International Fraud and Asset Tracing 2025

FRANCE Trends and Developments Contributed by: Samuel Sauphanor, Alexandra Szekely, Timothée de Saint Viance and Benoit Barré, Le 16 Law

licence until 1 July 2026. However, they may only do so in France and EU passporting rights are excluded. PSANs that registered in France between 1 January 2024 and 30 December 2024 were subject to a transitional “enhanced” reg - istration regime under the 2023 DDADUE Law and are already subject to additional obligations closer to those imposed under the licensing framework introduced by the MiCA Regulation, including conflict of interest policy, business continuity plan or cybersecurity requirements. All PSANs operating in France will be required to hold a licence by 1 July 2026 under the MiCA Regulation. Cybersecurity and Digital Fraud Prevention Cybercrime has taken centre stage in France’s legal response. Offences against automated data processing systems Due to the significant financial and security impli - cations, France and the EU have established preventive and punitive frameworks to address cybercrime. In France, the National Cybersecu - rity Agency (the “ANSSI” ) was created in 2009 in response to the growing threat of cyber-attacks. The primary legal basis for prosecuting cyber- related offences lies in Articles 323-1 to 323-8 of the French Criminal Code, which criminalise unauthorised access, obstruction and fraudu - lent manipulation of automated data process - ing systems. Such a system is legally defined as a structured set comprising processing units, memory, software, data, input/output devices and communication links contributing to a spe - cific result. These offences may, in certain circumstances, overlap with traditional criminal offences such as theft (Article 311-1 of the French Criminal Code)

or breach of trust (Article 314-1 of the French Criminal Code), with which they can be cumu - latively prosecuted, depending on the nature of the acts committed and the protected legal interests. Fighting cybercrime France was among the first EU member states to implement a comprehensive legal regime for the protection of critical infrastructures, with the designation and enhanced protection of critical networks and IT systems ( Systèmes d’Information d’Importance Vitale or SIIV) oper - ated by operators of vital importance ( Opéra- teurs d’Importance Vitale or OIV) under the French 2013 Military Programming Law. This national framework, grounded in national secu - rity considerations and codified in the French Defence Code (Article L1332-1 et seq) has set a high standard in terms of cybersecurity obli - gations for critical operators (whether public or private), including mandatory implementation of state-imposed security rules, incident notifica - tion requirements and oversight by the ANSSI. The legal framework for OIV is currently being updated as part of the transposition of EU Direc - tive 2022/2557 on the resilience of critical entities (the “CRE Directive” ) into French law. To date, some 300 entities have been designated as OIVs by the French authorities. The list of OIVs is clas - sified for national security reasons. It is expected that the number of designated OIVs will remain more or less unchanged once the Directive has been transposed into French law. Over time, France has gradually supplement - ed its OIV regime with additional provisions to bring French law into line with the requirements of Directive (EU) 2016/1148 (NIS1) and Directive (EU) 2022/2555 (NIS2). The French NIS1 trans - position law of 2018 added two categories of

146 CHAMBERS.COM

Powered by