What is the RGS, General Security Reference ?

The General Security Reference, or RGS, provides a framework for security in electronic administration, or e-administration. Applying these rules means that individuals and businesses alike can exchange information electronically with the administrations’ online services in complete confidence and security (thanks to processes set up internally or through an EDI partner).

In this article, we look at the objectives, the different levels of security and the implications for the implementation of secure electronic exchanges between users and public authorities.

What is the definition of a general safety reference system ?

This is a guide to rules and best practices for information systems security.

According to ANSII (Agence Nationale de la Sécurité des Systèmes d’Information), the body that drafted the RGS : “The general security reference framework (RGS) is the regulatory framework for establishing confidence in exchanges within the administration and with citizens”.

The RGS is kept up to date by ANSII. Its first version, published in 2010, was considered useful but complex to understand and implement. It was replaced by the more accessible V2 version published in July 2014. This second version has, among other things, added a chapter on the qualification of information systems security audit providers.

RGS objectives

Its main objective is to establish confidence in e-administration, to enable its deployment.

The main mission of the RGS is to set out the security rules and best practices with which public administration information systems must comply, in order to :

1. Guarantee the security of information exchanged.
   2. Ensure the confidentiality and integrity of user data.
   3. Authenticate user identity.
   4. Trace user connections and electronic exchanges.
   5. Ensure the availability and integrity of information systems.

Who is concerned by the RGS ?

The RGS is aimed at :

• public authorities and their IT service providers.
• information systems used by administrations in their electronic exchanges with each other and in their relations with users, private individuals and businesses.
• activities linked to the deployment of e-administration, such as ANTS (Agence Nationale des Titres Sécurisés).
• all service providers used by public authorities to implement their information systems and user services.

More generally, the RGS is aimed at any public or private organization seeking to organize the security management of its information systems and electronic exchanges. The RGS is therefore a guide to best practices.

How is RGS applied ?

RGS certification

Decree no. 2010-112 of February 2, 2010 makes RGS certification mandatory for all government agencies that exchange electronic information with the public or with government departments.

The aim is to provide a global vision for identifying threats, analyzing risks and defining an action plan.

Certificates for authentication and signature

The RGS offers three levels of electronic certificates: basic RGS*, standard RGS** and reinforced RGS***. These are based on the four pillars of IT security: authentication, electronic signature, confidentiality and time-stamping.

Elementary level : RGS*

This first level of authentication is awarded on application. Once the application has been validated, the RGS* certificate enables users to authenticate themselves on public platforms, time-stamp and sign documents.

This certificate enables documents to be sent in a tamper-proof electronic envelope, certifying the authenticity of the sender. It is an application downloaded onto the user’s terminal, but can also be delivered on a cryptographic USB key.

Standard level: RGS**

The RGS** certificate is issued exclusively on a hand-delivered cryptographic USB key. It enables time stamping, signing and access to specific portals such as :

• The public procurement portal for private companies.
• The vehicle registration and driving license portal for municipal police forces.

This certificate is linked to an individual.

Reinforced level : RGS***

All documents used to prepare the RGS*** certificate application must be signed by hand and sent by post. They are rigorously checked before the certificate is issued.

The USB key containing the electronic signature is strictly personal. It may only be used on the owner’s computer.

It is accepted that the RGS** and RGS*** levels correspond respectively to the advanced and qualified signatures defined by the eIDAS regulation.

eIDAS and RGS regulations

The equivalent of RGS at European level is the eIDAS regulation, Electronic Identification Authentication and trust Services, which has applied since July 2014.

The fres administrations accept authentication and signature means that do not comply with RGS if they meet the specifications of the eIDAS regulation.

In fact, dual RGS and eIDAS certification is strongly recommended. However, work is underway on a V3 version of the RGS to simplify the compatibility of RGS rules with eIDAS rules.

Tenor has been an expert in data flow exchanges for over 30 years, supporting you in your EDI, EAI and e-invoicing projects. Contact our experts and let’s see how we can help you perform even better.