3. The landscape of cyber security education and training programmes: The case of France

Upper secondary level

In France, upper secondary education leads to three types of baccalaureate qualifications (qualification delivered in upper-secondary education in France): the General, Technological and Vocational Baccalaureate. All three programmes take three years to complete and serve both as an upper-secondary education diploma and as a university entrance exam. Depending on the specialisation and optional subjects chosen, students are tested on a broad range of topics. The results are critical for admission into higher educational institutions, including universities, Grandes Écoles, and technical institutes.

Most students opt for the General Baccalaureate option in upper-secondary education. However, among those in General Baccalaureate, only few choose to take classes related to computer sciences and digital technology, which can be relevant for pursuing more advanced education in the field of cyber security. In 2021, only 54 000 General Baccalaureate students, including those in their second and third years of upper secondary education, took classes in this area of knowledge (4% of all General Baccalaureate students) (see Figure 3.4). Nevertheless, this proportion has grown compared to 2011, showing a 30% increase.

Figure 3.4. Total number of students and number of students in fields related to computer sciences by type of baccalaureate qualifications, in 2021

Note: For General Baccalaureate only students choosing subjects related to computer sciences such mathematics, Digital and computer science, physics and chemistry are considered. In the French education system, “première” and “terminale” are the final two years of the General Baccalaureate programme. “Première” is equivalent to the junior year of high school, and “terminale” corresponds to the senior year. During these years, students typically focus on more specialised subjects in preparation for the baccalaureate exams, which are crucial for university admission in France.

Source: DEPP (2023[9]), Repères et références statistiques, edition 2023, www.education.gouv.fr/reperes-et-references-statistiques-2023-378608.

Enrolment in cyber security relevant fields in Technological and Professional Baccalaureate is higher than in General Baccalaureate, which indicates learners in these programmes are interested in getting skills needed for immediate employment upon graduation, since they are involved in more hands-on training and have stronger ties to the industry. More than 20% of students of Technological Baccalaureate are enrolled in the Science and Technologies for Industry and Sustainable Development (STI2D) programme including cyber security training. A similar proportion (17%) of students in Professional Baccalaureate are enrolled in the digital and energy transition programme. These shares have increased over time (12 percentage points and 17 percentage points. compared to 2018) reflecting an increase in the interest of learners in engaging in training in related to the ICT sector. The following sections will discuss in more detail the last two programmes: Vocational and Technological Baccalaureate.

Vocational Baccalaureate

The Vocational Baccalaureate (baccalaureate professionnel, bac pro) prepares students for a specific profession, but also allows for the possibility of further studies, especially for technical higher education courses such as BUT. These courses are offered by vocational upper secondary schools (lycées professionnels) and cover a range of professional fields including information technology (IT). One of the programmes is entitled “Cyber security, IT, networks and electronics”, offered within the “digital and energy transition” professional family. Over the three years of the programme, students gradually specialise within a field and towards a selected profession. Students who pursue a school-based route first spend their first year focusing on “Professions of the digital and energy transitions” and may chose cyber security during the second year. Alternatively, students may pursue the programme through an apprenticeship (whereby students alternate education and training in schools and in companies), starting in the first year with a focus on cyber security. Programmes are designed to lead into the labour market, as technicians. It is however possible, subject to certain conditions outlined below, to access a higher education programme.

Upon completing a bac pro, students have several pathways available to them, both in terms of further education and immediate job opportunities. They might choose to further their studies through programmes such as the BTS, a two-year course aligned with their field. Alternatively, some may venture directly into university aiming for bachelor’s or master’s degrees in relevant subjects or even explore non-formal training providers offering courses in cyber security. In terms of immediate employment, the bac pro qualification makes them eligible for entry-level roles in cyber security, ranging from junior analyst positions to IT support roles with a security emphasis. Internships are another viable route, providing hands-on experience and potential full-time job offers.

From the start of the 2023 academic year, bac pro programmes offered in the field of “digital system” become “Cyber security, computer sciences and networks, electronics, (Cybersécurité, Informatique, et réseaux, electronique, CIEL” (see Figure 3.5) (MENJ, 2023[10]). Following this reform (JORF, 2023[11]), learners interested to engage with further education will have two options after completing a bac pro in CIEL: (1) Engaging directly with a BTS in CIEL and specialised either in “Computer sciences and network” or in “Electronics and network”, or (2) engaging with an extra year to obtain a field specialisation (Mention complémentaire or MC) either in “Production and repair of electronic products” or in “cyber security”. This additional year for field specialisation is designed to provide specialised skills or knowledge in a specific field, complementing the education and training received in the initial course of study (MENJ, 2023[12]). A MC includes both classroom instruction and practice-oriented vocational training through internships. The goal is to deepen students’ skills in a particular area, making them more competitive in the job market or preparing them for further studies.

Figure 3.5. Pathways into cyber security skills in vocational baccalaureate education

Note: BTS refers to Brevet de Technicien Supérieur. MC refers to Mention complémentaire.

Source: ONISEP (2023[13]), Bac pro cybersécurité, informatique et réseaux, électronique (CIEL), www.onisep.fr/ressources/univers-formation/formations/Lycees/bac-pro-cybersecurite-informatique-et-reseaux-electronique, EDUSCOL (2023[14]), Rénovation de la filière systèmes numériques en “Cybersécurité, Informatique et réseaux, Electronique (CIEL) ”,

 https://eduscol.education.fr/sti/actualites/renovation_filiere_ciel.

