What is the ANSSI PDIS Requirements Reference Document?
The PDIS (Security Incident Detection Service Provider) reference document is a set of technical, organisational, and security requirements developed by ANSSI (The French Networks and Information Security Agency). This reference document serves as the foundation for issuing a "Security Visa", which officially recognises an organisation's capability to operate a high-level Security Operations Centre (SOC).
Compliance with this framework ensures that the service provider implements a highly secure and partitioned infrastructure to collect, analyse, and correlate security events (access logs, network flows, etc.) to detect any intrusion attempt or malicious behaviour.
What are the Key Challenges of PDIS Qualification?
Relying on a service provider evaluated against the PDIS reference document is fundamental to ensuring a proactive and sovereign cyber defence. The major challenges of this trust framework include:
- Continuous Monitoring (24/7/365): Assurance of permanent vigilance and rapid triaging capabilities when facing cyber threats.
- Advanced Technical Skills: Guarantee that SOC analysts possess the minimum knowledge level required by ANSSI to qualify security incidents.
- Strict Sovereignty and Territoriality: Protection of the commissioning entity's data and event logs, which are processed and hosted within a highly secure and controlled geographic perimeter.
- Robust Governance and Impartiality: The implementation of strictly segregated administration and operation structures, preventing any conflict of interest or compromise of information.
- Quality of Service (QoS) Commitment: The contractual formalisation of clear and proven collection, analysis, and incident notification strategies.
Who is the PDIS Qualification Intended For?
The PDIS reference document is intended for all organisations—whether digital service providers (ESNs), specialised cybersecurity firms, or public entities—that operate a security incident detection service for themselves (internal SOC) or for third-party clients (external SOC).
It primarily targets service providers supporting critical or sensitive structures, such as Operators of Critical Importance (OIV), Operators of Essential Services (OSE), and entities subject to the strict requirements of the European NIS 2 Directive.
The qualification attests that the provider complies with:
- Contractual, legislative, and regulatory requirements applicable to this activity, as well as impartiality.
- Minimum levels of knowledge and competences for staff involved in the detection service (incident management, event management, and notification management).
- Rules relating to information protection.
- Rules concerning organisation and governance.
- Quality and level of service requirements.
The qualification is issued by ANSSI based on the evaluation report produced by LSTI for a duration of three years, subject to a surveillance audit inspection carried out 18 months following the initial certification or renewal.
How does the PDIS Evaluation Process Work?
The regulatory PDIS qualification extends over a 3-year cycle. As an approved assessment centre authorised by ANSSI, LSTI acts as an independent trusted third party to conduct all evaluation operations. It is on the basis of this evaluation that ANSSI makes the final qualification decision.
The Documentary Review Stage
Once the evaluation strategy is validated with ANSSI, LSTI's auditors begin an in-depth analysis of all the service provider's documentation. They rigorously examine the information systems security policy (PSSI), standard service agreements, risk assessments (EBIOS), logical flow matrices, and the reversibility plan.
On-Site Technical and Organisational Evaluation
Following the validation of the documentation, LSTI's full evaluation team physically deploys to the provider's SOC premises. The team combines highly specialised roles:
- The Evaluation Manager (RA / Lead Auditor): Pilots global and organisational compliance, and verifies contractual commitments.
- The Architecture Technical Expert (ETA): Inspects the physical security of the premises, network configurations, and the strict partitioning of the information system infrastructures.
- The Detection Technical Expert (ETD): Audits tool configuration (SIEM), alert management, and the technical relevance of correlation rules.
What is the Validity Period of a PDIS Qualification?
The PDIS qualification granted by ANSSI is valid for a maximum duration of 3 years. To maintain their qualification, service providers must complete the following mandatory surveillance milestones conducted by the LSTI Assessment Centre:
- At 18 months (Mid-term): Execution of an intermediate on-site and desktop surveillance inspection to verify that the provider maintains the initial technical and organisational security conditions.
