ANSSI and Critical Infrastructure in France: OIV, OSE, and Real Audits
OIV designation, OSE under NIS2, ANSSI inspections. The French national security agency in practice.

Dr. Raphael Nagel
June 7, 2025

France treats cybersecurity of critical infrastructure as an extension of national defence, and the consequence is that an industrial operator in Lyon or Dunkirk faces an inspector with more formal authority than most company boards anticipate.
This is not a soft framework built around voluntary maturity scales. The French regime, codified in the Loi de Programmation Militaire of 2013 and extended through the transposition of the NIS and NIS2 directives, rests on designation, obligation, and inspection. The operator does not opt in. The operator is named, and from that moment the operator answers to ANSSI, the Agence nationale de la sécurité des systèmes d'information, which reports to the Secretariat-General for National Defence and Security. The architecture deserves study, because it represents one of the most operationally serious applications of cybersecurity law in Europe and because manufacturers and integrators serving French sites need to understand what kind of customer they are working for. An operator under ANSSI scrutiny will not accept the same documentation, the same components, or the same delivery timelines as a non-regulated buyer. The book BOSWAU + KNAUER. From Building to Security Technology develops this point in the chapter on industry and logistics: the moment a customer becomes a regulated entity, the manufacturer becomes a regulated supplier, whether the manufacturer wishes to acknowledge that status or not.
The OIV designation and what it means in practice
An Opérateur d'Importance Vitale is an operator whose unavailability would significantly diminish the war or economic potential of the nation, the security of the state, or the survival of the population. Designation is made by order of the minister coordinating the relevant sector, within a framework the Prime Minister sets through the SGDSN, and the list of designated operators is classified. An operator knows it has been designated. Suppliers may or may not be informed, depending on the nature of the contract and the classification of the site. There are twelve sectors of vital importance covering civil and military activities, including energy, water management, food, electronic communications, transport, finance, health, and industry. Within each sector the operator proposes, and the coordinating authorities approve, points of vital importance, the so-called PIV, which are the specific facilities subject to physical and cyber protection obligations.
The obligations are not negotiable. An OIV must designate a security officer, the délégué pour la défense et la sécurité, with a defined chain of responsibility, produce an Operator Security Plan (plan de sécurité d'opérateur) that maps assets, threats, and protective measures, and identify within its information systems the systèmes d'information d'importance vitale, the SIIV, which receive the highest level of protection. The operator must report security incidents affecting these systems to ANSSI without delay. The operator must accept ANSSI inspections. The operator must implement security rules issued by ANSSI under article L.1332-6-1 of the Defence Code, which cover detection, response, governance, and architectural separation between regulated and non-regulated environments. These rules are not advisory. They have the force of law, and non-compliance is a criminal offence under article L.1332-7 of the same code, not merely an administrative matter. The executives of a designated operator can be prosecuted personally if obligations are knowingly ignored. Few European frameworks attach personal criminal liability to cybersecurity obligations in such direct form, and that fact alone changes how French boards treat the agenda. It also changes how procurement is conducted. An OIV will not purchase a security product whose origin, supply chain, or update mechanism cannot be documented to ANSSI's satisfaction.
OSE under NIS and NIS2
The OIV regime predates the European NIS directive. When NIS arrived in 2016, and was transposed by the law of 26 February 2018, France did not abandon its national framework; it layered the European regime on top. The Opérateur de Services Essentiels, OSE, is the French transposition of the NIS concept, and the two categories overlap without coinciding. For systems already protected as SIIV the OIV rules apply; an OIV may be designated an OSE for the rest of its operations, and many OSE are not OIV at all. An OSE is an operator providing an essential service whose provision depends on network and information systems and whose disruption would have significant impact. The threshold is lower than for OIV. The sectoral coverage is broader. The obligations are formally lighter but materially significant: risk management measures, incident notification, and acceptance of supervisory authority.
NIS2, which France is transposing through a bill introduced in late 2024 and still moving through Parliament in 2025, expands the scope substantially. The directive replaces the operator-of-essential-services and digital-service-provider distinction with a categorisation of essential entities and important entities, covering far more sectors and sub-sectors than the original NIS, and lowering the threshold for inclusion. Estimates of how many French entities will fall within scope range from several thousand to fifteen thousand, depending on interpretation of the size thresholds and sectoral definitions. ANSSI has signalled that it will operationalise NIS2 with the same seriousness it brought to the OIV regime, which means proportionate but real inspection capacity, mandatory incident reporting on a tight timeline, and management accountability written into the law. NIS2 also imposes supply chain security obligations, which means that manufacturers and service providers feeding regulated entities are pulled into the perimeter through contractual cascade. A mid-sized industrial automation vendor selling to a French water utility now has visibility obligations toward that utility's ANSSI reporting that it did not have three years ago. The integration of NIS2 with the existing OIV framework creates a layered system in which the same operator may carry obligations at two levels, OIV for its most critical assets and essential-entity (today OSE) for its broader operations, with ANSSI as the central authority across both.
