France's General Security Framework mandating ANSSI-accredited certificates for public administration information systems, with specific requirements for electronic signatures, authentication, and encryption.
The RGS (Référentiel Général de Sécurité) is France's regulatory framework for securing public administration information systems. Issued by ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information), it defines security levels and requirements for electronic exchanges with public services.
The RGS mandates the use of ANSSI-qualified certificates for authentication, electronic signatures, and encryption — creating a direct need for qualified PKI infrastructure and rigorous certificate lifecycle management. Organizations interacting with French public services must ensure their certificates meet RGS-defined profiles and are issued by qualified authorities.
With three security levels (RGS *, **, ***), the framework provides a graduated approach to certificate requirements, allowing organizations to match their security posture to the sensitivity of their exchanges. The highest level (***) requires hardware-protected keys and the most stringent CA qualification criteria.
All certificates used in public administration exchanges must be issued by ANSSI-qualified Certificate Authorities, meeting strict operational and security requirements.
Three security levels define increasing requirements for electronic signatures, from basic (*) to advanced (**) to qualified (***), each with specific certificate and key management constraints.
Authentication certificates must meet RGS-defined profiles for server and client authentication, with specific requirements for key usage, algorithm strength, and validity periods.
Data encryption in public administration systems must use ANSSI-approved algorithms and key lengths, with certificates managed through qualified infrastructure.
CAs issuing RGS-compliant certificates must undergo ANSSI qualification audits, demonstrating compliance with operational security, key management, and governance requirements.
Organizations must maintain audit trails, undergo periodic conformity assessments, and demonstrate ongoing compliance with RGS certificate management requirements.
The first version of the Référentiel Général de Sécurité is published, establishing the foundational security framework for French public administration information systems.
Major revision updating security requirements, aligning with evolving cryptographic standards, and strengthening certificate qualification criteria.
The RGS framework is aligned with the European eIDAS regulation, ensuring cross-recognition of qualified certificates between France and other EU member states.
ANSSI continues to enforce RGS requirements and publishes updated guidance on cryptographic algorithms, key lengths, and certificate management practices.
A new version of the RGS is expected to align with eIDAS 2.0, incorporating requirements for digital identity wallets and updated trust service standards.
The RGS creates specific and demanding requirements for PKI infrastructure serving French public administration. Here are the critical areas:
All certificates used in public administration exchanges must come from ANSSI-qualified CAs, requiring rigorous qualification audits and ongoing conformity assessments.
Each security level imposes increasing PKI requirements — from software-based key storage (*) to qualified hardware security modules (***) — with corresponding certificate profile constraints.
Government agencies must maintain rigorous certificate lifecycle processes including timely renewal, revocation management, and comprehensive audit trails for all RGS-compliant certificates.
RGS-qualified certificates must align with eIDAS standards for cross-border recognition, requiring PKI infrastructure that satisfies both national and European regulatory frameworks.
Stream is ANSSI-certified and directly issues RGS-compliant certificates: Our sovereign PKI platform holds ANSSI certification, enabling it to serve as a qualified Certificate Authority for issuing RGS *, **, and *** level certificates.
Horizon manages certificate inventory across government agencies: Discover and centralize all certificates deployed across public administration systems, providing complete visibility and governance for RGS compliance.
Automated lifecycle management for RGS *, **, *** levels: Automate certificate issuance, renewal, and revocation workflows tailored to each RGS security level, ensuring continuous compliance without manual intervention.
Audit-ready reporting for ANSSI conformity assessments: Generate comprehensive compliance reports and audit trails that demonstrate adherence to RGS requirements, streamlining ANSSI qualification and conformity assessment processes.