The Military Planning Law (or MPL) is becoming increasingly well known in the world of cybersecurity – but not only that. This French legislation defines all the priorities, objectives and resources allocated to the armed forces for a given period. These objectives certainly concern the security of information systems, but they also relate to equipment, research efforts and staff numbers.
However, it is the ‘cyber’ aspect of this law that interests us here. So here’s a look at what the MPL requires in terms of IT security – and how to implement it.
The Military Planning Law (MPL): a brief reminder
First promulgated in 2013 for a period of six years (2014-2019), the MPL was renewed for 2019-2025, then for 2024-2030.
With an increasing emphasis on cyber security over the years, the law includes specific provisions aimed at strengthening the security of information systems critical to national defence.
In essence, the MPL establishes a regulatory framework to protect critical infrastructures against cyber attacks. To this end, it imposes mandatory security measures on Operators of Vital Importance (or OIVs). The latter are in fact entities whose operation is essential to the nation’s survival, affecting sectors such as energy, transport, health and finance.
The LPM requires these operators to adopt enhanced security measures and comply with strict standards to ensure the resilience of their IT systems.
Legislation to strengthen national cyber security
The principle of the MPL ? Securing critical infrastructures to reduce the risk of cyber attacks, which could have serious consequences for national security and the economy.
To achieve this objective, a number of factors are being taken into account.
- Standardisation of security measures: by imposing common standards, the LPM facilitates uniform security practices among OIVs. This will improve the country’s overall resilience to cyber threats.
- Improved responsiveness: the law requires OIVs to notify security incidents to the relevant authorities. This requirement enables better coordination and a faster response in the event of a cyber attack.
- Encouraging innovation: the need to comply with the requirements of the LPM stimulates innovation in the field of cyber security, encouraging companies to develop new technologies and security solutions.
But it’s not just about imposing rules on organisations! Other measures are designed to support this effort:
- increase in the number of cyber security experts ;
- protection of weapon systems and IS from the design phase;
- strengthening the capabilities of Centre for Analysis and Computer Defence (CALID), the SOCs of the armed forces…
In this context, no less than €4 billion has been earmarked for cyber security in the latest version of the LPM, published on 1st August 2023 for 2024-2030.
How do you comply with the MPL?
Complying with the Military Planning Law from a cyber perspective is no easy task. And for good reason:
- Implementing the imposed safety measures can be costly (technology, training, human resources, etc.) and requires significant operational adjustments;
- The requirements of the LPM can be difficult to understand, especially for small businesses without a dedicated cyber team;
- the measures prescribed by the MPL are constantly evolving to remain effective in the face of new threats.
Good news: here are a few tips to help you comply with the LPM.
- Understand the requirements: take part in training courses, consult official documents, read practical guides, etc.
- Assess the risks: carry out an in-depth risk analysis to prioritise the measures to be implemented.
- Set up security governance: establish a clear security policy, defining the roles and responsibilities of everyone involved in cybersecurity. The creation of a safety committee may also be useful for supervising compliance with the LPM.
- Reinforce your protection measures: data encryption, strong authentication, data segmentation, etc. Use incident detection and response tools to identify and react quickly to threats.
- Raise awareness and train your staff: a strong security culture within the organisation is one step closer to LPM compliance!
- Collaborate with the authorities: maintain regular communication with the relevant cybersecurity authorities, such as ANSSI.
MPL compliance: some case studies
The energy sector
Let’s imagine that a company in the energy sector, classified as an OIV, has put in place a cyber security programme in line with the requirements of the LPM.
This action plan will include :
- a detailed risk analysis (identification of critical assets and potential vulnerabilities) ;
- securing control and data acquisition systems (firewalls, intrusion detection systems, strict access policies, etc.);
- ongoing training, with regular training sessions for employees on cyber threats and best practice.
The transport sector
Now it’s the turn of a railway company to adopt a number of measures to comply with the MPL:
- network segmentation to limit the spread of threats;
- the use of real-time monitoring solutions to detect and respond rapidly to security incidents;
- cross-sector collaboration (for example, sharing information and good practice with other IGOs in the transport sector).
As you will have gathered, the Military Planning Law is not just about cybersecurity, but this area is becoming increasingly important. And this trend is likely to continue in the years to come… So to help you organise your regulatory monitoring more effectively and make sure you don’t miss out on any changes in cyber regulations, download our dedicated factsheet!