The CIEL Vocational Baccalaureate trains technicians who can intervene in the production and maintenance processes of electronic products (production of models and prototypes, maintenance of an electronic system or computer network). Students acquire the skills to implement computer networks (installation of the elements of an electronic system and operation of the network). They are also trained in the analysis of software or hardware, for the purpose of cyber security and data enhancement. Graduates are trained to carry out activities in the “4.0” industry, in the fields of intelligent networks and data exploitation: industry (industrial automation, “4.0 and 5.0” factories, smart city, etc.), home automation, cyber security, telemedicine and health, transport, telecommunications, the Internet of things, etc.

Cyber security, IT and network vocational programmes are predominantly offered by upper secondary vocational schools (Lycée professionnel) compared to other programmes within the digital and energy transition field (see Figure 3.6). The predominance of bac pro in cyber security at Lycée professionnel institutions implies a strong emphasis on practical, job-ready skills closely aligned with industry needs. While this makes the training accessible and directly applicable to the workforce, it may lack the theoretical depth and broader academic context often required by university-level courses. This focus on vocational training is valuable for immediate employability especially for entry level jobs. However, given most cyber security roles require higher level qualifications and deeper expertise in the cyber security field, bac pro graduates are likely to need additional training in further education to develop skills allowing them to progress to more advanced job positions.

Figure 3.6. Distribution of vocational baccalaureate programmes in cyber security, IT and networks, and electronics and other digital and energy transition fields, by type of establishment in 2023

Note: Other educational establishment also includes rural family home, regional adapted education establishment and college. Lycée GT refers to General and Technological Upper Secondary School (Lycée General et Technologique).

Source: ONISEP (2023[15]) Les familles de métiers en seconde professionnelle, www.onisep.fr/formation/apres-la-3-la-voie-professionnelle/les-diplomes-de-la-voie-pro/le-bac-professionnel/les-familles-de-metiers.

Technological Baccalaureate

The Technological Baccalaureate is designed to provide students with foundational knowledge in specific technological fields such as engineering sciences, IT, health sciences, and agronomy. Unlike the academically focused General Baccalaureate, it melds traditional subjects with specialised, career-ready training, particularly in the final two years of upper-secondary education, the “première" and “terminale”. While the Technological Baccalaureate strikes a balance between academic and technical proficiency in specialised areas, the Vocational Baccalaureate is distinctly designed for students targeting immediate employment, offering hands-on skills, tailored to specific industries.

Students can choose among eight possible programmes covering topics from health and social science to industry, innovation and digital transformation (Education, 2023[16]). Two of the specialisation offered are relevant to the IT and cyber security sector: ‘Science and technologies of management’ ‘(Sciences et technologies du management et de la gestion, STMG) and Science and technology for industry and sustainable development’ (sciences et technologies de l’industrie et du développement durable, STI2D) (see Table 3.2). Both programmes include specialties relevant for the cyber security sector. The STMG programme includes a specialisation on ‘Information and management systems’ which covers the use of information systems and ICT management. The STDI2 programme includes the specialisation ‘Information and digital system’ which is oriented for students interested in learning how to process digital information and developing hardware and software products, which can be a better fit for learners interested in engaging with more specialised technical education in the cyber security field.

Table 3.2. Technological baccalaureate programmes oriented to ICT, information systems and cyber security
	Description	Specialties	Career prospects
Science and technologies of management (STMG)	This programme is oriented towards students interested in the reality of how organisations operate, relationships at work, new digital uses, marketing and performance measurement, decision analysis and the impact of business strategies.	Management and finance Marketing Human resources and communication Information and management systems	This programme prepares students for careers in finance, management control, information systems, human resources, marketing and communication
Science and technology for industry and sustainable development (STI2D)	This programme is aimed at high school students interested in technological innovation and energy transition, as well as for those that want to understand how technical systems in industry and everyday life work	Architecture and construction (AC) Energy and environment (EE) Technological innovation and eco-design (ITEC) Information and digital system (SIN)	This programme leads to jobs as technicians or engineers in electrical engineering, electronics, IT, mechanics, civil engineering, logistics
Note: Specialties in bold are directly related to the cyber security field.
Source: MENJ (2023[17]), Réussir au Lycée, www.education.gouv.fr/reussir-au-lycee/le-baccalaureat-technologique-1916; ONISEP (2023[18]), Le bac STMG (sciences et technologies du management et de la gestion), www.onisep.fr/formation/apres-la-3-la-voie-generale-et-technologique/qu-est-ce-que-la-voie-generale-et-technologique/la-voie-technologique-en-premiere-et-terminale/le-bac-stmg-sciences-et-technologies-du-management-et-de-la-gestion.

While fewer students overall enrol in the Technological Baccalaureate compared to General Baccalaureate, those who do choose this path are increasingly interested in the offerings of the STI2D programme. Technological Baccalaureate enrolment has decreased in the last decade, especially in the STI2D programme (see Figure 3.7). In 2022, 56 636 students enrolled in STI2D, 748 less than in 2014. However, the share of students in Technological Baccalaureate engaging with STI2D has increased going from 16% in 2014 to 19% in 2022. The STI2D programme resonates with contemporary global challenges and job market trends beyond the cyber security sector. As technological advancements and sustainability become central themes in modern industries, students may perceive STI2D as offering more relevant skills and better future career opportunities.

