# SecNumCloud (ANSSI Cloud Computing Security Qualification)
French national cybersecurity agency (ANSSI) qualification for cloud services. Combines a high-assurance security baseline with sovereignty requirements (immunity from non-EU law). The technical foundation of the Cloud de Confiance label.
## What SecNumCloud actually is
SecNumCloud is the cloud computing security qualification issued by **ANSSI** (Agence nationale de la sécurité des systèmes d'information) — France's national cybersecurity agency. The current version, **SecNumCloud 3.2**, was released in 2022 and significantly tightened earlier sovereignty criteria.
SecNumCloud serves as the technical foundation for the broader [Cloud de Confiance](/en/glossary/cloud-de-confiance/) label. Where Cloud de Confiance is the broader policy framework, SecNumCloud is the specific technical qualification.
## What SecNumCloud requires
SecNumCloud 3.2 imposes around **300 security controls** across multiple domains, including:
### Technical security
- Cryptographic controls (FIPS-aligned algorithms, key management under EU control)
- Network segmentation and traffic isolation
- Audit logging and incident detection
- Vulnerability management and patching
- Backup and disaster recovery
### Operational security
- Personnel screening for staff with administrative access (must be EU residents)
- Physical security of data centers
- Operational procedures with formal change management
- Supply chain security
### Sovereignty (the differentiator)
SecNumCloud 3.2 introduced explicit sovereignty requirements that distinguish it from international standards like ISO 27001:
- **No extraterritorial law exposure**: the provider must be structurally immune to non-EU law, including the [CLOUD Act](/en/glossary/cloud-act/) and FISA 702
- **EU-controlled corporate structure**: majority European ownership; no foreign parent with effective control
- **EU data residency**: customer data and metadata must remain in the EU
- **EU staff**: personnel with administrative access must be EU residents subject to EU law
The sovereignty requirements are why most US hyperscalers can only meet SecNumCloud through joint ventures with French firms (S3NS, Bleu).
## How SecNumCloud audits work
The qualification process involves:
1. **Application** to ANSSI
2. **Audit by ANSSI-qualified Common Criteria evaluation laboratory** (Centre d'évaluation de la sécurité des technologies de l'information, CESTI)
3. **Technical review** by ANSSI
4. **Qualification grant** if criteria met
5. **Periodic recertification** (typically every 3 years)
The audit is extensive and expensive — typically 12-18 months and several hundred thousand euros for a credible provider. This barrier ensures only serious sovereign-cloud players hold it.
## Currently qualified providers (selection)
As of 2026, providers holding SecNumCloud 3.2 qualification include:
- **OVHcloud** (specific offerings)
- **Outscale** (Dassault Systèmes)
- **S3NS** (Thales-controlled Google Cloud technology)
- **Bleu** (Capgemini/Orange Microsoft Azure technology, in qualification process)
- **Numspot** (Docaposte/Bouygues/Dassault/Banque des Territoires JV)
- **Worldline** (specific offerings)
- Various smaller specialized providers
The list is deliberately small — SecNumCloud is positioned as a high-assurance signal, not a commodity certification.
## Why SecNumCloud matters
### 1. The benchmark for cloud sovereignty
SecNumCloud 3.2 set the technical and structural benchmark for what "real" cloud sovereignty means. Other European national schemes (BSI C5, Italian ACN, Spanish ENS) are increasingly converging toward similar models.
### 2. Public-sector procurement gateway
France's "doctrine cloud au centre" (cloud-first doctrine) mandates SecNumCloud-qualified cloud for sensitive public-sector workloads. This is a multi-billion-euro procurement pipeline.
### 3. Operators of essential services (NIS2)
[NIS2](/en/glossary/nis2/) operators of essential services in France increasingly look to SecNumCloud as the canonical way to demonstrate cloud security. ANSSI guidance under NIS2 references SecNumCloud directly.
### 4. The pattern for EUCS High
The contested [EUCS](/en/glossary/eucs/) scheme's "High" level — if finalized with sovereignty criteria — would likely mirror SecNumCloud 3.2 closely.
### 5. Hyperscaler joint ventures
S3NS (Thales + Google Cloud) and Bleu (Capgemini/Orange + Microsoft) exist *because of* SecNumCloud. The joint venture model is the only way US hyperscaler technology can serve SecNumCloud-mandated workloads.
## SecNumCloud vs SOC 2 / ISO 27001 / BSI C5
| Aspect | SecNumCloud | SOC 2 / ISO 27001 | BSI C5 |
|--------|-------------|---------------------|--------|
| Security baseline | Comprehensive | Comprehensive | Comprehensive |
| Sovereignty requirements | **Yes (strict)** | None | Soft (documents exposure) |
| EU corporate structure | Required | Not required | Not required |
| Foreign-law immunity | Required | Not addressed | Not required |
| Audit rigor | Very high | Moderate-high | High |
| Typical cost | High | Moderate | Moderate-high |
| Market | French regulated sectors | International | German regulated sectors |
SecNumCloud is unique in combining a strong security baseline with binding sovereignty criteria.
## What SecNumCloud means in practice
### For French buyers
SecNumCloud is the default expectation for sensitive workloads. For regulated industries (banking, healthcare, defense) and public sector, it is effectively mandatory.
### For European cloud providers
SecNumCloud qualification is an expensive but high-value investment for serving French regulated markets. The certification creates a competitive moat.
### For US hyperscalers
Direct SecNumCloud qualification is structurally impossible due to CLOUD Act exposure. Participation requires a joint venture model (S3NS, Bleu) in which the French partner has majority control.
### For European businesses generally
SecNumCloud-qualified providers are credible options regardless of national origin. Their qualification is meaningful evidence of sovereignty alignment.
## What 2026-2027 brings
- **SecNumCloud 4.0** anticipated revision aligned with NIS2 and EUCS work
- **AI workload extensions** as ANSSI develops cloud guidance for AI Act
- **More JV qualifications** as US hyperscalers expand European JV partnerships
- **Convergence with EUCS** if the pan-European scheme finalizes with strong sovereignty criteria
- **Public-sector enforcement** as French agencies complete cloud-first migrations
## Practical implications
For most European tech buyers:
- **If you're French public-sector or in a regulated industry**: SecNumCloud is directly load-bearing
- **If you serve French regulated customers**: SecNumCloud-qualified cloud is increasingly required of your supply chain
- **If you're evaluating cloud sovereignty broadly**: SecNumCloud is the most mature European framework — its requirements are the benchmark
- **For everyday SaaS decisions**: SecNumCloud is background context