The CYBER-SCORE law : a major step forward in assessing the security of websites
The Cyber-Score law aims to determine whether a service complies with data protection rules, such as localization, safeguards and internal safeguards, while strengthening digital security and respect for privacy.
Cyberattacks have grown tremendously in recent years, affecting a variety of sectors, ranging from large corporations to public institutions and individuals. These attacks have had significant financial repercussions, compromised individual privacy, and undermined trust in digital services.
In 2023, the impact of cyberattacks was particularly felt in France, with a significant increase in visits to the government platform Cybermalveillance.gouv.fr.
This increase stands at 53%, representing nearly 3.8 million visitors, almost as many as the cumulative total of the previous four years up to 2022.
These figures reflect the growing awareness of the need to protect against cyber threats, as well as the active search for solutions to strengthen digital security.
In response to the resurgence of cyber attacks, France took action in early 2022 by adopting the law entitled “CYBER-SCORE”.
CYBER-SCORE, which is scheduled to be implemented by the end of 2023, aims to create a label allowing users to easily and quickly check whether a service is properly secure and data-friendly, at a glance.
This measure will complement the information provided to users on data security, in addition to the GDPR (General Data Protection Regulation), with the aim of promoting safer and more transparent digital practices for all.
The “CYBER-SCORE” law
On Thursday March 3, 2022, Law No. 2022-309 aimed at establishing cybersecurity certification for digital platforms accessible to the general public was promulgated by the President of the Republic. This law was officially published in Official Journal No. 53 of March 4, 2022.
The entry into force of this law is scheduled for October 1, 2023, with a possible postponement to January 1, 2024, as stipulated in the draft decree.
At present, the decrees and orders corresponding to this law are awaiting publication. Once published, these texts will supplement and specify the terms of application of this new cybersecurity measure.
The CYBER-SCORE as an indicator of computer security
The CYBER-SCORE is inspired by the NUTRI-SCORE initiative, but this time it focuses on websites and digital services used online rather than food. It is a visual security labeling system for these platforms, designed to give users a better understanding of the impact of these sites on their “digital health”.
Similar to NUTRI-SCORE, which allows consumers to quickly assess the nutritional quality of food, CYBER-SCORE will provide a synthetic evaluation of the security of websites.
Thus, users will be able to make more informed decisions regarding the protection of their personal data and their privacy online.
This system will be a practical tool for users concerned about their online security. They will be able to browse the web making informed decisions, opting for platforms that better respect their privacy and their personal data.
The CYBER-SCORE will thus be designed as a measure aimed at offering Internet users a clear and easily understandable assessment of the level of security and protection of personal data on a website, even in the absence of technical expertise.
This visual label will allow them to quickly determine if the site they are visiting provides a safe environment for their data.
Who will be affected by the CYBER-SCORE law?
Two types of operators are subject to this obligation:
All online platform operators offering, on a professional basis, whether paid or not, an online public communication service based on:
- Classification or referencing, by means of computer algorithms, of content, goods or services offered or put online by third parties.
- Or the connection of several parties with a view to the sale of a good, the provision of a service or the exchange or sharing of content, a good or a service.
Number-independent interpersonal communications services:
Services which do not establish a connection to one or more numbers appearing in the national or international numbering plan, or which do not allow such communication (messaging services, videoconferencing services, etc.).
In addition, the law establishes a condition linked to the level of use of the site, where activity thresholds will be defined later by decree.
The main objective of this legislation is to prioritize the most important players in the market.
From 2024, a threshold of 25 million unique visitors per month in France should be established, but it could be lowered to 15 million unique monthly visitors by 2025.
Moreover, according to the FEVAD classification in the tourism sector for the year 2022, only the Booking.com platform currently exceeds this threshold, thus preserving it from this obligation until 2025.
A legal obligation to comply with
The CYBER-SCORE law emphasizes two essential aspects: first, the obligation to carry out a security audit for certain platforms, and then, the issuance of a security certification for sites intended for the general public.
The mandatory security audit must be defined by an order from the ministers in charge of digital and consumer affairs, in consultation with the National Commission for IT and Liberties (CNIL).
In accordance with Article L. 111-7-3 of the Consumer Code, the audit will be carried out by service providers approved by ANSSI (National Agency for the Security of Information Systems) referred to as “PASSI”.
The audit will be based on public information, freely accessible and collected in a non-intrusive manner by the PASSI service providers.