Figure 3.7. Evolution of enrolment in technological baccalaureate between 2014-2022, by programme specialisation

Note: STMG refers to science and technologies of management. SDT2A refers to science and technology of design and applied arts, STI2D refers to science and technology for industry and sustainable development, STL refers to laboratory science and technology, ST2S refers to health and social sciences and technologies, S2TMD refers to Technical Baccalaureate of music and dance, STHR refers to science and technology in the hotel and restaurant industry, and STAV refers to sciences and technologies of agronomy and living organism.

Source: ONISEP (2022[19]), La voie technologique en première et terminale, www.onisep.fr/formation/apres-la-3-la-voie-generale-et-technologique/qu-est-ce-que-la-voie-generale-et-technologique/la-voie-technologique-en-premiere-et-terminale.

While the Technological Baccalaureate equips students with technical and foundational applied skills, for specialised domains like cyber security, the knowledge and skills garnered through this qualification alone might be insufficient for many entry-level positions. This may be due to the lack of practical skills which makes the Vocational Baccalaureate better placed for initial roles. To delve deeper into cyber security, students typically continue their education at the University Institutes of Technology (Instituts Universitaires de Technologie, IUTs) or other higher technical institutions. Additionally, they can pursue studies at universities or other higher education institutions such as Grandes Écoles. For the latter, students from both Technological and General Baccalaureate who are interested in advanced cyber security learning, such as a bachelor’s degree, often enrol in classes prépas. These are preparatory courses designed to ready students for entry into Grandes Écoles (see Box 3.2).

Box 3.2. The General Baccalaureate and classes préparatoire: An additional pathway to access cyber security programmes

In France, the Baccalaureate Général, much like its technologique and professionelle counterparts, offers a foundational step towards a cyber security career. This baccalaureate furnishes students with theoretical training, positioning them for higher education avenues such as the preparatory class (classe préparatoire) or university. Following the 2018 reform, schools deliver a common core curriculum, allowing students to select specialised subjects aligned with their ambitions. Picking subjects like mathematics, physics, and computer science strategically positions students for advanced studies in cyber security, be it in computer science, information technology, or dedicated cyber security programmes.

Preparatory class (Classes Préparatoires aux Grandes Écoles, CPGE)

Classes Préparatoires or classes prépa act as a pivotal bridge for students aspiring to delve deep into cyber security. Focused programmes like MPSI (Mathematics, Physics, and Engineering Sciences) and PCSI (Physics, Chemistry, and Engineering Sciences) provide an intensive grounding in key subjects like mathematics and computer science-foundations vital for grasping cyber security intricacies, from encryption algorithms to network design. Moreover, Classes Prépas prime students for Grandes Écoles, institutions that offer specialised training in several fields, including cyber security. Within these premier schools, students gain advanced technical expertise, while also exploring the ethical, managerial, and societal facets of cyber security. Thus, the rigorous foundation set by Classes Prépas significantly elevates a student’s readiness for elite cyber security education.

Source: MENJS (2023[20]), Reussir au Lyceé, www.education.gouv.fr/reussir-au-lycee/le-baccalaureat-technologique-1916.

Short-cycle tertiary level

Advanced technician qualifications (Brevet de technicien supérieur or BTS) are short-cycle tertiary qualifications (ISCED level 5) and take two years to complete. To enrol in a BTS programme, students must hold a baccalaureate. Depending on the specific BTS course, certain types of baccalaureates may be preferred (see Table 3.3).

BTS programmes offer specialised vocational training across various fields, blending theoretical lessons with practical experience, often integrating internships. From the 88 available specialisations spanning multiple sectors, students keen on cyber security can select the “IT and Networks, Electronics (cybersécurité, informatique et réseaux, électronique, BTS CIEL)” track. Within this track, two options exist: Option A “Computer science and networks”, focusing on training technicians in coding IT solutions, data management, and secure database storage; and Option B “Electronics and networks”, emphasising electronic system design, hardware-software assembly, and computer network management (MESR, 2023[22]). While the BTS diploma is fundamentally designed for immediate professional integration, students with commendable academic achievements or exceptional exam marks can advance to a bachelor’s degree in Computer Methods Applied to Business Management (MIAGE). Alternatively, they may pursue a professional license in the IT and networks sector, either through an IT-specialised school or a post-baccalaureate in the industrial technology preparatory class (Classes Préparatoire Adaptation Technicien Supérieur, ATS), setting them on track for an engineering school.

After completing a Vocational or Technological Baccalaureate in CIEL or STI2D, students can enroll in the BTS SIO programme (Brevet de Technicien Supérieur – Services Informatiques aux Organisations). Established in 2011, the BTS SIO is a two-year programme recognised by the French state. It prepares graduates for immediate employment in the IT sector or for further studies in computer science. The BTS SIO offers two specialisations: SLAM (Solutions Logicielles et Applications Métiers) and SISR (Solutions d’Infrastructure, Systèmes et Réseaux). SLAM focuses on software solutions and business applications, including drafting specifications, developing software solutions, and integrating them into organisations (Onisep, 2023[23]). SISR targets future professionals in network and computer equipment, emphasising installation, maintenance, and security of IT systems (Onisep, 2023[24]).

