Can you describe your career path and your position?
G. L. – I am a lawyer at Fidal Méditerranée, in charge of the Europe division. Before that, I worked in Brussels as a legal advisor representing MEDEF (the French Business Confederation) before European institutions. In this role, I followed a number of key issues dealt with by European institutions, particularly those related to digital technology. I also completed a PhD on European law and digital regulation. Today, I lead a division that has two components: a regulatory part, where I monitor texts that are under discussion at the European level, and a part on public financing of projects (European funds), particularly in the digital field.
C. C. – I have been a lawyer for almost 20 years, first at the Paris Bar and then at the Marseille Bar since 2014. I am one of the partners at Fidal in charge of new technologies and personal data law within the Intellectual Property, Telecommunications, Media & Technology practice group. I assist Fidal's French and international clients with IT projects, cybersecurity, e-commerce, social media, innovation protection, and the use of automated data processing systems (ADPS), as well as with NFT, Digital Twins, and Deep Learning projects.
What led you to specialize in digital law?
G. L. – There was a turning point for me when I arrived in Brussels in 2012: we were in the midst of discussions about the GDPR. The text had been in preparation for quite some time, but we were at a key moment for its adoption. I still remember the piles of amendments we had to analyze! The stakes surrounding this regulation were very high, both because it was unique in its kind and because it affected an extremely large number of players. I realized that digital law had become a preeminent issue, regardless of the field of activity, but also a subject on which it was necessary to have real expertise—which led me to pursue a doctorate in the field.
C. C. – I have always had an appetite for technology and science. That is one of the reasons why I chose to work in areas such as patent and trade secret protection. In 1999/2000, I had the opportunity to study for my LL.M in Business Law in England. I noticed the difference in IT infrastructure between French and English universities: there were modern 12-story buildings open 24/7 to students on campus, filled with computers that were connected and accessible free of charge. At the time, we were concerned about the "Y2K bug." This motivated me to focus my education, and then my professional experience, on IT and digital topics. This allowed me to connect the technical and scientific sectors with the legal sector!
What does your job involve on a daily basis?
C. C. – The advantage of this job is that there is no typical day or typical week. We may be involved in interviews or roundtable discussions, write technical articles, attend ongoing court hearings, etc. We also have internal meetings on the firm's strategy, on operations to develop our business, and of course on assisting our clients.
G. L. – It's true that no two days are alike! However, there are a few tasks that I do every day: I always start my day by reviewing the trade press, articles, newsletters, etc. Even when you're caught up in a workflow, you always have to be alert—even more so in the sector in which we operate. You have to stay constantly informed about the economic and technological context in which our clients operate. People often think that the legal profession is limited to litigation and legal proceedings, but today we have a much broader role: advising executives, companies, and department heads. To do this, we need to understand every aspect of their business. That's the part that interests me the most: being a true strategic advisor to a client. Even though we never stray from our area of expertise, we still have the opportunity to take a strategic view, and that's exciting.
At Fidal, you regularly conduct cyber compliance audits. Can you tell us a little more about that?
G. L. – Fidal is a business law firm, so we are involved in transactions, mergers and acquisitions, etc. In these cases, audits are systematic: we analyze the overall functioning of a company from a legal perspective. And in these audits, the cyber dimension is becoming increasingly important. Ultimately, it is an additional component that we add to our general audits. But we are also seeing a growing need for structural audits, outside of transactions or operations. Faced with new regulations—notably the NIS 2 directive—more and more players need to audit their practices and operations in terms of IT security. Fidal therefore also offers this type of service.
C. C. – I would add that Fidal is a national firm with several offices in France and a wide variety of client profiles. We can work for startups, SMEs, mid-cap companies, large groups, foundations, associations, etc. This can be in very different sectors, because as you know, digital technology is everywhere today. In fact, the audit will also depend on our client's profile: we will not take the same approach with a structured industrial group, an SME, or a startup. We need to be able to adapt to the client's resources and needs and assess the risk/benefit ratio! If we tell a small business that it needs to implement state-of-the-art security measures when it doesn't have the financial and human resources to manage them, that's not pragmatic.
Is there still a framework that you apply regardless of the context?