However, if information that is not freely accessible, or that was collected intrusively, alters the CYBER-SCORE, the PASSI provider could be held liable.
This assessment will be valid for 18 months, beyond which a reassessment will be necessary, based on the results of a new audit.
Like the NUTRI-SCORE, the result of the audit must be presented in a clear and understandable manner, accompanied by an additional expression in the form of a color information system intended for Internet users. In accordance with the draft decree, the CYBER-SCORE will be valid for a period of 12 months and must be renewed every 3 months.
Companies affected by the CYBER-SCORE law will also be required to present a certification on their website to attest that they have been subjected to this audit.
This certification will be presented in the form of an energy label or a NUTRI-SCORE, with the aim of easily attracting the attention of visitors.
The draft decree also includes criteria defining the CYBER-SCORE rating.
CYBER-SCORE evaluation criteria
The sites of operators will be evaluated according to several criteria, defined by a ministerial decree, which will emphasize two essential aspects: the security of the tool used by the platform and the location of the data it collects and hosts, as well as the global security of the platforms themselves.
Regarding the security of the tool, the CYBER-SCORE will assess the robustness of the protection measures put in place by the platform in order to guard against cyberattacks and the risk of violation of users’ personal data.
This will likely include elements such as the encryption systems used, firewalls, security protocols, and password management.
Regarding the location of data, CYBER-SCORE will pay particular attention to where the information collected by the platform is stored. Indeed, the location of storage centers can raise legal issues regarding data protection.
Some countries have stricter data protection laws, while others may have more lax regulations.
It is essential to realize that each time visitors connect to an online platform, they unwittingly provide data to the owners of this platform.
The objective of CYBER-SCORE is to make users aware of the importance of the security and protection of their personal data by providing them with a clear assessment of the level of security and localization of their information on the sites they visit.
The potential impact of the “CYBER-SCORE” law
The potential impact of CYBER-SCORE comes from several key perspectives: legal, financial, commercial and marketing.
On the legal level, this law provides for substantial fines for companies and individuals in the event of non-compliance with the obligations related to CYBER-SCORE.
Although these penalties are less severe than those of the GDPR, they nevertheless highlight the importance of data security compliance.
In the event of non-compliance, individuals are liable to a fine of up to 75,000 euros, while for companies, the amount can climb up to 375,000 euros.
The implementation of this law therefore aims to strengthen the security and protection of users’ personal data by encouraging operators to improve their cybersecurity measures.
On the financial level, the CYBER-SCORE will be integrated into the standards of corporate social responsibility (CSR), which will make it a major criterion for comparing companies from a financial and commercial point of view.
Companies will need to devote additional resources to securing their tools in order to comply with the CYBER-SCORE criteria, and those that meet these requirements could gain a competitive advantage.
From a commercial and marketing point of view, the CYBER-SCORE will become a key indicator for economic actors and consumers.
Individuals will have a better understanding of the level of security offered by online operators, which will influence their purchasing and partnering decisions.
In addition, B2B companies will also be affected by this reform, as they will have to choose suppliers and partners that respect data protection.
This reform will require adaptation on the part of the companies concerned, because it introduces a binding standard and requires a significant investment in the security of their tools.
However, it is a measure that reflects a collective desire to protect the privacy of individuals and to ensure that companies respect personal data.
During the period of implementation of the law, it will be essential for companies to implement a monitoring unit and anticipate audits, as well as find solutions to be compliant with CYBER-SCORE by October 1, 2023.
As was the case with the GDPR, companies that are slow to comply with CYBER-SCORE risk losing a crucial commercial and marketing argument, as this reform will be widely promoted and economic players will seek reassurance from their partners regarding this essential data protection issue.
Tips to improve your CYBER-SCORE
The CYBER-SCORE is an essential indicator of the security of companies operating online. Indeed, it testifies to the quality of their protection against the many cyber threats to their integrity.
In order to raise this valuable index and establish the security of any online business, it is worth paying particular attention to several essential tips:
- Educate users: provide training to employees and users on good online security practices and on the handling of sensitive information.
- Ensure that all sites and all software used are regularly updated with the latest versions to benefit from security patches.
- Install security software on all company devices, including computers, cell phones and tablets.
- Perform vulnerability scans on a regular basis to strengthen the security of websites.
- Avoid phishing emails and suspicious links or attachments from unknown senders.
- Implement solutions to be alerted in the event of malicious changes made to the site.
- Perform a continuous analysis of the performance of the sites to avoid any interruption of service (Down…).