Enrolment in short-cycle tertiary programmes has declined over the past decade. However, participation in courses related to computing, information processing, and data management has seen a slight uptick (see Figure 3.8. In 2022, 9 944 students enrolled in these programmes, marking a 9% increase from 2014. This sector is among the top five in demand. The popularity of BTS programmes in computing and data, despite the broader decline, underscores France's growing reliance on technology. Traditional fields may be losing appeal due to limited growth, while tech roles offer better job opportunities and adaptability, making them more attractive to students. Furthermore, national strategies and policy reforms, such as the inception of a national digital and computer sciences day, an expanded course offering, and improved information and career guidance on ICT sector, have amplified its allure (NSI, 2023[25]).

Figure 3.8. Enrolment in short-cycle tertiary level programmes and equivalent qualifications in service specialities by speciality, 2014 and 2022

Number of students by training specialisation

Note: Figures include all students enrolled in Higher technical sections (Sections de techniciens supérieurs, STS), upgrading classes for Advanced technician qualifications (Brevet de technician supérieur, BTS), National Diploma of Crafts and Design (Diplôme National des Métiers d'Art et du Design, DN MADE), bridging classes and Diploma in crafts and applied arts (Diplôme des Métiers d'Art, DMA) by training speciality in 2022-2023. ‘Hairdressing, beauty care’ includes other personal services specialism; ‘Computing and information processing’ includes data transmission professions; ‘Image and sound techniques, related entertainment includes entertainment professions’; ‘Cleaning, environmental protection’ include sanitation related professions.

Source: DEPP (2023[9]), Repères et références statistiques, edition 2023, www.education.gouv.fr/reperes-et-references-statistiques-2023-378608.

Apprenticeships

Individuals can also opt for apprenticeships at initial levels to prepare for entry-level cyber security jobs. Apprenticeships combine classroom learning with real-world work, allowing apprentices to gain job-specific skills while working alongside experienced staff from the sector in addition to the more theoretical aspects of cyber security. Students can participate in apprenticeships at various levels – depending on their previous experience, their knowledge in the field, and -in some cases- their prior qualifications. There are apprenticeships targeting beginners in the field (equivalent to Vocational Baccalaureate or ISCED 3) to more experienced learners (equivalent to a master’s degree or ISCED 7).

A significant imbalance exists despite the availability of cyber security apprenticeships at all levels: at short-cycle tertiary level apprenticeships positions are plentiful, but much higher enrolment in advanced-level apprenticeships (see Figure 3.9). As of October 2023, the ONISEP portal listed positions apprenticeship programmes, with the majority (72%) corresponding to short-cycle programmes (ISCED 5) (see Figure 3.9, Panel A). This indicates a commitment by educational institutions and employers to extend work-based learning to newcomers in cyber security. However, when it comes to actual enrolment, 72% of apprentices enrolled for bachelor’s, master’s, or doctoral level programmes (see Figure 3.9, Panel B). This trend towards advanced-level programmes is shaped by career aspirations and the enhanced employability associated with higher degrees. Moreover, employer preferences lean towards recruits with a deeper educational background for handling sophisticated tasks.

Figure 3.9. Number of cyber security apprenticeships positions and enrolment in ICT related apprenticeships in 2014 and 2023

Note: Upper secondary apprenticeships include Certificate of Vocational Aptitude (certificat d’Aptitude Professionnelle, CAP), Vocational Studies Certificate (Brevet d’Etudes Professionnelles, BEP), Professional certificate (Brevet Profesionnelle, BP), Vocational bacalaureatte (Bac professionnel); Short-cycle tertiary education includes Higher Technician section (Section de Techniciens Supériurs, STS); master’s degree and PhD includes engineering programmes (Diplôme d’Ingenieur).

Source: MERS (2022[26]), Les effectifs d’étudiants dans le supérieur continuent leur progression en 2022-2023, www.enseignementsup-recherche.gouv.fr/fr/les-effectifs-d-etudiants-dans-le-superieur-continuent-leur-progression-en-2021-2022-88609; ONISEP (2023[4]), L'offre de formations de cybersécurité, www.onisep.fr/.

Enrolment in ICT-related apprenticeship programmes has increased significantly over the last decade, particularly at advanced levels, mirroring the sector's rapid growth and the escalating demand for specialised, high-level skills in the digital market, including cyber security. In 2023, close to 85 000 students were engaged in ICT apprenticeships, a fivefold increase from 2014 (see Figure 3.9, Panel B). The growth is even more pronounced at the higher educational levels (bachelor’s and master’s degrees), where enrolment has risen eightfold since 2014. This uptick is driven by government support for vocational education and the alignment of programmes with industry demands, ensuring apprentices are well-prepared for the evolving technological landscape. Additionally, tax incentives for companies employing apprentices and enhanced collaboration between higher education and the tech sector have been influential, multiplying opportunities and incentives for students (MTPEI, 2021[27]).

