French Government Considering a Draft Law Imposing New Cybersecurity Transparency Obligations for Platforms


February 24, 2022

What You Need to Know

  • The draft law would impose transparency obligations relating to cybersecurity. It is still being discussed and adjusted, but it could potentially come into effect in 2023.
  • “Large-scale” online platforms and providers of messaging and videoconferencing services are covered. The threshold for application will be determined through secondary legislation.
  • If the law is passed, targeted online platforms will be required to carry out a cybersecurity audit. The results of the audit would be disclosed to consumers in the form of a “Cyberscore” that considers the level of security of the platform or service and the location of the data hosted by the platform, directly or through a third party.
  • Foreign operators targeting the French market would need to comply.

Who Is Impacted by the Draft Law?

These potential new obligations would apply to large-scale (i) platforms as defined by Article L111-7 of the French Consumer Code (i.e., marketplaces and referencing platforms), (ii) messaging services providers and (iii) videoconferencing services providers, i.e., operators whose activity exceeds specific thresholds which will be defined by decree. The new rules could apply to a wide range of operators and would most likely apply to those located outside of France but that target their services toward French consumers. Indeed, there is no specific territorial application provision in the current version of the bill, and these new obligations would be included in a section of the French Consumer Code that applies to precontractual information obligations—those rules being applicable regardless of the country where the operator is located, provided it directs its products or services toward French consumers.

In its current version, the text is broadly drafted and refers to a decree that will define the number of visitors above which these new obligations apply to operators and determine the criteria that will be taken into account to calculate the Cyberscore.

If finally adopted, the Cyberscore would have to be easily legible and understandable by the average user. For instance, it could be presented as follows (this is an example posted on Twitter by the senator who proposed the law):

 

Potential Effective Date in Fall 2023

The Cyberscore is scheduled to come into effect on 1 October 2023. However, the legislative process is still ongoing, and, therefore, the text can still be amended or supplemented before its enactment and could yet provide additional information on its territorial scope.