France’s domestic intelligence service, the DGSI, the country’s FBI-meets-counterintelligence shop, has a blunt message for corporate France: stop treating foreign apps like harmless office glue.
The agency is warning companies that everyday tools (video calls, chat apps, file-sharing) can double as pipelines for industrial espionage and data compromise. And in a world where economic warfare doesn’t need tanks, your “free” software can be the cheapest spy on the payroll.
France says 70% of critical systems rely on foreign software, and that’s the problem
France’s cybersecurity authority, ANSSI, estimates that 70% of the country’s critical infrastructure uses at least one foreign-developed software product for daily operations. That dependency, French officials argue, creates a menu of ugly options: data extraction, hidden backdoors, or systems being crippled if a “mystery feature” gets flipped on.
Energy, defense, and telecom are at the top of the worry list. The article cites EDF (France’s electric utility giant) replacing several Chinese-made industrial monitoring tools last year after discovering undocumented communications modules. The cleanup reportedly took six months and cost €45 million, about $49 million at current rough conversion.
DGSI is especially focused on the stuff employees actually use all day: videoconferencing, instant messaging, and file-sharing. These tools exploded during the pandemic, and France’s spies say they also create convenient leakage channels to servers sitting in third countries. Names getting extra scrutiny: TikTok, WeChat, and certain versions of Zoom.
And the problem isn’t theoretical. The biggest French companies, the CAC 40 (think “France’s Dow 30-ish”), were given tailored guidance to audit their digital environments. According to sources close to the matter, 32 of the 40 found at least one “problematic” app somewhere in their systems.
Europe’s new cyber rules (Jan. 2026) come with teeth: up to 4% of global revenue
The timing isn’t accidental. A new EU regulation on cybersecurity for digital products took effect on January 15, 2026, and it forces software vendors into more transparency. Companies that deploy non-compliant solutions can face fines up to 4% of worldwide revenue. That’s not a slap on the wrist; that’s a boardroom panic button.
The regulation demands things many vendors hate: disclosure for critical components (including source-code publication for certain critical pieces, per the article), clear identification of where data-processing servers are located, and end-to-end encryption mechanisms. The piece argues these requirements collide head-on with the business models of many Asian and American software publishers.
Even Big Tech is adjusting. The article says Microsoft created a European subsidiary dedicated to hosting French government data, investing €2 billion, around $2.2 billion, in “sovereign” data centers in Marseille and Paris. Google and AWS reportedly followed, because when regulators start writing checks with penalties, companies start reading the fine print.
On enforcement, the European Commission has already issued 12 usage bans targeting industrial surveillance apps developed in Russia and China, according to the article. Companies using them get six months to migrate.
French and European alternatives exist, but they don’t cover everything yet
So what are companies supposed to do, just rip out half their tool stack and pray? France is pushing firms toward European options, but the article admits the bench is thin. Players like OVHcloud, Atos, and Thales offer alternatives, yet their catalogs don’t fully match what big organizations need across every business function.
Paris is trying to brute-force a domestic software pipeline. The France 2030 plan has earmarked €500 million (about $540 million) to build “sovereign” software capacity, but the first products aren’t expected until 2027. That leaves a gap where companies are forced to choose between operational convenience and security compliance, with regulators watching.
Consulting firms smell money. The article says Capgemini created a unit focused on compliance audits for foreign software, hiring 150 cybersecurity experts since September. Demand is so heavy the backlog is already 18 months.
Small and mid-sized businesses, usually the ones without a legal army and a CISO with a war room, are getting targeted help through France Num, a government-backed program offering free audits and training to spot risky software. The article says 3,200 companies have used the service since launch.
France’s cybersecurity market is reshuffling, and it’s getting expensive
This isn’t just a compliance story; it’s a market story. European cybersecurity vendors are cashing in. The article claims Stormshield saw revenue jump 340% in a year, driven by demand for locally controlled encryption tools.
Consultancies are hiring like it’s a gold rush. PwC Cybersecurity plans to add 200 consultants by the end of 2026 to keep up with audit work, and specialists in international regulation are commanding pay increases of about 25%, according to the piece.
Training programs are also pivoting. Schools like École 42 and Epitech have launched tracks focused on “digital sovereignty”, a very French phrase that means “we’d like our data to stop taking international vacations without permission.”
But none of this is cheap. The article says French companies now spend 12% of their IT budgets on cybersecurity compliance, up from 6% two years ago. That’s a doubling in a short window, because once governments decide software is a national security issue, “move fast and break things” turns into “move carefully and document everything.”