Bachelor’s level

At the bachelor’s level three types of qualifications may prepare for a career in cyber security: university bachelor’s of technology (BUT), professional bachelor’s and academic bachelor’s degrees. The distinction between BUT programmes and professional bachelor’s qualifications is rooted in their history. Until the 2021 reform, BUT programmes existed in a shorter form: two-year programmes led to a short-cycle tertiary qualification (diplôme universitaire de technologie or DUT). Graduates of DUT programmes commonly pursued an additional year of education, such obtaining a professional bachelor’s qualification. Since the 2021 reform, the new BUT programmes are one year longer than their predecessor and lead to a bachelor’s level qualification. Professional bachelor’s programmes maintain their function of following up on short-cycle tertiary education, as they continue to offer a progression route to BTS graduates.

Continuing education programmes (Formation continue)

Continuing education programmes (formation continue) are one of the multiple non-formal up- and reskill opportunities individuals have in several fields including cyber security. These programmes are tailored for professionals aiming to enhance their existing expertise or pivot their careers into the cyber security domain. Within continuing education programmes learners can engage with Institutional diplomas or certificates (Diplôme d'établissement) which are developed and conferred by educational institutions, offering them the flexibility to design programmes that swiftly respond to industry shifts and specialised professional requirements. These diplomas, while tailored to the institution’s standards, are well-regarded within the professional sphere, especially when issued by reputable schools. An example of this diploma in the cyber security field is the “Certificat de Spécialisation en Cybersécurité” offered by multiples grandes écoles or universities. This training is collaboratively prepared with industry partners to ensure the programmes is in line with the latest cyber security trend and practices (see Table 3.9 for other examples).

Entrance into a “Diplôme d'établissement” cyber security programme usually requires a background in computer science or a related discipline, with additional prerequisites that may include certain IT competencies or preliminary courses. After completing this targeted diploma, graduates are poised for immediate entry into the cyber security job market, leveraging their specialised training to meet industry demands. For those looking to deepen their expertise, further educational pursuits or professional certifications are viable next steps, opening doors to advanced security roles or managerial positions within the cyber security sector.

Regardless of the field, the number of continuing education courses offered, and the diplomas awarded have been increasing, indicating a growing demand for short, concise courses focused on imparting specific, highly sought-after skills in the job market (DEPP, 2023[9]). In 2021, around 40 400 institutional diplomas were awarded, nearly double the number offered in 2010 (just over 24 000) (see Figure 3.10). A similar pattern is found for courses in the field of computer science, including cyber security. In 2022, around 9 250 people have been trained, including through continuing education programmes, to become specialists in the field at all levels (MFIDS, 2022[43]), thanks to the national acceleration strategy for cyber security, developed by the French Government (MFIDS, 2021[44]).

Figure 3.10. Diplomas awarded on completion of continuing education

Note: Figures includes all diplomas awarded in all fields and specialisations including those related to computer science. Value for 2021 is projected (p).

Source: DEPP (2023[9]), Repères et références statistiques, edition 2023, www.education.gouv.fr/reperes-et-references-statistiques-2023-378608.

Certifying or certificate training offered by specialised providers (Formation certifiante)

These are certification-oriented educational programme that offer a mix of theorical and practical training that culminates in credentials recognised in the industry. In contrast to the “Diplôme d'établissement” programmes, these certificates are provided mostly by specialised providers or relevant companies in the cyber security field. With their emphasis on direct applicability and the fast acquisition of in-demand skills, these programmes are ideal for professionals aiming to quickly enhance their expertise or break into the cyber security field.

A wide range of certificate training programmes are available in the field of cyber security. This study focuses on three of them. A “simple certificate (attestation simple)” refers to a basic form of certification or acknowledgment for completing a training course. It does not involve any rigorous examination process or compliance with international standards. The ANSSI, through the SECNUMEDU-FC certification, recognises certifying non-formal training that meets its quality standards. In 2023, there are 60 simple certificate training programmes recognised by ANSSI, covering multiple specific competencies and at different levels of difficulty (ANSSI, 2023[45]). (Table 3.10 shows some examples.)

Learners can also engage with ISO/IEC 17024 certified training programmes, which are aligned with an internationally recognised standard. This ensures that professionals holding certifications in cyber security have been evaluated rigorously and fairly, based on global benchmarks for their skills, knowledge, and abilities. Adherence to ISO/IEC 17024 guarantees a certification process that is transparent, impartial, and of consistent quality, fostering trust and recognition in the expertise of certified cyber security professionals worldwide. As of 2023, ANSSI has recognised 20 ISO/IEC 17024 training programmes and is planning to expand this offering in 2024 (ANSSI, 2023[45]).

The Professional Qualification Certificat (Certificat de Qualification Professionnelle, CQP) is an industry-recognised French certification denoting an individual’s capability to perform a specific role, particularly within technical or vocational domains (MTPEI, 2017[47]). Acting as a skills and competency benchmark, these certificates are driven by sector-specific professional organisations to meet workplace standards. Within cyber security, CQPs hold significant value due to the field's specialised requirements. They affirm a professional's proficiency in roles ranging from security analyst to incident responder, aligning with the pressing demand for experts adept at countering cyber threats and safeguarding information. Cyber security CQPs prioritise practical, job-related skills and knowledge required to meet the exacting expectations of employers in this crucial sector.

