France recently began enforcing the EU AI Act, NIS2 and other new cybersecurity and AI legislation. Organizations are feeling the pressure to comply with these new regulations while defending against cybercriminals employing increasingly advanced techniques.
The trends observed in ANSSI's 2025 Threat Overview illustrate the diverse motivations and creative methods of cybercriminals, and underscore how cybersecurity governance, preparation, and sound risk management can mitigate even sophisticated attacks.
Major Cyberattacks in France (2024)
Healthcare Sector Data Breach – February
In early February, two French healthcare payment service providers, Viamedis and Almerys, reported data breaches to the French data protection authority (CNIL) within 5 days of one another. The breaches affected more than 33 million people, exposing policyholder information such as civil status, date of birth, social security number, health insurer’s name, and contract details, as well as similar data for policyholders’ family members.
France Travail Data Breach – March
While remediation efforts were still underway for the Viamedis and Almerys incidents, France Travail, the French unemployment agency, set a record for the largest cyberattack in the country’s history. It reported a breach affecting 43 million people, with exposed data covering job seekers registered with the agency over the past 20 years. The attack was attributed to the Clop ransomware group, which exploited a zero-day vulnerability in the MOVEit Transfer software tool.
Telecom Sector Cyberattacks – September & October
In September, telecom provider SFR reported a data breach affecting 3.5 million customers. In notifications sent to affected users, the company disclosed that exposed data included personal details provided during online purchases, such as SIM card identification numbers and banking information.
The following month, Free, France’s second-largest internet provider, suffered a major cyberattack targeting an internal management tool. The breach compromised the personally identifiable information (PII) of 19 million customers, including full names, email and postal addresses, phone numbers, contract details, and, for some, banking information.
Cybersecurity at the 2024 Paris Olympics
A prime example of cyber resilience in action was France’s cybersecurity strategy for the 2024 Summer Olympics in Paris. As one of the world’s most high-profile events, the Olympics presented a significant target for cybercriminals, state-sponsored hackers, and misinformation campaigns.
To counter these threats, France implemented a multi-layered cybersecurity strategy involving government agencies, private sector partners, and international cooperation.
According to ANSSI’s 2024 Cyber Threat Overview, two major ransomware attacks were detected during the Olympics. One targeted the central data system of the Réunion des Musées Nationaux network; the Grand Palais and the Château de Versailles are part of that network and were hosting Olympic events at the time of the attack. The second was reported by Paris-Saclay University, which is home to the French Anti-Doping Laboratory.
However, neither attack was able to disrupt critical information systems or interfere with the events. ANSSI attributed the mitigation of these attacks to the segmentation of information systems and the swift remediation efforts taken once the threats were identified.
AI and the 2024 EU Parliament and French legislative elections
Consumers and voters in France are increasingly exposed to AI-generated content on social media, news sites and search engines. During the 2024 European Parliamentary elections, some French political parties posted AI-generated content on their social media pages. According to the EU’s 2024 Code of Conduct for the parliamentary elections, while the use of AI-generated content is not forbidden, it should be clearly labeled.
According to a report by the non-profit organization AI Forensics, 51 instances of AI-generated images were posted and re-posted on Facebook, Instagram, and X by various political parties in France during the EU parliamentary elections and the French legislative elections that followed. None of the AI-generated content was labeled as such, despite the EU election Code of Conduct.
The Digital Services Act, which entered into force in French law in August 2023, also recommends that platforms and search engines with more than 45 million active monthly users label AI-generated content. This has not yet become standard practice on platforms such as Facebook, Google, TikTok, YouTube or X (formerly Twitter).
The use of AI-generated content represents a growing concern among social scientists, governments, business leaders, and security professionals as it impacts information integrity and public trust.
Threat Landscape in Numbers: ANSSI's Statistical Overview
According to ANSSI's latest data, 2024 saw a significant increase in security incidents across both public and private sectors.
In 2024, ANSSI's operational teams processed 4,386 security events, which is a 15% increase from the previous year. Of these incidents, the agency confirmed 1,361 successful malicious attacks on information systems. This upward trend underscores the persistent and evolving nature of cyber threats facing French organizations.
Ransomware: A Persistent and Evolving Threat
Ransomware attacks remain particularly problematic in the French cybersecurity landscape. ANSSI documented 144 cases of compromise by ransomware in 2024, involving 39 different ransomware strains. The most prevalent strains were Lockbit 3.0 (15%), Ransomhub (7%), and Akira (7%), with newly emerging strains including Ransomhub, Monti, and Lynx making their first appearances.
The distribution of ransomware incidents across different sectors reveals significant vulnerabilities in the French business landscape. Small and medium-sized enterprises (SMEs), very small enterprises (VSEs), and mid-caps continue to bear the brunt of these attacks, accounting for 37% of all ransomware incidents reported to ANSSI. This disproportionate targeting reflects a critical security gap, as these organizations often lack dedicated cybersecurity personnel, adequate security budgets, and the technical expertise necessary to implement robust defenses.
France's Evolving Regulatory Response
NIS2 and DORA Implementation
On March 12, 2025, France completed the transposition of both the EU directive NIS2 and the DORA regulation into national law. NIS2 significantly expands cybersecurity obligations across key sectors, with the National Cybersecurity Agency of France (ANSSI) serving as the supervisory authority responsible for conducting compliance checks and issuing orders in cases of non-compliance.
Simultaneously, the Digital Operational Resilience Act (DORA) establishes a comprehensive framework specifically for the financial sector, requiring financial entities to implement robust ICT risk management practices, incident reporting procedures, and digital resilience testing. This dual implementation is a major step forward in establishing a consistent security baseline across critical industries, with particular attention to the financial system's digital infrastructure.
AI Regulation Takes Shape
The EU AI Act, which came into force on August 1, 2024, has established a common regulatory framework for artificial intelligence within the European Union. While most provisions will become fully applicable by August 2, 2026, certain aspects, such as the ban on AI systems posing unacceptable risks, became applicable on February 2, 2025.
These new regulations have sparked important conversations about balancing innovation with security. At the Paris AI Summit in February 2025, differing perspectives emerged on the appropriate level of regulation. U.S. Vice President JD Vance criticized Europe's regulatory approach, suggesting it could stifle innovation. The US stance contrasts with Europe's efforts to implement comprehensive AI safeguards through the EU AI Act.
Actions for Compliance
For organizations operating in France, these regulatory changes demand a strategic response. Boards, together with risk and security leaders, should collaborate to conduct comprehensive compliance and risk assessments, update their risk management strategies, and prepare for increased reporting obligations.
Organizations using or developing AI systems should pay particular attention to the risk classification system established by the EU AI Act and ensure appropriate safeguards are in place. Rather than treating compliance as a checklist exercise, forward-thinking organizations will use these regulatory requirements as an opportunity to strengthen their overall security posture and build resilience against the evolving threat landscape.
Best Practices and Security Recommendations for 2025
Drawing lessons from the major cyber incidents of 2024 and ANSSI's recommendations, organizations in France should implement the following security measures to strengthen their cyber resilience.
Authentication and Access Controls
- Implement strong multi-factor authentication methods using certificates or security keys rather than relying solely on TOTP or third-party applications that can be circumvented
- Regularly rotate passwords for privileged accounts (ANSSI found many organizations using the same high-privilege passwords for 15-25 years)
- Implement the principle of least privilege across all systems
Network Segmentation
- Implement internal network segmentation as a critical defense-in-depth measure to contain threats and limit attacker mobility within your environment
Edge Device Protection
- Implement strict access controls for administration interfaces of firewalls, VPN gateways and other security devices
System and Software Updates
- Prioritize timely patching of internet-exposed systems (VPNs, firewalls), which are prime targets for attackers
- Establish a systematic update management process
Incident Detection and Response
- Develop robust detection capabilities, particularly for security edge devices
- Create an incident response plan with clearly defined roles and procedures
- Maintain offline backups to ensure business continuity in case of ransomware attacks
- Investigate potentially vulnerable devices immediately after vulnerability disclosures, rather than waiting for signs of compromise
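The recommendations under "Authentication and Access Controls", "System and Software Updates" and "Incident Detection and Response" above are the kind of controls an organization can check against its own inventory rather than only read about. The script below is an added example written for this article; it is not code from the page, from ANSSI or from C-Risk. It audits a constructed account and edge-device inventory for three of the findings the recommendations address: privileged accounts that do not use certificate- or key-based MFA, privileged passwords that have not been rotated (the 365-day threshold is an assumption, chosen only to make the 15-25 year cases stand out), and internet-exposed devices patched later than an assumed 7-day window after a vendor advisory, or still unpatched and therefore due for immediate investigation. All names, dates and thresholds are made up for illustration.

```python
"""Constructed audit of the controls recommended above.
The inventory, the MFA method labels and the thresholds are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# MFA methods treated here as certificate/key-based (phishing-resistant);
# anything else (TOTP, push apps, none) is flagged, as the article advises.
PHISHING_RESISTANT = {"fido2", "smartcard", "certificate"}


@dataclass
class Account:
    name: str
    privileged: bool
    mfa_method: str             # "fido2", "totp", "push", "none", ...
    password_changed: date      # last password rotation


@dataclass
class EdgeDevice:
    hostname: str
    role: str                   # "vpn", "firewall", ...
    internet_exposed: bool
    advisory_published: date    # date a relevant vendor advisory was published
    patched_on: Optional[date]  # None if the device is still unpatched


def weak_mfa_accounts(accounts: List[Account]) -> List[str]:
    """Privileged accounts not protected by certificate/key-based MFA."""
    return sorted(a.name for a in accounts
                  if a.privileged and a.mfa_method not in PHISHING_RESISTANT)


def stale_privileged_passwords(accounts: List[Account], today: date,
                               max_age_days: int = 365) -> List[Tuple[str, int]]:
    """Privileged accounts whose password is older than max_age_days, with age."""
    stale = []
    for a in accounts:
        age = (today - a.password_changed).days
        if a.privileged and age > max_age_days:
            stale.append((a.name, age))
    return sorted(stale)


def patch_sla_breaches(devices: List[EdgeDevice], today: date,
                       sla_days: int = 7) -> List[Tuple[str, int, bool]]:
    """Internet-exposed devices whose exposure window (advisory date to patch
    date, or to today if unpatched) exceeds sla_days.
    Returns (hostname, days exposed, still_unpatched)."""
    breaches = []
    for d in devices:
        if not d.internet_exposed:
            continue                      # internal lab devices are out of scope here
        end = d.patched_on or today
        exposure = (end - d.advisory_published).days
        if exposure > sla_days:
            breaches.append((d.hostname, exposure, d.patched_on is None))
    return sorted(breaches)


# Constructed sample inventory (not real systems or people)
TODAY = date(2025, 3, 31)
ACCOUNTS = [
    Account("domain-admin", True, "totp", date(2005, 6, 1)),    # ~20-year-old password
    Account("backup-svc", True, "none", date(2024, 12, 15)),
    Account("sec-admin", True, "fido2", date(2025, 1, 10)),
    Account("j.dupont", False, "push", date(2010, 3, 3)),
]
DEVICES = [
    EdgeDevice("vpn-gw-01", "vpn", True, date(2025, 1, 15), date(2025, 1, 17)),
    EdgeDevice("fw-edge-02", "firewall", True, date(2025, 2, 1), date(2025, 3, 2)),
    EdgeDevice("fw-edge-03", "firewall", True, date(2025, 3, 20), None),
    EdgeDevice("fw-lab-01", "firewall", False, date(2025, 1, 1), None),
]

if __name__ == "__main__":
    print("Privileged accounts without key/cert MFA:", weak_mfa_accounts(ACCOUNTS))
    print("Stale privileged passwords (name, days):",
          stale_privileged_passwords(ACCOUNTS, TODAY))
    print("Exposed devices outside patch window (host, days, unpatched):",
          patch_sla_breaches(DEVICES, TODAY))
```

In practice the three inventories would come from the identity provider, the privileged access management tool and the vulnerability scanner; the point of keeping each check a separate function returning plain records is that the results can feed a risk register directly, which is what the data-driven approach described later in this article calls for.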
Navigate France's Cybersecurity Challenges with Data-Driven Risk Management
As France's cybersecurity landscape continues to evolve in complexity, organizations must continually adapt. The incidents of 2024-2025 demonstrate the need for enhanced risk management capabilities to address increasingly sophisticated threats. From the record-breaking France Travail breach affecting 43 million people to the targeted attacks during the Paris Olympics, the stakes have never been higher, requiring organizations to evolve their approach to risk.
To address these challenges effectively, forward-thinking organizations are re-thinking their risk management and adopting more strategic, data-driven methodologies that allow them to:
- Understand their unique risk context by mapping critical digital assets to business processes and identifying what truly matters to operations
- Quantify potential impacts in financial terms, creating a common language that resonates with executives and board members
- Prioritize security investments based on actual risk exposure rather than perceived threats
- Develop targeted control strategies that address the most significant vulnerabilities specific to their value chain
Re-think Risk Management
If you would like to discuss your cybersecurity and compliance challenges, schedule a call with a C-Risk expert.
We build scalable solutions to quantify cyber risk in financial terms so organizations can make informed decisions to improve governance and resilience.