SecNumCloud: understanding the trusted cloud standard

This article is the first in a three-part series on the SecNumCloud framework, its strategic implications, and Scaleway’s path toward obtaining this demanding qualification.
Data security long relied on a reassuring physical reality: servers were hosted internally, on-premises, literally within reach of IT teams. With the rise and widespread adoption of cloud computing, companies and institutions gained unprecedented agility, but in return, they had to delegate control over that physical infrastructure.
This paradigm shift is what makes the question of trust so critical. Since the infrastructure is no longer directly in front of you, it is legitimate to ask not only where your data is stored, but also how it is actually protected — and by whom.
To answer this question, the market initially relied on international standards. ISO standards, such as ISO 27001 and ISO 27017, laid excellent foundations for governance and risk management. However, given the growing sophistication of cyber threats and the interference of certain foreign legislations, these general frameworks have shown their limits when it comes to highly sensitive data.
Europe now has a vital need for trusted infrastructure capable of guaranteeing full strategic autonomy. That means moving from a logic of “best practices” to a non-negotiable level of technical requirements, imposed and controlled by the State. It is in this context that the SecNumCloud qualification has emerged as the most demanding standard for security and sovereignty in France, and as a major source of inspiration for Europe as a whole.
So what exactly lies behind this seal of approval issued by ANSSI, and how does it go far beyond traditional certifications? Let’s take a closer look at the framework.
What is SecNumCloud?
Issued by ANSSI — the French National Cybersecurity Agency — the SecNumCloud qualification confirms that a cloud provider meets the highest requirements in terms of security and regulatory compliance.
Certification, approval, or qualification: what exactly are we talking about?
These three terms are often confused. Yet their scope is very different:
- Certification — proof of compliance: Certification is an attestation issued by an independent third party confirming that a product, service, or management system complies with a given framework, such as ISO 27001. It is a guarantee of compliance recognized by the market.
- Approval — acceptance of risk: Approval is a formal decision, most often made by the owner of an information system, for example a public administration or a company, although some French regulations require this decision to be carried by a State authority such as ANSSI, for example in the context of classified information. It consists of formally accepting the residual risks associated with using that system in a specific business context.
- Qualification — the State’s recommendation: Qualification goes far beyond a simple attestation of compliance. First, it certifies that a service has been audited according to rigorous criteria defined by ANSSI, which validates the audit report. But above all, once this audit is complete, the French State officially recommends this service to protect the Nation’s most critical data, including data from public administrations and Operators of Vital Importance — public or private entities who operate equipment or facilities necessary to the French nation’s survival. Qualification therefore directly commits the trust of the State.
SecNumCloud is already a mature framework. Created in 2016, it has continued to evolve in response to emerging threats.
Its current version (3.2, launched in 2022) marks a turning point by introducing an essential parameter: legal sovereignty. SecNumCloud acts as a strong barrier against extraterritorial laws such as the US CLOUD Act. By choosing a SecNumCloud-qualified service, you have the assurance that your data remains protected and subject exclusively to European jurisdiction, shielded from any foreign surveillance or interference.
Why go beyond international standards?
To fully understand the paradigm shift represented by SecNumCloud, it helps to see how it differs from existing standards such as ISO 27001:
- ISO 27001: This is the leading international standard. It demonstrates that an organization has implemented a rigorous risk analysis approach — the Information Security Management System, or ISMS — to protect its information system. It is a dynamic approach in which the organization assesses its own risks and defines proportionate measures to address them, for example through the technical and organizational controls of its Statement of Applicability. This offers a high degree of adaptability to each context. The emphasis is on continuous improvement, rather than on a universal baseline of requirements.
- SecNumCloud: This is the highest level of cloud requirements in France. As with ISO 27001, a SecNumCloud-qualified hosting provider still conducts its own risk analyses, but ANSSI adds a set of non-negotiable baseline requirements. On critical topics such as segregation, cryptography, and administration, ANSSI imposes its own technical rules and recommends the use of qualified products. Added to this is the sovereignty dimension, namely strict protection against extraterritorial laws, which is entirely absent from international standards.
In short, ISO 27001 is an essential foundation for a secure information system. SecNumCloud qualification goes further, through:
- its depth in terms of technical requirements;
- its extended scope, including sovereignty; and
- the mandatory nature of its requirements.
Together, these criteria shift cloud providers from a purely continuous improvement approach to an essential security baseline.
At the heart of the framework: four major pillars of requirements
The SecNumCloud framework is a dense document that leaves nothing to chance. Its requirements are structured around four major pillars that cover all the security aspects needed to properly protect an information system:
- Organizational security: The provider must rely on a reinforced ISMS: staff screening from the recruitment stage, strict control of subcontractors, regular audits by qualified third parties — PASSI auditors — and incident response processes guaranteeing rapid interventions in line with the availability levels contractually agreed with the customer.
- Technical security: The framework requires unbreachable logical segregation between customers, strict separation of administration networks, and the integration of cryptographic algorithms directly approved by ANSSI.
- Physical security: The data centers hosting qualified services are subject to strict controls: dedicated segregation of spaces, redundancy of critical facilities, and reinforced access control.
- Legal and sovereign security: The hosting provider must be a European entity whose capital is protected against non-European takeovers. Data may under no circumstances be transferred outside the European Union.
Why SecNumCloud is becoming a decisive trust criterion
Today, implementing state-of-the-art security measures is no longer enough; organizations must be able to prove their effectiveness. This is exactly what this qualification provides, through:
- Public and verifiable information: Since the SecNumCloud framework is public, customers know precisely which requirements their cloud provider meets.
- Independent assessment: The four security criteria mentioned above are meticulously assessed by an independent audit firm.
- Validation by a State authority: The information collected is used by ANSSI to issue a qualification decision.
Together, these elements give customers an unparalleled level of transparency into the security of their cloud provider.
For whom is SecNumCloud essential?
Although the qualification was originally designed for the most critical State environments, it is now being adopted by an increasingly broad ecosystem:
- The public sector: This demand is driven by the French State’s “Cloud at the Center” doctrine, which requires this level of protection for citizens’ sensitive data.
- OVIs and OESs — Operators of Vital Importance and Operators of Essential Services: Organizations in sectors such as energy, transport, and banking have strict legal obligations in terms of cybersecurity.
- The healthcare sector: Hosting critical medical data out of reach of foreign jurisdictions, going further than HDS — Hébergement des Données de Santé, France's certification for Healthcare Data Hosting.
- B2B SaaS providers: More and more software vendors choose to rely on SecNumCloud infrastructure to reassure their own end customers and win demanding tenders by allowing that trust to extend across the value chain.
More broadly, SecNumCloud is becoming an obvious choice for any organization that requires a strengthened level of security and a guarantee of sovereignty.
All these actors may therefore be led to favor cloud providers with a qualified offering.
By establishing a baseline of technical, organizational, physical, and legal requirements, SecNumCloud marks a step change in cloud trust. Where international standards provide essential foundations, the qualification goes further: it imposes a verifiable framework, independently audited and recognized by the State, designed to protect the most sensitive data.
But understanding the framework is only the first step. For a cloud provider like Scaleway, pursuing SecNumCloud also implies deep strategic choices. This is what we will explore in the second article of this series.