General Security Regulation for Information Systems (RGS V2): A Cornerstone for Cybersecurity in France

April 15, 2025 | Cyber | 4 minutes

The General Security Regulation for Information Systems (RGS) is a normative framework established to ensure a high level of security for the information systems of French public administrations. Version 2 (RGS V2), the latest update, strengthens this objective by incorporating technical and organizational evolutions tailored to current threats. This article offers a comprehensive overview of the standard, its key requirements, practical applications, and its critical role in the field of industrial cybersecurity, including within essential sectors such as industry.

Origin and Objectives of RGS V2

A French Initiative to Secure Public Information Systems

The RGS was initiated by the French National Cybersecurity Agency (ANSSI) with the aim of establishing a unified framework for protecting the information systems of public entities. In France, administrations, local authorities, and public organizations must ensure that their systems are adequately secured to protect sensitive information, especially as public services increasingly go digital.

Core Objectives

RGS V2 is built on four essential pillars of information security:

  • Confidentiality: ensuring that only authorized parties can access sensitive data.
  • Integrity: ensuring that information cannot be modified or altered without authorization.
  • Availability: ensuring that systems remain operational and accessible at all times.
  • Traceability: logging critical events so that actions can be analyzed, especially in the event of incidents.

These principles are particularly important for critical infrastructures, including sensitive industries, which must uphold high security levels while ensuring operational continuity.

Key Updates in Version 2 (RGS V2)

RGS V2 introduces several major updates to better address evolving cybersecurity needs and threats.

Evolution of Technical Requirements

RGS V2 places greater emphasis on the use of modern encryption tools tailored to the complexity of today’s cyberattacks. ANSSI now recommends algorithms that comply with international standards, such as AES for symmetric encryption and RSA or ECC for asymmetric encryption.

Consideration of Hybrid Environments – On-premises & Cloud

With the rise of multi-cloud and hybrid environments, RGS V2 acknowledges the need to secure distributed systems while considering data sovereignty. This evolution is particularly relevant for public administrations using externally hosted solutions.

Application of RGS V2 in Industrial Cybersecurity

Although RGS is primarily designed for public administrations, its principles can be effectively applied to other sectors, particularly critical industries. These sectors share similar challenges in protecting sensitive data and strategic infrastructures.

Protecting Industrial Systems Against Cyber Threats

Industrial information systems (ICS/SCADA) are at the core of critical infrastructures such as energy, transportation, or industrial production. A successful cyberattack on these systems can lead to major service interruptions, physical damage, or even threats to human safety. The principles of RGS — particularly regarding identity management, access control, and encrypted communications — are directly applicable to these environments.

Certification of Critical Equipment

Under RGS V2, equipment deployed in critical environments must be certified to ensure compliance with security requirements. This is essential for industrial systems, which often rely on legacy technologies requiring targeted security updates.

Incident Management and Traceability

Traceability, a core pillar of RGS, is vital in industrial environments where incidents must be analyzed rapidly to prevent prolonged outages. Implementing detailed audit logs and enabling real-time monitoring of information systems allows for a swift response to cyber threats.

RGS Implementation Approach

To comply with RGS V2, organizations must follow a structured, multi-step methodology.

Risk Assessment

The first step involves identifying the risks to which information systems are exposed. The EBIOS Risk Manager method, also promoted by ANSSI, is particularly well-suited for conducting a thorough risk assessment.

Securing Information Flows

The RGS mandates that all critical information flows be protected using robust encryption mechanisms. Public administrations and industrial organizations must ensure their communication protocols, stored data, and remote access systems are compliant with these security requirements.

Awareness and Training

Another key aspect of the RGS is the emphasis on user awareness and training. Since human error accounts for a large share of security incidents, it is essential that employees are educated on cybersecurity best practices.

Limitations and Challenges

Adaptability to Industrial Environments

Although RGS V2 is a powerful framework, it is not specifically designed for industrial settings, which present unique constraints such as:

  • Heterogeneous technologies (legacy and modern systems).
  • The need for uninterrupted availability.
  • The coexistence of industry-specific standards, such as ISO/IEC 62443.

Compliance Costs

Implementing RGS requirements can involve significant costs, particularly for upgrading legacy systems or certifying equipment. This financial barrier may be a deterrent for some organizations.

Rapid Evolution of Threats

Cyberattacks are evolving at a rapid pace. While the RGS provides a solid foundation, it requires regular updates to remain relevant against emerging threats.

RGS V2 and Other Standards: A Strategic Complement

RGS V2 integrates well with other widely adopted cybersecurity standards, such as:

  • ISO/IEC 27001: Information security management.
  • ISO/IEC 62443: Security for industrial control systems.
  • NIS Directive: Security of network and information systems.

Organizations can adopt a combined approach to leverage the strengths of each standard while fulfilling RGS V2-specific requirements.

Conclusion

The General Security Regulation for Information Systems (RGS V2) represents a robust and essential framework for enhancing the cybersecurity posture of French public administrations. While primarily designed for public services, it also offers valuable insights for other sectors, especially critical industries.


By adopting RGS V2 principles, organizations can improve their security posture, ensure regulatory compliance, and reduce cyber risk exposure. Despite challenges such as cost and adaptability, RGS remains a key reference to secure information systems against increasingly sophisticated threats.

FAQ

Question 1: Is RGS V2 mandatory for industrial organizations?

No, RGS V2 primarily applies to French public administrations. However, its core principles—confidentiality, integrity, availability, and traceability—are perfectly transposable to critical industrial environments. Many industrial companies adopt all or part of the RGS as a complementary framework to sector-specific standards like ISO/IEC 62443.

Question 2: What benefits can an industrial organization gain from implementing RGS V2?

Integrating RGS V2 raises cybersecurity maturity by aligning with ANSSI requirements. This translates to enhanced access governance, secure information flows, improved traceability, and greater resilience to cyber threats. Ultimately, it is a strategic lever for operational safety.

Question 3: Is RGS V2 compatible with ISO/IEC 27001 or 62443?

Absolutely. RGS V2 can be embedded within a multi-standard strategy. It complements ISO/IEC 27001 (information security management) and aligns with ISO/IEC 62443 (industrial control system cybersecurity). A combined approach helps optimize compliance efforts while addressing the specific needs of each environment.

Question 4: How can RGS V2 be implemented in an existing industrial system?

The process begins with a risk assessment using tools like EBIOS RM, followed by mapping of sensitive flows, securing access, and establishing detailed traceability. The involvement of industrial cybersecurity experts is crucial to adapt RGS requirements to the specific operational constraints of OT (Operational Technology).
