Local authorities: elected representatives are responsible for cybersecurity

Published on 29 June 2026

A cyberattack on a local authority is not just an IT incident. It means a town hall that can no longer issue civil status documents, a payroll system that has ground to a halt, a town planning department at a standstill, staff forced to revert to paper-based processes, and members of the public who are losing patience… and trust. Within a matter of hours, digital technology ceases to be an invisible tool and becomes the breaking point for public services. Why must elected representatives take this issue seriously? And how can digital resilience be strengthened? Answers from the experts at Cyberwings Academy.

For a long time, cybersecurity was treated as a matter for specialists: the responsibility of the IT manager or security manager, where such a role existed, or a budget line that was difficult to justify to the local council. Those days are over. For local authorities, cybersecurity is now a matter of governance, business continuity and the accountability of elected representatives.

Local authorities, inter-municipal bodies, departments, regions or local public bodies: all may find their services disrupted, their data compromised or their communications hijacked.

The question facing every local authority is now a simple one: will you be able to carry on operating tomorrow morning if your IT system is down or if one of your digital service providers fails and cuts off your access?

A cyber risk that brings everything to a standstill… quite literally

ANSSI’s figures for 2024 confirm the reality of the situation: 218 cyber incidents were handled by the agency in local authorities alone, an average of 18 per month.

These incidents account for 14% of all incidents handled at national level, with 15% of them classified as "high severity". This threat is a daily reality that jeopardises the continuity of public services, public confidence and the direct accountability of elected representatives.

According to the 2024 survey by Cybermalveillance.gouv.fr, one in ten local authorities has suffered a cyberattack over the past twelve months: disruption to public services in 37% of cases, and theft or destruction of data in 24% of cases.

Behind these figures lie very real situations.

In La Rochelle, a cyberattack rendered the underground car parks unusable at the height of the summer, paralysed the registry office, brought human resources to a standstill and prevented the burial of the deceased in the city’s cemeteries for a week. The local authority operated in emergency mode – that is to say, "by pen and paper" – for four weeks.

In Angers, staff had to dig out the paper telephone directories and fax machines from storage. On 31 December 2024, a denial-of-service attack claimed by the pro-Russian group NoName057(16) simultaneously took the websites of several cities offline, including Nice, Pau and Marseille.

These examples illustrate a simple point: a cyberattack could lead to a disruption of public services.

It affects civil servants, members of the public, service providers and elected representatives. It disrupts services, exposes personal data, undermines local trust and forces the local authority to respond publicly, sometimes at short notice, often under pressure.

A responsibility that can no longer be delegated

A cyberattack makes the elected representative liable, just as a water cut or a school closure would.

The management of this risk must be taken up at the highest level of the local executive, included in deliberations, budgeted for over the term of office, and incorporated into term-of-office plans on a par with major infrastructure investment projects.

Cyber risk can no longer be left solely to the IT department. Of course, technical teams play a central role. But they cannot, on their own, make decisions that fall within the remit of the local authority’s executive: budgetary trade-offs, the choice of service providers, the level of contractual requirements, crisis management, the prioritisation of essential services, and communication with the public.

The responsibility of an elected representative is not that of a technical expert. It is that of a public decision-maker.

It is not a question of expecting a mayor, an inter-municipal authority chair or a vice-chair to understand all the intricacies of encryption, firewalls or software vulnerabilities. It is a question of enabling them to ask the right questions:

  • Which services must continue to operate?
  • Where is our sensitive data?
  • Who has access to our systems?
  • Are our backups tested?
  • Which service providers are critical?
  • What do we do if our email system goes down?
  • How long can we manage without an information system?

These issues are political rather than technical.

Practise, train, make corrections, anticipate a crisis

Resilience cannot be improvised. It must be prepared for and put to the test.

The Paris 2024 Olympic Games demonstrated this: despite 12 times as many cyber-attacks as during the Tokyo Games, no major incidents disrupted the event. This outcome is down to months of simulation exercises, business continuity tests, vulnerability assessments and crisis management training for the teams.

Local authorities can draw inspiration from this approach, on their own scale. A crisis exercise does not need to be spectacular to be useful. It can start simply: simulating the unavailability of email, the loss of access to business software, an attack on a service provider or the circulation of a fake council press release.

The aim is not to predict exactly when the next attack will take place. It is to ensure that everyone knows what to do when digital systems fail.

AI is accelerating the threat

Generative artificial intelligence is transforming the nature of the threat by making phishing attempts more credible, generating large numbers of malicious websites that appear legitimate, and facilitating attacks within a defined scope. According to a study published by ANSSI in February 2026, more than 40 state-sponsored attack methods used AI to refine their cyber offensives between 2023 and 2024. It is therefore essential to train all teams to recognise these threats.

But the urgency is not limited to phishing. Today, it centres on patching software vulnerabilities. AI is accelerating the automated detection of exploitable vulnerabilities.

In June 2025, the XBOW system submitted hundreds of reports of critical vulnerabilities to bug bounty programmes without any human intervention. Faced with this acceleration, the time taken to patch vulnerabilities – often measured in weeks or months in local authorities – has become untenable.

