On March 18, 2025, Pierre-Xavier Chomiac de Sas had the pleasure of speaking again with Arnaud Dumourier on the Lex Inside program to discuss issues related to digital law. This interview follows on from the firm’s previous interviews, in particular on video game regulation and esports contracts.
Find a presentation of our previous interviews.
PCS Avocat’s presentation this time focused on the legal framework for businesses and professionals in cybersecurity, through various legal and practical issues to support companies in addressing these challenges.
What is the legal framework for cybersecurity?
The concept of cybersecurity refers to several elements that could be divided into two categories:
On the one hand, the normative aspect includes all the rules intended to ensure the best security for the digital tools used or offered. These include rules gradually being established at the national, European, and international levels.
These include the Law for Confidence in the Digital Economy (LCEN) and, more recently, the Military Planning Laws, the Law for a Digital Republic (2016), the Cyberscore Law of 2022, the LOPMI (the Ministry of the Interior’s Orientation and Planning Law), the AI Act, and more.
Consolidated at the European level, these include the now-defunct ePrivacy Directive, the GDPR regarding personal data, and the NIS and NIS2 directives imposing cybersecurity requirements on operators of essential services and digital service providers.
On the other hand, there is the repressive aspect, which comprises all offenses and behaviors punishable under criminal law in order to combat cybercrime, that is, actions carried out from or against computer systems: fraudulent intrusions, modification or deletion of data (ransomware), computer attacks using viruses or malware, online fraud and scams (phishing), and offenses related to personal data, including identity theft.
More generally, digital crimes such as cyberbullying, disinformation, revenge porn, etc. may also be discussed.

Cyberattacks & Criminal Law: Classification of Digital Offenses
The diversity of tools and means used to commit digital crimes cannot be captured under a single category. Instead, a classification of these crimes into four themes, based on the purpose of the offense, has been encouraged:
I. Digital property crimes include offenses causing financial harm to victims. They can take the form of fraud, swindles, misappropriation of payment methods, and offenses facilitated by the use of digital tools.
II. Digital attacks on individuals primarily refer to non-physical behaviors targeting adults and minors, such as press offenses (insults, defamation), forms of cyberbullying or mob harassment, threats, and other forms of discrimination.
III. Digital attacks on institutions refer to all public order disturbances, attacks on state security, and attacks on institutions, and include offenses involving the publication of hateful content, obstruction of justice, attacks on public order officials or state representatives, financial offenses and offenses against the Labor Code, terrorism offenses, trafficking, counterfeiting, and receiving stolen goods.
IV. Violations of specific digital laws and regulations refer to all specific directives and regulations affecting the digital sector—HADOPI regarding intellectual property, the GDPR regarding personal data, the LCEN regarding content hosting, etc.
Find the associated figures on the website of the Ministry of the Interior.

What are companies’ obligations regarding cybersecurity?
Common to the European directives and to compliance more generally, the cybersecurity obligations of companies and businesses can be broken down into three areas:
Audit & risk assessment. Every company must understand and master all of its activities as well as the digital tools on which they depend on a daily basis.
This technical and legal audit identifies all associated cyber hazards and risks in order to implement appropriate control and risk management procedures.
This can result in risk analysis and information systems security policies, the implementation of technical, organizational, and operational measures adapted to cyber risks, ensuring incident management and business continuity, and securing supply chain continuity and network/IS development and maintenance processes.
Control & Documentation. Based on the elements identified, the company must be able to put in place appropriate and responsible responses and protection systems that meet the legal obligations imposed on it.
This means ensuring compliance with legal and regulatory obligations, contractually managing cyber risks with the company’s suppliers and service providers, and identifying the competent authorities: ANSSI, CNIL, AMF, etc.
Training. A number of legal and regulatory provisions support the awareness and training of company employees of all ranks regarding the threats of cyberattacks, professional, legal, and financial risks, as well as internal procedures to avoid or limit their effects.
Specific Obligations. Certain professional sectors (defense, healthcare, banking, justice, telecommunications, etc.), as well as certain regulated professions, are subject to additional rules imposing specific obligations on them.

What are the legal consequences of cyber attacks?
Steadily increasing in recent years, and exacerbated by the pandemic of 2020/2021, cyberattacks are a daily occurrence and affect all users of digital tools. Their consequences, particularly in legal matters, can be very significant.
In fact, their effects vary depending on the type of attack (ransomware, theft of confidential data, etc.), the scale of the attack, and the company’s preparedness:
In the event of company disruption, a cyberattack poses a major risk of contractual breaches with respect to customers, suppliers, and service providers;
The targeted company is liable to civil, criminal, or even administrative penalties in the event of failure, negligence, or misconduct in relation to liability standards and rules;
In certain circumstances, a cyberattack can indirectly cause damage to customers, service providers, and partners affected by the cyberattack. Under these conditions, the main company may face claims for compensation from collateral victims, particularly in the event of negligence;
The unanticipated legal and regulatory dimension associated with a cyberattack involves a number of cybersecurity due diligence processes, including contract management, criminal legal proceedings beginning with the filing of a complaint, reporting formalities and notification to the competent or supervisory authorities, and issues related to the company’s insurance coverage in the face of these very specific types of disasters.

What are the best practices for preventing legal risks related to cybersecurity?
Managing the legal issues surrounding cybersecurity risk can only be based on a comprehensive approach combining auditing, documentation, training, compliance, and incident anticipation.
The first step is to conduct a technical and legal audit of all information systems associated with the company and its business activities.
This audit identifies vulnerabilities, assesses risks, and defines appropriate corrective measures.
Once the risks have been identified, short-, medium-, and long-term solutions must be implemented to manage them. Documenting procedures and protective measures is a key element: it demonstrates the company’s integrity and can be a factor in exonerating it from liability in the event of a dispute.

PCA / PRA: Continuity plans & crisis management
Anticipating incidents is essential. Developing and regularly updating business continuity and recovery plans is what ensures the company’s resilience in the face of a cyberattack. These plans must detail the measures to be taken to quickly restore critical services and limit the operational and legal impact of an attack.
Throughout the company’s operations, cyber crisis management procedures must be implemented and tested through regular simulations involving the entire workforce. This enables teams to respond effectively in the event of a data breach or major attack. A rapid response that complies with legal obligations (particularly with regard to notifying authorities and stakeholders) is essential to limit the legal and financial consequences.
Legal and technological monitoring. Threats are constantly evolving, as are regulations. It is therefore essential to maintain active monitoring in order to continuously adapt security measures and keep up with legal obligations. Collaborating with experts in cybersecurity and digital law allows you to stay informed and make the right strategic decisions.