Occasionally collateral victims of large-scale phishing campaigns, sometimes targets of deliberate attacks, local authorities are paying a high price for their relatively low cyber maturity, especially among smaller entities. Despite evident efforts, limited budgets and human resources hinder progress in the sector.

New Year’s Eve 2024 proved challenging for numerous mayors. On December 31, 23 French municipal websites were attacked, including those of Marseille, Nice, Montpellier, and Le Havre, as well as the police prefecture’s site. The investigation, entrusted to the General Directorate for Internal Security, suggested pro-Russian hackers were responsible. While the temporary blocking of these sites had no significant consequences, that’s not always the case. Recall the attack on September 25, 2024, which completely paralyzed the IT systems of Eschau’s town hall, forcing municipal staff to revert to paper-based operations to manage residents’ administrative requests as best they could.

In its third study on the cyber maturity of local authorities, Cybermalveillance.gouv.fr reveals that one in ten local authorities reported being victims of one or more cyberattacks in the past 12 months. In 37% of cases, these attacks led to service interruptions, and in 24%, to data destruction or theft. Phishing accounted for a third of these incidents, while 12% involved virus downloads, another 12% stemmed from browsing infected sites, and 10% resulted from unpatched vulnerabilities. Notably, in 45% of cases, the initial cause couldn’t be formally identified.

A General Lack of Cyber Awareness in Small Municipalities

The vulnerability of France’s 36,000 municipalities is particularly evident among the smallest ones. The same study highlights that 73% of small and medium-sized local authorities have an annual IT budget of less than €5,000. In this period of budgetary constraints, two-thirds of them will not increase this amount in 2025.

Arnaud Martin, Administrator of CESIN (Club of Information and Digital Security Experts), points out: “There are generally two levels of cyber maturity among public sector actors. On one hand, large local authorities have a proper organization and dedicated resources for cybersecurity. We can say that they are just as effective in this area as large companies. On the other hand, small local authorities face the same difficulties in grasping the subject as very small businesses (TPE) or small SMEs.” The gap is striking: in these small municipalities, IT is sometimes managed by the town hall secretary, while major state services have highly advanced capabilities. However, according to this seasoned expert—who is also the Director of Operational, Cyber, and Control Risks at Groupe Caisse des Dépôts—the situation is evolving positively.

The government has allocated funds to help these municipalities protect themselves, particularly through the France 2030 initiative, which includes a call for expressions of interest (AMI) under the “Cybersecurity Offer Mapping” program. This initiative follows the “Cyber PME” scheme. Local authorities can also benefit from a free security audit. Cybermalveillance.fr and CNIL have published a guide outlining local governments’ cybersecurity obligations and responsibilities. The GIP Acyma and Cybermalveillance.fr assist municipalities affected by security incidents. Additionally, local law enforcement services provide crucial support when filing complaints.

The Exorbitant Cost of an Attack vs. the Price of Prevention

Targeted by a cyberattack in 2022, the municipality of Aix-les-Bains saw its entire information system completely paralyzed by a cryptominer. François Fumu-Tamuzo, Director of Information Systems at the Aix-les-Bains Town Hall, immediately set up an internal crisis unit and turned to ANSSI. “ANSSI put us in touch with a PRIS (Security Incident Response Provider) to conduct the initial diagnostics. This provider is certified and can start working immediately, as all authorizations are pre-approved.” While the IT director acknowledges that this assistance is invaluable in the first days, its cost is significant. “At €1,200 per day, it is very expensive for a municipality that may need support for 10, 20, or even 30 days, depending on the extent of the damage! And that’s without considering the ransom, if there is one! In times of budget constraints, one must also factor in the costs of lost productivity, lost revenue for the city (parking fees, fines, billing, taxes, other paid services, etc.).” For a small municipality, these remediation costs are exorbitant and should be compared to the cost of even a basic security policy that could help fend off the most common attacks.

