The lawyer in a cyber crisis unit
The lawyer present in the cyber crisis unit must be trained in it, in particular to integrate all the complexities mentioned in the first article of this series, dedicated to the strategic role of the lawyer in this body.
In any case, here are some rules of legal qualification in the event of a digital incident.
In the event of malicious acts, there is a great temptation to want to draw up a specific typology of cyberattacks – which would make it even easier to qualify the law. The challenge for the lawyer is to be able to go beyond this idea to adapt to the particular temporality of cyberspace.
To do this, it is necessary to operate according to the classic legal reasoning, by integrating the specificities of cyber : the facts, and the application to the law to extract the legal qualification and thus advise the organization.
1/ Facts – Actively participate in the investigations and analyze the evidence collected
The lawyer must collaborate with the technical teams to analyze and preserve the evidence that will lead to the legal qualification of the incident. It should be noted here that the collection of such evidence must be scrupulously carried out to ensure its admissibility.
He must also take a real proactive approach: solicit the elements that will support his analysis – and this for the entire duration of the investigations – and not reason solely on the basis of the information made available to him (availability bias).
2/ The law – Legally qualifying
The legal arsenal is complete on the criminal level with about ten existing offences. The first five offences correspond, for example, to five types of offences involving automated data processing systems (STAD) occurring at different times in the criminal action, from the preparation of the offence to its completion (Articles 323-1 to 323-4 of the Criminal Code).
The lawyer must therefore compose according to the evidence that will have been collected during the technical investigation phase.
3/ The actions to be brought – The different possibilities
Digital criminal law has seen a strengthening of criminal offences and an extension of administrative obligations (obligation to report a security incident, obligation to notify a personal data breach).
Often, organizations tend to focus solely on administrative obligations.
However, there are also possible criminal actions in the event of a cyberattack (filing a complaint, initiating litigation).
Even if the attribution of malicious acts remains complex to establish, this should not be an obstacle to the filing of complaints and the initiation of litigation procedures.
Are you a lawyer and want to train in crisis management? Are you a training manager and would like to discuss a specific need?
Read the article
When cognitive psychology sheds light on cyber crisis management
6 November 2025Read the article
Ransomware, Confusion, and Critical Decisions: A Cyber Crisis Simulation Autopsy - Alliancy
1 September 2025Read the article
