French LPM 2024-2030 Law: How it Impacts Software Companies

The recent French 2024-2030 military programming law (LPM) sets forth new defense-related provisions applicable to the private sector, including the obligation for software companies to notify the French National Information Systems Security Authority (ANSSI) of any vulnerabilities or incidents, as well as their causes and consequences. 

Guarding the Digital Frontier: France's Answer to Escalating Cyber Dangers

Cyberattacks have become a stark reality of our times. Such attacks have paralyzed IT systems and exposed sensitive data. Geopolitical tensions have also manifested in the cyber realm; a prime example being Russia's 2022 disruption of the ViaSat network, leading to internet outages in Ukraine and parts of Europe. ANSSI's warning of increased cyber-espionage threats in 2022 further underscores the urgency. However, these attacks often exploit correctable security gaps, notably unaddressed software vulnerabilities. As cyber threats burgeon into a matter of national defense, it comes as no surprise that France’s military planning law has taken up the subject by introducing new cybersecurity provisions, with some specifically targeting software companies.

The LPM 2024-2030: Unpacking its Cybersecurity Mandates for Software Companies

Deciphering the LPM 2024-2030 

Often misconstrued as purely a military directive, the LPM now casts its net far wider. While the military programming law traditionally focuses on national defense matters, its latest iteration has brought the civilian digital world, especially software vendors, under its ambit.

The LPM, or Loi de Programmation Militaire, unveiled in the Journal Officiel on August 1, 2023, dictates the defense course for France from 2024 to 2030. This law, accessible via Légifrance, isn't merely about defense spendings but pivots crucially towards cybersecurity.

Key Obligations for Software Companies

The LPM 2024-2030 introduces significant mandates, centered around enhancing cybersecurity and ensuring transparency. Let's unpack the two principal obligations for software companies:

1. Notification of Vulnerabilities to ANSSI:

Under the new directives, software companies have an important responsibility to address vulnerabilities:

Article 66 of the LPM 2023 includes a new clause, termed as L. 2321-4-1, which mandates:

“In the event of a significant vulnerability affecting one of their products, or in the event of an IT incident compromising the security of their information systems and likely to significantly affect one of their products, software companies shall notify the national information systems security authority of this vulnerability or incident, together with an analysis of its causes and consequences.” (paraphrased from French)

This means that software companies are obligated to (1) alert ANSSI when a significant vulnerability arises in their products or if there's been a notable IT incident related to security. An incident is defined here as "any event compromising the availability, authenticity, integrity or confidentiality of data". Furthermore, the notification should also (2) encompass a thorough analysis of the vulnerability's origins and its potential fallout.

2. Transparent Communication with End-users:

Beyond liaising with regulatory bodies, software companies also need to maintain open communication lines with their user base, particularly in the wake of security threats:

“Software companies shall inform users of this [vulnerable] product, within a time limit set by the national information systems security authority and determined on the basis of urgency, risks to national defense and security, and the time required for companies to take corrective measures.” (paraphrased from French)

Thus, this directive imposes a dual notification obligation.  Beyond notifying ANSII of a vulnerability, software companies must also inform their users about product vulnerabilities. The timeframe for such notifications will be determined by ANSSI, taking into account factors like the severity of the threat, its implications on national security, and the time needed by the companies to implement corrective measures.

Ensuring Compliance: The Stakes are High For Software Companies

Ignoring these new mandates isn’t an option. ANSSI holds significant power in ensuring adherence. For software companies disregarding their notification duties, ANSSI can not only make vulnerabilities public but can also highlight the company's lapse, as per:

“Failing this, the national information systems security authority can order software companies to provide this information. It may also inform users or publicize the vulnerability or incident and its injunction to software companies if this has not been implemented.” (paraphrased from French)

The challenge for software companies is determining whether to proactively inform their customers of a vulnerability or risk regulatory repercussions for not meeting security disclosure obligations.

Who’s Impacted by The LMP2024-2030 Regulation?

The reach of this legislation is extensive. Every software company operating within the French domain, irrespective of their size, location, or software distribution model, fall under this mandate. This includes:

• Companies operating within France.
• Companies headquartered in France.
• Companies controlled, within the meaning of article L. 233-3 of the French Commercial Code, by companies whose head offices are located in France.

Simply put, any software company that develops or distributes software products (or has them developed or distributed) with a presence in France must comply, ranging from large international tech giants to local businesses.

The Timeline and Future Directives For Software Companies

The LPM became official in mid-July 2023 and was formally enacted on August 1st, 2023. However, the specific deadlines for notifying ANSSI in accordance with the directive are yet to be determined. The law points to an impending decree from the Conseil d'Etat to specify the deadlines. However, given the tight notification timelines previously set by the European NIS2 directive for entities with sensitive profiles, companies would be wise to act promptly.

Beyond Notification: The Underlying Objective of the LMP 2024-2030

The LPM 2024-2030, while not explicitly mandating vulnerability remediation,undeniably promotes swift corrective actions. Merely informing ANSSI and end-users of a vulnerability doesn't absolve software companies of their broader responsibility. Indeed, when a significant vulnerability is identified, it's in a company's best interest—both for user protection and commercial reputation—to promptly issue a patch. Broadcasting a product's vulnerability without addressing it not only hurts business credibility but also invites exploitation by malicious actors.

How Vaultinum Can Support Your Compliance Journey

Navigating the intricate mandates of the LPM 2024-2030 can seem daunting for many software companies. This is where Vaultinum steps in, offering a holistic cybersecurity audit service tailored to today's evolving IT security landscape. Our comprehensive approach dives deep into an organization's IT infrastructure, ensuring that every nook and cranny of security is rigorously scrutinized. One of the standout features is the inventory management, which enables software companies to swiftly update ANSSI on significant vulnerabilities—a critical component of the LPM.  Furthermore, Vaultinum's source code scanner detects vulnerabilities in both commercial and open-source software, ensuring a full-spectrum analysis.

But Vaultinum doesn't stop at mere identification. Our team of Cyber Security Experts meticulously tailors their findings to fit the unique context of each company. This ensures that security strategies align seamlessly with business objectives and that potential risks are not only identified but also countered with robust remedies. Notably, Vaultinum can present a comprehensive risk report in just three weeks, offering a swift and detailed understanding of one's cybersecurity posture. This report provides companies with a clear benchmark of their cybersecurity standing compared to the industry, coupled with an actionable roadmap to fortify their defenses.

In conclusion, as software companies grapple with the mandates of LPM 2024-2030, Vaultinum emerges as an invaluable ally. With our all-encompassing cybersecurity audit services, companies are not only equipped to understand their vulnerabilities but are also empowered to enact robust measures against them. In the dynamic world of IT security, having a partner like Vaultinum can make all the difference.

Disclaimer

The opinions, presentations, figures and estimates set forth on the website including in the blog are for informational purposes only and should not be construed as legal advice. For legal advice you should contact a legal professional in your jurisdiction.

The use of any content on this website, including in this blog, for any commercial purposes, including resale, is prohibited, unless permission is first obtained from Vaultinum. Request for permission should state the purpose and the extent of the reproduction. For non-commercial purposes, all material in this publication may be freely quoted or reprinted, but acknowledgement is required, together with a link to this website.