François Fumu-Tamuzo believes that the ad-hoc approach to cybersecurity still prevalent in many local governments must give way to a more structured strategy. However, these municipalities face a major challenge: human resources. “Not every town hall has a Chief Information Security Officer (CISO) to implement a proper Information Security Policy (PSSI). Often, the IT manager has to rely on network and system administrators to ‘patch together’ cybersecurity solutions. This is a budget issue, but above all, it’s a cultural one. We need to raise awareness among decision-makers and elected officials about cybersecurity risks. The potential disruption of municipal services, ransom demands, and the impact on e-reputation from a cyberattack are very real threats.”

A Severe Shortage of Specialized Human Resources

Pascal Llopis, CISO of the Chambers of Commerce and Industry (CCI) of Nouvelle-Aquitaine, IT Director of the CCI Lot-et-Garonne, and cybersecurity advisor for companies in the region, confirms the lack of cyber resources in many small local authorities: “Many town halls do not have an in-house IT systems manager. Their IT is often managed by administrative centers, which are responsible for digital expertise within local authorities. However, these centers are overwhelmed with work.” Using the example of Lot-et-Garonne and its 319 municipalities, he highlights that the few IT staff in the department’s management center cannot simultaneously oversee administration, conduct security audits, and handle remediation for all the municipalities.

Even if a local IT director overcomes the challenges of awareness and budget, they will soon face the acute shortage of cybersecurity professionals, which is particularly severe in local governments: “The salaries offered and the employment status are not enough to attract CISOs, and a shared approach between multiple municipalities will be necessary,” says Llopis.

State Support and Regulatory Constraints

In response to this situation, the French government provides financial assistance to municipalities through programs like France 2030 and the Cybersecurity Pathway initiative. ANSSI also funds certain cybersecurity projects. The MonAideCyber program enables municipalities to conduct security audits and prioritize actions to enhance their protection. A town hall can manage up to 180 different applications within its information system, with a dedicated application for nearly every municipal function—requiring a broad range of expertise. Managing such a complex IT ecosystem remains a major challenge in terms of security.

Given the complexity and slow pace of public procurement, the French government allows municipalities to directly purchase cybersecurity services in case of an attack. Additionally, procurement platforms like UGAP, ARNIA, CANUT, or RESAH help streamline and accelerate the selection process for cybersecurity solutions.

From a regulatory perspective, new requirements will drive cybersecurity adoption in the public sector. Once the NIS2 directive is transposed into French law, thousands of local authorities will need to comply with cybersecurity measures for essential and important services. “The current discussion suggests setting the threshold at 30,000 inhabitants,” explains Arnaud Martin, CESIN Administrator. “Whatever the final decision, the compliance requirements will be proportional to the size of each municipality—a small town won’t have the same obligations as a large urban community.” With the increasing need for shared CISOs and managed security services, local IT managers will have to find innovative ways to align with the new European regulations while working within their limited resources.

A Cyber Ecosystem That Must Adapt to This Highly Specific Target

Finally, the French cybersecurity ecosystem is working on solutions tailored to these small organizations. Managed services, such as Cyber SOC offerings, are emerging to meet the security needs of very small businesses (TPE) and even individuals. These highly industrialized services can address the budget constraints and lack of internal resources typical of such organizations. However, Pascal Llopis warns: “Bulk purchasing of EDR or XDR licenses, for example, can drastically reduce costs, but it’s crucial to ensure that the implemented solution truly meets the municipality’s needs—neither oversized nor undersized. Local governments and business owners often worry that a security audit firm might prioritize selling the products it has in its catalog rather than providing the most suitable solution.”

While SMEs and mid-sized companies have come to understand that a cyberattack can force them to halt operations and threaten their survival, this message has not yet fully resonated with elected officials. A local government may not go bankrupt, but the risk of service disruptions for citizens is very real. Such incidents can erode public trust in the institution and impact municipal staff, highlighting the urgent need for stronger cybersecurity measures.
