In an opinion piece published in May 2025 in the public sector-focused publication Zepros Territorial, Anca Caruntu and Julie Quatresols weigh in on the proposed “Resilience” Bill, aimed at stepping up cybersecurity in France through the transposition of three major EU directives: NIS2 (network security), CER (critical entities resilience) and DORA (financial sector). The ambition of the “Resilience” Bill – which be discussed in the National Assembly this September – is to extend cybersecurity obligations for local authorities. ANSSI (French National Cybersecurity Agency) will be given a key supervisory role.
The “Resilience” Bill distinguishes between “essential entities” (including local authorities with more than 30,000 inhabitants, metropolitan areas, SDIS Departmental Fire and Rescue Services, etc.), which are subject to enhanced supervision and stiffer penalties, and “important entities,” which are subject to similar obligations but with more flexible controls.
Its implementation will be phased in over a period of three years, with the first measures applying after six months. The technical standards, defined by decree, will take into account the size, specific risks, and capacities of local authorities.
ANSSI estimates the cost of compliance at between €100,000 and €200,000, excluding annual maintenance costs. In this context, the active participation of local authorities in future discussions will be key in adapting the system to their local circumstances.
Final passage of the bill could occur this fall.
