- Digital Hub
New French law will require reporting of cybersecurity incidents within 72 hours to benefit from insurance coverage
Anna van der Leeuw-Veiksha
Professional Support Lawyer
30 March 2023
LOPMI introduces a new provision in the French Insurance Code (Article L. 12-10-1), establishing that payment under an insurance policy for losses and damage caused by certain cyberattacks will be conditional upon prompt notification to the “competent authorities”. Cyberattack victims will have 72 hours from the moment they become aware of the cyberattack, to file a complaint to the competent authorities. The law will become effective on 24 April 2023.
While the original legislative proposal only intended to cover ransom payments or ransomware, the scope of the new provisions apply to a much wider range of cyberattacks prohibited by Articles 323-1 to 323-3-1 of the French Criminal Code, which include:
- fraudulently accessing an automated data processing system, which might result in deleting or altering data held in the system or hindering the functioning of this system;
- hindering or distorting the functioning of an automated data processing system;
- fraudulently introducing data into an automated processing system, or extracting, holding, reproducing, transmitting, or modifying the data contained in the system; and
- importing, possessing, offering, transferring, or making available the means to commit these offences (without a legitimate reason).
The new law will apply to legal and natural persons acting in the course of their professional activity. In addition to reporting an incident to the police, cyberattack victims may be still required to inform other authorities. For instance, cyberattacks that involve personal data may need to be notified to the French data protection supervisory authority (CNIL), certain incidents under the NIS Directive to the National Cybersecurity Agency of France (ANSSI) or health data breaches to the regional health authorities (ARS).
The future article L. 12-10-1 of the French Insurance Code is potentially open to interpretation concerning the timeframe within which the complaint must be filed (72 hours from the moment the cyberattack victims become aware of the attack). By analogy, the criteria drawn up by the EDPB regarding Article 33 GDPR, requiring notification of personal data breaches to the supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it”, might be taken up. However, disputes between insurance companies and their clients could arise in this respect.
The LOPMI is available here (only in French).