The evolving European cybersecurity framework

A stimulating discussion this morning at the Digital Innovation and Audiovisual Media Commission of the Paris Bar, focusing on the evolving European cybersecurity framework.
Olivier Iteanu, Attorney, emphasized that the NIS 2 Directive (Network and Information Systems), the REC Directive (Resilience of Critical Entities), and the DORA Regulation (Digital Operational Resilience Act) of December 14, 2022, mark a true paradigm shift.

Whereas under the French “loi Godfrain”, in the pre-Internet era, a judicial response to so-called “computer fraud” could still be envisaged, today’s cyber risks are of such magnitude that it is now victim companies who are responsible for securing their systems, reporting breaches to the authorities, and ultimately bearing liability.

This growing burden of compliance is accompanied by increasing uncertainty around insurance coverage, as highlighted by Nicolas Helenon, insurance broker specializing in new technologies.

Notably, a new provision introduced into the French Insurance Code by the LOPMI law (in force since April 24, 2023) makes insurance compensation conditional upon the filing of a formal complaint within 72 hours of discovering the incident.

Key issue: cyberattacks cannot currently be reported via France’s online complaint platform, meaning many companies struggle to comply with the strict deadline. The assistance of an attorney may be essential to ensure timely filing.

Meanwhile, Katuiscia Benloukil, VP Communication at Tehtris, noted the rapid acceleration of the algorithmic arms race: cyberattacks are increasingly automated and sophisticated, while defensive technologies are themselves augmented by AI.

This is a fundamentally asymmetric technological race:

On one side, attackers organized in transnational networks, operating beyond legal constraints.

On the other, fragmented defenses, reliant on state capacity and subject to national and regulatory frameworks.
