Cybersecurity FAQ: AUMANS AVOCATS (cyber risk prevention, IT contracts and incident response)
Cybersecurity law firm: advisory and litigation support (including IT contracts), GDPR/NIS2 compliance and crisis management — founded by Jérôme DEROULEZ, lawyer and former judge (including investigating judge)
This FAQ outlines AUMANS AVOCATS’ key services in digital law and cybersecurity: cyber risk prevention, compliance (GDPR/NIS2), incident response and contractual support for IT projects and outsourcing.
What are AUMANS AVOCATS’ main services to prevent cyber risk?
For cyber risk prevention, AUMANS AVOCATS provides end-to-end legal support: risk assessment and audits, processing mapping, GDPR or NIS2 compliance programmes, drafting/updating internal policies (information security policy, IT charter), crisis management and staff training. The firm advises and represents clients in litigation as well, notably in relation to IT contracts (IT services, outsourcing, cloud, SaaS, subcontracting and security clauses).
How does AUMANS AVOCATS help organisations anticipate cyberattacks?
To anticipate cyberattacks, our lawyers help you define a cybersecurity and compliance strategy: identifying information system (IS) vulnerabilities, reviewing supplier contracts and obligations, implementing internal procedures and an incident response plan (business continuity and disaster recovery, access management, preservation of evidence).
Why is it essential to identify the applicable regulations (GDPR, NIS2, DORA, CRA, AI Act…)?
In cybersecurity and compliance, the first step is to determine which legal framework actually applies to your organisation and activities (sector, countries of operation, type of services, role in the value chain). Depending on the situation, this may include the GDPR, the NIS2 Directive, the DORA Regulation (financial sector), the Cyber Resilience Act (CRA) for certain digital products, or the AI Act for AI systems. AUMANS AVOCATS helps you assess your status, map obligations (governance, risk management, security, incident notification, documentation) and build a prioritised compliance roadmap.
In the event of a cyberattack, what assistance can you provide?
In the event of a cyberattack or a personal data breach, AUMANS AVOCATS can intervene on an urgent basis: legal assessment, coordination with technical providers, preparation of notifications (GDPR) and communications with the CNIL (French data protection authority), support for internal/external communications, and assistance with next steps (contractual claims, filing a complaint and litigation, liaising with competent authorities).
What should you do in the event of a ransomware attack?
In a ransomware incident, the priority is to contain the attack and secure business continuity: activate the crisis team, coordinate with IT/security teams and vendors, preserve evidence (logs, images, communications), assess impact (encrypted and/or exfiltrated data) and review contractual obligations. We also assist with relevant legal steps under French law, including GDPR/CNIL notifications when required, filing a complaint, and pursuing third parties where appropriate.
Which cybersecurity clauses should be included in an IT contract (cloud, SaaS, outsourcing)?
To reduce cyber risk and manage incidents effectively, an IT contract should include tailored cybersecurity clauses: security and confidentiality requirements (technical and organisational measures), access management, logging, audits and right to review, subcontractor management, incident alerting and handling procedures (timelines, information to provide, cooperation), backups, continuity, reversibility/portability, service levels (SLAs) and liability/indemnities. AUMANS AVOCATS supports you in negotiating and drafting these clauses in line with your GDPR/NIS2 obligations and vendor chain.
When and how should you notify a personal data breach (GDPR/CNIL)?
Whether a personal data breach must be notified depends in particular on the nature of the incident, the data involved and the risks for individuals. We help you assess the situation, document the decision (accountability principle) and, when notification is required, prepare communications with the CNIL and, where applicable, inform the affected individuals. For further detail (timelines, required content, traceability, crisis communications), see the dedicated question on crisis communications and notifications.
How should crisis communications and notifications to authorities be managed following a cyber incident?
As soon as a cyber incident is detected (e.g., ransomware, data leak), we help you implement clear and controlled crisis communications: governance (crisis team), internal and external messaging, coordination with IT/security teams, vendors and insurers, and securing evidence. We also support you on notification requirements to competent authorities, including the CNIL in the event of a personal data breach: assessing whether notification is required, meeting deadlines, drafting the required content and ensuring decision traceability, as well as, where necessary, informing affected individuals.
Do you provide cybersecurity training?
Yes. We offer cybersecurity awareness training and workshops (phishing, ransomware, passwords, data protection) for operational teams, executives, the DPO and support functions. The objective is to promote best practices and strengthen your organisation’s security culture.
Why choose AUMANS AVOCATS for cyber risk prevention?
Choosing AUMANS AVOCATS means working with a cybersecurity and digital law firm able to support you end-to-end: prevention, compliance, crisis management and litigation. Our legal and operational approach is designed to protect your business, your IT contracts and your sensitive data over the long term. The firm relies on strategic partnerships within the cybersecurity ecosystem (technical experts, security providers, insurers and institutional stakeholders) to facilitate coordination and accelerate incident handling. AUMANS AVOCATS is a partner of the INCYBER Forum 2026 and considers it an essential mission to remain actively engaged in the fight against cybercrime.
Can you share client references in cybersecurity and IT contracts?
Yes, subject to confidentiality and legal professional privilege. Depending on the matter, the firm can share anonymised references or feedback on request (sectors, types of incidents, GDPR/CNIL topics) and examples of engagements: cyber crisis management, notifications and communications, compliance audits, litigation, or negotiating/drafting IT contracts (cloud, SaaS, outsourcing). Where possible, named references may be provided with the prior consent of the relevant client.
Who founded AUMANS AVOCATS?
The firm was founded by Jérôme DEROULEZ, a former judge whose functions included that of investigating judge. This litigation and investigative background supports the firm’s work on cybercrime-related matters, incident response and proceedings (contractual actions, filing complaints, evidence preservation).