How ANSSI conducts inspections
ANSSI inspections of OIV are conducted under article L.1332-6-3 of the Defence Code and are unlike commercial audits. The controls may be performed by ANSSI itself or by a qualified service provider acting on its behalf, and in either case the operator bears the cost. The inspectors are public officials, sworn to secrecy and acting with formal investigatory powers. They can require access to systems, documentation, personnel, and physical sites. They can examine source code, configuration files, network architectures, and incident logs. They can interview staff individually. The operator is obliged to cooperate, and refusing to submit to a control is itself punishable under article L.1332-7. The scope of an inspection is defined in advance, but the depth is not. An inspection can last from several days to several weeks, depending on the complexity of the operator and the questions ANSSI is trying to answer.
What ANSSI looks for has converged over time around the protection rules issued for SIIV. These rules cover topics familiar to anyone working with IEC 62443 or NIST SP 800-53: identification and authentication, access control, logging and monitoring, segregation of duties, secure administration, vulnerability management, incident detection and response, business continuity, and physical security of the systems. ANSSI's distinctiveness lies less in the substantive content of the rules than in the seriousness of enforcement. An inspection will produce findings, the operator will receive a deadline to remediate, and a follow-up inspection will verify that remediation has occurred. Penalties for failure to comply include administrative fines and, in cases of wilful neglect, criminal proceedings. ANSSI also operates the qualification regime for security products and service providers, the PASSI and SecNumCloud labels among others, which means that a regulated operator that selects an unqualified provider for a sensitive function must justify that choice. The qualification regime acts as a market-shaping instrument: vendors that obtain ANSSI qualification gain preferential access to a captive customer base, and vendors that do not are functionally excluded from the most demanding tenders. This dynamic differs sharply from the German BSI approach, which operates more through certification of technical components than through qualification of service providers, and it differs from the more market-led American approach in which CISA exercises influence through guidance and incident response rather than through prescriptive product licensing.
Sanctions and consequences
The sanction architecture is tiered. For OIV, article L.1332-7 of the Defence Code makes failure to meet the obligations of articles L.1332-6-1 to L.1332-6-4 a criminal offence: the operator's executives face a fine of up to 150,000 euros personally, and the legal person, under the general rule of the Penal Code, a fine of up to five times that amount together with the ancillary penalties available against companies. Failure to report a security incident falls under the same provision and is punishable in its own right. These figures are not large in absolute terms compared to the GDPR ceiling, but the criminal character changes the calculation. A fine of that order against a multi-billion-euro utility is symbolic; a criminal conviction recorded against its chief executive is not, and the reputational consequence of being publicly identified as an OIV in breach of national defence obligations exceeds any monetary figure.
Under NIS2 the sanctions are calibrated differently and are closer to the GDPR model. Essential entities face administrative fines of up to ten million euros or two percent of global annual turnover, whichever is higher. Important entities face up to seven million euros or 1.4 percent of global annual turnover. The directive also empowers competent authorities to suspend authorisations or temporarily prohibit individuals from exercising management functions in cases of repeated serious breach. The French transposition bill carries these mechanisms over, and ANSSI is to receive supervisory powers proportionate to the scale of the new perimeter. The directive's requirement that management bodies approve cybersecurity risk management measures and oversee their implementation places personal responsibility on board members in a manner that French corporate governance had not previously formalised at this level of detail. The practical consequence for operators is that cybersecurity is no longer a delegable technical concern. It is a governance matter with documented board involvement, and the documentation is itself subject to inspection.
What this means for suppliers
A manufacturer of physical security technology operating in France encounters this regime indirectly but consistently. Operators within the OIV perimeter or under OSE designation procure differently than unregulated buyers. They require traceability of the supply chain, clear documentation of firmware update mechanisms, transparent statements of where data is processed and stored, and the ability of the supplier to support the operator's own reporting obligations to ANSSI. A perimeter intrusion detection system installed at a designated water treatment site is not merely a security device, it is part of the SIIV if it touches the operational technology network, and its configuration, its access controls, its update path, and its incident logging are all in scope for inspection. The supplier that cannot answer these questions in writing, in French, with reference to ANSSI's published rules, will lose the tender to a supplier that can.
