SecNumCloud: The Strategic Challenges of The Qualification

This article is the second in our series on the SecNumCloud framework, its strategic implications, and Scaleway’s path toward obtaining this demanding qualification.

Previously, we looked at how SecNumCloud redefines the criteria for trust in the cloud: a public framework, high technical and organizational requirements, an independent audit, and a qualification decision issued by ANSSI.

In this article, we move from the definition of the framework to its concrete implications for a cloud provider. Because aiming for SecNumCloud is not just about meeting compliance requirements: it means making structuring choices around architecture, operations, and technological sovereignty.

The strategic choices behind the qualification

For a cloud provider, committing to SecNumCloud qualification is a strong move. Technically, it responds to the growing sophistication of cybersecurity threats; legally, it responds to the interference of foreign extraterritorial laws. In practice, it responds to the implicit or explicit expectations of a growing number of industries increasingly concerned with these issues.

But this process goes beyond simple compliance: it imposes structuring industrial choices.

Aiming for this State standard raises concrete questions about architecture and the business model:

The architecture dilemma: Should a provider build a separate, isolated qualified infrastructure for critical customers, or raise all of its public infrastructures to the SecNumCloud level of requirements?
The financial and operational impact: Physical segregation, documentary traceability, and regular audits require significant investment. The challenge is to absorb these costs without undermining the competitiveness of the offers or affecting customers who do not need such a high level of requirements.

Each market player responds to these challenges with its own strategy. At Scaleway, our ambition to become a European hyperscaler has led us to make specific and differentiating architecture decisions.

While SecNumCloud provides a solid defense against cyberattacks and foreign legal interference, it is essential to take a critical view of what the framework — which remains a cybersecurity tool, not an industrial policy instrument — does not cover.

The qualification does guarantee operational autonomy for the service: the provider retains full control over administration, protecting you from externally imposed loss of access. However, the framework does not regulate the provider’s software choices. The question of long-term technological independence and reversibility therefore remains open.

It is precisely on these issues that Scaleway’s approach takes over, to avoid two pitfalls:

The risk of gradual degradation

A cloud offering, even a qualified one, that relies on closed technology components or extra-European licensed software remains vulnerable to an interruption in updates. If access to these third-party providers were cut off, for example following a decision by a third-party State, the inability to maintain and patch systems would inevitably erode your level of security.

Beyond security issues alone, this disruption would deprive you of any functional updates and innovation, freezing your information system in the past and severely undermining your competitiveness.

Vendor lock-in

SecNumCloud does not impose any requirement regarding the openness of the technologies used: a provider can perfectly well offer you a qualified environment while locking you into a proprietary ecosystem. The day you want to migrate your data or change architecture, reversibility costs become prohibitive.

True cloud sovereignty actually requires true independence: the freedom to always have the choice to change technology partners. If your infrastructure is so deeply embedded in one player’s technologies that leaving becomes impossible, you are no longer sovereign — you are captive. Hence the importance of reversibility: the freedom to regain control of your infrastructure at any time.

For Scaleway, the answer to these limits lies in our DNA: openness and interoperability. Sovereignty is not limited to legal protection alone; it fundamentally resides in freedom of choice.

By prioritizing Open Source and open standards, we do more than secure your data according to the highest requirements set by the State: we ensure that you remain in control of your technology choices, without critical dependency or proprietary lock-in. That is why we design our infrastructures to be natively reversible.

By facilitating application interoperability and data portability, we guarantee one thing: you choose to stay with Scaleway because of the quality of our services, not because you are technically or financially locked in.

Scaleway’s path toward qualification

From the outside, obtaining ANSSI qualification may seem like a mere administrative formality. For a cloud provider, this process is in fact a true marathon, stretching over several months or even years. Extremely rigorous, the evaluation process is structured by ANSSI around precise milestones (jalons):

Milestone 0: Acceptance of the qualification request

This is not a simple declaration of intent, but rather a matter of precisely defining our target: what SecNumCloud offering do we want to provide? Which specific products will be included in this scope? In short, setting a direction. To validate this milestone, our teams had to produce and submit extensive documentation, including a comprehensive architecture file. This document details all of our architecture choices and the technical components involved. This is how ANSSI was able to formally validate the admissibility of our approach in December 2024.

Milestone 1: Acceptance of the evaluation strategy

Once the scope has been frozen, the next step is to determine how and when this offering will be tested. This milestone is about planning: we defined the evaluation methods, selected the independent audit firm (CESTI) accredited by the State, and set the timeline for the next steps. It is the official roadmap that establishes the control methodology. For us, this milestone was passed in July 2025.

Milestone 2: Acceptance of the evaluation work

This is a particularly critical, long, and complex phase. We are currently at the heart of the evaluation of the offering we are proposing. This evaluation is divided into a meticulous documentary audit, followed by an on-site technical audit. The independent auditors inspect our infrastructure, our processes, and our code in depth to verify that reality matches our commitments. ANSSI will then have to validate the rigor of the work carried out by the auditors and the strict adherence to the methodology.

Milestone 3: Qualification decision

Based on the auditors’ report, ANSSI evaluates the cloud service and delivers its final verdict.

These steps, as well as their preparation, involve every layer of Scaleway: engineering, security, legal, human resources, and operations.

Finally, it should be noted that qualification is part of a demanding lifecycle, subject to annual surveillance audits and full renewal every three years. This timeframe ensures that a provider’s offering remains aligned with SecNumCloud standards and continues to adapt to new cybersecurity and sovereignty challenges.

SecNumCloud qualification is therefore not a simple administrative outcome: it is a structuring trajectory, one that engages the architecture, operations, internal processes, and technological vision of a cloud provider.

In the next article in this series, we will go behind the scenes of these choices at Scaleway, to understand how this ambition is translated concretely into the design of our qualified offering.