The priority is clear: drastically shorten patch deployment cycles, train teams on secure development tools, conduct regular drills simulating vulnerability exploitation scenarios, and appoint crisis managers before an incident occurs. Once an incident is underway, it is too late to work out who is in charge.

Hybrid warfare: disinformation also targets regions

Digital threats now include an informational dimension that cybersecurity professionals regard as a distinct vector in its own right.

A fake account belonging to an elected representative, a fake press release from the town hall, a website imitating that of a local authority, a rumour about water quality, a false announcement of a school closure, a doctored video or an alarmist message circulated at just the right moment can be enough to trigger a local crisis.

Viginum, the service responsible for monitoring and protecting against foreign digital interference, documented a structural increase in the information threat targeting France in 2024 and 2025: pro-Russian campaigns exploiting the war in Ukraine, destabilisation operations during the riots in New Caledonia, and attempts to manipulate public debate during the European elections and the Olympic Games. The "Portal Kombat" report highlighted a coordinated disinformation network targeting French media and institutions.

In May 2023, ANSSI identified several dozen French local council websites that had been defaced with pro-Russian messages. These attacks, which are not particularly technically sophisticated, directly undermine the public’s trust in their local institutions.

The risk reaches its peak during major elections or large-scale sporting and cultural events. Information security must be integrated into the regional crisis management framework, in the same way as IT continuity.

Digital dependency is becoming a risk

Local authorities are increasingly reliant on digital tools that they do not always fully understand: software for civil registration, payroll, town planning, social services, email, collaboration tools, cloud hosting, telephony, archiving, cyber security and artificial intelligence.

This dependency is not necessarily a problem in itself. It becomes a problem when it is neither recognised, nor measured, nor set out in a contract, nor reversible.

A service provider may fall victim to a cyberattack. A software vendor may amend its terms and conditions. A service may be suspended. Data may be hosted within a legal framework that is not properly managed. A solution may become indispensable without any alternative having been identified.

Local authorities often underestimate one fact: a foreign digital service may become unavailable for economic, regulatory or geopolitical reasons. This risk is no longer just a theoretical one.

Recent events have just provided a stark illustration of this. On 12 June 2026, Anthropic (one of the world’s leading artificial intelligence companies) suspended access to its most advanced models for all non-US users, following an order from the Trump administration on the grounds of "national security". French organisations that had integrated these tools into their cybersecurity or analytics workflows found themselves deprived of these capabilities overnight, without having previously anticipated or identified credible European or open-source alternatives.

A parliamentary committee of inquiry launched in January 2026, chaired by MP Philippe Latombe, is currently working to quantify this risk. Its remit includes assessing the extent to which French public authorities rely on non-European digital solutions, identifying the resulting vulnerabilities and examining alternatives. The findings are expected in the summer of 2026.

For local authorities, the first step in addressing this risk is to map their digital dependencies.

Every local authority must be able to answer four simple questions:

  • Which business software applications are hosted outside Europe?
  • Which critical processes rely on a single service provider with no alternative?
  • What sensitive data passes through servers subject to extraterritorial laws such as the US Cloud Act?
  • Which licence agreements bind the local authority without a reversibility clause?

This mapping forms the basis for strategic digital risk management and is the starting point for a plan for gradual self-sufficiency.

There is also a budgetary issue: too many local authorities continue, year after year, to fund recurring licences from non-European software publishers, without capitalising on long-term assets. Reducing these dependencies means gradually redirecting public spending towards sustainable investments (in-house equipment, in-house expertise and staff training, and certified solutions), rather than towards the automatic renewal of contracts that undermine the region’s operational sovereignty.

Train to lead

Training is the key factor that links all these areas: cybersecurity, business continuity, crisis management, compliance, digital sovereignty and public trust.

Training elected representatives does not mean asking them to become technical experts. It means giving them the tools to understand the risks, ask the right questions, manage budgets, organise the crisis response and demand assurances from their service providers.

Training chief executive officers and local government managers enables them to integrate cybersecurity into the day-to-day running of their departments: business continuity, procedures, responsibilities, communication, data protection and incident management.

Training technical teams means strengthening their ability to anticipate, detect, rectify and respond.

Finally, training staff through cybersecurity awareness programmes reduces the local authority’s day-to-day exposure to human error, phishing attempts and risky digital behaviour.

ORSYS and Cyberwings offer specialist training courses for public decision-makers, local government executives and technical teams: raising awareness of cyber risks amongst elected representatives, crisis management and simulation exercises, NIS 2 and GDPR compliance, mapping of digital dependencies, local resilience strategy, service provider security and preparedness for contingency operations.

No local authority will ever be completely invulnerable. But it can be prepared. It can know what to do, who to call upon, how to communicate and how to continue serving its residents when digital systems fail.

This is now what digital accountability means for elected representatives.

Our expert

Cyberwings Academy

Cybersecurity

As a partner of ORSYS, its experts design and deliver training courses in cybersecurity, crisis management, compliance and […]
