In a law passed on March 3, 2022, French lawmakers decided to require major digital platforms to audit their level of digital security and publish the results for consumers in the form of a “cyberscore.”
This initiative, which will come into effect on April 1, 2024, has echoes of the nutriscore, designed to rate commercially available food and drink according to their health benefits. The cyberscore aims to respond to the challenges of cyberattacks, a real scourge that has now become a widespread form of crime, to which Internet users are the first to fall victim. In 2022, companies in France were hit by 385,000 successful cyberattacks, costing them around €2 billion.
Judging by the audit criteria set out in the new law, which include best practices on governance, data protection, and incident handling, the main aim of this tool is to protect against the massive threat of cybercrime.
At a time when cybercriminals are using ever more sophisticated methods, it’s hard not to feel disappointed that the requirements are so limited. Cyber risk must be recognized for what it really means. Requirements such as end-to-end encryption for messaging systems, or a criterion linked to the number of times a company has been sanctioned by a data protection authority, would have been better measures of a platform’s commitment to protecting its users’ data.
Why exclude SMEs and government from the cyberscore?
The law limits these new requirements to platforms, networks, and messaging systems with more than 25 million monthly users in France. This restricts its scope to major social media such as Facebook, Instagram, and TikTok, transaction platforms such as Amazon, Uber, and Airbnb, videoconferencing solutions such as Teams and Zoom, and instant messaging services such as WhatsApp, Signal, and Messenger.
Surprisingly, the law doesn’t apply to small and medium-sized businesses. The cost of an audit is certainly high, but cyber threats hang over these companies as much as bigger businesses. In 2022, 40% of all ransomware attacks affected SMEs, according to the French National Cybersecurity Agency (ANSSI). And it’s by no means certain that the Chinese and American tech giants will readily comply with these new requirements, which are specific to France.
Scale of impact: France alone against cybercrime, or Europe providing backup?
It would perhaps have been better to see this initiative proposed by the European Union, as it is better placed to impose rules on a market of 450 million consumers.
It’s worth noting that the cyberscore does not apply to government agencies either, despite their being prime prey for cybercriminals. Their relationship with citizens does not fall under consumer law, but in the interests of democratic transparency, a clear picture of how the cybersecurity of our government’s digital services is faring would have been welcome, especially as these agencies are actively pushing for the digitalization of their services.
The cyberscore is an excellent idea. However, it would have been more relevant had it been implemented across the European Union, with more stringent criteria and a wider scope. This would have made it clear to everyone that cybercrime is a major challenge in the fight to protect consumers and citizens.