
SecNumCloud
ANSSI's cloud security certification requiring data sovereignty, encryption, and no non-EU state authority access.
Last refreshed: 17 May 2026
Can any US cloud provider ever get SecNumCloud certification, or is it structurally impossible under US law?
Timeline for SecNumCloud
Required as contractual condition for Health Data Hub migration
European Tech Sovereignty: France awards Health Data Hub to Scaleway
- What is SecNumCloud and why does it matter for French government contracts?
- SecNumCloud is ANSSI's cloud security certification requiring 360+ compliance criteria including data localisation in France and prohibition of non-EU state authority access. Since 2021, the Cloud au Centre doctrine mandates it for all sensitive French public-sector data hosting. Source: ANSSI / numerique.gouv.fr
- Why can't AWS or Microsoft get SecNumCloud certification?
- SecNumCloud explicitly prohibits cloud providers from being subject to non-EU state authority access to data. US cloud providers are subject to the US CLOUD Act, which allows US government data access. These two requirements are legally incompatible. Source: ANSSI SecNumCloud v3.2 / legal analysis
- How does SecNumCloud relate to Germany's cloud sovereignty standards?
- In March 2026, ANSSI and Germany's BSI published a joint declaration harmonising Franco-German sovereign cloud criteria — strict data localisation, exclusive EU law, no non-EU authority access, EU-only business continuity — laying groundwork for a potential EU-level standard. Source: ANSSI-BSI joint declaration, March 2026
Background
SecNumCloud is the security visa issued by ANSSI, France's national cybersecurity agency, to cloud service providers — IaaS, PaaS, SaaS, and CaaS — that meet stringent requirements for security and data sovereignty. Created in 2017 and now at version 3.2, the framework imposes more than 360 compliance criteria across 14 themes covering technical, organisational, operational, and legal security, building on ISO/IEC 27001 with prescriptive French additions: compartmentalisation, multi-factor authentication, encryption, PASSI audit requirements, and mandatory data localisation in French territory.
As of 2026, nine providers hold SecNumCloud qualification, with twelve additional applications under review. Qualification is valid for three years; surveillance audits are mandatory every 18 months. The landmark policy development is the March 2026 joint declaration by ANSSI and Germany's BSI establishing harmonised Franco-German sovereign cloud criteria, including strict data localisation, exclusive application of European law, prohibition on non-EU state authority access, and business continuity without dependence on non-EU actors.
SecNumCloud has become commercially decisive under the Cloud au Centre doctrine, which since 2021 mandates SecNumCloud qualification (or equivalent European certification) for all French public-sector sensitive data hosting. The Health Data Hub contract requiring Scaleway's SecNumCloud qualification is the largest single procurement requiring the certification to date, and the Franco-German declaration positions SecNumCloud as a template for an EU-level sovereign cloud standard. US hyperscalers (AWS, Microsoft, Google) cannot currently qualify: they are subject to US law, including the CLOUD Act, which conflicts with SecNumCloud's prohibition on non-EU state authority access.