What is a PRIS provider?
This baseline formalises the organisational, physical, technical, and human requirements necessary to successfully carry out management, containment, and eradication activities against cyber threats following their detection. The evaluation conducted by LSTI against this baseline verifies a provider's compliance before ANSSI makes the final qualification decision.
This official recognition is essential for entities—such as Operators of Critical National Infrastructure (OIV), Operators of Essential Services (OSE), and administrations—requiring a reliable partner for their operational cybersecurity.
Scopes of Qualification
PRIS qualification is not global; it is granted specifically for one or more security incident response activities defined by ANSSI. During the evaluation led by LSTI, the provider must demonstrate compliance and showcase the technical and human competence of its team for each targeted activity:
- Search for Indicators of Compromise (REC): This activity consists in looking for traces of a compromise within an information system. It can be carried out on its own, in conjunction with a malicious code analysis activity, or integrated into a digital investigation.
- Digital Investigation (INV): It consists in collecting and analysing information and media collected from an information system in order to confirm (or deny) a compromise. It helps identify the scope, chronology, and the attacker's modus operandi, as well as characterising their objectives and attack potential. It involves in-depth system and/or network analyses.
- Malicious Code Analysis (CODE): This activity consists in analysing discovered malicious code to understand its behaviour, how it works, and its impact on the infrastructure.
- Investigation Management and Coordination (PCI): Essential in serious or complex situations, this activity consists in coordinating and directing the simultaneous execution of several other technical activities (REC, INV, and/or CODE) to ensure a structured response.
- Crisis Management of Cyber Origin (CRISE): This activity provides assistance and support—both organisational and strategic—to the beneficiary facing exceptional, serious, or complex situations impacting their business operations. The provider acts as an expert advisor and capacity support, without ever substituting themselves for the beneficiary's responsibilities and decision-making bodies (legal representative, legal department, or communications).
The baseline specifies that the fully automated performance of an activity is not considered an activity within the meaning of PRIS. Furthermore, depending on the level of complexity or how the security incident evolves, the qualified provider possesses the necessary flexibility to adapt or omit certain stages of the service (stages 3 to 7 of section VI of the baseline).
Qualification Levels of the PRIS Baseline
The PRIS baseline is divided into two distinct qualification levels, depending on the sensitivity of the environments and data processed during incident response services:
The Substantial Level
- Target: Designed to protect the information systems of companies and administrations against common and advanced threats, without handling information bearing a specific protection marking.
- Requirements: It imposes a robust security foundation, including information systems security governance, secure access management, documented response processes, and validation of key skills.
- Evaluation Information System (IS): The provider must operate on a dedicated and secure information system scrupulously respecting the confidentiality and isolation requirements of this level, in order to safely process their clients' incident data.
The High Level
- Target: Intended for interventions on highly critical infrastructures (Operators of Critical National Infrastructure - OIV, sovereign administrations) and against state-sponsored or extremely sophisticated threats.
- Restricted Distribution Accreditation: To achieve the High level, the provider must possess an information system approved for the protection of information and media bearing the "Restricted Distribution" (diffusion restreinte) mark.
- Strict Use of the IS: During a High-level service, the provider is obligated to use its approved Restricted Distribution information system, regardless of the initial marking of the information provided by the client.
- Flexibility Note: A provider qualified at the High level can also perform Substantial-level services. For the latter, they may choose to use either their approved Restricted Distribution IS or a separate second IS complying with Substantial-level requirements for data not marked as Restricted Distribution.
What are the Strategic Issues of PRIS Qualification?
Choosing a PRIS-qualified provider or obtaining this qualification through an assessment centre like LSTI represents major strategic issues:
- Optimal Resilience and Responsiveness: Ensuring the implementation of standardised, rapid, and effective intervention processes to contain cyberattacks and reduce information system downtime.
- Guarantee of High-Level Human Expertise: Ensuring that investigations are led by analysts whose sharp skills (coordination, system, network, malicious code) have been impartially validated.
- Protection of Highly Sensitive Data: Guaranteeing that the provider handles and protects security incident information with the highest level of confidentiality, in compliance with national security rules.
- Regulatory Compliance: Allowing critical clients to align their practices with state requirements regarding information systems security.
- Impact Minimisation: Drastically limiting financial, legal, and reputational losses through a methodical analysis and definitive eradication of the threat.
Who is This PRIS Qualification Intended For?
