Local authorities are particularly exposed to cyber-threats, with major risks such as paralysed public services and citizens’ compromised sensitive data. According to a recent study by Cybermalveillance.gouv.fr, although the majority of businesses are aware of the cyber-threat issue, they are still failing to make appropriate investments in their digital security.
In 75% of cases, a limited cybersecurity budget makes it difficult to implement effective protections. In addition, the extensive use of personal equipment in the workplace (62%) amplifies the risks by offering new opportunities for cybercriminals to gain access, whether via terminals or the network. In 2024, one local authority in ten said it had been the victim of one or more cyberattacks. These results underline the urgent need to step up efforts to raise awareness and provide support.
State of play: cybersecurity arrangements still lacking in local authorities
Whether small or large, local authorities are increasingly exposed to ever-changing cyber-threats. This vulnerability is the result of a number of structural factors. Firstly, their budgets for cybersecurity are often limited, which slows down the acquisition of high-performance equipment and the implementation of appropriate solutions. At the same time, the lack of qualified staff, combined with levels of awareness among agents that are still low, aggravates the situation by creating an environment conducive to human error, which is often exploited by attackers. Finally, the frequent use of personal equipment for professional tasks, combined with pools of disparate or technologically obsolete IT equipment, complicates system security.
Not only do such vulnerabilities make local authorities prime targets for opportunistic attacks, but those authorities can also become collateral victims of larger-scale cyberattacks. The value of the data they handle – and of financial data in particular – makes them a particularly attractive source of income for cybercriminals. For example, an official document such as an identity card issued by a local council can be resold for between €2 and €5, while a medical record can be worth between €50 and €250.
The consequences of cyberattacks on such organisations are many and far-reaching. They primarily affect systems security, compromising the integrity of data and the protection of citizens. Disruptions to essential services such as waste management, access to water or school administration paralyse the day-to-day running of local government. Added to this is the damage to the authority’s public image, which often attracts media coverage. Lastly, financial losses – including from ransom demands, remediation costs and penalties – compound an already substantial set of negative consequences.
The challenges of digital transformation: opportunities and risks
Digital transformation offers a major opportunity to modernise public services and streamline resource management. Advanced technologies enable local authorities to improve the quality of their services, simplify exchanges with citizens and increase their operational efficiency. Increasingly paperless administrative procedures and artificial intelligence applied to energy management illustrate the potential of this transition for local and regional authorities.
However, this development brings major challenges. The growing interconnection of infrastructures – which is essential in a smart city context – increases the risk of cyberattacks by widening the surface of exposure. Connected networks, while increasing the efficiency of urban systems, can also become targets for both targeted and widespread attacks. In addition, remote maintenance exposes systems to greater risk of intrusion, while the presence of digital infrastructures in public spaces makes them vulnerable to physical damage. The large number of players involved – suppliers, service providers and technology partners – also makes the task of securing and co-ordinating digital ecosystems a complex one.
And lastly, digital transition faces a number of obstacles. The often limited budgets of local authorities restrict access to advanced technologies and secure solutions. In addition, a lack of in-house expertise can impede the management and integration of digital tools, making projects dependent on external service providers that can be difficult to control.
Towards resilient and intelligent communities: the foundations of secure transition
Close collaboration between elected representatives, network operators and software publishers is essential for a collective approach to cybersecurity. This synergy distributes responsibilities, pools expertise and promotes a coordinated approach to threats. By diversifying stakeholders, it strengthens collective resilience and limits single points of failure.
For effective protection, a comprehensive security strategy urgently needs to be taken right from the start of the digital transition. This means tailoring protection measures to the specific features of each information system while considering the organisational particularities and risks associated with each component of the digital infrastructure.
Compliance with the recommendations of the relevant authorities is vitally important. Regulatory developments such as the NIS2 directive and the GDPR are imposing stricter standards, particularly for critical players. Their application not only reduces vulnerabilities, but also boosts the confidence of citizens and partners.
Finally, if innovation and protection are to go hand in hand, incorporating cybersecurity into the planning process for smart cities projects is key. The installation of sensors and connected equipment throughout the region means that a meshed network capable of detecting and reacting quickly to incidents can be set up. The adoption of advanced solutions, such as Extended Detection and Response (XDR), optimises infrastructure protection while improving operational efficiency. Such proactive approaches enable smart cities to reconcile technological development with risk management.
For local authorities, digital transition represents a major opportunity to modernise public services, but it cannot be achieved without a solid approach to cybersecurity. By integrating security into project design, strengthening in-house skills and relying on specialist partners, they can protect their essential systems while fully exploiting the benefits of innovation. This balance between modernisation and resilience is essential if they are to meet the expectations of citizens, ensure continuity of services and preserve trust.
