1. Why a France Cybersecurity Label?
The France Cybersecurity Label addresses several needs and objectives:
- Raise awareness among users and international ordering parties regarding the importance of the French origin of a Cybersecurity offer and its intrinsic qualities
- Certify to users and ordering parties the quality and functionalities of labelled products and services
- Promote French cybersecurity solutions and increase their domestic and international exposure (export market)
- Increase their overall use and the security level of users
This label is governed by a tripartite structure consisting of user representatives, industry representatives and relevant State services, which defines the specification requirements as well as the awarding and withdrawal principles (for example, the implementation of an awarding committee).
2. What guarantees does the France Cybersecurity Label provide to users of labelled products and services?
The France Cybersecurity Label is the guarantee for end users – mainly companies and administrations – that the certified products and services are made in France and possess clear and well-defined functionalities, with a level of quality established by an independent panel which bases its decisions on prior certifications, a third-party independent expert investigation and feedback from other end users.
This guarantee is provided by verifying that the label's specifications are properly observed and by scrutinising the factual elements supplied by the solution provider on the quality and performance of its products and services.
This guarantee is supported in particular by prior cybersecurity certifications, qualifications and labels, where they exist, and by a relevant third-party evaluation.
3. To whom can the France Cybersecurity label be awarded?
The France Cybersecurity Label is awarded, upon explicit application by suppliers, editors and service providers who operate commercially and technically in France, to a range of products and services within three areas of activity:
- Hardware and/or software products,
- Managed services in cybersecurity,
- Consulting, Engineering and Services in cybersecurity.
The attribution principles mainly rely on the following criteria:
- Products and services are provided and/or delivered by a French company
- Products are conceived and developed in France
- Services are provided from France or hosted in France when appropriate
- The quality and performance of products and services are assessed by certifications
Criteria specific to a product or service category might be disclosed in the requirement specifications.
4. How to get the France Cybersecurity Label?
Each company applying to use the label for one or several of its offers must notify its application, and its adherence to the regulation of use of the label, by sending a request to the secretariat of the France Cybersecurity Label.
Once the applicant’s file is transferred to the secretariat of the France Cybersecurity Label, the applicant company must provide the following elements:
- Economic and administrative information
- A certificate of incorporation
- A detailed fact sheet about the offer submitted for labelling
- A payment commitment for the processing fee
The applicant’s file is then transferred – in a confidential and protected manner – to an independent third-party instructor mandated by the governance of the France Cybersecurity Label. During the instruction phase, the third-party instructor might, after becoming acquainted with the whole file of the applicant company, contact the latter with inquiries, which will stay within the scope of the mission given to the instructor.
Once the instruction is over, an appraisal report is submitted to the France Cybersecurity label awarding committee which adjudicates based on the expert’s recommendations and based on its own criteria.
A formal answer (label awarded, label denied or file deferred) is then issued by the label secretariat.
If the label is awarded, the applicant company becomes a label operator and holds a right of usage over it, as defined below.
5. What is the duration of the procedure?
The France Cybersecurity label structure commits to ensuring that the whole procedure, from the initial request of the applicant company to the notification of the final decision, does not exceed three months (90 days).
6. What is the cost of the procedure?
The cost of the procedure, especially the part dedicated to the file instruction by an independent third party, amounts to 1500€ for an SME or a micro-company and to 3000€ for large companies (following the INSEE’s benchmark).
7. Who are the contacts within the France Cybersecurity label?
On an administrative level, the contacts are the persons in charge of the label secretariat.
For all technical matters, prior to the instruction phase, the award committee representatives, consisting of industrials, users and State officials, will provide an answer to any request within one week.
During the instruction phase, the contact of the applicant company will be the third-party instructor in charge of the file.
8. Can an open source product be labelled?
Since the initial criteria of the label must be respected, the applicant product / service / consulting / managed service must have been developed in France.
9. What is the usage of the France Cybersecurity label?
The usage of the label is reserved to companies that have a labeled offer, in accordance with the criteria stated in this regulation.
According to the right of usage, the operator can use the label for a labeled offer on all institutional and promotional communication materials, as well as in its general terms and conditions of sale.
The logotype is available in digital format on the label website: http://www.francecybersecurity.fr. Use of the logotype must respect the label's graphic rules.
10. What is the period of validity of the France Cybersecurity Label?
Specifically, each labeled offer holds the label for a period of two years. Once this period has expired, a new procedure must be launched from the start.
The operator allowed to use the label for one of its offers commits to inform the France Cybersecurity Label structure prior to any modification of the characteristics or of the general terms and conditions of sale of its offer, since such a modification might affect compliance with this regulation.
The collective right of usage of the label is strictly specific to the operator, holder of said label, and cannot be transferred to a third party (company, institution, federation).
In general, the right of usage of the label for a labeled offer remains in place until:
- the next amendment of the specific requirements, where the offer no longer meets the new conditions;
- a modification of the operator's offer conditions, if it implies a violation of the regulation of use.