ANSSI French National Cybersecurity Agency.

ANSSI is the French national cybersecurity agency, reporting to the Prime Minister since 2009. National authority for cybersecurity policy in France, qualifies products and service providers, publishes EBIOS Risk Manager, acts as competent authority for NIS 2 transposition. Their qualifications (SecNumCloud, PVID, PASSI) are the gold standard in the French public sector.

By Christophe Mazzola, Practicing CISO · Founder of Cyber AcademyStandards bodiesAll entries

The Cyber Academy take

ANSSI is the French national cybersecurity agency, reporting to the Prime Minister since 2009. National authority for cybersecurity policy in France, qualifies products and service providers, publishes EBIOS Risk Manager, acts as competent authority for NIS 2 transposition. Their qualifications (SecNumCloud, PVID, PASSI) are the gold standard in the French public sector.

ANSSI is France's national cybersecurity authority. Its full name is the Agence nationale de la securite des systemes d'information.

What ANSSI does

Where it sits

ANSSI reports to the Secretariat-General for National Defence and Security. That body sits under the Prime Minister.

This keeps ANSSI separate from intelligence and law-enforcement bodies. The agency is defensive by design.

That separation matters in practice. Organisations can share incident details with ANSSI freely. They need not worry that the same agency runs offensive operations or prosecution.

Its main roles

Its remit is broad. ANSSI does several things at once:

  • It sets national cybersecurity policy and doctrine.
  • It runs CERT-FR for incident response and threat intelligence.
  • It supervises operators of vital importance and essential entities.
  • It publishes guidance and methods used as reference across France.

ANSSI also maintains EBIOS Risk Manager. This is the risk-analysis method many French organisations use. It helps them build the threat scenarios behind their security programme. ANSSI maintains it, not a private standards body.

Qualifications and visas

Most practitioners deal with the qualification scheme first. ANSSI does more than write rules.

It vets products and service providers against published requirements. It then grants a qualification or a security visa.

These labels carry real weight. The public sector and regulated operators often require them by policy.

The main labels

  • SecNumCloud qualifies cloud service providers. It uses a demanding security and sovereignty baseline. It is increasingly cited as the bar for sensitive public-sector workloads.
  • PASSI qualifies security-audit providers. This covers penetration testing, configuration review, and architecture audit. A buyer then knows the auditor met a common standard.
  • PVID covers remote identity-verification providers. These run onboarding flows that must resist deepfakes and document fraud.

ANSSI versus ENISA and NIS 2

ANSSI is not ENISA

People often confuse ANSSI with ENISA. They sit at different levels.

  • ANSSI is the national authority for one member state, France.
  • ENISA is the EU agency that supports all member states. It runs the EU cybersecurity certification framework.

The two cooperate. Yet ANSSI is the body that supervises French entities. It can act as a competent authority when EU rules become French law.

The NIS 2 picture

NIS 2 is the clearest example. The directive is European. It still has to be transposed and enforced nationally.

In France, ANSSI is the competent authority for NIS 2. It does three things:

  • It defines which entities are in scope.
  • It sets expectations for risk management and incident reporting.
  • It oversees compliance.

So a French essential or important entity asks who to notify after a significant incident. The answer routes through ANSSI and CERT-FR. It does not go directly to Brussels.

Frequently asked questions

01Is ANSSI the same as ENISA?

No. ANSSI is the national cybersecurity authority for France, while ENISA is the European Union agency that supports all member states. ANSSI supervises French entities and acts as competent authority nationally; ENISA operates at EU level, including the EU certification framework.

02Does ANSSI investigate or prosecute cyberattacks?

ANSSI is a defensive authority focused on protection, guidance and incident response through CERT-FR. It is deliberately separated from intelligence and judicial bodies, so prosecution is handled by other authorities, not ANSSI itself.

03What are SecNumCloud, PASSI and PVID?

They are ANSSI qualifications. SecNumCloud covers cloud service providers, PASSI covers security-audit providers, and PVID covers remote identity-verification providers. Each signals that the provider was assessed against ANSSI requirements, and they are often required in French public-sector procurement.

04What role does ANSSI play in NIS 2?

NIS 2 is an EU directive that each country transposes into national law. In France, ANSSI is positioned as the competent authority: it helps define which entities are in scope and oversees their risk-management and incident-reporting obligations, with CERT-FR as the operational point of contact.

05Who maintains the EBIOS Risk Manager method?

EBIOS Risk Manager is published and maintained by ANSSI. It is the risk-analysis method widely used in the French public sector and by operators of vital importance to build the attack scenarios that drive their security controls.

Need more than a definition?

Book a free 20-minute discovery call. We map the cohort that turns this term into an audit-ready practice.