This has implications for product architecture and for commercial practice. Cloud-dependent systems whose data flows transit jurisdictions outside the European Union face a higher evidentiary burden than systems that can be operated within a French or European boundary. SecNumCloud-qualified hosting providers have become the default reference for sensitive workloads, and suppliers that integrate with such providers gain a credibility advantage. On the commercial side, contracts with regulated operators routinely include clauses that flow ANSSI obligations down to the supplier, including cooperation with inspections, incident notification within defined timeframes, and the right of the operator to terminate without penalty in the event that the supplier becomes a security risk. A supplier that signs such a clause without internal preparation will find itself unable to comply when the moment comes.
What holds
The French model is severe, coherent, and operationally tested. It rests on the principle that critical infrastructure is a matter of national sovereignty and that cybersecurity protection of such infrastructure is therefore a state function, not a market function. ANSSI's authority, the OIV designation, the SIIV concept, and the integration of NIS2 obligations into the existing national framework together produce a regime that few other European countries match in depth or in enforcement intensity. The regime is not perfect. The classified character of OIV designations creates friction in supplier markets, the inspection capacity of ANSSI is finite relative to the expanded NIS2 perimeter, and the qualification regime has been criticised by some market participants as protectionist. These are real limitations. They do not change the central fact that an operator named under the French regime operates under obligations that are written into criminal law and that are inspected by an agency with the resources and the political backing to act.
For operators, the practical question is not whether the regime applies but whether the internal organisation is prepared for the inspection that will eventually arrive. For suppliers, the question is whether the products and services delivered to French sites can withstand the scrutiny that the operator will pass through. In both cases, the answer rarely emerges from a document review. It emerges from a structured assessment of how the existing systems would perform if examined by an external authority tomorrow morning. The Path II audit described in the closing pages of BOSWAU + KNAUER. From Building to Security Technology is designed for exactly this kind of standpoint determination. Three to five days on site, a written report, a defined set of deliverables, and no obligation to continue. For an operator that suspects it falls within the expanded NIS2 perimeter, or for a supplier that needs to understand whether its products meet the standard a French customer will demand, this is the appropriate first step. The conversation that precedes it, Path I, takes sixty minutes and commits to nothing further.
Frequently asked questions
What is OIV?
Opérateur d'Importance Vitale designates an operator whose unavailability would significantly diminish national defence capacity, economic potential, state security, or the survival of the population. Designation is made by order of the minister coordinating the relevant sector, within a framework set by the Prime Minister through the SGDSN, and the list of designated operators is classified. Twelve sectors of vital importance are covered. An OIV must appoint a security officer, produce an Operator Security Plan, identify its systèmes d'information d'importance vitale, report incidents to ANSSI, accept inspections, and implement protection rules issued under article L.1332-6-1 of the Defence Code. Non-compliance is a criminal offence under article L.1332-7, with executives personally liable.
How does NIS2 change the OSE regime?
NIS2, which France is transposing through legislation introduced in 2024 and examined by Parliament in 2025, replaces the original NIS categories, including the OSE introduced by the 2018 transposition, with essential entities and important entities, expanding sectoral coverage and lowering inclusion thresholds. France retains its national OIV framework and layers NIS2 obligations on top. Estimates place several thousand to fifteen thousand French entities within scope. Obligations include risk management measures, incident notification within strict timeframes, management body accountability, and supply chain security. ANSSI supervises both regimes. Suppliers to regulated entities inherit obligations through contractual cascade. The integration produces a tiered system in which one operator may carry obligations at multiple levels simultaneously.
How does ANSSI audit?
ANSSI inspectors are sworn public officials with formal investigatory powers under the Defence Code. They access systems, documentation, personnel, and physical sites, examining source code, configurations, network architectures, and incident logs. Inspections last from several days to several weeks. Scope is defined in advance, depth is not. The substantive content tracks IEC 62443 and NIST SP 800-53 in topics covered, including access control, logging, vulnerability management, incident response, and physical security. Findings produce remediation deadlines and follow-up inspections. ANSSI also operates the PASSI and SecNumCloud qualification regimes, which shape supplier selection by regulated operators.
What sanctions apply?
Article L.1332-7 of the Defence Code makes failure to implement OIV protection rules a criminal offence: executives face a fine of up to 150,000 euros personally, and the legal person up to five times that amount under the general rule of the Penal Code, plus ancillary penalties. Failure to report incidents falls under the same provision. Under NIS2, essential entities face administrative fines of up to ten million euros or two percent of global annual turnover, important entities up to seven million euros or 1.4 percent. Authorities may suspend authorisations or temporarily prohibit individuals from management functions. The combination of criminal liability under OIV and large administrative fines under NIS2 produces an enforcement architecture without close European parallel.

About the author
Dr. Raphael Nagel (LL.M.) is founding partner of Tactical Management. He acquires and restructures industrial businesses in demanding market environments and writes on capital, geopolitics, and technological transformation. raphaelnagel.com