Updated: Nov 8, 2021
The French government wants to launch a new "trusted cloud" label to certify cloud services that companies, public administrations and citizens can rely on. An extension of SecNumCloud, this label will also be issued by the ANSSI. It remains to be seen which criteria will be used to award it, and whether, in practice, it will end up benefiting the hyperscalers' licensing model.
What are the criteria?
The label will be based on the SecNumCloud visa issued by the French National Agency for the Security of Information Systems (ANSSI). Only three French cloud providers have received this visa to date, and only one of them for a public cloud infrastructure (Outscale). OVH is qualified only for its private cloud offering.
Cloud providers wishing to receive the new label will therefore have to comply with the technical reference framework of this visa and the requirements of the future European scheme known as the "European Cybersecurity Certification Scheme for Cloud Services".
Furthermore, "infrastructures and systems" will have to be located in Europe, and therefore in European data centres.
As for the "operational and commercial porting of the offer" (i.e. the marketing of US cloud offerings under licence), this will have to be carried out by a European entity owned by European players. However, the required shareholding structure is not specified.
What about non-European companies?
The government's cloud strategy also foresees that non-European companies will be able to receive this label, provided that they respect certain rules, such as locating the data in Europe, locating the entity operating the services in Europe, and marketing the offers through French cloud providers. This arrangement is meant to circumvent the CLOUD Act, which allows the US authorities to access data held by US companies. In practice, however, the CLOUD Act gives the US authorities access to data as soon as it is held by a US company, regardless of where the data is stored. What, then, about the European subsidiary of a US entity that operates its services in a European data centre and therefore formally meets the label's criteria, while remaining under the control of its US parent?
Indeed, the legality of the storage of European data by US providers has been far from assured since the invalidation of the Privacy Shield. The Court of Justice of the European Union invalidated that framework in its Schrems II ruling of July 2020, on the grounds that US surveillance laws do not provide a level of protection equivalent to that required by the General Data Protection Regulation (GDPR).
A model that benefits hyperscalers and penalises end customers
With this new label model, US companies (the hyperscalers) will be "encouraged" to market their offerings even more in the form of licences to French suppliers, leaving the latter with less room for negotiation. French suppliers will have to negotiate hard on SLAs, for which they will then be responsible towards their customers. They will have no choice but to pass on their "lost margins" to the end customer and to work on a large volume of accounts and/or compute instances.
To guarantee those SLAs, they will also have to build up skills in contractual, technical, regulatory and security matters, and invest in value-added managed services with a strong security focus. They will also have to invest massively in the physical and logical security of their data centres (at the risk of facing major incidents of the kind seen during the OVH data centre fire in Strasbourg in March 2021).
US providers, on the other hand, will revise their licensing agreements to their advantage and shift even more responsibility for managed services onto the cloud providers that license their offerings. This is a paradigm shift that will be highly advantageous to them from a commercial and legal point of view. The risk is that the gap between the US hyperscalers and European CSPs will widen even further.