The operators of online platforms referred to in Article L. 111-7 of this code and persons providing non-number-based interpersonal communications services within the meaning of 6° quater of Article L. 32 of the French Post and Electronic Communications Code, whose activity exceeds one or more thresholds defined by decree, shall carry out a cybersecurity audit, the results of which shall be presented to the consumer under the conditions laid down in the last paragraph of this article, covering the security and location of the data they host, directly or via a third party, and their own security, under the conditions laid down in this article.
The audit referred to in the first paragraph shall be carried out by audit service providers qualified by the Agence nationale de la sécurité des systèmes d’information.
A joint order of the ministers responsible for digital technology and consumer affairs, issued after consultation with the Commission nationale de l’informatique et des libertés, sets the criteria to be taken into account by the audit provided for in the same first paragraph, the conditions governing its period of validity and the procedures for its presentation.
The result of the audit shall be presented to the consumer in a legible, clear and comprehensible manner and shall be accompanied by a complementary presentation or expression, by means of a colour information system.