- In the event of a major change: Immediate notification to ANSSI and deployment of a targeted complementary evaluation if the provider significantly alters its architecture, infrastructure, or the location of data processing.
- At 3 years: Execution of a full renewal audit to initiate a new qualification cycle.
Your Questions About the PDIS Certification
-
What is the difference between a traditional managed SOC and a PDIS-certified detection service under NIS 2?
A traditional managed Security Operations Centre (SOC) relies on freely defined service level agreements, whereas a PDIS-qualified detection service strictly meets ANSSI's regulatory requirements. The PDIS framework imposes strict sovereignty criteria (data hosted in France or Europe), a hardened and partitioned infrastructure, as well as a mandatory audit of analyst competences. Within the scope of the European NIS 2 Directive and French regulations, relying on a PDIS provider evaluated by an Assessment Centre like LSTI offers the highest guarantee of compliance for monitoring Essential Entities (EE) and Operators of Critical Importance (OIV). -
What are the minimum and recommended rules regarding end-of-contract reversibility?
According to the requirements of the PDIS reference document (notably requirement IV.5.2.c/d), a provider's reversibility plan must define a minimum activity duration of three months to ensure continuous monitoring during a transition, although ANSSI formally issues a recommendation to extend this reversibility period to six months to fully secure the transfer or return of data to the commissioning entity. -
Which documents and logs relating to detection rules must the provider mandatory keep up to date?
To attest to the rigour of its monitoring, the service provider must maintain up-to-date documentation of its detection rules, a chronological record of additions, modifications, and deletions of these rules, a formalised list of security incidents feared by the client with their associated severity scale, as well as a monthly detection rule status report intended for the commissioning entity. -
What guarantees does the framework impose regarding the sovereignty and territoriality of the service?
The PDIS reference document imposes strict territoriality clauses requiring that all monitoring activities, the administration of the detection information system, and the hosting and processing of all data and event logs linked to the commissioning entity be located exclusively within the national territory or an explicitly validated and restricted geographic zone, thereby limiting subcontracting outside this trusted perimeter. -
What is the significance of the January 2025 Addendum in the evolution of the reference document?
The Addendum No. 42/ANSSI/SDE/NP introduced in January 2025 brings major evolutions to the PDIS v2.0 reference document by integrating architectural variations known as "Options A & B" to adapt to modern technologies, while aligning and standardising verification methods with ANSSI's other evaluation frameworks, such as PASSI (audit), PRIS (incident response), and PACS. -
How do the ANSSI PDIS qualification and the international ISO/IEC 27001 certification align?
ISO/IEC 27001 certification and PDIS qualification are complementary yet distinct approaches. ISO 27001 validates the global maturity of an Information Security Management System (ISMS) through an international organisational framework. Conversely, ANSSI's PDIS reference document is a much more technical and specialised French regulatory qualification that imposes strict, non-negotiable requirements for architecture partitioning, data sovereignty, and operational efficacy measurements of detection capabilities. Holding an ISO 27001 certification provides an excellent documentary foundation for tackling the PDIS documentary review (DOC), but does not exempt the provider from specific technical audits conducted on-site by an Assessment Centre like LSTI.
Find out more
Why Choose LSTI?

Recognized expertise
With over twenty years of experience, LSTI supports more than 300 organisations in France and Europe as a benchmark certification body and evaluation centre, operating in the fields of cybersecurity, digital trust, and information security.

Specialized Auditors
Our auditing teams consist of seasoned professionals with deep expertise in ANSSI cybersecurity frameworks, information security management practices, and European digital trust frameworks. Their approach ensures rigorous, balanced evaluations adapted to each organisation's operational context.

Independent Third Party and Dedicated Support
Accredited by ANSSI, LSTI guarantees impartiality, transparency, and consistency throughout the entire cycle: preparation, audits, surveillance, and renewals. A dedicated point of contact ensures continuity and clarity throughout the certification journey.
Discover ou other
news




