top of page

New french"trusted cloud" label extends SecNumCloud

Updated: Nov 8, 2021

The french government wants to launch a new "trusted cloud" label to certify cloud services that companies, administrations and citizens can rely on. An extension of SecnumCloud, this label will also be issued by the ANSSI. It remains to be seen what criteria will be used to award it and to what extent it will not benefit the hyperscaler licensing model.

GCTI Trusted Cloud

What are the criteria?

The label will be based on the SecNumCloud visa issued by the French National Agency for Information Systems Security (ANSSI). Only three French cloud providers have received this visa to date, and only one of them for a public cloud infrastructure (Outscale). OVH is only qualified for its private cloud offering.

Cloud providers wishing to receive the new label will therefore have to comply with the technical reference framework of this visa and the requirements of the future European scheme known as the "European Cybersecurity Certification Scheme for Cloud Services".

Furthermore, "infrastructures and systems" will have to be located in Europe and therefore in European datacenters.

As for the operational and commercial porting of the offer" (marketing of US cloud offers under licence), this will have to be carried out by a European entity owned by European players. However, the shareholding is not specified.

What about non-European companies?

The government's cloud strategy also foresees that non-European companies will also be able to receive this label, provided that they respect certain rules such as locating data in Europe, locating the entity operating the services in Europe, and marketing the offers via French cloud providers. This practice would be aimed at overriding the CLOUD Act, which allows the American authorities to access data stored by American companies. But in practice, regardless of the location of the data, the US authorities have access to the data as soon as it is stored by a US company under the CLOUD Act. What about the European subsidiary of a US entity that operates its services in a European datacenter and is therefore in compliance?