The Cyberscore aims to define the security level of digital platforms, messaging services, and video conferencing software for users. Established by Law No. 2022-309 "for the establishment of cybersecurity certification for digital platforms intended for the general public" on March 3, 2022, its enforcement is scheduled for October 1, 2023.

The Cyberscore will assess the security level through a cybersecurity audit focused on "securing and locating the data they host, either directly or through a third party, and on their own security." This security level will be determined using an alphabet-based system similar to the Nutriscore model. Audits will be conducted by certified auditors accredited by the National Agency for the Security of Information Systems (ANSSI).


Which Platforms Are Affected?

The Cyberscore applies to any individual or organization offering a public communication service, whether paid or free. The scope of the law is still being defined, but the National Assembly report mentions online platform operators whose activity exceeds five million unique visitors per month. Two primary categories are specifically mentioned:

  • The most widely used consumer websites, chosen for their simplicity and as exemplars (e.g., e-commerce platforms, social media).
  • The most widely used video conferencing services and messaging platforms.

Thus, the Cyberscore will first target the largest platforms/companies with high visitor volumes. Around 100 essential platforms have already been identified for this initial phase, providing more time for smaller businesses and startups to comply with the required cybersecurity measures.

Similar to Nutriscore, its application will gradually expand to include all market players. By 2025-2030, additional selection criteria may be considered, and the visitor threshold may be adjusted either upwards or downwards.


The Cyberscore: A Digital Nutriscore?

The Cyberscore grading system adopts the Nutriscore format, with its colour-coded scale that is readable, clear, and understandable. However, it differs in practice: while the nutritional data of food products remain stable over time, cybersecurity data, networks, and systems do not.

Intrinsic data for a digital product is subject to change. For instance, zero-day vulnerabilities—security flaws that software vendors or service providers are unaware of or have not yet patched—demonstrate how quickly cybersecurity levels can drop due to discoveries or technological innovations. To address this, the concept of audit expiration is introduced, stating that the security audit is valid for one year.


Risks of Non-Compliance

In the event of non-compliance, fines may be imposed: up to €75,000 for individuals and €375,000 for organizations. The ANSSI (National Agency for the Security of Information Systems) will be responsible for overseeing enforcement and penalties.

Beyond financial penalties, operators also face reputational risks with their users. Users will be able to view how their personal data is handled by the platform, and a low score could lead to a decline in user trust in the platform.


The introduction of the Cyberscore will force platforms to strengthen the security of personal data, thereby giving a new dimension to the GDPR. Beyond the Cyberscore, RSM can assist you with managing your overall cyber risk (ISO 27001, ISAE 3402). Explore our Cybersecurity and Privacy offerings for further support.