Finally, numerous online platforms provide French-language cyber security courses, broadening the accessibility of specialised training (see Box 3.1). These courses serve a spectrum of learners, offering flexible, self-paced learning environments from foundational to advanced levels. The flexible way of provision and interactive nature of online courses, coupled with certification options, make them an attractive avenue for those seeking to enter or progress in the cyber security field.

Foundational cyber security skills for digital sector professionals

Several higher education institutions that prepare for employment in the digital sector seek to go beyond raising awareness. They integrate a stronger element of cyber security in their programmes, but do not train specialised cyber security professionals.

ANSSI established the label CyberEdu to signal education programmes within the digital sector that integrate an element of cyber security. Its development followed the publication of a White Paper on Defense and National security in 2013. The CyberEdu label is designed to help the introduction of cyber security concepts into all digital-related training programmes in France. The goal is to ensure that all those involved in the information systems chain (e.g. administrators, developers, project managers) feel concerned, as digital security also requires the engagement of those who are not experts in the field. The approach seeks to improve vigilance and incident response, limit vulnerabilities in information systems, and facilitate co-operation with cyber security specialists. All professionals need to be aware, initiated, or even trained in cyber security without necessarily becoming experts in the field.

The Association CyberEdu was established to help implement efforts in this area. It brings together computer science teachers, cyber security specialists, and non-specialists, to promote the CyberEdu approach throughout the country. Their activities include developing pedagogical tools, organising events and communication regarding cyber security, and certifying training programmes. These efforts are aligned with the National Strategy for Cyber security, presented by the prime minister in 2015. This strategy outlined two objectives that are related to CyberEdu: integrating cyber security awareness into all higher education and continuing education programmes; and integrating cyber security training into all higher education programmes that include a component of computer science (CyberEdu, 2022[52]).

One of the Vocational Baccalaureate programmes is certified by CyberEdu: “Cyber security, ICT and networks”. In addition, several short-cycle tertiary qualifications are certified by CyberEdu. The main programme at short-cycle tertiary level is the “BTS in information technology services for organisations”. It has two options: “Infrastructure, systems and networks solutions” and “Software solutions and business applications”. Both options contain cyber security as one of the three key competence areas targeted by the programme. These programmes may be accessed with different types of baccalaureat: the Vocational Baccalaureate in “Cyber security, ICT and networks”, or a Technological Baccalaureate (either “Sciences and technologies of management and administration” or “Sciences and technologies of Industry and sustainable development”). Admission is also possible with a general baccalauréat. While most graduates will enter the labour market upon completion, it is possible to progress to a professional bachelor’s programme in the same field. Finally, several bachelor’s programmes have gained the CyberEdu quality label. This includes both bachelor’s programmes, as well as professional bachelor’s programmes (Table 3.12 provides some examples).

Advanced technical skills for future cyber security professionals

The Digital Security Education (Sécurité Numérique éducation or SecNumedu) label was developed to identify high-quality specialised programmes in cyber security. This accreditation is awarded by the ANSSI, the French National Agency for the Security of Information Systems, which serves as the country’s chief authority on defending its information systems. The SecNumedu label recognises courses that meet a high standard of quality and provide relevant, comprehensive training in the field of cyber security. It covers a wide range of programmes, from entry-level cyber security courses to more advanced and specialised courses, each catering to different aspects of cyber security such as network security, data protection, cyber threat intelligence, and ethical hacking.

The benefits of the SecNumedu label are substantial for both educational institutions and learners. For institutions, having the SecNumedu label denotes a recognised quality standard for their programmes, which can help attract more learners, foster institutional prestige, and, in turn, support the continuous development of the cyber security field. For learners, enrolling in a SecNumedu labelled programme ensures that they receive up-to-date, comprehensive, and high-quality education in cyber security. Additionally, a certificate from a SecNumedu accredited course can enhance their employment prospects, as employers often look for candidates with recognised qualifications in the competitive field of cyber security. By ensuring a certain standard of training, the certification benefits the entire ecosystem - it helps the institutions to maintain quality education, and it helps the learners to gain relevant and recognised skills in the cyber security domain.

The SecNumEdu label concerns mostly engineering programmes and master’s programmes, but it is also associated with some professional bachelor’s degrees. Table 3.13 provides some examples of programmes that have obtained this label.

Providing work-based learning opportunities in the cyber security sector

An element of work-based learning is commonly used in programmes that focus on cyber security (as well as other professionally-oriented programmes). Work-based learning, especially through apprenticeships, offers graduates an edge by fostering close ties with specific companies and industries, often leading to more permanent job placements right from the start (Couppié and Gasquet, 2021[58]). Thus, the inclusion of a mandatory internship is a quality criterion for obtaining a SecNumEdu label. For example, three-year programmes leading to a Vocational Baccalaureate require 18 to 22 weeks to be spent in work-based learning (ONISEP, 2023[59]). BTS, DUT, professional bachelor’s and engineering programmes either involve a mandatory internship or may be pursued through an apprenticeship, alternating periods of work-based learning with classroom learning (see Table 3.8). For example, at the Saint Malo University Institute of Technology apprenticeship is a common route to BUT qualifications. Among first year students 30% pursue an apprenticeship, among second year students 60% do so, while all third year students pursue this route. This typically involves alternating one month spent within the IUT and one month spent with an employer.

