CYPME

Abstract

CYPME indexes the 224 cybersecurity solution and service providers registered under the French Cyber PME programme (DGE / Bpifrance). The project maps each vendor to the 12 ANSSI cybersecurity capability domains, activity types, geographic presence, and certifications. It exists as a searchable, filterable reference for SMEs evaluating cybersecurity providers under this government-backed scheme.

Data Sources

Publisher: Direction Générale des Entreprises (DGE) and Bpifrance, via data.economie.gouv.fr and data.europa.eu.

Known limitations

• The dataset reflects a specific AMI (Appel à Manifestation d'Intérêts) snapshot. Providers may join or leave the scheme without the dataset being updated.
• 4 of 224 records have sparse or null fields (missing website or email).
• Most ANSSI visa fields contain "Aucun" (none) — few providers hold formal ANSSI certifications.
• Department presence is self-declared by providers and may not reflect actual operational reach.

Methodology

1. Source data acquisition

The raw dataset is a JSON export from the data.economie.gouv.fr open data platform. It contains 224 records with 28 verbose French field names per record (897 KB). A CSV variant is also archived for reference. Both formats are stored in data/ alongside the processed output.

2. Data transformation to companies.json

The source data is transformed into a compact JSON array (companies.json, 578 KB) optimised for client-side filtering. Field names are abbreviated to single-letter keys to reduce payload by ~36%. Boolean conversion is applied to the France 2030 laureate flag ("Oui"/"Non" to true/false). Department codes are extracted from location strings (e.g. "8 Ardennes" becomes "8") for consistent numeric sorting.

// Source field → Abbreviated key
nom_de_l_entreprise              → n   (name)
site_internet_de_l_entreprise    → w   (website)
adresse_mail                     → e   (email)
laureate_france_2030             → f30 (boolean)
nature_des_activites             → act (activity array)
chapitres I–XII                  → ch  (domain numbers)
                                   chd (domain → capabilities)

3. ANSSI capability domain aggregation

The source data stores capabilities across 12 separate array fields (chapitre_i through chapitre_xii), one per ANSSI cybersecurity domain. These are consolidated into two derived fields: ch (array of applicable domain numbers 1–12) and chd (object mapping domain number to its capability list). This enables efficient filtering ("does ch include 5?") instead of checking 12 separate fields.

{
  "ch": [5, 6, 9],
  "chd": {
    "5": ["Firewall", "Réseau et cloisonnement"],
    "6": ["Réseau administrateur"],
    "9": ["SOC", "Audit / PenTesting"]
  }
}

4. Client-side search and filter

The entire 224-record dataset is loaded into browser memory via a single fetch() call. Five filters operate in-memory: free-text search (case-insensitive substring on name and description), activity type, ANSSI domain, department, and France 2030 status. All filters trigger an immediate re-render of the result list. No debouncing is applied — acceptable for 224 records.

5. Security: HTML escaping

All data-derived strings are escaped before DOM insertion using a textContent → innerHTML pattern. This prevents XSS from any unexpected content in the source data. No external sanitisation library is used.

function esc(s) {
  const d = document.createElement('div');
  d.textContent = s;
  return d.innerHTML;
}

Stack & Tooling

• Languages: HTML5, CSS3 (custom properties), vanilla JavaScript ES2022+
• Libraries: none — zero external dependencies
• Fonts: Barlow Condensed (condensed sans-serif), JetBrains Mono (monospace) self-hosted WOFF2
• Data: static pre-computed JSON, no database, no API
• Hosting: static file server (PHP-capable host, but no PHP used)
• Build tools: none — source is production

Key Observations & Limitations

What works

• 224 records load and filter instantly with no perceptible latency.
• Abbreviated JSON keys cut payload by 36% with no loss of information.
• The ANSSI domain aggregation into ch/chd simplifies both filtering and display.
• Single-file architecture: the entire application is one HTML file plus one JSON file.

Known gaps

• No mechanism to detect or flag stale data — the dataset may become outdated without notice.
• Department filter uses numeric codes only; users must know French department numbering.
• No geographic visualisation (map) of provider distribution.
• Text search is substring-only; no fuzzy matching or stemming.

Possible future directions

• Map view of provider locations by department.
• Cross-referencing with ANSSI's official qualified products catalogue.
• Automated data refresh from the source API.