Where do French companies stand on data governance in the age of AI?
French people today have a paradoxical relationship with their personal and professional data. On the one hand, distrust of digital technology remains strong: nearly one in two French people say they do not trust the Internet, in a context marked by the rise of generative AI and the multiplication of online scams, and all the more so in the current geopolitical context, since the digital technologies in mass use come from the United States. On the other hand, they readily share sometimes sensitive information on social networks, hand critical information to generative AI tools (ChatGPT, Gemini, etc.), and above all do little to protect their personal digital devices (phone, tablet, computer).
This contrast shows that, despite a protective legal framework such as the GDPR and NIS2, and an educational framework that is trying to incorporate digital-related needs (Information and Communication Technologies for Education), citizens’ awareness of the concrete protection of their data still needs to improve, particularly regarding everyday security practices (both in private life and in professional life). For while the legal framework is very mature, users’ behavioral maturity (for example: adoption of multi-factor authentication, password management, etc.) remains a constant area for improvement in the face of increasingly sophisticated threats.
What defines the sensitivity of data?
The sensitivity of data depends on the impact that its disclosure, modification or loss could have. From a legal standpoint, the GDPR strictly governs certain particularly sensitive personal data, such as health-related data, political opinions, religion, or biometric data. But in business, the notion goes further (ranging from trade secrets to source code and security information): it also concerns strategic, financial, technical or security-related information. Hence the importance of classifying data according to its level of sensitivity in order to apply appropriate access rules and better protect the organization’s critical assets.
How can employees be educated about the value of their information assets (the company’s information system)?
A company’s information system (IS) constitutes its most valuable asset. Yet studies regularly show that the human factor is involved in the vast majority of cybersecurity incidents. In 2024, social engineering attacks (such as targeted phishing) were the initial vector of many major compromises in France (according to the CNIL).
Educating employees must no longer be limited to a mandatory and tedious annual training session. It is about creating a true security culture:
Awareness of information assets: employees must understand that the data they handle on a daily basis (customer files, HR databases, strategic plans) has invaluable value for the company, but also for cybercriminals.
Simulations and practical exercises: the regular organization of fake phishing campaigns makes it possible to assess teams’ vigilance and provide immediate and educational corrective feedback without blaming the user.
Clear and stigma-free procedures: an employee who clicks on a malicious link must have the reflex to report it immediately to the IT department, without fear of sanctions. Speed of detection is crucial to contain an attack.
Everyday cyber hygiene: raising awareness about the importance of strong passwords, multi-factor authentication (MFA), and the risks linked to the use of tools not approved by the company (Shadow IT or, more recently, Shadow AI).
It should also be understood that the sensitivity of data can evolve over time. A piece of data may be almost public when it is created and later become completely sensitive for various reasons, which is why labeling methods must allow a classification to be revised rather than fixed once and for all.
A few examples:
An internal organizational chart, which can become sensitive in a context of crisis or cyberattack.
A product or project roadmap, which becomes sensitive as soon as it reveals a strategic decision.
A customer or partner list, which may seem like “standard” business data. Yet if the company is preparing a new offer, a major commercial negotiation or a change in positioning, that same list can become extremely sensitive.
How can a security baseline for data leakage in France be defined? (see NIS2 and DORA)
The year 2024 was described by the CNIL as a black year in terms of data breaches. The authority was notified of nearly 6,000 breaches (an increase of 20% compared with 2023), with a doubling of large-scale attacks affecting more than one million people (for example: third-party payment operators, France Travail, schools, hospitals, etc.). In light of this, the deployment of “defense in depth” measures is imperative, and the new European regulatory frameworks are now imposing this pace.
Faced with this multiplication of attacks and massive data leaks, companies must now rely on a more robust security foundation. New European frameworks, such as NIS2 and DORA, reinforce this requirement by imposing better cyber risk management, increased oversight of service providers, and stricter obligations in terms of resilience and incident notification. Beyond regulatory compliance, these texts reflect a deeper shift: the protection of data and information systems is becoming a strategic issue for all exposed organizations.
Whether a company falls under NIS2, DORA, or simply the GDPR, the CNIL recommends a baseline of essential measures to prevent massive data leaks:
Segmentation of systems and strict enforcement of authorization policies.
Generalized multi-factor authentication (MFA), particularly for remote access and privileged accounts.
Active monitoring of atypical queries and limitation of data export volumes.
Encryption of data at rest and in transit.
Rigorous management of subcontractors, often identified as the weak link in recent attacks.
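The third measure in that list (monitoring atypical queries and limiting export volumes) is the one most often left as a slogan. The following script is an added example, not code from the article or from the CNIL: it reads constructed export-log lines and flags a user's day when it exceeds an absolute export cap, when it is several times that user's own median daily volume, or when the export happens outside working hours. The log format, the user names, the threshold values and the working-hour window are all assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log lines (not from any real system): one export event per line.
# alice has a normal week and then a large night-time export; bob stays within habits.
SAMPLE_LOG = """\
2025-03-03T09:12:00 alice export rows=120
2025-03-04T10:05:00 alice export rows=150
2025-03-05T09:47:00 alice export rows=130
2025-03-06T11:20:00 alice export rows=140
2025-03-07T02:31:00 alice export rows=52000
2025-03-03T14:02:00 bob export rows=30
2025-03-04T15:10:00 bob export rows=40
2025-03-05T16:30:00 bob export rows=35
2025-03-06T13:00:00 bob export rows=45
2025-03-07T14:15:00 bob export rows=38
2025-03-07T14:16:00 bob export rows=39
"""

HARD_CAP_ROWS = 10_000      # assumed policy value: absolute rows per user per day
RATIO_THRESHOLD = 5.0       # flag a day above N times the user's own median
MIN_BASELINE_DAYS = 3       # days of history needed before the ratio rule applies
WORK_HOURS = range(7, 20)   # assumed: 07:00-19:59 is normal activity


def parse_log(text):
    """Parse 'timestamp user action rows=N' lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, rows_field = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "rows": int(rows_field.split("=", 1)[1]),
        })
    return events


def daily_volumes(events):
    """Sum exported rows per (user, date); several exports on one day add up."""
    totals = defaultdict(int)
    for e in events:
        if e["action"] == "export":
            totals[(e["user"], e["ts"].date())] += e["rows"]
    return totals


def detect_anomalies(events):
    """Return (user, day, rule, rows) findings for cap, spike and off-hours rules."""
    findings = []
    per_user = defaultdict(list)
    # sorted() orders by (user, date), so each user's days are chronological
    for (user, day), rows in sorted(daily_volumes(events).items()):
        per_user[user].append((day, rows))
    for user, days in per_user.items():
        for i, (day, rows) in enumerate(days):
            if rows > HARD_CAP_ROWS:
                findings.append((user, day.isoformat(), "hard_cap", rows))
            history = [r for _, r in days[:i]]   # only days before this one
            if len(history) >= MIN_BASELINE_DAYS and rows > RATIO_THRESHOLD * median(history):
                findings.append((user, day.isoformat(), "volume_spike", rows))
    # Off-hours exports are atypical regardless of their size
    for e in events:
        if e["action"] == "export" and e["ts"].hour not in WORK_HOURS:
            findings.append((e["user"], e["ts"].date().isoformat(), "off_hours", e["rows"]))
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(finding)
```

The per-user median is what makes the check "atypical" rather than merely "large": a back-office user who exports 50 rows a day trips the spike rule on a 500-row day that an analytics team would never notice, while the hard cap catches a bulk extraction even on the first day of history. In production the same three rules would run over the application's real audit trail and feed the SIEM rather than print to a terminal.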
Data protection and governance in France are going through a pivotal period. While citizens are increasingly aware of the value of their information, companies are facing threats of unprecedented scale, particularly with the increasingly widespread adoption of Artificial Intelligence. The response can no longer be purely technical; it must be organizational, regulatory and human. By relying on structuring frameworks such as the GDPR, NIS2 and DORA, and by investing massively in the education of their employees, French organizations have an opportunity to turn the security constraint into a genuine competitive advantage based on digital trust.
Jean Michel GALLEBY
01.04.26