The director of operational risks for the Caisse des Dépôts group, Arnaud Martin, details the method he applied to measure the digital resilience index (DRI) which assesses the degree of strategic autonomy of organizations.
JDN. What is the Digital Resilience Index (DRI)?
Arnaud Martin. It was created by Arno Pons, general delegate of the Digital New Deal think tank, computer scientist Yan Lechelle and David Djaïz, CEO of consulting firm Ascend Partners. They came together within the Digital Resilience Initiative (aDRI) association, which supports the DRI. This index was presented at the Aix-en-Provence Economic Meetings in July 2025. It measures the digital dependencies of an organization on eight aspects: strategic, economic and legal, environmental, operational, technological, but also in terms of data and AI, supply chain and security.
The evaluation takes into account, for example, the interoperability of the solutions, the nationality of their suppliers, the share of the organization’s budget devoted to them, the possibility of terminating the contract easily or not, etc. Caisse des Dépôts is one of the first organizations to have measured it. We are now in the process of formatting the results to present them to top management.
Over what period did you measure it?
We started measuring it from mid-December 2025 and finalized our results at the end of April 2026. We formed a team to evaluate it, which met several times a week. This took up half of the working time of some team members. As scouts, we also communicated regularly with the aDRI to refine the model thanks to our feedback.
Which actors have you mobilized to measure it?
This is an important question because it provides a better understanding of how to measure the DRI. There are two approaches to measuring it. Either the organization launches a major evaluation program and mobilizes all the best players from all the dimensions to be evaluated: specialists in AI, data, cybersecurity, all those responsible for all the organization’s applications, etc., which is a lot of people. Or we bring together only a few key people in the organization, who have very cross-functional views, who are located at a high management level, or who have 20 or 30 years of experience in the organization.
We favored the second approach because the objective of the DRI is to provide an overview of the organization’s digital dependencies and not an overly precise analysis of each dimension. What matters is placing the score between 95 and 100 or between 25 and 30, and without decimals. We therefore had fewer than 10 people around the table: the director of cybersecurity, the CIO, the CTO, a technical architect, etc. We then benefited from the help of aDRI and the Ascend firm, which guided us in our role as scout.
Have you evaluated the entire information system?
No, that’s not necessary. We measured the DRI on approximately 10% of the IS, i.e. only critical digital assets. This represents around a hundred applications. But that’s not all. A large part of these applications are hosted in our own data centers. We therefore also measured the level of dependence of the infrastructure layers of these data centers, such as the scheduler layers, the infrastructure-as-a-service layers of our private cloud, perimeter security devices, middleware, etc. In addition to the hundred applications, we evaluated around 200 technical products on which the applications depend to work. To my knowledge, only Caisse des Dépôts and RTE have conducted such an in-depth evaluation of the DRI.
But what criteria did you use to qualify an application as critical?
The European Central Bank and the Prudential Control and Resolution Authority already require Caisse des Dépôts to identify critical applications. The DORA regulation also asks us to do this. So, first, we took the list of these critical applications already identified. This can, for example, be the application that allows you to make transfers. If it goes down, the stability of the French banking system is impacted. As for organizations that are not subject to DORA, they can find criteria in other regulations. For example, industrial organizations wish to use the 2013 military programming law which defines certain criteria specific to the information system of vital importance.
However, these regulations are not sufficient. Certain digital assets considered non-critical according to the texts are in fact critical for the organization that measures the DRI. To identify them, we sought to measure the impacts that an incident affecting them could have on the organization.
Once critical digital assets were identified, how did you evaluate them?
Each team member evaluated the digital assets based on their skills. The technical architect evaluated the technical stacks, the cybersecurity director evaluated all cybersecurity aspects of applications and products, etc. To make these evaluations, they used questions provided by the DRI. Each of the eight dimensions has its own questions that measure each critical digital asset.
What are these questions?
For example, for the economic and legal resilience aspect, we must ask ourselves where the supplier of the asset is geographically located. For data and AI resilience, we must question the availability of data in the event of a major disruption. Concerning the technological resilience aspect, control of technological obsolescence must be assessed, etc. It is clear that if we are dependent on a SaaS solution for this or that critical function, and there is no open source or European alternative, then the score on the strategic, economic and legal, as well as technological, dimensions will be low. We met regularly to standardize the overall rating.
What were the difficulties encountered?
This index is rather balanced. We nevertheless encountered difficulties regarding the supply chain resilience dimension, which measures the level of dependence on suppliers. It is in fact sometimes difficult to collect the necessary information for suppliers who are beyond rank 1. We are also discussing with the aDRI the implementation of weightings in the rating linked to the sector of activity. And for good reason. In the banking sector, for example, the sovereignty of data and AI is a very important criterion. In a retail company with activities all over the world, it is less so.