Although the citizen is not meant to become a cyber expert, they must be recognized as, and prepared for, what they already are: a front-line shield against digital threats.
A few weeks ago, ANTS (the National Agency for Secure Titles, which manages your passports, identity cards and driving licenses) was the victim of a cyberattack affecting 11.7 million accounts. Surnames, first names, dates of birth, email addresses, login identifiers: all of this data is now circulating on criminal forums. A hacker calling himself “breach3d” put up for sale a database presented as coming from ANTS systems and containing between 18 and 19 million records. This would be one of the largest leaks of administrative data ever recorded in France. Far from being an isolated case, this attack illustrates an underlying trend that very recent news continues to confirm: Pierre & Vacances, SeLoger… so many incidents that remind us that the question is no longer whether French citizens’ data will be compromised, but when.
The aim is not to be alarmist, but these episodes illustrate, with brutal clarity, what I have observed for years in this profession: we have collectively devoted considerable resources to protecting businesses, critical infrastructure and public administrations. Meanwhile, despite the efforts of our institutions to stem the problem, in particular through the deployment of a national cyber strategy for 2026-2030, the citizen, both the most exposed and the least equipped, remains the great forgotten party of cybersecurity.
The figures from the Ministry of the Interior are clear. In 2025, 453,200 digital attacks were recorded in France, an increase of 87% in five years. Among them, 33% directly targeted individuals. This is not an abstract figure: behind it are hundreds of thousands of citizens who have been defrauded, harassed, or had their digital identity stolen. The ministry’s reporting platforms bear witness to this: more than 116,000 complaints were recorded on Thésée for online scams, and nearly 207,000 reports of bank fraud on Perceval. These figures do not speak of CAC 40 companies. They speak of everyone, each facing alone a threat against which the general public is helpless.
The institutions do not lack good will. The problem is structural: for two decades, cybersecurity was conceived as a matter for professionals, handled by professionals. We have built security policies, PSSIs, SOCs, and update and vulnerability management processes. We have trained CISOs, legislated and imposed demanding standards. All of this was necessary. None of it prepares a citizen to recognize a fraudulent SMS.
Because this is what the latest security incidents reveal in their most concrete dimension: the stolen data is more than enough to fuel phishing campaigns. With your first name, last name and email address, scammers can send very credible emails in the name of the prefecture or the tax authorities to obtain bank details or demand payment. The risk is not abstract. It is in the mailboxes of millions of French people.
One might think that responsibility lies with institutions and companies, and that we cannot ask citizens to become experts in computer security. That is correct. But this is precisely where the blind spot lies. The citizen is not meant to become a cyber expert in their own mailbox. They must, however, be recognized for what they have already become: a front-line rampart, massively exposed, but still too poorly prepared.
Expecting the State to perfectly secure each public system is betting on a technical perfection that cannot exist. This is not a question of ill will: it is the nature of digital risk. The perimeter is too large, the attack vectors too numerous, the malicious actors too agile. From what we know at the moment, the flaw exploited during the ANTS attack was not a technical feat: modifying an identifier in a request was enough to access another user's data, without any check being performed. Even well-funded, well-designed, auditable systems have blind spots.
We must therefore collectively set for citizens the same level of requirements that we have imposed on businesses for ten years. Not to transfer responsibility, but because collective resilience also depends on individual resilience. An aware employee does not click on a malicious link. An informed citizen recognizes a fraudulent SMS. The principle is the same. The educational effort must be a priority.
And for this, what I advocate is a profound change in mindset and the need for citizen awareness. Reporting platforms, useful as they are, cannot replace the mass acquisition of basic digital hygiene. The question of whether a 65-year-old French person knows how to change their password and activate two-factor authentication is a question of national security, just as the protection of operators of vital importance is. The demand is there. The urgency is there. It is not a question of opposing prevention and public action, but of recognizing that we must go beyond awareness-raising: each citizen must also know what to do when the incident occurs, who to turn to, what reflexes to adopt and how to be supported in the first hours, instead of remaining alone in a situation they cannot control. Because the first line of defense still too often remains a single person, faced with a threat that they must learn to recognize, and to which they must be able to respond.