3. The landscape of cyber security education and training programmes: The case of France

Chapter 2 underscores the robust and increasing demand for cyber security professionals, particularly highlighted in France where the volume of online job postings (OJPs) in this field has surged. This growth is attributed to the expansion of remote work and the broader integration of digital technologies, a trend accelerated by the COVID-19 pandemic. In France, as elsewhere, when the rising demand for cyber security expertise is not matched with an adequate supply of trained professionals, it results in talent shortages that can lead to vulnerabilities and cyber security threats. Such shortages are evident, with gaps in the cyber security workforce presenting significant challenges for the country.

Education and training to develop appropriate cyber security skills are vital to address these shortages and mitigate risks. France has increasingly become a digitised society where cyber security is a priority, including the necessity for a skilled workforce in this domain. The frequency and sophistication of cyberattacks are outpacing the nation’s defensive capabilities, reflected in the substantial growth in job postings for cyber security roles over the last decade. However, there is a notable gap in filled positions, signalling an urgent need for effective education and training systems, as well as policies that promote high-quality course offerings to attract a diverse array of learners. Employer engagement in programme design, clarity of career pathways into cyber security, and efforts to make the field more appealing to underrepresented groups, like females, are strategic actions to fill the workforce gap.

Many newcomers (i.e. individuals with no experience or skill in cyber security) to the cyber security field lack formal education in cyber security, often due to limited awareness and availability of targeted training. While many possess degrees in general computer science, specialised cyber security education is less common. To address this gap, young professionals frequently resort to self-study and utilise their professional networks to enhance their skills, underscoring the need for more accessible and known specialised training opportunities in cyber security.

French cyber security education spans from upper secondary levels like Vocational Baccalaureates to higher education, including advanced technician qualifications (Brevet de Technicien Supérieur, BTS) and university programmes like professional bachelor’s degrees. Tailored to labour market demands and learner diversity, these programmes also emphasise advanced qualifications like master’s degrees, highly valued by employers for cyber security roles. Additionally, France focuses on non-formal education, offering specialised continuing education modules for quick skill development and career transitions.

This chapter provides insights into the landscape of cyber security education and training in France, outlining strategies and policies aimed at expanding supply, fostering diverse participation, and ensuring the delivery of quality training in alignment with labour market needs.

This section provides an overview of the education and training landscape to prepare workers for cyber security roles in France. It focuses on education and training programmes that develop cyber security skills for entry-level jobs (i.e. a job that typically does not require an advanced level of education and training in the field or many years of relevant work experience). The first part of this section describes formal education programmes in this area, starting from vocational upper secondary education and up to master’s level programmes. Given the focus on preparation for entry-level jobs, engineering programmes and specialised master’s degrees are described here, but are not the focus of the remaining parts of the report (Box 3.1). Following the description of formal education programmes, the second part of this section looks at non-formal education, which includes courses that do not lead to a formal qualification but may lead to certificates, including those delivered by industry.

Cyber security education and training for entry-level jobs in France include both formal and non-formal programmes. Formal education programmes in cyber security are available at various levels including upper secondary education (Vocational and Technological Baccalaureate), short-cycle tertiary programmes (Brevet de Technicien Supérieur, BTS) and bachelor’s level programmes (see Figure 3.1). Much cyber security education and training, however, is offered at the graduate level, involving engineering programmes (leading to an ISCED level 7 qualification) and specialised master’s degrees (ISCED level 7). This study focuses on qualifications at or below bachelor’s level (ISCED level 6). The programmes covered in this study include both programmes that specifically focus on cyber security and programmes with a slightly broader focus, which include cyber security in their curriculum or as an area of specialisation. The latter category includes system engineering, information security, information systems management, ethical hacking, network security and information auditing.

Non-formal education encompasses courses that may lead to certificates but do not confer formal qualifications (see Figure 3.1). Professional certificates are offered by various organisations, providing targeted instruction and practical experience. The recent surge in demand for specialised information and communication technology (ICT) skills, such as cyber security, has led to a notable expansion in other forms of non-formal short courses, such as specialised training modules through continuing education. These offer flexible and accessible learning opportunities, allowing individuals to acquire expertise quickly and efficiently. Focusing on specific skill sets, these courses help address immediate local skill demands (i.e. subregional level) and enable professionals to stay updated with the latest industry developments.

Formal education programmes that develop skills for cyber security are delivered at various levels in France. Among programmes that prepare for a first entry into the labour market, provision ranges from upper secondary programmes (at ISCED level 3) to engineering degrees (at ISCED level 7). This section describes programmes at each level.

The array of formal specialised cyber security programmes is extensive and predominantly focused on short cycle tertiary education (ISCED 4 and 5). For the 2022-2023 academic year, a total of 1 025 cyber security programmes were offered across formal education institutions. The majority of these – around 900 (or 87% of the total) – were concentrated at the upper secondary (ISCED 3) and short-cycle tertiary levels (bac+2, ISCED 5) (see Figure 3.2). A further 69 specialised programmes were available at the bachelor’s level (bac+3, ISCED 6). It’s important to note that these figures exclude engineering programmes that may incorporate cyber security modules or emphasis, suggesting that the actual number of programmes in this field could be even higher.

Enrolment in computer science and related areas is considerably concentrated in higher education programmes. In 2021, around 240 000 students in this field enrolled in undergraduate (ISCED 6) and master’s (ISCED 7) programmes, marking a 76% increase compared to 2011 (see Figure 3.3). This increase is the result of efforts made by the government to guide young people towards science, technology, engineering and mathematics (STEM) subjects, particularly those programmes that meet the immediate needs of the labour market. In vocational and professional secondary education (ISCED 3), the number of students enrolled in computer science-related programmes has remained stable over the last decade, with approximately 60 000 students.

Even though the number of programmes in short-cycle tertiary education in computer science (e.g. Advanced technician qualifications, Brevet de technicien supérieur, BTS in ISCED 5) is higher than in other educational levels, enrolment concentrates in higher education programmes (e.g. University Bachelor of Technology, professional and academic bachelor’s programmes, bachelors in ISCED 6). This can be attributed, on one hand, to recent reforms that have revitalised the offering of courses, particularly in cyber security, computers and networks, and electronics (JORF, 2020[5]) (MESR, 2023[6]), to which enrolment has not yet fully responded. These reforms have introduced more up-to-date content, advanced teaching methodologies, and industry-relevant skills into the curriculum. On the other hand, according to stakeholders interviewed, young people interested in studying computer science tend to enrol in higher education programmes (e.g. bachelor’s programmes) due to their potential for career progression. Such programmes often open up more career options, including the possibility of academic research or more specialised roles, and offer greater global recognition.

In France, upper secondary education leads to three types of baccalaureate qualifications (qualification delivered in upper-secondary education in France): the General, Technological and Vocational Baccalaureate. All three programmes take three years to complete and serve both as an upper-secondary education diploma and as a university entrance exam. Depending on the specialisation and optional subjects chosen, students are tested on a broad range of topics. The results are critical for admission into higher educational institutions, including universities, Grandes Écoles, and technical institutes.

Most students opt for the General Baccalaureate option in upper-secondary education. However, among those in General Baccalaureate, only a few choose to take classes related to computer sciences and digital technology, which can be relevant for pursuing more advanced education in the field of cyber security. In 2021, only 54 000 General Baccalaureate students, including those in their second and third years of upper secondary education, took classes in this area of knowledge (4% of all General Baccalaureate students) (see Figure 3.4). Nevertheless, this proportion has grown compared to 2011, showing a 30% increase.

Enrolment in cyber security relevant fields in Technological and Professional Baccalaureate is higher than in General Baccalaureate, which indicates learners in these programmes are interested in getting skills needed for immediate employment upon graduation, since they are involved in more hands-on training and have stronger ties to the industry. More than 20% of students of Technological Baccalaureate are enrolled in the Science and Technologies for Industry and Sustainable Development (STI2D) programme including cyber security training. A similar proportion (17%) of students in Professional Baccalaureate are enrolled in the digital and energy transition programme. These shares have increased over time (12 percentage points and 17 percentage points compared to 2018), reflecting an increase in the interest of learners in engaging in training related to the ICT sector. The following sections will discuss in more detail the last two programmes: Vocational and Technological Baccalaureate.

The Vocational Baccalaureate (baccalauréat professionnel, bac pro) prepares students for a specific profession, but also allows for the possibility of further studies, especially for technical higher education courses such as BUT. These courses are offered by vocational upper secondary schools (lycées professionnels) and cover a range of professional fields including information technology (IT). One of the programmes is entitled “Cyber security, IT, networks and electronics”, offered within the “digital and energy transition” professional family. Over the three years of the programme, students gradually specialise within a field and towards a selected profession. Students who pursue a school-based route spend their first year focusing on “Professions of the digital and energy transitions” and may choose cyber security during the second year. Alternatively, students may pursue the programme through an apprenticeship (whereby students alternate education and training in schools and in companies), starting in the first year with a focus on cyber security. Programmes are designed to lead into the labour market, as technicians. It is however possible, subject to certain conditions outlined below, to access a higher education programme.

Upon completing a bac pro, students have several pathways available to them, both in terms of further education and immediate job opportunities. They might choose to further their studies through programmes such as the BTS, a two-year course aligned with their field. Alternatively, some may venture directly into university aiming for bachelor’s or master’s degrees in relevant subjects or even explore non-formal training providers offering courses in cyber security. In terms of immediate employment, the bac pro qualification makes them eligible for entry-level roles in cyber security, ranging from junior analyst positions to IT support roles with a security emphasis. Internships are another viable route, providing hands-on experience and potential full-time job offers.

From the start of the 2023 academic year, bac pro programmes offered in the field of “digital system” become “Cyber security, computer sciences and networks, electronics” (Cybersécurité, Informatique et réseaux, Électronique, CIEL) (see Figure 3.5) (MENJ, 2023[10]). Following this reform (JORF, 2023[11]), learners interested in pursuing further education will have two options after completing a bac pro in CIEL: (1) enrolling directly in a BTS in CIEL, specialising either in “Computer sciences and network” or in “Electronics and network”, or (2) taking an extra year to obtain a field specialisation (Mention complémentaire or MC) either in “Production and repair of electronic products” or in “cyber security”. This additional year for field specialisation is designed to provide specialised skills or knowledge in a specific field, complementing the education and training received in the initial course of study (MENJ, 2023[12]). An MC includes both classroom instruction and practice-oriented vocational training through internships. The goal is to deepen students’ skills in a particular area, making them more competitive in the job market or preparing them for further studies.

The CIEL Vocational Baccalaureate trains technicians who can intervene in the production and maintenance processes of electronic products (production of models and prototypes, maintenance of an electronic system or computer network). Students acquire the skills to implement computer networks (installation of the elements of an electronic system and operation of the network). They are also trained in the analysis of software or hardware, for the purpose of cyber security and data enhancement. Graduates are trained to carry out activities in the “4.0” industry, in the fields of intelligent networks and data exploitation: industry (industrial automation, “4.0 and 5.0” factories, smart city, etc.), home automation, cyber security, telemedicine and health, transport, telecommunications, the Internet of things, etc.

Cyber security, IT and network vocational programmes are predominantly offered by upper secondary vocational schools (Lycée professionnel) compared to other programmes within the digital and energy transition field (see Figure 3.6). The predominance of bac pro in cyber security at Lycée professionnel institutions implies a strong emphasis on practical, job-ready skills closely aligned with industry needs. While this makes the training accessible and directly applicable to the workforce, it may lack the theoretical depth and broader academic context often required by university-level courses. This focus on vocational training is valuable for immediate employability especially for entry level jobs. However, given most cyber security roles require higher level qualifications and deeper expertise in the cyber security field, bac pro graduates are likely to need additional training in further education to develop skills allowing them to progress to more advanced job positions.

The Technological Baccalaureate is designed to provide students with foundational knowledge in specific technological fields such as engineering sciences, IT, health sciences, and agronomy. Unlike the academically focused General Baccalaureate, it melds traditional subjects with specialised, career-ready training, particularly in the final two years of upper-secondary education, the “première” and “terminale”. While the Technological Baccalaureate strikes a balance between academic and technical proficiency in specialised areas, the Vocational Baccalaureate is distinctly designed for students targeting immediate employment, offering hands-on skills tailored to specific industries.

Students can choose among eight possible programmes covering topics from health and social science to industry, innovation and digital transformation (Education, 2023[16]). Two of the specialisations offered are relevant to the IT and cyber security sector: ‘Science and technologies of management’ (Sciences et technologies du management et de la gestion, STMG) and ‘Science and technology for industry and sustainable development’ (sciences et technologies de l’industrie et du développement durable, STI2D) (see Table 3.2). Both programmes include specialties relevant for the cyber security sector. The STMG programme includes a specialisation on ‘Information and management systems’ which covers the use of information systems and ICT management. The STI2D programme includes the specialisation ‘Information and digital system’, which is oriented towards students interested in learning how to process digital information and develop hardware and software products, and which can be a better fit for learners interested in engaging with more specialised technical education in the cyber security field.

While fewer students overall enrol in the Technological Baccalaureate compared to General Baccalaureate, those who do choose this path are increasingly interested in the offerings of the STI2D programme. Technological Baccalaureate enrolment has decreased in the last decade, especially in the STI2D programme (see Figure 3.7). In 2022, 56 636 students enrolled in STI2D, 748 fewer than in 2014. However, the share of students in Technological Baccalaureate engaging with STI2D has increased, going from 16% in 2014 to 19% in 2022. The STI2D programme resonates with contemporary global challenges and job market trends beyond the cyber security sector. As technological advancements and sustainability become central themes in modern industries, students may perceive STI2D as offering more relevant skills and better future career opportunities.

While the Technological Baccalaureate equips students with technical and foundational applied skills, for specialised domains like cyber security, the knowledge and skills garnered through this qualification alone might be insufficient for many entry-level positions. This may be due to the lack of practical skills which makes the Vocational Baccalaureate better placed for initial roles. To delve deeper into cyber security, students typically continue their education at the University Institutes of Technology (Instituts Universitaires de Technologie, IUTs) or other higher technical institutions. Additionally, they can pursue studies at universities or other higher education institutions such as Grandes Écoles. For the latter, students from both Technological and General Baccalaureate who are interested in advanced cyber security learning, such as a bachelor’s degree, often enrol in classes prépas. These are preparatory courses designed to ready students for entry into Grandes Écoles (see Box 3.2).

Advanced technician qualifications (Brevet de technicien supérieur or BTS) are short-cycle tertiary qualifications (ISCED level 5) and take two years to complete. To enrol in a BTS programme, students must hold a baccalaureate. Depending on the specific BTS course, certain types of baccalaureates may be preferred (see Table 3.3).

BTS programmes offer specialised vocational training across various fields, blending theoretical lessons with practical experience, often integrating internships. From the 88 available specialisations spanning multiple sectors, students keen on cyber security can select the “IT and Networks, Electronics (cybersécurité, informatique et réseaux, électronique, BTS CIEL)” track. Within this track, two options exist: Option A “Computer science and networks”, focusing on training technicians in coding IT solutions, data management, and secure database storage; and Option B “Electronics and networks”, emphasising electronic system design, hardware-software assembly, and computer network management (MESR, 2023[22]). While the BTS diploma is fundamentally designed for immediate professional integration, students with commendable academic achievements or exceptional exam marks can advance to a bachelor’s degree in Computer Methods Applied to Business Management (MIAGE). Alternatively, they may pursue a professional license in the IT and networks sector, either through an IT-specialised school or a post-baccalaureate in the industrial technology preparatory class (Classes Préparatoire Adaptation Technicien Supérieur, ATS), setting them on track for an engineering school.

After completing a Vocational or Technological Baccalaureate in CIEL or STI2D, students can enrol in the BTS SIO programme (Brevet de Technicien Supérieur – Services Informatiques aux Organisations). Established in 2011, the BTS SIO is a two-year programme recognised by the French state. It prepares graduates for immediate employment in the IT sector or for further studies in computer science. The BTS SIO offers two specialisations: SLAM (Solutions Logicielles et Applications Métiers) and SISR (Solutions d’Infrastructure, Systèmes et Réseaux). SLAM focuses on software solutions and business applications, including drafting specifications, developing software solutions, and integrating them into organisations (Onisep, 2023[23]). SISR targets future professionals in network and computer equipment, emphasising installation, maintenance, and security of IT systems (Onisep, 2023[24]).

Enrolment in short-cycle tertiary programmes has declined over the past decade. However, participation in courses related to computing, information processing, and data management has seen a slight uptick (see Figure 3.8). In 2022, 9 944 students enrolled in these programmes, marking a 9% increase from 2014. This sector is among the top five in demand. The popularity of BTS programmes in computing and data, despite the broader decline, underscores France's growing reliance on technology. Traditional fields may be losing appeal due to limited growth, while tech roles offer better job opportunities and adaptability, making them more attractive to students. Furthermore, national strategies and policy reforms, such as the inception of a national digital and computer sciences day, an expanded course offering, and improved information and career guidance on the ICT sector, have amplified its allure (NSI, 2023[25]).

Individuals can also opt for apprenticeships at initial levels to prepare for entry-level cyber security jobs. Apprenticeships combine classroom learning with real-world work, allowing apprentices to gain job-specific skills while working alongside experienced staff from the sector in addition to the more theoretical aspects of cyber security. Students can participate in apprenticeships at various levels, depending on their previous experience, their knowledge in the field, and, in some cases, their prior qualifications. Apprenticeships range from those targeting beginners in the field (equivalent to Vocational Baccalaureate or ISCED 3) to those for more experienced learners (equivalent to a master’s degree or ISCED 7).

A significant imbalance exists despite the availability of cyber security apprenticeships at all levels: at short-cycle tertiary level, apprenticeship positions are plentiful, but enrolment is much higher in advanced-level apprenticeships (see Figure 3.9). As of October 2023, the ONISEP portal listed positions in apprenticeship programmes, with the majority (72%) corresponding to short-cycle programmes (ISCED 5) (see Figure 3.9, Panel A). This indicates a commitment by educational institutions and employers to extend work-based learning to newcomers in cyber security. However, when it comes to actual enrolment, 72% of apprentices enrolled for bachelor’s, master’s, or doctoral level programmes (see Figure 3.9, Panel B). This trend towards advanced-level programmes is shaped by career aspirations and the enhanced employability associated with higher degrees. Moreover, employer preferences lean towards recruits with a deeper educational background for handling sophisticated tasks.

Enrolment in ICT-related apprenticeship programmes has increased significantly over the last decade, particularly at advanced levels, mirroring the sector's rapid growth and the escalating demand for specialised, high-level skills in the digital market, including cyber security. In 2023, close to 85 000 students were engaged in ICT apprenticeships, a fivefold increase from 2014 (see Figure 3.9, Panel B). The growth is even more pronounced at the higher educational levels (bachelor’s and master’s degrees), where enrolment has risen eightfold since 2014. This uptick is driven by government support for vocational education and the alignment of programmes with industry demands, ensuring apprentices are well-prepared for the evolving technological landscape. Additionally, tax incentives for companies employing apprentices and enhanced collaboration between higher education and the tech sector have been influential, multiplying opportunities and incentives for students (MTPEI, 2021[27]).

At the bachelor’s level, three types of qualifications may prepare for a career in cyber security: university bachelor’s of technology (BUT), professional bachelor’s and academic bachelor’s degrees. The distinction between BUT programmes and professional bachelor’s qualifications is rooted in their history. Until the 2021 reform, BUT programmes existed in a shorter form: two-year programmes led to a short-cycle tertiary qualification (diplôme universitaire de technologie or DUT). Graduates of DUT programmes commonly pursued an additional year of education, such as obtaining a professional bachelor’s qualification. Since the 2021 reform, the new BUT programmes are one year longer than their predecessor and lead to a bachelor’s level qualification. Professional bachelor’s programmes maintain their function of following up on short-cycle tertiary education, as they continue to offer a progression route to BTS graduates.

University bachelor’s of technology (BUT) programmes take three years to complete and are provided by University Institutes of Technology (IUT), nested within universities. BUT programmes target recent upper secondary graduates who seek to pursue higher education that prepares for careers in technology-related fields. Among 2021 entrants to BUT programmes, 57% held a General and 40% a Technological Baccalaureate. Only 1.5% of entrants held a Vocational Baccalaureate (ONISEP, 2023[28]). BUT programmes may be pursued either through the traditional route, with an internship (22-26 weeks over the three-year period of the programme), or through an apprenticeship route, alternating periods of school-based and work-based learning. The programme has an applied focus, and some courses are taught by professionals in the sector.

BUT programmes are available in the field of “Networks and telecommunications” (see Table 3.4). During the second year of studies, students must choose between four tracks, one being cyber security. The cyber security track allows students to acquire skills needed to administer and supervise secure information systems and respond to cyberattacks. Graduates are equipped with the skills needed to implement security protocols and manage IT security compliance in line with relevant legislation (e.g. data protection) and government recommendations, which is one of the most relevant skills required for cyber security professionals in France (see Chapter 2). BUT programmes in networks and telecommunications may be accessed with a General or Technological Baccalaureate (“Sciences and technologies of Industry and sustainable development”). Access with a Vocational Baccalaureate (“Cyber security, ICT and networks”) is possible if the candidate has a particularly strong profile. These programmes prepare for labour market entry, but a considerable share of graduates transition into an engineering school and graduate with an engineer qualification (at ISCED level 7).

Various progression routes are open to BUT graduates. After two years spent in a BUT programme, students may transition to a bachelor’s programme at a university. While BUT programmes are oriented towards labour market entry, graduates may also apply to a master’s level programme upon completion. In addition, many engineering schools welcome students from IUT, through their parallel admissions. The number of places assigned to these profiles and the diploma specialties accepted vary from one school to another.

The professional bachelor’s qualifications at bac+3 level are provided mostly by IUTs, nested within universities. They allow students to acquire or deepen their theoretical and practical knowledge and skills in a particular sector or to prepare for a specific profession. Prior to the 2019 reform, professional bachelor’s qualifications were obtained through a one-year programme, which followed up on two-year DUT qualifications (MESR, 2022[31]). Since the reform, professional bachelor’s programmes may be accessed directly after the completion of upper secondary education, or after one or two years of tertiary education (after gaining 60 or 120 ECTS credits). The duration of the professional bachelor’s programme may now vary from one to three years, depending on the entry point of students.

Among the 173 specialisations on offer, several may focus on cyber security: “Computer Professions: Systems and Networks Administration and Security”; “Computer Networks and Telecommunications Professions”; and “Automated Systems, Networks, and Industrial Computing”. The coursework includes theoretical and practical lessons, simulations of professional exercises, as well as a period of work-based learning in the company. One-third of the professional bachelor’s programme includes individual and collective tutored projects or compulsory internships. A quarter of the lessons are taught by professionals in the field. Many professional bachelor’s qualifications are pursued through an apprenticeship, alternating periods of school-based and work-based learning (see Table 3.5 for some examples).

Academic (non-professional) bachelor’s programmes take three years to complete and are delivered within universities. Unlike professional bachelor’s programmes, they are less oriented towards preparation for labour market entry. While students may pursue internships, those are not a mandatory part of the curriculum. Various bachelor’s programmes prepare for employment in the digital sector and contain a substantial element of cyber security. Graduates of these bachelor’s programmes are well-prepared mainly for further academic pursuits, including specialised master's degrees that offer deeper expertise in the field (see Table 3.6 for some examples).

Academic bachelor’s programmes have a broader focus (e.g. computer science) and do not specifically prepare for a career in cyber security. The curriculum of academic bachelor’s programmes encompasses a broad spectrum of subjects, from the essentials of computer science to advanced topics in network security, ethical hacking, cryptography, and information systems security. Alongside technical skills, these programmes emphasise understanding the legal and ethical aspects of cyber security, critical for managing risks and protecting information in a professional setting. Although primarily taught in French, some programmes offer courses in English, thus attracting an international cohort.

The escalating frequency and sophistication of cyber threats have heightened the need for advanced cyber security programmes. In response to this demand, there is a marked increase in students advancing from bachelor’s to master's programmes, with 38% of computer science higher education enrolment in 2022 dedicated to these advanced levels (see Figure 3.3). These programmes delve into specialised domains of cyber security, preparing students for the complexities of the field. Moreover, for those seeking to attain an even higher level of academic credential, prestigious grandes écoles offer engineering degrees, and doctoral studies provide avenues into research and teaching (see Box 3.3).

Non-formal training in the field of cyber security is an increasingly popular alternative pathway to traditional academic routes, catering to the need for flexible and focused skill development. These trainings are offered by a diverse range of providers, including private training companies, industry associations, and online platforms. This type of training is characterised by its practical orientation, shorter duration, and often, the provision of certifications that are highly regarded by employers in the cyber security sector. Such non-formal programmes are designed to meet the demands of working professionals seeking to update their skills, career changers, and organisations looking to rapidly upskill their workforce in response to the dynamic cyber threat landscape.

In France, non-formal education programmes cover a wide range of courses, so this section focuses on two of the most popular in the cyber security field: continuing education programmes and certificate training.

Continuing education programmes (formation continue) are one of the multiple non-formal up- and reskilling opportunities available to individuals in several fields, including cyber security. These programmes are tailored for professionals aiming to enhance their existing expertise or pivot their careers into the cyber security domain. Within continuing education programmes, learners can engage with institutional diplomas or certificates (Diplôme d'établissement), which are developed and conferred by educational institutions, offering them the flexibility to design programmes that swiftly respond to industry shifts and specialised professional requirements. These diplomas, while tailored to the institution’s standards, are well-regarded within the professional sphere, especially when issued by reputable schools. An example of this diploma in the cyber security field is the “Certificat de Spécialisation en Cybersécurité” offered by multiple grandes écoles or universities. This training is collaboratively prepared with industry partners to ensure the programme is in line with the latest cyber security trends and practices (see Table 3.9 for other examples).

Entrance into a “Diplôme d'établissement” cyber security programme usually requires a background in computer science or a related discipline, with additional prerequisites that may include certain IT competencies or preliminary courses. After completing this targeted diploma, graduates are poised for immediate entry into the cyber security job market, leveraging their specialised training to meet industry demands. For those looking to deepen their expertise, further educational pursuits or professional certifications are viable next steps, opening doors to advanced security roles or managerial positions within the cyber security sector.

Regardless of the field, the number of continuing education courses offered and the number of diplomas awarded have been increasing, indicating a growing demand for short, concise courses focused on imparting specific, highly sought-after skills in the job market (DEPP, 2023[9]). In 2021, around 40 400 institutional diplomas were awarded, nearly double the number offered in 2010 (just over 24 000) (see Figure 3.10). A similar pattern is found for courses in the field of computer science, including cyber security. In 2022, around 9 250 people were trained, including through continuing education programmes, to become specialists in the field at all levels (MFIDS, 2022[43]), thanks to the national acceleration strategy for cyber security, developed by the French Government (MFIDS, 2021[44]).

Certificate training programmes are certification-oriented educational programmes that offer a mix of theoretical and practical training culminating in credentials recognised in the industry. In contrast to the “Diplôme d'établissement” programmes, these certificates are provided mostly by specialised providers or relevant companies in the cyber security field. With their emphasis on direct applicability and the fast acquisition of in-demand skills, these programmes are ideal for professionals aiming to quickly enhance their expertise or break into the cyber security field.

A wide range of certificate training programmes are available in the field of cyber security. This study focuses on three of them. A “simple certificate (attestation simple)” refers to a basic form of certification or acknowledgment for completing a training course. It does not involve any rigorous examination process or compliance with international standards. The ANSSI, through the SECNUMEDU-FC certification, recognises certifying non-formal training that meets its quality standards. In 2023, there are 60 simple certificate training programmes recognised by ANSSI, covering multiple specific competencies and at different levels of difficulty (ANSSI, 2023[45]). (Table 3.10 shows some examples.)

Learners can also engage with ISO/IEC 17024 certified training programmes, which are aligned with an internationally recognised standard. This ensures that professionals holding certifications in cyber security have been evaluated rigorously and fairly, based on global benchmarks for their skills, knowledge, and abilities. Adherence to ISO/IEC 17024 guarantees a certification process that is transparent, impartial, and of consistent quality, fostering trust and recognition in the expertise of certified cyber security professionals worldwide. As of 2023, ANSSI has recognised 20 ISO/IEC 17024 training programmes and is planning to expand this offering in 2024 (ANSSI, 2023[45]).

The Professional Qualification Certificate (Certificat de Qualification Professionnelle, CQP) is an industry-recognised French certification denoting an individual’s capability to perform a specific role, particularly within technical or vocational domains (MTPEI, 2017[47]). Acting as a skills and competency benchmark, these certificates are driven by sector-specific professional organisations to meet workplace standards. Within cyber security, CQPs hold significant value due to the field's specialised requirements. They affirm a professional's proficiency in roles ranging from security analyst to incident responder, aligning with the pressing demand for experts adept at countering cyber threats and safeguarding information. Cyber security CQPs prioritise practical, job-related skills and knowledge required to meet the exacting expectations of employers in this crucial sector.

Finally, numerous online platforms provide French-language cyber security courses, broadening the accessibility of specialised training (see Box 3.1). These courses serve a spectrum of learners, offering flexible, self-paced learning environments from foundational to advanced levels. The flexible mode of delivery and interactive nature of online courses, coupled with certification options, make them an attractive avenue for those seeking to enter or progress in the cyber security field.

The background to current efforts to enhance cyber security education is the National Strategy for Cyber Security, supported by a EUR 1 billion investment package (Box 3.5). This infusion of resources is dedicated to elevating the nation’s cyber defences through advanced education, innovative research, and specialised training programmes, aimed at cultivating a skilled cyber security workforce.

A major challenge is to anticipate future skills needs, identifying professions and competences of the future, as well as those that will be less needed (including within the field of cyber security, as for example artificial intelligence reshapes how cyber security professionals work).

The programme “Competences and professions of the future 2021-2025” (“AMI-CMA” in French) is a key tool to help the education and training system respond in an agile way to expected skills needs. AMI-CMA is part of the broader strategy “France 2030”. The first wave was launched in 2021 and ended in March 2023. The second wave started in May 2023. In the context of efforts to support re-industrialisation and sovereignty, major skills gaps appear in various fields: in particular the digital economy, healthcare and food. The AMI-CMA programme aims to train 400 000 people per year by 2030 and yield one million new graduates by 2030 at various levels: operators, technicians, engineering assistants, engineers, as well as master’s and doctoral graduates, mostly in STEM fields. The AMI-CMA programme contains two elements. The first is diagnostic: assessing skills needs in the light of existing education and training programmes, in order to identify priorities for investment. The second element is training: developing new education and training programmes. New programmes must build on a prior diagnostic that identified a gap. They are then developed through a consortium that includes employer representatives and a training provider (e.g. university, school, apprentice training centre) (ANR, 2021[49]).

The Ministry of Higher Education and Research emphasises the importance of three levels of expertise and related education programmes in cyber security. First, it seeks to develop good digital hygiene habits in the entire population, so that cyber security becomes a “reflex”. Efforts in this area target in particular higher education students, but also include initiatives at lower levels of education. Second, efforts aim to ensure that individuals are equipped with skills needed to use existing cyber security solutions. This targets higher education students, mostly at short-cycle tertiary and bachelor’s level. The third area of interest is to develop a talent pool of individuals who can develop cyber security solutions. This involves advanced higher education programmes, including engineering programmes, master’s and doctoral programmes. Efforts focus also on supporting research, both in private and public entities.

Within higher education, one question is at which level cyber security programmes are, or should be, offered. Interviews conducted with policy makers in higher education suggest that the overall vision is that during the first years of higher education students tend to develop a broader set of skills within their field of study. Higher levels of specialisation usually happen at later stages, mostly five years into higher education – in the form of long first-degree programmes, such as those offered by engineering schools, or master’s degrees. The balance between bachelor’s level profiles and master’s level profiles (including engineers) is about a quarter for the former and three quarters for the latter. Companies seeking to recruit an information systems security manager typically require an engineering degree. This reflects the broader role of engineering schools in supplying advanced technical skills within the French economy. Finally, PhD graduates play a key role in supporting innovation efforts in the field of cyber security, both within the public and the private sector.

In addition, there is recognition among policy makers and higher education providers that it is necessary to include an element of cyber security in some programmes outside the digital sector. Examples include law and marketing – programmes that train future professionals who have an important role to play in the case of cyberattacks or in providing cyber security solutions. Box 3.6 provides an example of how cyber security is integrated into a management programme.

The French cyber security strategy is closely intertwined with broader European efforts, such as Horizon Europe and the Digital Europe Programme, to establish a cohesive cyber security skillset across the EU. Anchored by the European Cyber security Skills Framework, these collaborative measures aim to harmonise skills qualifications and ensure a standardised approach to cyber defence (see Box 3.7). Additionally, the Cyber security Skills Academy in the European Union serves as a hub for professional training, further amplifying the strategy's effectiveness (see Box 3.7). France’s active involvement in these initiatives fosters a harmonious integration of expertise and resources, reinforcing a shared infrastructure of cyber security capabilities that safeguard the interconnected network of the EU. These concerted actions are pivotal in bolstering the region’s digital resilience against an array of cyber threats.

Two quality labels have been developed to signal high-quality cyber security content in education and training programmes. The two labels are designed for two different levels of expertise, reflecting the idea that ensuring cyber security requires not only skilled professionals with technical cyber security skills, but also some knowledge of cyber security issues among those working in a broader set of professions. The first label focuses on programmes that include an element of cyber security within professions linked to the digital sector. The second label focuses on highly technical programmes that develop specialised technical skills in cyber security, preparing professionals for entry into employment as a cyber security specialist. Both labels are discussed in detail below.

Several higher education institutions that prepare for employment in the digital sector seek to go beyond raising awareness. They integrate a stronger element of cyber security in their programmes, but do not train specialised cyber security professionals.

ANSSI established the label CyberEdu to signal education programmes within the digital sector that integrate an element of cyber security. Its development followed the publication of a White Paper on Defense and National security in 2013. The CyberEdu label is designed to help the introduction of cyber security concepts into all digital-related training programmes in France. The goal is to ensure that all those involved in the information systems chain (e.g. administrators, developers, project managers) feel concerned, as digital security also requires the engagement of those who are not experts in the field. The approach seeks to improve vigilance and incident response, limit vulnerabilities in information systems, and facilitate co-operation with cyber security specialists. All professionals need to be aware, initiated, or even trained in cyber security without necessarily becoming experts in the field.

The Association CyberEdu was established to help implement efforts in this area. It brings together computer science teachers, cyber security specialists, and non-specialists, to promote the CyberEdu approach throughout the country. Their activities include developing pedagogical tools, organising events and communication regarding cyber security, and certifying training programmes. These efforts are aligned with the National Strategy for Cyber security, presented by the prime minister in 2015. This strategy outlined two objectives that are related to CyberEdu: integrating cyber security awareness into all higher education and continuing education programmes; and integrating cyber security training into all higher education programmes that include a component of computer science (CyberEdu, 2022[52]).

One of the Vocational Baccalaureate programmes is certified by CyberEdu: “Cyber security, ICT and networks”. In addition, several short-cycle tertiary qualifications are certified by CyberEdu. The main programme at short-cycle tertiary level is the “BTS in information technology services for organisations”. It has two options: “Infrastructure, systems and networks solutions” and “Software solutions and business applications”. Both options contain cyber security as one of the three key competence areas targeted by the programme. These programmes may be accessed with different types of baccalauréat: the Vocational Baccalaureate in “Cyber security, ICT and networks”, or a Technological Baccalaureate (either “Sciences and technologies of management and administration” or “Sciences and technologies of Industry and sustainable development”). Admission is also possible with a general baccalauréat. While most graduates will enter the labour market upon completion, it is possible to progress to a professional bachelor’s programme in the same field. Finally, several bachelor’s programmes have gained the CyberEdu quality label. This includes bachelor’s programmes as well as professional bachelor’s programmes (Table 3.12 provides some examples).

The Digital Security Education (Sécurité Numérique éducation or SecNumedu) label was developed to identify high-quality specialised programmes in cyber security. This accreditation is awarded by the ANSSI, the French National Agency for the Security of Information Systems, which serves as the country’s chief authority on defending its information systems. The SecNumedu label recognises courses that meet a high standard of quality and provide relevant, comprehensive training in the field of cyber security. It covers a wide range of programmes, from entry-level cyber security courses to more advanced and specialised courses, each catering to different aspects of cyber security such as network security, data protection, cyber threat intelligence, and ethical hacking.

The benefits of the SecNumedu label are substantial for both educational institutions and learners. For institutions, having the SecNumedu label denotes a recognised quality standard for their programmes, which can help attract more learners, foster institutional prestige, and, in turn, support the continuous development of the cyber security field. For learners, enrolling in a SecNumedu labelled programme ensures that they receive up-to-date, comprehensive, and high-quality education in cyber security. Additionally, a certificate from a SecNumedu accredited course can enhance their employment prospects, as employers often look for candidates with recognised qualifications in the competitive field of cyber security. By ensuring a certain standard of training, the certification benefits the entire ecosystem - it helps the institutions to maintain quality education, and it helps the learners to gain relevant and recognised skills in the cyber security domain.

The SecNumEdu label concerns mostly engineering programmes and master’s programmes, but it is also associated with some professional bachelor’s degrees. Table 3.13 provides some examples of programmes that have obtained this label.

This section focuses on two kinds of industry involvement in the delivery of education programmes in the field of cyber security. The first part describes the use of work-based learning in cyber security programmes. The second part explores the involvement of professionals in cyber security in teaching future professionals in the field.

An element of work-based learning is commonly used in programmes that focus on cyber security (as well as other professionally-oriented programmes). Work-based learning, especially through apprenticeships, offers graduates an edge by fostering close ties with specific companies and industries, often leading to more permanent job placements right from the start (Couppié and Gasquet, 2021[58]). Thus, the inclusion of a mandatory internship is a quality criterion for obtaining a SecNumEdu label. For example, three-year programmes leading to a Vocational Baccalaureate require 18 to 22 weeks to be spent in work-based learning (ONISEP, 2023[59]). BTS, DUT, professional bachelor’s and engineering programmes either involve a mandatory internship or may be pursued through an apprenticeship, alternating periods of work-based learning with classroom learning (see Table 3.8). For example, at the Saint Malo University Institute of Technology, apprenticeship is a common route to BUT qualifications. Among first-year students 30% pursue an apprenticeship, among second-year students 60% do so, while all third-year students pursue this route. This typically involves alternating one month spent within the IUT and one month spent with an employer.

Participation in apprenticeships has increased significantly over the last decade, particularly in the ICT field (see Figure 3.11). The number of ICT apprentices has risen by 80% since 2014, which is nearly 20 percentage points higher than the average for all fields within the service sector. While apprenticeship enrolment has climbed at all levels and across all fields, it has been predominantly concentrated at higher educational levels, including bachelor’s, master’s, and PhD programmes. Specifically, the number of ICT apprentices at these advanced levels has almost doubled in 2022 compared to 2014. As technology rapidly advances, there is a pressing need for a highly skilled workforce with expertise in areas such as cyber security, data science, and software development. Higher education institutions have responded by creating more apprenticeship opportunities that dovetail with advanced degree programmes, offering students the dual advantage of academic credentials and practical, work-based experience. Moreover, businesses are increasingly recognising the value of integrating apprentices into their workforce, not just for the fresh perspectives and current academic knowledge they bring, but also as a means of developing a talent pipeline tailored to their specific technological and operational needs.

Some institutions, in particular engineering schools, report that those pursuing an apprenticeship route have a different profile compared to those who pursue their education in classroom settings with an internship. Graduates of BTS or DUT programmes already have some experience of workplaces, and in some programmes tend to pursue apprenticeships, while those admitted through preparatory courses more often pursue a school-based route with an internship. Another potential reason for this is that admission results after preparatory courses (and subsequent tests) are announced during the summer, while the recruitment for apprentice engineer positions tends to happen over the spring or early in the summer.

Upper-secondary and higher education institutions use different strategies for establishing connections with companies that provide internships or host apprentices. Many have built a network of partner companies, through prior professional connections, alumni networks as well as links to the local economy. Internal platforms allow students to connect with opportunities offered by employers, or students may find suitable opportunities on their own. In the field of cyber security, there is a diverse range of potential employers that offer work-based learning opportunities. Options include start-ups, in the digital sector or elsewhere, large private-sector companies as well as the public sector (e.g. ministries). Providers tend to report that it is easy to find placements for students, as the sector faces skills shortages and employers are keen to train and identify potential future recruits. There is also some variation across providers in how the different schedules of those pursuing an apprenticeship and those in school-based settings are organised. Some providers report high degrees of personalisation in terms of schedules, with the use of hybrid forms of teaching (online and in-person). Others schedule in-person lessons in a way that is compatible with the schedules of both school-based students and apprentices.

At upper secondary level it is uncommon for teachers of vocational subjects to pursue parallel employment in the private sector. However, regulations allow for and encourage experienced professionals to move into the teaching profession. Teaching as a contractual or substitute teacher is possible without taking the national examination. Such non-tenured teachers make it possible to respond in a flexible way to changes in demand and to tackle challenges related to tenured teacher shortages. Becoming a non-contractual teacher requires either holding a three-year tertiary qualification, or a lower level qualification (upper secondary or short-cycle tertiary level) combined with relevant work experience. The requirements for becoming a tenured teacher are more stringent. Candidates must succeed at a centralised examination for vocational upper secondary teachers (CAPLP); in the case of cyber security, the examination focuses on electrical engineering. Candidates must hold a short-cycle tertiary qualification (at least), and have five years of relevant work experience either in industry or in teaching. As successful candidates become civil servants, employment outside the school is subject to strict regulation (Vocation Enseignant, 2023[62]).

Part-time teachers who pursue employment in the private sector while dedicating some time to teaching are more common in upper-secondary and higher education. The teacher workforce in tertiary education programmes includes full-time teachers (who hold the title teacher-researcher) and part-time teachers from industry. All providers of programmes that lead to cyber security professions report extensively using part-time teachers who are industry professionals. The precise share of full-time teachers vs. part-time industry professionals varies across providers and programmes. However, including industry professionals is also one of the evaluation criteria for engineering schools (evaluated by the “Commission des titres d’ingénieur”). This is viewed by providers as essential in linking the content of their programmes to rapidly changing industry needs.

There is some variation across providers in how easy it is for them to recruit industry professionals who are willing to work as part-time teachers. Salaries for part-time teaching are not competitive compared to what skilled professionals may earn in industry. At the same time, industry professionals have different motives for engaging with teaching. Some have decades of industry experience and seek to pursue a different type of professional engagement. Others have close links with a particular provider, for example because they are alumni or because they collaborate on a research project, so they agree to teach part-time. For provider institutions, engagement with part-time teachers involves additional administrative tasks. For example, schedules need to be organised around the professional constraints of part-timers. In the area of cyber security, some professionals may be on call for emergency situations, so they may unexpectedly be unavailable for their usual lesson. Inevitably, some part-time teachers may quit teaching, so they need to be replaced from one year to another. New part-time teachers need extra support as they gain confidence in teaching a course.

For full-time teachers, applied research projects conducted jointly with industry are an important means of maintaining close connections with this fast-changing sector. The way teaching tasks are shared between full-time and part-time teachers also varies across institutions. Some institutions report that theoretical subjects are taught by full-time academics, while more applied courses are commonly taught by part-time teachers from the industry. Other providers report that subjects are shared between full-time and part-time teachers based on their particular expertise, not necessarily along these lines.

Multiple initiatives have been implemented to facilitate the participation of experts in the cyber security teaching workforce. One such initiative is led by Campus Cyber, a central hub for cyber security collaboration, where relevant stakeholders such as training providers and companies meet to exchange experiences and knowledge. For instance, experts from multiple cyber security organisations located on the campus participate as teachers at the School of Engineering and Computer Science, EPITA, which is also based on the campus (see Box 3.8).

Reflecting the increasing demand for cyber security professionals (see Chapter 2), individuals trained in cyber security are highly employable (BDM, 2022[65]). In general, ICT graduates have a higher employment rate than graduates with qualifications at the same level from other fields. In 2020, in France, 86% of ICT graduates from across all levels of education were employed compared to 68% of graduates from other fields. Similar patterns are found by qualification level, except for graduates with a short-cycle tertiary degree (e.g. BUT), who have a lower employment rate than those from other fields. This is mainly because employers consider that cyber security roles often require specialised skills and certification beyond foundational knowledge, which demands candidates with more extensive training or higher educational qualifications for roles that are more complex. As a consequence, ICT graduates with a master’s degree have the highest employability rate among all ICT professionals (90% in 2020). Moreover, most graduates with a cyber security specialisation find employment within a few months of completing their education (Eurostat, 2022[66]).

The long-term job quality for cyber security professionals in France is also favourable. Cyber security professionals work mostly as employees, and mostly for large enterprises (see Figure 3.13, Panel A and Panel C). The proportion of cyber security professionals working in large enterprises is higher (69%) than for other ICT professionals (60%). Job stability is a strong feature in this field, as cyber security experts are integral to the long-term digital strategy of organisations. 82% of cyber security professionals work full time, which is slightly lower than in other ICT fields, but higher than for professionals outside of the ICT field (see Figure 3.13, Panel B). In terms of contract type, most cyber security professionals have a permanent job contract (82%) (see Figure 3.13, Panel D). Furthermore, the versatile skill set acquired in cyber security education allows for career flexibility, enabling professionals to change and adapt to new roles or specialisations as the field evolves.

Database and network professionals, including those in cyber security, earn higher incomes than their peers in other ICT roles and across other occupations (see Figure 3.14). Cyber security professionals predominantly occupy the higher income deciles. Cyber security skills are especially lucrative within the ICT sector, contrasting with a more uniform distribution of earnings among other cyber security jobs in sectors other than ICT. For instance, the average salary for a web and cyber security specialist in France is around EUR 75 996, with a range typically between EUR 58 121 and EUR 90 009. Similarly, a cyber security engineer's average salary is approximately EUR 68 025 in 2023 (Payscale, 2023[68]). For comparison, the average yearly salary for an information technology manager, which can be considered a broader ICT role, is around EUR 62 500 in France in 2023 (Salary explore, 2023[69]). These high salaries are primarily due to the increasing importance and complexity of safeguarding digital assets in the modern, digitally-driven world. They can also be attributed to the strong market demand for cyber security skills, coupled with a global shortage of qualified cyber security professionals, which further drives up their value and salaries.

The typical cyber security professional in France is a highly qualified male between 30 and 49 years old, with specialised training in the IT/digital field, and with a bac+5 or higher education level (as shown in Chapter 2). However, the profession is getting younger, especially in most cyber security intensive occupations. A significant portion, 59%, of these professionals are aged between 30 and 49; 30% fall into the 30-39 bracket, while 29% are between 40 and 49 (see Figure 3.15). Notably, structures specialised in cyber security (i.e. organisations, departments or units that primarily provide specialised cyber security services and solutions) tend to employ a higher percentage of professionals under 30. This trend can be largely attributed to the fact that younger professionals, being recent graduates, are more in tune with the latest trends, technologies, and best practices in cyber security.

Most new entrants into the cyber security profession lack a formal education background in cyber security. This gap may be due to insufficient information and availability of targeted training opportunities. According to a 2021 ANSSI survey, 52% of cyber security professionals hold degrees in general computer science or related digital fields, while only 31% and 19% possess specialised cyber security degrees and cyber security certification, respectively (ANSSI, 2021[71]). Additionally, awareness of available training opportunities is relatively low, with just 44% of new entrants being cognisant of such opportunities (ANSSI, 2021[71]). To stay current, young professionals often rely on informal learning methods; 86% engage in self-study and 82% leverage their professional networks to update their cyber security skills.

Cyber security professionals are highly qualified, even at the start of their career. 76% of cyber security professionals hold a diploma or a level of qualification equal to or greater than bac+5, which also reflects the labour market demand (see Chapter 2). Among the newcomers in the field, this proportion is slightly lower (72%). Among cyber security professionals working within the specialised cyber security sector, it is higher (83%).

Females account for just 11% of cyber security professionals in France (BercyNumérique, 2023[72]). Interviews conducted with various institutions that deliver programmes preparing for cyber security suggest that the share of females among students is low, rarely exceeding 20%. Some providers reported that the share of females in cyber security education and training programmes had been growing but this improvement stopped as a result of COVID-19 related restrictions, which left limited room for career guidance interventions in schools.

This reflects the low levels of participation in ICT programmes among females in France, with around 20% of those graduating from ICT being females. The share of females among ICT graduates has been relatively stable at master’s level. At bachelor’s level there has been a slow increase over the past few years. At short-cycle tertiary level the share of females has increased strongly, from around 10% in 2015 to nearly 19% in 2021 (see Figure 3.16). Among OECD countries, a few have a higher share of females among ICT graduates – examples include Israel (53%), Norway (31%), Canada (28%) and Sweden (27%). At bachelor’s level, the share of females among ICT graduates is similarly low: females accounted for 17% of graduates in 2021 in France. Over the past years, the share of females has been increasing among ICT bachelor’s graduates, up from 14% in 2015. At this level as well, Israel and Sweden have higher shares of females (31% and 35% respectively).

French law stipulates that, except for certain occupations like models and actors, all jobs need to be explicitly addressed to both men and females (French Government, 2023[73]). Signalling that a job is open to men and females is most commonly done by including an expression like “H/F” to mean male/female,³ or by using both gendered noun endings, for instance “Employé(e)” to mean both male and female employee.

The online job postings data provided by Lightcast contain a transcript of the job title that is mentioned for each job posting. This job title can be used to identify the type of language that is used in job postings to capture the attention of job seekers. In this context, leveraging the text available in the job titles can help make visible what kind of gendered language is used in job titles, as well as whether a job title explicitly mentions that the position is open to multiple genders.

To examine how inclusive French cyber security roles are to females,⁴ this section performs a keyword analysis of 91 042 job titles posted between January 2018 and June 2023 (see Annex 3.A for more details on the method). First, the share of OJPs which include an explicit gender signifier, so either “H/F” or a gendered noun ending, is calculated. Next, the share of OJPs for which a job title has both a feminine and a masculine variant is shown, as well as how many of these OJPs actually include the feminine variant of that title.⁵

In total, 86.1% of all cyber OJPs include a gender signifier in the job title, which means around one seventh of OJPs do not.⁶ While this result does not immediately suggest that employers who omitted a gender signifier are inherently non-inclusive, the analysis does indicate that the absence of such a signifier could potentially point to a disregard or indifference towards promoting gender diversity and inclusion in the workplace. While it is essential not to overgeneralise, this lack of proactive gender representation may hint at underlying biases or challenges some employers face in promoting females in the cyber security profession.

The feminisation of the names of professions has become increasingly common in France in the last decade. For instance, in 2019 the Académie française published a report on this topic, in which it pronounced that in principle, from the perspective of the rules of the French language, there is no obstacle to the feminisation of professions (Académie française, 2019[74]). This was the first time that this influential institution, which was created in 1634, had gone this far in recognising the feminine in words (Rérolle, 2019[75]).

However, only around one-fifth of cyber security OJPs for which a feminine form exists actually include the feminine form. In total, both a feminine and a masculine form of the role exist for around 54% of OJPs; the other OJPs are for roles like “Analyste” or “Juriste”, which do not have a gendered noun ending. Jobs which do have the potential for a feminine form are roles like developer (développeuse/développeur), administrator (administratrice/administrateur), and manager (cheffe/chef), for example.

The fact that a low share of OJPs makes use of feminine noun endings, combined with 14% of OJPs which do not include any gender signifiers, shows that there is still room for promoting more inclusivity in the cyber security field, starting from the use of more inclusive language when looking for potential candidates to hire. The data cannot show whether there are objective barriers for females to enter into cyber security professions, but there is an indication that many employers do not think about the explicit inclusion of females in this technical field.

Figure 3.18 shows that the results differ significantly per cyber security job role, especially with respect to opting to use a gendered noun ending. The share of OJPs including any type of gender signifier in the job title ranges between 84% for cyber security analysts and 91% for auditors and advisors. For cyber security analysts, a feminine variant of the profession only exists for a third of job titles; however, in nearly two thirds of those cases, the employers opt to include this feminine variant. By contrast, for the roles which are most focused on programming and informatics, architects and engineers, a feminine version of the job role exists around 70% of the time; however, in only 7% of these OJPs is the feminine variant actually mentioned. In total, 86% of OJPs for this role still include a gender signifier, so most use “H/F”. The results therefore show a discrepancy in the use of the feminine variant of the profession between the different job roles, as evidenced, for instance, by architects and engineers compared to analysts.

The lack of gender diversity in cyber security education enrolment can be extrapolated to occupations. In France, the proportion of cyber security professionals who are females is notably low, mirroring the wider trend in the ICT sector (see Box 3.9).

Diversifying the profile of cyber security professionals is seen as a key objective in France for various reasons. First, it expands the talent pool, which is needed to reach the target of 75 000 individuals trained in cyber security by 2025. Second, having a diversity of perspectives among professionals is essential for effective cyber security strategies. Successful attacks rely on weaknesses that attackers have identified and professionals in the company have missed or have not addressed. A greater diversity of perspectives within a company is viewed as helpful in identifying and addressing such weaknesses. This section focuses on two aspects of diversity: gender and socio-economic background.

To combat the notable underrepresentation of females in France's cyber security sector, strategies like “Les Cadettes de la Cyber” and the “CEFCYS” association have been implemented (see Box 3.10). These initiatives not only aim to diversify the talent pool in cyber security but also to enhance the field's innovation and problem-solving capacity by integrating diverse perspectives essential for tackling complex cyber threats. Additionally, the French Government has implemented campaigns in high schools and universities that aim to encourage more women to pursue engineering and computer science studies (TechCrunch, 2017[79]). The initiative also supports companies in hiring more women, assists women in starting companies, and aids in job placement in tech companies. These efforts are part of a broader strategy to increase female participation in the cyber security sector in France, recognising the need for diverse perspectives in tackling complex cyber threats.

Beyond improving gender diversity, efforts have been focused on providing information about the various cyber security roles to expand young people’s understanding of the field and its occupations. Recently the Ministry of Education and Youth (MENJ) has launched a campaign that aims to introduce a diverse range of young students to cyber security careers and attract them to the field (see Box 3.11). By providing educational resources, showcasing a variety of roles within the sector, and engaging students in interactive learning experiences, the initiative seeks to break down stereotypes and promote cyber security as a viable and exciting career path, thereby helping to secure France's digital future.

Efforts to increase socio-economic diversity among cyber security professionals focus on ensuring that cyber security education is available in the types of programmes that enroll students from diverse backgrounds, and that those are linked to strong progression pathways to higher levels of education.

Upper secondary programmes play an important role in diversifying the socio-economic background of future cyber security professionals. They have the potential to develop technical skills relevant to cyber security among students from less privileged socio-economic backgrounds. Programmes leading to the Vocational or Technological Baccalaureate tend to enrol, on average, more students from disadvantaged backgrounds than programmes leading to the General Baccalaureate. For example, in 2020, children of parents who were managers or held a highly skilled profession accounted for a third of those who obtained the General Baccalaureate. Their share among those who obtained the Technological or Vocational Baccalaureate was much lower (16% and 8% respectively) (MENJ, 2023[81]). In addition, these programmes (and in particular the Technological Baccalaureate) can serve as an entry route into higher education programmes in cyber security.

Higher education programmes delivered in University Institutes of Technology (including BTS, BUT and professional bachelor’s programmes) have the potential to play an important role in terms of diversifying the social background of future cyber security professionals.

First, they provide a progression route for graduates of the Vocational or Technological Baccalaureate. Quotas have been implemented to facilitate such transitions. For BTS programmes the quota varies, but Vocational and Technological Baccalaureate graduates account for around two-thirds of all BTS entrants (32% and 30% respectively, data for cyber security only were not available) (Letudiant, 2023[82]). Graduates of the Vocational Baccalaureate (either “Cyber security, IT, networks, electronics” or “Electricity and connected environments”) or Technological Baccalaureate (“Sciences and technologies of Industry and sustainable development”) can transition relatively easily into a BTS in “Cyber security, IT and networks, electronics”. On the other hand, in BUT programmes half of available places are reserved for graduates of a Technological Baccalaureate within a related field. Those who obtained a Technological Baccalaureate with excellent results (mention bien or très bien) are automatically admitted (ONISEP, 2023[83]). In the case of cyber security, for example, there is a progression route for graduates of a Technological Baccalaureate in “Sciences and technologies of Industry and sustainable development” into a BUT in “Networks and telecommunications”.

More broadly, the socio-economic background of entrants to BTS and BUT programmes (all fields included) is more diverse than that of scientific preparatory courses, which are the classical entry route into engineering schools. Data from the 2017 admission process show that those admitted to a scientific preparatory course had a very high share of students from privileged backgrounds and one of the highest shares of excellent results at the baccalaureate (INSEE, 2021[84]). BTS and BUT (formerly DUT) programmes on the other hand, have a more diverse student intake. 17% of BTS entrants have excellent results at the baccalaureate and around 30% come from privileged backgrounds. DUT programmes had 28% of their entrants with excellent results at the baccalaureate and around half from privileged backgrounds.

Professional bachelor’s degrees, which include a range of programmes with SecNumEdu certification, in turn allow BTS and year 2 BUT graduates to further their technical skills and obtain a bachelor’s qualification. Given the admission routes to these programmes, the socio-economic profile of professional bachelor’s students will also be more diverse than that of preparatory courses and engineering schools.

Finally, upon completion of a part or the entirety of a programme within a University Institute of Technology, students may transition into an engineering school. A growing number of engineering schools admit such students. The share of BTS or BUT graduates among entrants to engineering programmes varies from around half of entrants in some schools, to just a few or no entrants at all. On average 18.5% of those admitted to engineering schools are graduates of a BTS or BUT programme and 8% have completed the second or third year of a bachelor’s programme (ONISEP, 2022[85]). To facilitate successful transitions from practically oriented programmes to more theoretical, research-oriented engineering programmes, BTS graduates may pursue a bridging year (“higher technician adaptation”, adaptation technicien supérieur).


[74] Académie française (2019), La Féminisation des Noms de Métiers et de Fonctions, https://www.academie-francaise.fr/sites/academie-francaise.fr/files/rapport_feminisation_noms_de_metier_et_de_fonction.pdf (accessed on 1 October 2023).

[49] ANR (2021), Compétences et Métiers d’Avenir (CMA) – Appel à manifestation d’intérêt – 2021-2025, https://anr.fr/fr/detail/call/competences-et-metiers-davenir-cma-appel-a-manifestation-dinteret-2021-2025/.

[45] ANSSI (2023), FORMATIONS CONTINUES LABELLISÉES SECNUMEDU-FC, https://www.ssi.gouv.fr/particulier/formations/secnumedu-fc-labellisation-de-formations-continues-en-cybersecurite/formations-continues-labellisees-secnumedu/.

[57] ANSSI (2023), Se former à la cybersécurité, https://cyber.gouv.fr/se-former-la-cybersecurite.

[70] ANSSI (2022), Les profils de la cybersécurité: Enquête 2021, https://www.ssi.gouv.fr/uploads/2021/10/anssi-les_profils_de_la_cybersecurite-enquete_2021.pdf.

[2] ANSSI (2021), France Relance, https://www.ssi.gouv.fr/agence/cybersecurite/france-relance/le-volet-cybersecurite-de-france-relance-faq/.

[71] ANSSI (2021), Les professionnels de 5 ans et moins d’expérience dans le domaine de la cybersécurité (The professionals 5 years and under of experience in the field of cyber security), https://www.ssi.gouv.fr/uploads/2021/10/zoom_5_ans_experience_ou_moins_mars22_v3.pdf.

[1] ANSSI (2020), Panorama des métiers de la cybersécurité, https://www.ssi.gouv.fr/uploads/2021/10/anssi-panorama_metiers_cybersecurite-2020.pdf.

[65] BDM (2022), Cybersécurité : l’APEC dresse le panorama de l’emploi cadre en 2022, https://www.blogdumoderateur.com/cybersecurite-apec-dresse-panorama-emploi-cadre-2022/.

[72] BercyNumérique (2023), Cybersécurité : vers une parité hommes-femmes du secteur ?, https://www.bercynumerique.finances.gouv.fr/cybersecurite-vers-une-parite-hommes-femmes-du-secteur.

[64] Campus cyber (2023), concept: Réunir les acteurs de la sécurité numérique au sein d’un lieu totem pour protéger la société et faire rayonner l’excellence française du domaine, https://campuscyber.fr/.

[63] Campus cyber (2023), Matrice des compétences des métiers techniques, https://wiki.campuscyber.fr/Matrice_des_comp%C3%A9tences_des_m%C3%A9tiers_techniques.

[77] Cercle des femmes de la cybersecurite (2023), Présentation: L’association des femmes de la Cybersécurité, https://cefcys.fr/association-femmes-cybersecurite/.

[36] CESI (2023), Bachelor en sciences et en ingenierie, http://www.cesi.fr/programmes/cycle-bachelor-en-sciences-et-en-ingenierie/.

[41] CNAM Paris (2023), Certificat de compétence Analyste en cybersécurité, https://www.cnam-paris.fr/certificat-de-competence-analyste-en-cybersecurite-1263707.kjsp.

[58] Couppié, T. and C. Gasquet (2021), Débuter en CDI : le plus des apprentis, https://www.cereq.fr/debuter-en-cdi-le-plus-des-apprentis.

[52] CyberEdu (2022), Le project, https://www.cyberedu.fr/pages/le-projet/.

[9] DEPP (2023), Repères et références statistiques, edition 2023, https://www.education.gouv.fr/reperes-et-references-statistiques-2023-378608.

[61] DEPP (2016), Repères et références statistiques, https://www.education.gouv.fr/sites/default/files/imported_files/document/depp_rers_2016_614975.pdf.

[7] Depp (2022), Repères et références statistiques 2022, https://www.education.gouv.fr/media/116557/download.

[8] Depp (2012), Repères et références statistiques sur les enseignements, la formation et la recherche, 2012, https://cache.media.enseignementsup-recherche.gouv.fr/file/2012/06/4/DEPP-RERS-2012_224064.pdf.

[32] ECE (2023), Bachelor en cybersécurite, http://www.ece.fr/faq/bachelor-cybersecurite/.

[16] Education (2023), Le baccalauréat technologique, https://www.education.gouv.fr/reussir-au-lycee/le-baccalaureat-technologique-1916.

[14] EDUSCOL (2023), Rénovation de la filière systèmes numériques en “Cybersécurité, Informatique et réseaux, Electronique (CIEL)”, https://eduscol.education.fr/sti/actualites/renovation_filiere_ciel.

[51] ENISA (2022), European Cybersecurity Skills Framework (ECSF), https://www.enisa.europa.eu/topics/education/european-cybersecurity-skills-framework.

[39] EP (2023), Executive MSc in Cybersecurity, https://www.ip-paris.fr/en/education/executive-education/executive-msc-cybersecurity.

[33] EPITA (2023), Bachelor en cybersécurité, http://www.epita.fr/bachelor-cybersecurite/.

[34] ESAIP (2023), Bachelor en ingenierie informatique et cybersécurité, https://www.esaip.org/formation/bachelor-en-ingenierie-informatique-et-cybersecurite/.

[35] ESAIP (2023), Bachelor numerique, http://www.esaip.org/formation/bachelor-numerique/.

[67] Eurostat (2022), EU labour force survey, https://ec.europa.eu/eurostat/web/microdata/european-union-labour-force-survey.

[66] Eurostat (2022), ICT education - a statistical overview, https://ec.europa.eu/eurostat/statistics-explained/index.php?oldid=454538#:~:text=In%20the%20EU%2C%20more%20than,ICT%20educated%20persons%20are%20employed.

[73] French Government (2023), Offre d’emploi et embauche : les droits du candidat, https://travail-emploi.gouv.fr/droit-du-travail/la-vie-du-contrat-de-travail/article/offre-d-emploi-et-embauche-les-droits-du-candidat (accessed on  October 2023).

[48] Gouvernement (2021), Un plan à 1 milliard d’euros pour renforcer la cybersécurité, https://www.gouvernement.fr/actualite/un-plan-a-1-milliard-d-euros-pour-renforcer-la-cybersecurite.

[3] Gouvernement (2023), Maitriser les technologies numériques souveraines et sûres, https://www.gouvernement.fr/sites/default/files/contenu/piece-jointe/2023/07/levier_maitriser_les_technologies_numeriques_ok_ov_ajout_ensnum_verdissement_ok.pdf.

[38] INSA (2023), Computer security and technologies (STI), https://www.insa-centrevaldeloire.fr/en/training/Information-technology-and-cybersecurity.

[40] INSA Lyon (2023), Cybersécurité du Numérique, https://www.insa-lyon.fr/fr/mastere-cybersecurite-numerique.

[84] INSEE (2021), France, portrait social, https://www.insee.fr/fr/statistiques/5432519?sommaire=5435421#tableau-figure2_radio1.

[55] IUT Haguenau (2023), Systemes automatises, reseaux et informatique industrielle, https://iuthaguenau.unistra.fr/formations/licence-pro/systemes-automatises-reseaux-et-informatique-industrielle.

[29] IUT La Rochelle (2023), BUT informatique, http://www.iut-larochelle.fr/formations/departement-informatique/but-informatique/.

[30] IUT Valence (2023), BUT informatique, https://www.iut-valence.fr/nos-formations/b-u-t-/b-u-t-info/b-u-t-informatique-776395.kjsp.

[56] IUT Ville d’Avray Saint-Cloud Nanterre (2023), Licence professionnelle i2ap, https://cva-geii.parisnanterre.fr/formations/licence-professionnelle-i2ap.

[11] JORF (2023), Arrêté du 25 janvier 2023 portant définition et fixant les conditions de délivrance du brevet de technicien supérieur « Cybersécurité, Informatique et réseaux, Electronique, option A : “Informatique et réseaux”, option B : “Electronique et réseaux” », https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000047226070.

[5] JORF (2020), Arrêté du 17 janvier 2020 accordant la reconnaissance par l’Etat à des écoles techniques privées pour des formations préparant au brevet de technicien supérieur pour la rentrée universitaire 2020, https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000041477788.

[46] Leptidigital (2023), Les Meilleures Plateformes en Ligne de Formation dans le Digital, https://www.leptidigital.fr/internet/meilleures-plateformes-en-ligne-formation-digital-16991/.

[76] Les Cadettes de la Cyber (2021), Les Cadettes de la Cyber est un programme du Pôle d’Excellence Cyber (PEC), https://les-cadettes-de-la-cyber.org/qui-sommes-nous/.

[82] Letudiant (2023), Parcoursup : malgré les quotas de bacs pro, des places à prendre pour les bac généraux en BTS, https://www.letudiant.fr/etudes/btsdut/parcoursup-malgre-les-quotas-de-bacs-pro-des-places-a-prendre-pour-les-bac-generaux-en-bts.html#:~:text=Explications.,106%20sp%C3%A9cialit%C3%A9s%20propos%C3%A9es%20en%20BTS.

[10] MENJ (2023), Baccalauréat professionnel: Cybersécurité, Informatique et réseaux, Électronique (CIEL), https://eduscol.education.fr/sti/sites/eduscol.education.fr.sti/files/actualites/15324/15324-ref-bcp-ciel-vpub-eduscol.pdf.

[80] MENJ (2023), Lancement de la campagne nationale “DemainSpécialisteCyber” pour faire découvrir la cybersécurité et ses métiers, https://www.demainspecialistecyber.fr/.

[12] MENJ (2023), Mention complémentaire de niveau 4, https://eduscol.education.fr/sti/sites/eduscol.education.fr.sti/files/actualites/15324/15324-ref-mc-cyber-vpub-eduscol.pdf.

[17] MENJ (2023), Réussir au lycée, https://www.education.gouv.fr/reussir-au-lycee/le-baccalaureat-technologique-1916.

[81] MENJ (2023), Réussite au baccalauréat selon l’origine sociale, https://data.education.gouv.fr/explore/dataset/fr-en-reussite-au-baccalaureat-origine-sociale/table/?disjunctive.annee.

[20] MENJS (2023), Réussir au lyceé, https://www.education.gouv.fr/reussir-au-lycee/le-baccalaureat-technologique-1916.

[6] MESR (2023), Arrêté du portant définition et fixant les conditions de délivrance du brevet de technicien supérieur - Cybersécurité, Informatique et résaux, Électronique, https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000047226070.

[22] MESR (2023), Portant définition et fixant les conditions de délivrance du brevet de technicien supérieur “Cybersécurité, Informatique et réseaux, Électronique, Option A et Option B”, https://enqdip.sup.adc.education.fr/bts/referentiel/BTS_Cybersecurite_Informatique_reseaux_electronique.pdf.

[26] MESR (2022), “Note d’information du SIES”, in Les effectifs d’étudiants dans le supérieur continuent leur progression en 2021-2022, https://www.enseignementsup-recherche.gouv.fr/fr/les-effectifs-d-etudiants-dans-le-superieur-continuent-leur-progression-en-2021-2022-88609.

[31] MESR (2022), Licence professionnelle, https://www.enseignementsup-recherche.gouv.fr/fr/licence-professionnelle-45883#:~:text=Accessible%20auparavant%20apr%C3%A8s%20un%20bac%2B,tout%20moment%20du%20premier%20cycle.

[43] MFIDS (2022), Stratégie nationale d’accélération pour la cybersécurité : les premières réalisations, https://www.economie.gouv.fr/strategie-nationale-acceleration-cybersecurite.

[44] MFIDS (2021), Cybersécurité : renforcement par le Gouvernement de la protection des citoyens, des administrations et des entreprises, https://www.economie.gouv.fr/cybersecurite-renforcement-gouvernement-protection-citoyens-administrations-entreprises.

[27] MTPEI (2021), Employeurs, recrutez en alternance : une solution pour l’avenir de votre entreprise, https://travail-emploi.gouv.fr/actualites/l-actualite-du-ministere/article/employeurs-recrutez-en-alternance-une-solution-pour-l-avenir-de-votre.

[47] MTPEI (2017), Certificat de Qualification Professionnelle (CQP), https://travail-emploi.gouv.fr/formation-professionnelle/certification-competences-pro/article/certificat-de-qualification-professionnelle-cqp.

[25] NSI (2023), La semaine du numérique et des sciences informatiques, https://www.semaine-nsi.fr/.

[13] ONISEP (2023), Bac pro cybersécurité, informatique et réseaux, électronique (CIEL), https://www.onisep.fr/ressources/univers-formation/formations/Lycees/bac-pro-cybersecurite-informatique-et-reseaux-electronique.

[21] ONISEP (2023), BTS cybersécurité, informatique et réseaux, électronique option B électronique et réseaux (CIEL ER), https://www.onisep.fr/ressources/univers-formation/formations/Post-bac/bts-cybersecurite-informatique-et-reseaux-electronique-option-b-electronique-et-reseaux.

[18] ONISEP (2023), Le bac STMG (sciences et technologies du management et de la gestion), https://www.onisep.fr/formation/apres-la-3-la-voie-generale-et-technologique/qu-est-ce-que-la-voie-generale-et-technologique/la-voie-technologique-en-premiere-et-terminale/le-bac-stmg-sciences-et-technologies-du-management-et-de-la-gestion.

[83] ONISEP (2023), Les BUT (Bachelors universitaires de technologie), https://www.letudiant.fr/etudes/btsdut/parcoursup-malgre-les-quotas-de-bacs-pro-des-places-a-prendre-pour-les-bac-generaux-en-bts.html#:~:text=Explications.,106%20sp%C3%A9cialit%C3%A9s%20propos%C3%A9es%20en%20BTS.

[28] ONISEP (2023), Les BUT (bachelors universitaires de technologie), https://www.onisep.fr/formation/apres-le-bac-les-etudes-superieures/les-principales-filieres-d-etudes-superieures/les-but-bachelors-universitaires-de-technologie#:~:text=Le%20BUT%20correspond%20%C3%A0%20180,de%20leurs%20deux%20premi%C3%A8res%20ann%C3%A9es.

[15] ONISEP (2023), Les familles de métiers en seconde professionnelle, https://www.onisep.fr/formation/apres-la-3-la-voie-professionnelle/les-diplomes-de-la-voie-pro/le-bac-professionnel/les-familles-de-metiers.

[59] ONISEP (2023), Les stages en lycée professionnel, https://www.onisep.fr/vers-l-emploi/stages-en-entreprises/les-stages-par-niveau-d-etudes/les-stages-en-lycee-professionnel.

[4] ONISEP (2023), L’offre de formations de cybersécurité, https://www.onisep.fr/recherche?context=formation&not_query_type=true&page=1&text=cybers%C3%A9curit%C3%A9.

[19] ONISEP (2022), La voie technologique en première et terminale, https://www.onisep.fr/formation/apres-la-3-la-voie-generale-et-technologique/qu-est-ce-que-la-voie-generale-et-technologique/la-voie-technologique-en-premiere-et-terminale.

[85] ONISEP (2022), Les différentes voies d’accès en école d’ingénieurs, https://www.onisep.fr/formation/les-principaux-domaines-de-formation/les-ecoles-d-ingenieurs/les-differentes-voies-d-acces-en-ecole-d-ingenieurs.

[60] ONISEP (2022), Les stages dans l’enseignement supérieur, https://www.onisep.fr/vers-l-emploi/stages-en-entreprises/les-stages-par-niveau-d-etudes/les-stages-dans-l-enseignement-superieur.

[24] Onisep (2023), SISR, https://www.onisep.fr/ressources/univers-formation/formations/Post-bac/bts-services-informatiques-aux-organisations-option-a-solutions-d-infrastructure-systemes-et-reseaux.

[23] Onisep (2023), SLAM, https://www.onisep.fr/ressources/univers-formation/formations/Post-bac/bts-services-informatiques-aux-organisations-option-b-solutions-logicielles-et-applications-metiers.

[68] Payscale (2023), Average Cyber Security Engineer Salary in France, https://www.payscale.com/research/FR/Job=Cyber_Security_Engineer/Salary.

[50] Rennes SB (2021), Rennes School of Business ouvre son nouveau parcours « Global Tech & Cybersecurity », https://www.rennes-sb.fr/programmes-fr/nouveau-parcours-global-tech-cybersecurity-programme-grande-ecole/.

[75] Rérolle, R. (2019), L’Académie française se résout à la féminisation des noms de métiers, https://www.lemonde.fr/societe/article/2019/02/28/l-academie-francaise-se-resout-a-la-feminisation-des-noms-de-metiers_5429632_3224.html (accessed on  October 2023).

[69] Salary explore (2023), Salaries in France by occupation and sector, https://www.salaryexplorer.com/average-salary-wage-comparison-france-c74.

[79] TechCrunch (2017), French Government to promote gender equality in the tech ecosystem, https://techcrunch.com/2017/01/31/french-government-to-promote-gender-equality-in-the-tech-ecosystem/?guccounter=1.

[42] TELECOM SudParis (2023), Certification professionnelle à la Gouvernance de la sécurité des systèmes d’information et des réseaux, https://www.telecom-sudparis.eu/formation/ces-securite-des-systemes-information-et-reseaux/.

[37] TELECOM SudParis (2023), Sécurité des systèmes et des réseaux, http://www.telecom-sudparis.eu/formation/securite-des-systemes-et-des-reseaux/.

[54] Université de Toulon (2023), Licence informatique parcours informatique, https://www.univ-tln.fr/Licence-Informatique-parcours-Informatique.html.

[53] UPEC (2023), Licence economie et gestion parcours informatique et management, https://www.u-pec.fr/fr/formation/niveau-l/licence-economie-et-gestion-parcours-informatique-et-management-miage.

[62] Vocation Enseignant (2023), Professeurs certifiés de lycée professionnel : tendance de recrutement, https://vocationenseignant.fr/reussir-le-concours-caplp-professeur-lycee-professionnel/.

[78] Women4Cyber (2023), Women4Cyber European Cyber Security Organisation, https://women4cyber.eu/about-us/.

The online job postings data provided by Lightcast contain a transcript of the job title that is mentioned for each job posting. Leveraging the text available in the job titles can help make visible what kind of gendered language is used in job titles, as well as whether a job title explicitly mentions that the position is open to multiple genders. For this purpose, this report uses a classification strategy based on regular expressions, as in Annex 2 at the end of Chapter 2.

The first row in shows the regular expressions selected for classifying whether the online job posting (OJP) is explicitly open to multiple genders. These expressions are both in French and in English to reflect the languages found in the OJPs.

The second and third rows display job roles that were identified as potentially having (French) gendered noun endings. These selections were made by analysing a total of 628 words that appeared more than 10 times in job titles from all OJPs in 2022. The purpose was to determine which job roles were frequently mentioned in these job titles, and which of those have a feminine version of the role. This approach means that other roles (which have fewer than 10 mentions in 2022) are potentially not included in the rest of the analysis. The comparison in the analysis in the main text pertains only to those job titles which could possess a feminised version of the role, so as to exclude roles such as “analyste”, which is both masculine and feminine, and to exclude English job roles, which do not have an explicit gender.

The second row pertains to words where the root of the term could encompass both the male and female versions of the job role, without also encompassing English job titles. The third row shows only the feminine versions of all most often occurring job roles. Certain roles that have the same title in French masculine version as in English, however, additionally a feminine version exists in French: assistant, agent, consultant, and expert. These words were only included in the count of potentially having a feminine ending if specific French keywords such as “sécurité” and “données” were detected, or if the female-gendered version of the role was explicitly mentioned in the job title.

The last row shows the regular expressions that are used to find female-gendered noun endings. OJPs in France often mention the feminine version of a job role by adding, for instance, (e), (ne) or (euse) after the male job title. A job title that contains an expression found in row four is classified as having explicitly mentioned the female version of the role in the job title.
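The classification described in this annex, sketched as an added example that is not the report's own code. The patterns, role lists and sample titles are constructed assumptions, since the report's table of expressions is not reproduced here; only the bracketed endings, the four shared roles, the keywords “sécurité” and “données”, and the “h/f/x” and “all genders” signifiers come from the text.

```python
import re
import unicodedata

# Every pattern here is constructed for illustration; the report's own table
# of regular expressions is not reproduced on this page.
FLAGS = re.IGNORECASE
# Row 1: title explicitly open to multiple genders ("H/F", "h/f/x", "all genders").
OPEN_RE = re.compile(r"(?<!\w)[hfmx](?:\s*/\s*[hfmx]){1,2}(?!\w)|\ball genders\b", FLAGS)
# Row 2: French roots that cover masculine and feminine forms but not the English title.
ROOT_RE = re.compile(r"\b(?:ingénieur|développeu|technicien)", FLAGS)
# Roles spelled identically in English and masculine French (listed in the text).
SHARED_RE = re.compile(r"\b(?:assistant|agent|consultant|expert)s?\b", FLAGS)
FRENCH_HINT_RE = re.compile(r"\b(?:sécurité|données)\b", FLAGS)
# Row 3: full feminine forms, including feminine forms of the shared roles.
FEMININE_WORD_RE = re.compile(
    r"\b(?:ingénieure|développeuse|technicienne"
    r"|(?:assistant|agent|consultant|expert)e)s?\b", FLAGS)
# Row 4: feminine ending appended in brackets after the masculine title.
FEMININE_ENDING_RE = re.compile(r"\((?:e|ne|euse)\)", FLAGS)


def classify_title(title):
    """Return the three flags the annex describes for one job title."""
    title = unicodedata.normalize("NFC", title)  # composed accents, so "é" matches
    feminine = bool(FEMININE_ENDING_RE.search(title) or FEMININE_WORD_RE.search(title))
    # A shared role counts as feminisable only next to a French keyword.
    shared_french = bool(SHARED_RE.search(title) and FRENCH_HINT_RE.search(title))
    return {
        "open_to_multiple_genders": bool(OPEN_RE.search(title)),
        "could_be_feminised": bool(ROOT_RE.search(title)) or shared_french or feminine,
        "mentions_feminine": feminine,
    }


def feminine_share(titles):
    """Share of feminisable titles that explicitly mention the feminine form."""
    flags = [classify_title(t) for t in titles]
    eligible = [f for f in flags if f["could_be_feminised"]]
    return sum(f["mentions_feminine"] for f in eligible) / len(eligible) if eligible else 0.0


# Constructed sample titles, not taken from the Lightcast data.
SAMPLE_TITLES = [
    "Ingénieur cybersécurité H/F",
    "Consultant(e) sécurité des données",
    "Security Consultant",
    "Analyste SOC (h/f/x)",
    "Développeuse sécurité",
]
```

On the sample titles, “Security Consultant” and “Analyste SOC (h/f/x)” drop out of the feminisable set, which mirrors the exclusions the annex describes for English titles and for roles such as “analyste”.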


← 1. It's important to note that these figures are averages and actual salaries can vary widely based on factors like experience, education, certifications, and specific skills within the ICT field.

← 2. Structures specialising in cyber security are primarily providers of specialised services or solutions. The professionals concerned are first and foremost cyber security consultants; they fall within the business of consulting, service and research according to the family of ANSSI’s cyber security profession overview. Specialised cyber security structures include large consulting and IT and digital services companies, SMEs and start-ups highly specialised in cyber security.

← 3. Or sometimes h/f/x to signal male/female/other gender.

← 4. Given the restrictions of the French language, other genders than females are not explicitly investigated here, although job postings that for instance include words like “all genders” are also taken as explicitly being open to females.

← 5. It is worth noting that the analysis is only done by investigating job titles, not full job descriptions. It is possible that certain OJPs include a gender signifier in the full text, but not in the job title. These OJPs are not counted as making use of inclusive language in this analysis. However, a job title is the first part of a job description that is read, and using inclusive language in a job title is therefore of great importance. Additionally, it is possible that certain roles with a low number of mentions in 2022 are not included in the analysis, which is discussed in Annex 1.A.

← 6. However, one caveat is that it is not possible to verify whether the dataset includes the entire job title, which could mean that potentially, more OJPs originally included gender signifiers.

© OECD 2024
