Decoding the world of cybersecurity

French regulators tighten finance cyber coordination

ANSSI, ACPR, and the Banque de France have signed a new agreement covering cyber incidents, crisis management, controls, and threat led penetration testing.

French regulators tighten finance cyber coordination
Summary
  • ANSSI, ACPR, and the Banque de France have renewed and strengthened cyber coordination for France’s financial sector.
  • The agreement sits against DORA and NIS2, with roles covering technical response, supervision, financial infrastructure resilience, and threat led testing.
  • Financial cyber resilience is becoming a coordinated public authority function, not only a control obligation for individual firms.

France’s cyber agency, financial supervisor, and central bank have strengthened their cooperation on financial-sector cybersecurity, bringing incident response, regulatory supervision, crisis management, and threat led testing into a more coordinated operating model.

ANSSI, the Autorité de contrôle prudentiel et de résolution, and the Banque de France signed the agreement in Paris on 3 July. The arrangement reinforces coordination between the three institutions under the European Digital Operational Resilience Act, known as DORA, and the NIS2 Directive, both of which have created new responsibilities for authorities as well as financial entities.

The agreement defines how the institutions will exchange information on cyber-origin security incidents, cyber threats, controls, mutual assistance, cyber crisis management, and advanced intrusion tests based on threat intelligence. It also sets out institutional roles. ANSSI, as France’s national cybersecurity authority, will oversee the application of NIS2. CERT-FR will carry out technical response work for cyber incidents affecting the financial sector under the agreement. ACPR will supervise DORA compliance among the firms it oversees, while the Banque de France remains responsible for the resilience of financial infrastructure.

DORA has moved financial cyber resilience beyond internal control frameworks and into an explicitly supervisory and systemic regime. Since January 2025, regulated financial entities have faced harmonised European requirements covering ICT risk management, incident reporting, resilience testing, third party risk, and oversight of critical ICT providers. The French agreement adds institutional machinery around those requirements, reducing the risk that technical response, prudential supervision, and financial stability responsibilities operate separately during a major incident.

A cyber incident affecting a bank, insurer, payment provider, market infrastructure operator, or critical ICT supplier may raise several issues at once. Authorities may need to understand whether an attack remains active, whether data or operational integrity has been affected, whether legal reporting duties have been triggered, whether customers or counterparties are exposed, and whether disruption could spread into payment systems or other financial infrastructure.

The agreement does not disclose operational playbooks, but it identifies the areas where coordination is expected. Threat led penetration testing is especially notable because DORA pushes resilience testing closer to credible attack scenarios. When authorities coordinate around those tests, the exercise becomes more than a technical assessment of a firm’s defences. It contributes to a supervisory view of whether critical financial services can withstand realistic threat activity.

ACPR secretary general Emmanuelle Assouan linked stronger coordination to the arrival of a new generation of AI tools that increase the speed and intensity of attacks. Financial supervisors across Europe are facing the same pressure. AI can support defensive automation, but it can also accelerate fraud, phishing, vulnerability discovery, reconnaissance, and operational strain during live incidents.

The French model gives other European markets a clear example of how DORA can be supported by national institutional coordination. The regulation gives financial supervisors a common European rulebook, but each jurisdiction still has to turn that rulebook into operating practice. The quality of response during a major cyber event will depend not only on the documents a regulated firm has prepared, but on whether national authorities can share information quickly, avoid duplication, and maintain a common view of technical, prudential, and systemic risk.

Financial entities and their technology suppliers may increasingly need to produce evidence that satisfies several public authorities at once. Incident response playbooks, testing records, third party risk documentation, and crisis communication processes will be read through both technical and supervisory lenses. A control that appears adequate inside an IT risk register may be tested against whether the firm, its suppliers, and the relevant authorities can sustain essential financial services during a fast-moving cyber crisis.

The agreement also shows how NIS2 and DORA overlap in practice. DORA is sector specific, while NIS2 reaches across essential and important sectors, including digital providers that financial entities depend on. The resilience of the financial system is therefore tied not only to banks and insurers, but to cloud, software, managed service, payment, identity, and infrastructure suppliers that may sit under separate regulatory regimes.

×