Key Takeaways on the General Security Framework (RGS):
- The RGS is a key regulatory framework for French administrative authorities, requiring them to protect their sensitive information and ensure trust in the use of their digital services.
- Compliance with the RGS represents an adva
Public administrations are increasingly implementing electronic services to interact with each other, as well as with citizens and businesses. These electronic exchanges often involve sensitive data and, therefore, require reinforced security measures.
Since 2005, the provisions of Ordinance No. 2005-1516, known as the ‘RGS,’ have been in place to ensure trust in the electronic services offered by French administrative authorities while limiting the risks of fraud.
This article provides an overview of the requirements of the General Security Framework: who it is intended for, its different levels of security, and how it aligns with the eIDAS regulation.
What is the RGS and Who Is It For?
The RGS, or General Security Framework, is a regulatory framework (2005) aimed at limiting fraud related to the use of digital services within the administration and establishing digital trust in electronic exchanges. This trust applies both to relations between individuals, businesses, and administrative authorities, as well as between different administrations.
As explained by the ANSSI, which manages the framework, it applies to the following administrative authorities:
- State administrations,
- Local authorities,
- Public establishments of an administrative nature,
- Organizations managing social security schemes,
- Other bodies responsible for the management of public administrative services,
- Commissions coordinating eviction prevention actions.
The General Security Framework also applies to public and private entities providing trust products or services, as well as to entities responsible for the qualification of these products and services.
Public administrations and entities using electronic signatures or seals within the scope of an online service must obtain an RGS certificate (valid for 1 to 3 years, issued by a certification authority), whose security level is defined following a risk analysis.
The ANSSI plays a key role in updating and enforcing the General Security Framework, particularly by assisting administrative authorities in understanding the requirements of the text. It also accredits service providers issuing RGS certificates. These certificates can be of two types:
- Personal certificates, used to identify and authenticate individuals.
- Corporate certificates, intended for organizations to secure servers and applications.
1, 2, or 3 Stars: The Different Levels of Security in the RGS
The General Security Framework provides for three increasing levels of qualification (RGS*, RGS**, RGS***), each adapted to the sensitivity of the data processed and the associated risks. These different levels address distinct security challenges.
| | RGS 1 star | RGS 2 stars | RGS 3 stars |
|---|---|---|---|
| Security Level | First security level (lowest) | Enhanced security level | Highest security level |
| Usage Context | Processing of less sensitive data | Management of sensitive data | Administrative contexts requiring maximum protection of sensitive data |
| Examples | Access to the Sylaé portal | Public contracts, Vehicle Registration System, Procedures with the INPI Single Window, ACTES Application | State agencies related to national security, government agencies (e.g., Medicines Agency), Public Sector Agent Card |
| Certification Process | Simplified process | More rigorous process | Stricter procedures |
How Does the RGS Relate to the eIDAS Regulation?
The General Security Framework (2005) and the eIDAS regulation (2014) are two distinct regulatory frameworks. While both address digital security and trust in electronic services, they differ in their geographical scope and context of application.
The RGS applies solely in France, between French public entities or for exchanges with them. In contrast, the eIDAS regulation applies to all EU Member States across all sectors. It establishes common standards to facilitate exchanges between Member States with a high level of security and trust.
These two frameworks are not legally equivalent, but they complement each other and are sometimes closely aligned. The RGS 1-star level is comparable to the requirements of advanced electronic signatures. The RGS 2-star and 3-star levels are closer to the requirements of qualified electronic signatures.
A qualification under the RGS does not imply compliance with the eIDAS regulation, and vice versa. Organizations concerned must therefore comply with the requirements of both frameworks to ensure particularly secure digital exchanges. In the case of a French administration signing documents that require recognition at the European level, both the eIDAS regulation and the RGS apply jointly.
What is the Link Between RGS Certificates and Electronic Signatures?
RGS certificates serve to ensure the authenticity, confidentiality, and integrity of data exchanged as part of the activities of the French administration. They allow electronic documents to be signed and authenticated, combining both functions.
An electronic signature made with an RGS certificate ensures that the document has not been modified after signing (document integrity is guaranteed). The authentication system in place is particularly relevant when handling sensitive or critical information.