Participation in apprenticeships has increased significantly over the last decade, particularly in the ICT field (see Figure 3.11). The number of ICT apprentices has risen by 80% since 2014, which is nearly 20 percentage points higher than the average for all fields within the service sector. While apprenticeship enrollment has climbed at all levels and across all fields, it has been predominantly concentrated at higher educational levels, including bachelor’s, master’s, and Ph.D. programmes. Specifically, the number of ICT apprentices at these advanced levels has almost doubled in 2022 compared to 2014. As technology rapidly advances, there is a pressing need for a highly skilled workforce with expertise in areas such as cyber security, data science, and software development. Higher education institutions have responded by creating more apprenticeship opportunities that dovetail with advanced degree programmes, offering students the dual advantage of academic credentials and practical, work-based experience. Moreover, businesses are increasingly recognising the value of integrating apprentices into their workforce, not just for the fresh perspectives and current academic knowledge they bring, but also as a means of developing a talent pipeline tailored to their specific technological and operational needs.

Some institutions, in particular engineering schools, report that those pursuing an apprenticeship route have a different profile compared to those who pursue their education in classroom settings with an internship. Graduates of BTS or DUT programmes already have some experience of workplaces, and in some programmes tend to pursue apprenticeships, while those admitted through preparatory courses more often pursue a school-based route with an internship. Another potential reason for this is that admission results after preparatory courses (and subsequent tests) are announced during the summer, while the recruitment for apprentice engineer positions tends to happen over the spring or early in the summer.

Upper-secondary and higher education institutions use different strategies for establishing connections with companies that provide internships or host apprentices. Many have built a network of partner companies, through prior professional connections, alumni networks as well as links to the local economy. Internal platforms allow students to connect with opportunities offered by employers, or students may find suitable opportunities on their own. In the field of cyber security, there is a diverse range of potential employers that offer work-based learning opportunities. Options include start-ups, in the digital sector or elsewhere, large private-sector companies as well as the public sector (e.g. ministries). Providers tend to report that it is easy to find placements for students, as the sector faces skills shortages and employers are keen to train and identify potential future recruits. There is also some variation across providers in how different schedules for those pursing an apprenticeship vs. those in school-based settings are organised. Some providers report high degrees of personalisation in terms of schedules, with the use of hybrid forms of teaching (online and in-person). Others schedule in-person lessons in a way that it is compatible with the schedules of both school-based students and apprentices.

Figure 3.11. Apprenticeships enrolment growth between 2014 and 2022, by field of study in the domain of services

In percentage change

Note: In educational contexts, “Services” as a field of study broadly covers service-oriented sectors such as hospitality, tourism, health and social care, business, and information and communication technologies services. This term typically includes vocational and professional training programmes in these non-industrial, non-agricultural areas, especially relevant in discussions of apprenticeship enrolment growth.

Source: DEPP (2016[61]), Repères and references statisques, www.education.gouv.fr/sites/default/files/imported_files/document/depp_rers_2016_614975.pdf.

Bringing cyber security professionals into the teaching workforce

At upper secondary level it is uncommon for teachers of vocational subjects to pursue parallel employment in the private sector. However, regulations allow for and encourage experienced professionals to move into the teaching profession. Teaching as a contractual or substitute teacher is possible without taking the national examination. Such non-tenured teachers allow to respond in a flexible way to changes in demand and tackle challenges related to tenured teacher shortages. Becoming a non-contractual teacher requires either holding a three-year tertiary qualification, or a lower level qualification (upper secondary or short-cycle tertiary level) combined with relevant work experience. The requirements for becoming a tenured teacher are more stringent. Candidates must succeed at a centralised examination for vocational upper secondary teachers (CAPLP), in the case of cyber security the examination focuses on electrical engineering. Candidates must hold a short-cycle tertiary qualification (at least), and five years of relevant work experience either in industry or in teaching. As successful candidates become civil servants, employment outside the school is subject to strict regulation (Vocation Enseignant, 2023[62]).

Part-time teachers who pursue employment in the private sector while dedicating some time to teaching are more common in upper-secondary and higher education. The teacher workforce in tertiary education programmes includes full-time teachers (who hold the title teacher-researcher) and part-time teachers from industry. All providers of programmes that lead to cyber security professions report extensively using part-time teachers who are industry professionals. The precise share of full-time teachers vs. part-time industry professionals varies across providers and programmes. However, including industry professionals is also one of the evaluation criteria for engineering schools (evaluated by the “Commission des titre d’ingénieur”). This is viewed by providers as essential in linking the content of their programmes to rapidly changing industry needs.

There is some variation across providers in how easy it is for them to recruit industry professionals who are willing to work as part-time teachers. Salaries for part-time teaching are not competitive compared to what skilled professionals may earn in industry. At the same time, industry professionals have different motives for engaging with teaching. Some have decades of industry experience and seek to pursue a different type of professional engagement. Others have close links with a particular provider, for example because they are alumni or because they collaborate on a research project, so they accept to teach part-time. For provider institutions engagement with part-time teachers involves additional administrative tasks. For example, schedules need to be organised around the professional constraints of part-timers. In the area of cyber security, some professionals may be on call for emergency situations, so unexpectedly they may not be available for their usual lesson. Inevitably, some part-time teachers may quit teaching, so they need to be replaced from one year to another. New part-time teachers need extra support as they gain confidence in teaching a course.