PRIS qualification is intended for cybersecurity service providers, and notably incident response teams (CSIRTs / CERTs) adjoined or not to a SOC (Security Operations Center), wishing to officially demonstrate the compliance of their services.
It primarily targets structures supporting entities subject to enhanced security obligations by ANSSI, such as:
- Administrative authorities.
- Operators of Critical National Infrastructure (OIV).
- Any company wishing to provide an absolute pledge of trust and transparency to its clients in managing their cyber crises.
How does the PRIS Evaluation Process Work?
The provider initiates their request with LSTI (either before or after submitting their J0 milestone application file to ANSSI).
LSTI's auditors and technical experts are seasoned cybersecurity professionals. They possess an in-depth mastery of ANSSI requirements baselines, information security management practices, and digital trust frameworks.
The compliance evaluation process is divided into several key phases, conducted by LSTI auditors bound by the strictest professional secrecy:
The Provider Evaluation (in two stages)
- The Documentary Review Stage: An in-depth analysis of the provider's documentation, legal structure, and organisation (Information Systems Security Policy [PSSI], risk assessment, IS architecture). A documentary review report is delivered within 30 days to validate readiness for the subsequent audit steps. The maximum timeframe between this review and the on-site audit is 6 months.
- The Process, Premises, and IS Audit (On-Site): Field verification of compliance with internal policies, physical security, network protection, and system reliability (cryptographic tools, etc.). At the conclusion of the investigations, a closing meeting is held to validate and orally present the non-compliance sheets.
Evaluation of Analyst Competences (High Level)
In parallel, each analyst for whom recognition is sought must pass rigorous examinations organised by LSTI:
- Written Exam: Anonymous written examinations covering technical specialities (coordination, system, network, or malicious code) where the candidate must score at least 28 out of 50 points.
- Oral Exam: An interview before a jury of experts aimed at assessing behaviour, expression, and confirming the candidate's professional skills.
Finalisation and Decision
The lead auditor transmits the final report, the qualified baseline grid, and the non-compliance table to LSTI within 3 months. Following validation and agreement, these elements are forwarded to ANSSI. A summary slide deck is presented to ANSSI for the acceptance milestone (J2), with ANSSI remaining the sole deciding authority for the qualification.
Your Questions About the PRIS Qualification
-
To which incident response activities do the requirements apply when no specific mention is indicated in the baseline?
An ANSSI baseline requirement that is not preceded by any mention or acronym in square brackets applies universally and mandatorily by default to all five activities covered by the baseline (namely: search for indicators of compromise [REC], digital investigation [INV], malicious code analysis [CODE], investigation management and coordination [PCI], and crisis management of cyber origin [CRISE]). -
Can a fully automated incident response technical solution be PRIS-qualified by ANSSI?
The ANSSI baseline explicitly excludes purely software-based solutions from the qualification process: the fully automated performance of an activity is not considered a qualifiable activity within the meaning of the PRIS baseline. Qualification strictly requires an expert human component capable of analysing, interpreting, and steering remediation steps based on the complexity of the incident. -
What is the fundamental distinction between the Digital Investigation (INV) activity and the Search for Indicators of Compromise (REC) activity according to ANSSI?
The Search for Indicators of Compromise [REC] activity is limited to looking for traces and known technical markers of intrusion within the information system. In contrast, Digital Investigation [INV] goes much further: it consists in collecting and deeply analysing digital media in order to define the exact chronology of the attack, map the entire scope of the compromise, decrypt the attacker's precise modus operandi, and characterise their level of threat and objectives. -
What is the difference between a PRIS-qualified provider and a PDIS-qualified provider?
The fundamental difference lies in their respective roles within the cyber defence chain: the PDIS (Security Incident Detection Service Provider) operates upstream to ensure continuous monitoring and threat detection via a SOC (Security Operations Centre), whereas the PRIS (Cyber Security Incident Response Service Provider) is activated immediately after detection to manage the crisis, investigate the origin of the attack, contain the threat, and definitively eradicate the compromise. These two Security Visas issued by ANSSI are perfectly complementary and essential for the resilience of critical infrastructures.
Find out more
Why Choose LSTI?

Recognized expertise
With over twenty years of experience, LSTI supports more than 300 organisations in France and Europe as a benchmark certification body and evaluation centre, operating in the fields of cybersecurity, digital trust, and information security.

Specialized Auditors
Our auditing teams consist of seasoned professionals with deep expertise in ANSSI cybersecurity frameworks, information security management practices, and European digital trust frameworks. Their approach ensures rigorous, balanced evaluations adapted to each organisation's operational context.

Independent Third Party and Dedicated Support
Accredited by ANSSI, LSTI guarantees impartiality, transparency, and consistency throughout the entire cycle: preparation, audits, surveillance, and renewals. A dedicated point of contact ensures continuity and clarity throughout the certification journey.
Discover ou other
news