C. C. – Yes, we are required to have a defined global process, a methodology. We rely in particular on a questionnaire drawn up by our National Technical Department, which varies in length and level of detail depending on the type and size of the organization. We then analyze our clients' responses to determine their level of cyber maturity and potential risks with regard to the relevant regulations. These responses are explored in depth during individual interviews with management and sometimes during visits to the client's premises, as we know that cybersecurity is also linked to the physical security of the company's site. We can then draft an audit report, which may be more or less comprehensive depending on the client's request. It can either be very comprehensive or simply consist of a "red flag audit": we point out the gaps identified between regulatory requirements and the current security posture without going into too much detail. In all cases, the report is tailored to priorities: some issues need to be resolved and funded quickly, while others can be dealt with later. The final phase is maintenance: the client may request regular follow-up in the form of ad hoc interventions, so that internal teams (CISO, DPO, CFO, etc.) have a dedicated contact person for these issues.
In particular, we take into account the customer's TRL (Technology Readiness Level), i.e., their degree of maturity with regard to a technology or innovation. We also study the extent to which digital technology impacts their organization and strategy: some use digital technology only for the Internet and office automation, while others have entire teams of data scientists who exploit and manage data. It is therefore important to understand data flows: what is stored? How? Why? How is storage valued? Is it hot storage or cold storage? Is business being done on the data collected?
G. L. – The idea is to have the most comprehensive view possible of the organization, its activities, and its practices. We know that attacks come from where we least expect them, especially as the attack surface is expanding enormously with the growing interconnection of players in a given activity. In all cases, our legal expertise is accompanied by technical expertise: the aim is to leave no blind spots in our analysis!
How do you mobilize this technical expertise?
C. C. – It all depends on the client context. If there is no technical contact person in the company, we will adjust our approach and try to simplify our message. On the other hand, if we are dealing with a CISO or CIO, we need to understand the very technical language of the contact person. At the same time, if digital technology is a key part of the customer's strategy and revenue, we try to help the technical teams take a step back to clearly identify the risks. We can then suggest one of our technical partners, for example to carry out attack simulations ("Red Team Assessment"). We also rely on our CIO at Fidal, who assists us with reporting, provides training, and sometimes works with us on certain strategic contracts or very important audits.
In your opinion, what role does supplier management play in cyber risk prevention and management?
G. L. – We know that cyber risk often materializes through third parties. However, the increase in interconnections with third parties considerably broadens the potential attack surface for a company. We therefore always keep in mind the issue of supplier relationships, with two main focuses. On the one hand, ensuring that this relationship is as secure as possible, by making sure that the third party implements the necessary measures to guarantee a certain level of security for our customers' data; on the other hand, being able to hold the supplier liable in the event of a security incident occurring through their actions. In addition, there are practices in terms of third-party management whose implementation must be demonstrable in order to justify compliance. Once again, the legal dimension is crucial, since it is through contracts that these relationships with third parties are established and secured.
What challenges do you encounter during these audits?
G. L. – The challenge of any audit is first and foremost the collection and analysis of information. If our client has internal legal documents that provide for organizational measures, we then have to dig deeper to verify that what exists on paper also exists in practice. This means visiting the premises and engaging in in-depth discussions with the company's stakeholders. Another challenge is raising awareness, which comes into play when we identify a gap between theory and practice and need to explain to employees why this is the case.
C. C. – The main challenge is sometimes getting the company to understand that the various departments (HR, IT, legal, etc.) and "technical" employees must work together toward the same goal. A common denominator must be found so that they can move forward together with real cohesion. The other challenge is to stay abreast of technical issues and developments: if you propose a solution for a technical situation at T0, by T+2 months that technology may already be obsolete... In this context, it is useful to talk to CIOs and service providers, because they also monitor and anticipate technology, new tools, and systems.
Do you use certain new technologies, such as AI and blockchain, in your daily work?
C. C. – Blockchain and AI do indeed help us with data mining and setting up data rooms: they allow us to quickly access specific information within a large mass of documents. We remain very vigilant. As lawyers, we are bound by professional secrecy and therefore cannot use just any tools. Above all, we are very careful about how we draft our prompts so as not to reveal our clients' sensitive data!
How do you think your profession and your work will evolve in the coming years?
G. L. – Regulatory changes, driven mainly by the European Union, will certainly impact our work: we will see new regulatory frameworks emerge, while others that already exist will change... There will therefore be major legal challenges, and our goal will be to seek out information as quickly as possible so that stakeholders can adapt their business models. In general, regulatory considerations are becoming increasingly central to a company's business model. Anticipating these changes is therefore more strategic than ever.
C. C. – Cyber compliance audits have already evolved considerably over the past 20 years: they are much more structured, and the tools we use to carry them out are more sophisticated and precise. I think that over the next 10 years, there will be a certain degree of automation in the legal aspects of audits. Fidal will therefore offer added value that will be more strategic or preventive in nature.
Many thanks to Cyril and Gaël for their answers!