For full-time teachers, applied research projects conducted jointly with industry are an important means of maintaining close connections with this fast-changing sector. The way teaching tasks are shared between full-time and part-time teachers also varies across institutions. Some institutions report that theoretical subjects are taught by full-time academics, while more applied courses are commonly taught by part-time teachers from the industry. Other providers report that subjects are shared between full-time and part-time teachers based on their particular expertise, not necessarily along these lines.

Multiple initiatives have been implemented to facilitate the participation of experts in the cyber security teaching workforce. One such initiative is led by Campus Cyber, a central hub for cyber security collaboration, where relevant stakeholders such as training providers and companies meet to exchange experiences and knowledge. For instance, experts from multiple cyber security organisations located on the campus participate as teachers at the School of Engineering and Computer Science, EPITA, which is also based on the campus (see Box 3.8).

Employability

Reflecting the increasing demand for cyber security professionals (see Chapter 2) individuals trained in cyber security are highly employable (BDM, 2022[65]). In general, ICT graduates have higher employment rate than graduates with qualifications at the same level from other fields. In 2020, in France, 86% of ICT graduates from across all levels of education were employed compared to 68% of graduates from other fields. Similar patterns are found by qualification level except for graduates with short-cycle tertiary degree (e.g. BUT), who have lower employment rate than those from other fields. This is mainly due to the fact employer consider cyber security roles often require specialised skills and certification beyond foundational knowledge, which demands candidates with more extensive training or higher educational qualification for roles that are more complex. As a consequence, ICT graduates with a master’s degree have the highest employability rate among all ICT professionals (90% in 2020). Moreover, most graduates with cyber security specialisation find employment within a few months of completing their education (Eurostat, 2022[66]).

Figure 3.12. Employment rate for ICT graduates versus other fields, by level of education, 2020

Percentage of the working-age population, by qualification level and field

Note: ICT includes all the individual that indicated holding a degree in the ICT, including those related to cyber security. Other fields do not include a field data related such as engineering, manufacturing and construction, health and others. The field of study information is gathered for individuals that indicate attained at least upper secondary education.

Source: OECD calculations using Labour Force Survey. Eurostat (2022[67]), EU Labour force survey, https://ec.europa.eu/eurostat/web/microdata/european-union-labour-force-survey.

The long-term job quality for cyber security professional in France are also favourable. Cyber security professionals work mostly as employee and mostly so for large enterprises (see Figure 3.13, Panel A and Panel C). The proportion of cyber security professionals working in large enterprises is higher (69%) than for other ICT professionals (60%). Job stability is a strong feature in this field, as cyber security experts are integral to the long-term digital strategy of organisation. 82% cyber security professionals work full time, which is slightly lower than in other ICT fields, but higher than for professionals outside of the ICT field (see Figure 3.13, Panel B). In terms of the contract, most of cyber security professionals have a permanent job contract (82%) (see Figure 3.13, Panel D). Furthermore, the versatile skills set acquired in cyber security education allows for career flexibility, enabling professional to change and adapt to new roles or specialisation as the field evolves.

Figure 3.13. Employment characteristics of database and network professionals compared to other ICT and other sectors professionals

Note: Database and network professionals include cyber security professionals. Database and network professionals and other ICT professionals and associates include technicians, associate and professionals (including categories 2 and 3 of International Standard Classification of Occupations classification). Other occupation includes all the remaining categories of the ISCO classification, including professional and associates no in the ICT sector.

Source: OECD calculations using Labour Force Survey. Eurostat (2022[67]), EU Labour force survey, https://ec.europa.eu/eurostat/web/microdata/european-union-labour-force-survey.

Wages

Database and network professionals including those in cyber security earn higher incomes than their peers in other ICT roles and across other occupations (see Figure 3.14). Cyber security professionals predominantly occupy the higher income deciles. Cyber security skills are especially lucrative within the ICT sector, contrasting with a more uniform distribution of earnings among other cyber security jobs in sectors other than ICT. For instance, the average salary for a web and cyber security specialist in France is around EUR 75 996, with a range typically between EUR 58 121 and EUR 90 009. Similarly, a cyber security engineer's average salary is approximately EUR 68 025 in 2023 (Payscale, 2023[68]). For comparison, the average yearly salary for an information technology manager, which can be considered a broader ICT role, is around EUR 62 500 in France in 20231 (Salary explore, 2023[69]). These high salaries are primarily due to the increasing importance and complexity of safeguarding digital assets in the modern, digitally-driven world. It can also be attributed to the strong market demand for cyber security skills, coupled with a global shortage of qualified cyber security professionals, which further drive up their value and salaries.

Figure 3.14. Distribution of database and network professionals and other professionals by income deciles, 2020

Note: Database and network professionals include cyber security professionals. Database and network professionals and other ICT professionals and associates include technicians, associate and professionals (including categories 2 and 3 of the International Standard Classification of Occupations classification). Other occupation includes all the remaining categories of the ISCO classification, including professional and associates no in the ICT sector.

Source: OECD calculations using Labour Force Survey. Eurostat (2022[67]), EU Labour force survey, https://ec.europa.eu/eurostat/web/microdata/european-union-labour-force-survey.