Military Programming Law 2024-2030 (LPM) — Cybersecurity Provisions

France's Military Programming Law 2024-2030 (Loi de programmation militaire, LPM) includes significant cybersecurity provisions that extend beyond defense to critical infrastructure operators. Article 35 of the LPM grants ANSSI (Agence nationale de la sécurité des systèmes d'information) enhanced powers to detect cyberattacks on French territory, including the authority to require internet service providers to implement technical measures to detect malicious traffic. The LPM introduces obligations for operators of vital importance (OIV) and operators of essential services (OSE) to implement security detection systems and cooperate with ANSSI during incident response. The Law also strengthens ANSSI's authority to conduct security audits of critical infrastructure operators and to issue binding security recommendations. For the cybersecurity legal community, the LPM represents a significant expansion of state cybersecurity powers and creates new compliance obligations for operators in 12 critical sectors including energy, transport, health, water, banking, financial market infrastructure, and digital infrastructure.