Cybersecurity for Operators of Vital Importance (OVIs): enhanced regime (Ministerial Order No. 2025-533 of 3 October 2025)

Ministerial Order No. 2025-533 of 3 October 2025 (JDM No. 8768 of 10 October 2025) strengthens the cybersecurity regime applicable to Operators of Vital Importance (OVIs) in Monaco to protect their information systems (SIIV), established by Ministerial Order No. 2018-1053 of 8 November 2018 implementing Article 27 of Law No. 1.435 of 8 November 2016 on the fight against technological crime: new obligations, new penalties.

L'Arrêté Ministériel n° 2025‑533 du 3 octobre 2025 (JDM n° 8768 du 10 octobre 2025) renforce le régime de cybersécurité applicable aux Opérateurs d’Importance Vitale (OIV) à Monaco pour protéger leurs système d'information (SIIV), fixé à l'Arrêté Ministériel n° 2018-1053 du 8 novembre 2018 portant application de l'article 27 de la loi n° 1.435 du 8 novembre 2016 relative à la lutte contre la criminalité technologique : nouvelles obligations, nouvelles sanctions.

* * *

Sectors of vital importance (designated by ministerial order) consist of activities contributing to the same objective relating to the production and distribution of goods or services essential to meeting the basic needs of the Monegasque population, the exercise of State authority, the functioning of the economy and State security.

OIVs are public or private operators:

• operating in sectors that are essential to the functioning of public institutions and services, economic activity or, more generally, life in the Principality;
• operating establishments or using facilities or structures whose unavailability could significantly affect the aforementioned interests.

The new regulatory provisions are a continuation of the amendment to Law No. 1.435 of 8 November 2016 on combating technological crime by Law No. 1.578 of 1 July 2025 amending various provisions relating to digital technology, which increased the penalties for non-compliance compliance with security rules for OIV managers and legal entities (Article 29 of Law No. 1.435).

* * *

SUMMARY

→ Formal notice in the event of non-compliance with security rules (new third paragraph of Article 1 of AM 2018-1053)

In the event of non-compliance with the obligation to apply security rules (SIIV security policy, security certification, mapping, maintenance of security conditions, logging, correlation and analysis of logs, detection, handling of distributed denial-of-service attacks, handling of security incidents, handling of alerts, crisis management, identification, authentication, access rights, administration accounts, administration IS, partitioning, filtering, remote access, installation of services and equipment, indicators), the Minister of State shall issue a formal notice setting a deadline.

Failure to comply with this deadline is punishable by the penalties provided for in Article 29 of Law No. 1.435: a fine of €150,000 for OIIV managers, and a fine equal to five times this amount for legal entities found liable for the offence.

→ Annual security level assessment (new Articles 3-1 and 3-2 AM 2018-1053)

The OIV must now submit the security level assessment tables for each of its SIIVs to the Monegasque Digital Security Agency (AMSN) once a year, no later than 31 December of the current year, using the document available for download at https://amsn.gouv.mc/oiv/. In the event of failure to comply, the Minister of State shall also issue a formal notice setting a deadline.

Failure to meet this deadline shall also be punishable by the aforementioned penalties.

→ Penalties for failure to comply with incident notifications (new Article 4-2 AM 2018-1053)

Failure to comply with the obligation to notify the Monegasque Digital Security Agency (AMSN) of any incident having a significant impact on the service provided by the SIIV, and the Public Security Department where there is reason to suspect that the incident is the result of an offence punishable under the Criminal Code, is also punishable by the aforementioned penalties.

→ Authorisation of administrators (new Article 5 AM 2018-1053)

Administrators must be individually appointed and duly authorised by the OIV following an administrative investigation in accordance with the provisions of Ministerial Order No. 2016-622 of 17 October 2016 implementing Article 3 of Law No. 1.430, as amended.

This authorisation is renewed every three years under the same conditions.

The OIV must maintain an up-to-date register of authorised persons, their privileged access and their specific rights.

* * *