Boussayene Knani & Associés

Insights

The lawyers of Boussayene Knani & Associés frequently contribute to publications in several legal journals specializing in Business Law.
In addition, members of the firm regularly host training seminars on current topics in Business Law and Arbitration, intended in particular for lawyers, businesses and management executives.

JANUARY 04, 2024

Circular No. 01/2024 dated 04/01/2024 Implementing Article 13 of the 2024 Finance Act

Circular No. 01/2024 issued by the Minister of Justice on 04/01/2024 outlines the implementation of Article 13 of the 2024 Finance Act. This circular mandates the establishment of an account with the Public Treasury to fund programs aimed at improving working conditions within the courts and developing the judicial system. The account, named the “Judicial System Support and Development Fund,” will be financed by a ten-dinar tax on payment orders, ex parte orders, and oppositions. The circular comes into effect on January 1, 2024.

Summary of Decree-Law No. 2023-17 of March 11, 2023, on Cybersecurity

  1. Objective: The decree-law regulates the field of cybersecurity, defining the missions of the National Cybersecurity Agency (ANCS) and the mechanisms provided to ensure the security of the national cyberspace.
  2. Exclusions from Decree-Law No. 2023-17: The decree-law does not apply to information systems and electronic equipment used to process data related to public security or national defense, which impact national security and the supreme interest of the State.
  3. National Cybersecurity Agency:
    • Type: Public non-administrative establishment (EPNA)
    • Headquarters: Tunis
    • Supervision: Ministry of Communication Technologies
    • Objective: Supervise the security of information and communication systems of public and private entities within the national cyberspace.
    • Missions:
      • Develop and update governance policies and security mechanisms for the national cyberspace, making them available to relevant sectors and organizations.
      • Monitor the implementation of national cybersecurity plans, focusing on proactive measures, preventive protections, detection, and immediate reporting of cyber incidents and attacks.
      • Provide urgent responses to cyber emergencies to mitigate impacts and ensure rapid recovery.
      • Conduct digital investigations to diagnose incidents and determine responsibilities related to cybersecurity.
      • Develop and implement training programs in cybersecurity, including academic and professional curricula.
      • Publish and update security standards, models, and guides for public and private entities.
      • Measure the national cybersecurity level using established indicators and periodically publish dashboards.
      • Conduct periodic cybersecurity awareness and communication campaigns, especially during cyber crises.
      • Engage in technological surveillance and monitor advancements in cybersecurity.
      • Coordinate international cooperation with foreign cybersecurity bodies according to bilateral, regional, and international agreements.
  4. Mandatory Security Audits of Information Systems:
    • Entities Subject to Mandatory Audits:
      • Public telecommunication network operators and internet service providers.
      • Companies with interconnected computer networks via telecommunications networks.
      • Cloud service and hosting providers.
      • Companies processing users’ personal data for service provision through telecommunications networks.
      • Operators of critical digital infrastructures.
    • Audit Implementation:
      • Security audits must be conducted by experts licensed under applicable legislation, at least once every twelve (12) months.
      • The National Cybersecurity Agency publishes and updates the list of authorized audit experts and organizations.
    • Audit Report:
      • The audit report must be submitted to the agency within ten (10) days after the completion of the audit.
      • Entities must implement all security recommendations contained in the report.
    • Classification of Entities:
      • The Agency classifies entities into three levels based on their digital security trustworthiness:
        • First level: Classified as First Degree.
        • Second level: Classified as Second Degree.
        • Third level: Unclassified.
      • Classifications are determined by compliance with mandatory audits, implementation of audit recommendations, use of certified equipment and solutions, and adherence to national hosting standards.
    • Compliance and Warnings:
      • The Minister of Communication Technologies may issue a formal notice to entities classified at the third level, requiring compliance with standards within one year.
      • The Agency may issue a warning to entities following a cyber incident, requiring deficiencies to be addressed within thirty (30) days.
      • In the event of a cyber incident, the Minister may order the temporary isolation of information systems and networks to protect cyberspace, based on a report from the Agency.
  5. Cyber Emergency Response:
    • Agency Responsibilities:
      • Develop and implement the National Cyber Emergency Response Plan.
      • Establish technical measures for early detection of cyber incidents and attacks.
      • Operate reporting channels for cyber incidents and attacks.
      • Minimize the impact of incidents and ensure business continuity and rapid recovery.
      • Alert institutions, manage incidents, and organize efforts to address and resolve cybersecurity weaknesses.
      • Designate a national contact point for cyber emergency response, coordinating with public, sectoral, or private emergency response centers.
  6. Critical Digital Infrastructures:
    • List of Critical Infrastructures: To be determined by decree.
    • Security Measures:
      • Use of “secure” labeled software and equipment.
      • Maintain primary and backup hosting centers with certified cloud service providers.
      • Implement necessary measures to ensure business continuity and protect sensitive databases that could affect national security during a cyber crisis.
  7. Infractions:
    • Detection of Infractions: Infractions of the decree-law are recorded by reports from the Agency, submitted to the Minister of Communication Technologies, and forwarded to the competent public prosecutor.
    • Agents Authorized to Record Infractions:
      • Judicial police officers.
      • Sworn officers of the Ministry of Communication Technologies.
      • Sworn officers of the Ministry of Interior.
  8. Administrative Sanctions:
    • Downgrading of entities classified at the first and second levels in cases of:
      • Failure to conduct mandatory security audits.
      • Failure to submit an electronic copy of the audit report within the specified time.
      • Non-implementation or partial implementation of audit recommendations within one year.
      • Non-compliance with emergency measures prescribed by the national cyber emergency response contact point.
      • Failure to address deficiencies within thirty days.
      • Failure to create or join a cyber emergency response center.
  9. Financial Sanctions:
    • Entities classified at the third level and falling under Article 6 of Decree-Law No. 2023-17 may be fined between fifty thousand (50,000) and one hundred thousand (100,000) dinars for:
      • Failure to conduct mandatory security audits.
      • Non-implementation or partial implementation of audit recommendations within one year.
      • Non-compliance with emergency measures prescribed by the national cyber emergency response contact point.
      • Failure to address deficiencies within thirty days.
      • Failure to create or join a cyber emergency response center.