France ranks among the top ten countries most frequently targeted by cybercriminals. Reasons for this include its status as a strong Western economy and EU and NATO member, as well as its position as a key opponent of Russia.

Investors in France should understand the key digital risks they face from cybercriminals, particularly in infrastructure and healthcare, two of the most targeted industries in the world.

Healthcare disruption

In France’s healthcare sector, the security of patient personal data – and consequently the quality of care – is increasingly at risk. In 2023, the French Digital Health Agency (ANS) reported 581 security incidents within the health and medico-social sectors.

A significant example occurred in April 2024, when the Simone Veil Hospital in Cannes was targeted in a ransomware attack from the LockBit group. The attack encrypted the hospital’s data, disrupting access to medical records, medication prescription systems and radiology services. The consequences of such attacks are severe. In 2023, on average, 32% of healthcare facilities affected by ransomware attacks in France were forced to reduce their operations and function in a degraded mode.

Infrastructure disruption

Cyberattacks on critical sectors, such as transport, energy, telecommunications and aerospace, have risen notably since 2021, a year that saw a 74% increase. As these sectors become increasingly complex and dependent on interconnected device networks, their exposure to cyberattacks will grow significantly.

The primary cyber risks for the infrastructure sector stem from operational disruption, often orchestrated by “hacktivists” – hackers with a political or social motive. A 2020 ransomware attack by hacktivists on the Marseille Port Authority caused notable operational disruption and highlighted the susceptibility of French critical infrastructure to cyber threats.

Another significant risk is supply chain compromise, where unauthorised access to data across a target’s supply chain can cause widespread disruption. In France, the interconnected nature of infrastructure sectors makes them particularly vulnerable to such attacks, necessitating robust cybersecurity measures to protect against potential breaches.

Portfolio companies under threat

Undetected cyber breaches in a target company can lead to severe financial, reputational, regulatory and legal impacts. In 2021, the average ransom paid by mid-sized companies exceeded USD 1m, and 68% of private equity clients reported an increase in cyber incidents during the month of a deal closure. Such breaches can lead to fines from regulators, legal action from affected customers and clients, loss of trust and reputational damage. All of these factors can have long-term impacts on the financial value and market position of the target company.

The French National Cybersecurity Agency (ANSSI) has noted that ransomware threat actors often target portfolio companies of private equity firms because they are seen as easier targets with more financial resources to pay ransom demands. This trend is corroborated by ANSSI's reports indicating that ransomware attacks have increasingly shifted from regulated operators to more vulnerable entities, making it crucial for investors to assess the cybersecurity posture of potential investments. Vulnerabilities can pose significant risks not only to the individual companies but also to the broader portfolio. This highlights the importance of robust cybersecurity measures and due diligence in safeguarding investments.

Finally, the adoption of the European NIS2 Directive in January 2023 – aimed at enhancing cybersecurity across member states – has significantly raised the stakes for private equity and infrastructure investment. NIS2, which builds on the original Network and Information Systems Directive, expands the scope of cybersecurity requirements to include more sectors, such as healthcare, energy and transport, and imposes stricter obligations on essential and important entities.

For private equity firms investing in infrastructure, this means that a heightened focus on cybersecurity due diligence and compliance is critical. Non-compliance with NIS2 can lead to severe penalties, operational disruption and reputational damage. Investors must ensure that target companies have robust cybersecurity measures in place. The directive also underscores the importance of ongoing monitoring and risk management post-acquisition, as the interconnectedness of infrastructure sectors increases exposure to cascading cyberattacks. As such, NIS2 affects not only the immediate financial considerations of a deal but also the long-term resilience and value of infrastructure investments.

Identifying sensitive exposures for a French consultancy active across critical sectors

Recently, we conducted pre-investment due diligence on a French IT consultancy active in the infrastructure sector, with operations spanning Europe, South America, Africa and the Middle East. Our cyber experts assessed the organisation’s tactical exposure and external vulnerabilities to identify any sensitive exposures that could have material, reputational, legal or financial impacts on our client if the acquisition proceeded.

We found that the consultancy faced a higher likelihood of being targeted by cyber threats and data leaks than other, similar companies in the sector. This was largely due to the consultancy servicing vulnerable critical sectors like those mentioned above.

The consultancy’s global operations added complexity, as global companies have a larger attack surface. Their IT infrastructures span multiple countries and regions, with more third-party vendors and partners integrated into their systems. Global companies are also exposed to different, and sometimes sensitive, geopolitical environments, as well as varying cybersecurity regulations and compliance requirements across jurisdictions.

Cybersecurity must be comprehensive

France faces significant and evolving cyber threats across critical sectors, particularly healthcare and infrastructure. As attacks grow in sophistication and frequency, organisations must prioritise comprehensive cybersecurity strategies, including robust incident response plans, employee training, and compliance with expanding regulations like NIS2.
