EI). We are moving from around 500 companies to nearly 15,000. We will therefore work very closely with Cybermalveillance.gouv.fr and 17Cyber,” says Véronique Brunet, ANSSI Delegate for the Bourgogne Franche-Comté region.
“On a daily basis, I work extensively with the Gendarmerie and the Bourgogne Franche-Comté CSIRT. We exchange a lot of information about incidents. We also ensure that each of us can help victims file complaints and make their declarations to the CSIRT or CERT-FR. Sometimes, even if the entity is not an OIV or OSE, we consider its missions to be strategic for the nation’s defense and make a declaration to CERT-FR. This provides additional assistance to that of other bodies,” explains Véronique Brunet.
As for healthcare establishments, organizations, and services involved in prevention, diagnosis, or care, as well as medico-social institutions and services, they have a dedicated relay: CERT Santé. Reachable by phone and via the ministry’s reporting portal, the center ensures permanent on-call support and publishes operational reflex sheets. A healthcare establishment must report any incident likely to affect the availability, integrity, or confidentiality of a critical information system, even if the service is provided by a subcontractor.
CNIL notification: a regulatory requirement
As soon as a violation involves personal data, CNIL must be notified within 72 hours of detection, even if not all information has yet been consolidated. The “Report a breach” teleprocedure handles the initial declaration and, if necessary, additional details. Where there is a high risk for the data subjects (health data, bank identifiers, minors), the company must also inform them individually without undue delay. Unjustified delays expose organizations to administrative fines of up to 2% of global turnover.