OrganisationFR

ANSSI

France's national cybersecurity agency, issuing SecNumCloud and NIS2 compliance guidance for critical infrastructure.

Last refreshed: 17 May 2026 · Appears in 1 active topic

Key Question

Will ANSSI's SecNumCloud standard become the EU's de facto sovereign-cloud benchmark or will Brussels create a competing one?

Timeline for ANSSI

#523 Apr

France awards Health Data Hub to Scaleway

European Tech Sovereignty

View full timeline →

Follow European Tech Sovereignty →

Common Questions

What is ANSSI and what does it do?: ANSSI is France's national cybersecurity authority, responsible for protecting state and critical-infrastructure systems, issuing the SecNumCloud cloud security certification, and advising on NIS2 compliance. It reports to the Prime Minister via the SGDSN.Source: cyber.gouv.fr
What did ANSSI and Germany's BSI agree on in March 2026?: ANSSI and BSI published a joint declaration establishing harmonised Franco-German cloud sovereignty criteria: strict data localisation, exclusive European law, prohibition on non-EU state authority access, and EU-only business continuity — a framework for a potential EU-level standard.Source: ANSSI / BSI joint declaration, March 2026
How does ANSSI enforce cloud security rules for French government?: ANSSI issues SecNumCloud qualification, which Cloud au Centre doctrine mandates for all sensitive French public data. ANSSI-approved PASSI auditors conduct the qualification audits; qualification is valid 3 years with mandatory 18-month surveillance audits.Source: ANSSI / numerique.gouv.fr

Background

The Agence nationale de la sécurité des systèmes d'information (ANSSI) is France's national authority for cyberdefence and network and information security, reporting to the Secretariat-General for National Defence and Security (SGDSN) and thereby to the Prime Minister. Its missions span threat monitoring and anticipation, Incident Response, securing state and critical-infrastructure information systems, and developing national cybersecurity culture. ANSSI's most commercially significant power is the issuance of the SecNumCloud certification, which became mandatory for sensitive French public-sector data hosting under the 2021 Cloud au Centre doctrine.

In March 2026, ANSSI released the Référentiel Cyber France (ReCyF), a working document listing recommended security measures aligned with NIS2 obligations, and co-signed a joint declaration with Germany's BSI establishing harmonised Franco-German cloud sovereignty criteria. The BSI declaration is the most significant European coordination move in ANSSI's recent history, positioning the SecNumCloud framework as a candidate template for EU-level cloud security standards. ANSSI also published joint guidance with BSI on cloud sovereignty in advance of the Health Data Hub contract award.

ANSSI operates in the European context through ENISA (the EU Agency for Cybersecurity) and the NIS Cooperation Group. With NIS2 applying across EU member states from October 2024, ANSSI's experience as an early-adopter national authority gives it outsized influence in shaping how NIS2 is implemented across European critical infrastructure sectors.

How the World Sees Them

France

ANSSI is the operational arm of French cyber sovereignty; its SecNumCloud certification directly shapes which cloud providers can serve the French state.

Germany

BSI and ANSSI collaboration in 2026 is the deepest Franco-German cyber coordination since ENISA's founding; both see EU harmonisation as a way to export their standards.

US cloud providers

ANSSI's SecNumCloud requirements structurally exclude US providers from sensitive French workloads; the Franco-German joint declaration threatens to extend this exclusion EU-wide.

European Commission

ENISA and the Commission consult ANSSI heavily on NIS2 implementation and cloud security frameworks; SecNumCloud influences CAIDA's drafting.