After the NutriScore for food, here is the CyberScore for site security

Social networks, like other large digital platforms, will soon have to submit to an equivalent of the NutriScore that rates their level of computer security. This is the principle of the CyberScore, now under debate in Parliament.

The NutriScore, the DigiScore and now the CyberScore. Rating products and services by color code is on the rise and is now entering the world of computer security. A bill is due to be examined in the National Assembly from November 26. It could give rise to a scale similar to the one now seen on food products.

The text should lead to the implementation of cybersecurity certification for digital platforms intended for the general public. The score would give simple, understandable information at a glance on the security of a particular site or service. The text has already been adopted by the Senate, during a debate which ended on October 22, 2020.

Although the bill does not explicitly mention the term CyberScore, the elected official behind it, Senator Laurent Lafon, a member of the UDI, called it that on the day it was examined in the upper house of Parliament. He justified his approach by the fact that "the French need clear and readable information on the level of protection of their personal data online".

In front of his colleagues, the parliamentarian observed that this kind of regulation by data, with scores, can have much more impact than a regulatory review, because these scores can influence the behavior of individuals and, consequently, their choice to buy a given product or use a given service. Companies are in turn pushed to adapt.

"The NutriScore has shown it: when the political power gives clear and readable information to consumers, it can initiate major changes without waiting for a big regulatory night," commented Laurent Lafon. "With CyberScore, we will push operators to change their practices," he added, anticipating that a bad mark could dissuade Internet users from registering.

The cyber world already has specific certifications, such as the one validating the proper hosting of health data (HDS) or the one attesting that the criteria for providing a remote IT service, that is to say in the cloud, are met (SecNumCloud). However, these certifications are aimed at very specific segments, which do not necessarily cover platforms frequented by the general public.

A CyberScore whose criteria remain to be established

As it stands, the law is very general and leaves a number of criteria to be set by decrees and orders that will have to be issued subsequently. This is the case, for example, with the scope of CyberScore: only platforms "whose activity exceeds one or more thresholds", including a traffic threshold, will have to submit to it. Large social networks like Facebook or Twitter should be covered.

Several amendments were tabled by the deputies to complete the text. In particular, there is the issue of certification: who will carry it out? Parliamentarians want to avoid a self-assessment scenario: the audit work will have to be carried out by external service providers "qualified by the National Information Systems Security Authority", which is the authority on the subject in France.

Large cloud providers that target audiences will be affected by this rating. // Source: Google Cloud

Other amendments propose to include the location of hosting among the criteria, given the legal issues of access to data stored on servers which may be located, depending on the case, outside France or Europe. The nationality of the platforms could also be part of the debate, given the effects of certain foreign legislation.

The CyberScore parameters therefore remain to be established, as do the final scope of the system (which types of sites or services are concerned?) and the eligibility criteria (from how many visitors, and on what basis?). However, the platforms could have a long time to adapt, if only to have time to conduct the audits: elected officials are considering an entry into force of the law on October 1, 2023.
