Military Programming Law (LPM): A Key Standard for Cybersecurity in France and Europe

May 22, 2025 | Cyber | 5 minutes
The Military Programming Law (LPM) constitutes a central legislative framework for defense and security policies in France. Adopted every five to seven years, it sets the main strategic orientations, financial means, and operational priorities of the French armed forces. The latest version in force, LPM 2024-2030, includes strengthened provisions for cybersecurity, a national priority in the face of the rapid evolution of digital threats. In this article, we will explore the foundations of the LPM, its main provisions, and its impact on industrial cybersecurity, a key area for critical infrastructure and national sovereignty.

Main Objectives of the Military Programming Law

The LPM is adopted by Parliament and is based on three major strategic axes:

  • Defining national defense priorities in the face of new threats (cyberattacks, espionage, terrorism, etc.).
  • Setting the necessary budgets to develop modern military capabilities.
  • Ensuring the protection of critical infrastructure, including the energy, transport, health, and communications sectors.

In terms of cybersecurity, the LPM imposes specific obligations on Operators of Vital Importance (OIVs) and Operators of Essential Services (OESs), such as the implementation of robust technical and organizational measures.

Cybersecurity and LPM: A Strategic Priority

Strengthened Integration of Cybersecurity in LPM 2024-2030

LPM 2024-2030 has overall funding of almost 413 billion euros for the period and allocates a significant portion of its budget to cybersecurity, including a portion dedicated to the modernization of digital capabilities. This strategic choice responds to several observations:

  • The resurgence of attacks targeting critical infrastructure.
  • The increased sophistication of threats (APTs, ransomware, supply chain attacks).
  • The growing interdependence of industrial and digital systems.

Industrial cybersecurity is a focal point of the LPM. OT (Operational Technology) environments are increasingly targeted by attacks aimed at disrupting production or collecting sensitive data. These threats represent a risk to business continuity and, ultimately, to national security.

Obligations of Operators of Vital Importance (OIVs)

OIVs, defined by the Defense Code, play an essential role in implementing the security measures imposed by the LPM. These operators, from sectors such as energy, transport, or health, must comply with strict requirements:

  • Regular assessment of digital risks.
  • Deployment of minimum security measures, such as the use of segmented information systems and encryption of sensitive data.
  • Mandatory notification of security incidents to competent authorities (notably ANSSI – National Cybersecurity Agency of France).

In case of non-compliance, the penalties provided by the LPM include significant fines, or even the suspension of critical activities.

Impact on Industrial Cybersecurity

Cybersecurity of Industrial Control Systems (ICS/SCADA)

Industrial infrastructures rely on automation systems (ICS/SCADA), often designed before the emergence of modern cyber threats. The LPM imposes reinforced controls on these systems to prevent risks of intrusion, sabotage, or diversion. Recommendations include:

  • Separation of IT (Information Technology) and OT (Operational Technology) networks to limit attack vectors.
  • Regular system updates to correct vulnerabilities.
  • Integration of intrusion detection solutions specific to OT environments.

Securing Industrial Supply Chains

Supply chains are another weak point identified in the LPM. Companies working with OIVs must guarantee the security of their products and services by integrating cybersecurity requirements from the design stage (security by design).

The LPM and European Collaboration

Synergies with the NIS2 Directive

The NIS2 directive, adopted by the European Union, complements the LPM by harmonizing the cybersecurity obligations of critical operators within member states. France, with its LPM, is ahead in several aspects, particularly supervision by ANSSI. However, convergence with the European directive strengthens the effectiveness of measures and facilitates cross-border cooperation in the event of a major attack.

Strategic Partnerships

The LPM also encourages partnerships between public and private actors to develop innovative solutions. The objective is to strengthen European digital sovereignty while reducing dependence on non-European technologies.

LPM and Technological Innovation

Role of Artificial Intelligence and New Technologies

LPM 2024-2030 plans investments in emerging technologies such as artificial intelligence, quantum computing, and predictive cybersecurity. These tools enable:

  • Proactive threat analysis through advanced algorithms.
  • Attack simulation to test the resilience of critical infrastructure.
  • Strengthening of rapid response capabilities in case of an incident.

Development of Cybersecurity Skills

Finally, the LPM emphasizes the training and recruitment of cybersecurity experts. The lack of skills is a major obstacle to securing critical infrastructure. Specific programs, funded by the state, aim to bridge this gap.

Upcoming Challenges and Issues

The implementation of LPM 2024-2030 raises several challenges:

  • Complexity of industrial systems: OT environments remain difficult to secure due to their diversity and increasing interconnection with IT networks.
  • High investment costs: Small structures, subcontractors of OIVs, may experience difficulties in meeting the requirements of the LPM.
  • Rapid evolution of threats: The LPM must remain flexible enough to adapt to unforeseen threats, such as cyber weapons exploiting zero-day vulnerabilities.

Conclusion

The Military Programming Law 2024-2030 marks a significant step forward in the protection of critical infrastructure and industrial cybersecurity. By imposing strict obligations on OIVs and encouraging technological innovation, it plays a central role in securing France's strategic interests.


For industrial companies, this law represents both a constraint and an opportunity. It requires a technological and organizational upgrade, while offering prospects for collaboration and innovation.


By being part of a European dynamic, the LPM contributes to building a resilient ecosystem in the face of modern cyber threats. For players in the sector, compliance with its requirements is imperative to ensure business continuity and guarantee national security.

FAQ

Question 1: What is the Military Programming Law (LPM)?

The LPM is a law defining the strategic and budgetary priorities of the French armed forces for a period of several years. It specifically covers the cybersecurity of critical infrastructure.

Question 2: Who are the stakeholders concerned by the LPM in terms of cybersecurity?

Operators of Vital Importance (OIVs), Operators of Essential Services (OESs), industrial subcontractors, and public administrations must comply with the LPM's cybersecurity requirements.

Question 3: What obligations does the LPM impose on industrial companies?

Companies must strengthen the protection of their OT/ICS systems, secure their supply chains, and report any major cyber incidents to the competent authorities, particularly ANSSI.

Question 4: How does the LPM interact with the NIS2 Directive?

The NIS2 directive harmonizes cybersecurity obligations at the European level. The LPM integrates these requirements while imposing specific rules for France, particularly for OIVs.

The main challenges include the complexity of industrial systems to secure, the cost of compliance, the shortage of cybersecurity experts, and adaptation to new emerging threats.
