SecNumCloud, the passport to trusted cloud offerings

Many public and private sector players store their IT data on remote servers, operated by companies other than themselves. This is the principle of cloud computing: applications and data are no longer located on a specific computer, at their true owner’s premises, but in acloud made up of numerous interconnected remote servers, sometimes located in foreign countries. According to Databridge, the market for exchanges between file owners and hosting providers has grown rapidly, reaching 534 billion euros in 2024 for all segments combined.
For this price, the service has every interest in being high-performance! And in this business, performance means security. We’re not telling you anything: in our digitalized, ultra-connected society, cyber risks are everywhere. And it affects everyone, big and small, public and private. In its state of the cyber threat published on February 20, 2025, the French National Agency for Information Systems Security (ANSSI) warns of ” new attack opportunities and security issues ” for organizations using the cloud. In particular, it has identified that cloud services can be used as attack infrastructures, whether by renting infrastructure itself from cloud operators, or using consumer platforms as a place to store and access malicious code or exfiltrate stolen data. ” These new practices complicate detection by hiding malicious activity within the legitimate traffic of users of these platforms “, warns the agency.
SecNumCloud: qualification valid for three years
This need to provide a bulwark against these threats is the raison d’être of SecNumCloud. This sign of recognition, devised in 2016 by ANSSI, qualifies cloud computing services deploying a very tightly meshed security net. AFNOR Certification is one of the bodies authorized to award it . ” It’s a highly engaging process. Qualification, which is valid for three years, gives service providers a competitive edge, as it gives them credibility in offering a trusted cloud. This makes all the difference when responding to an invitation to tender. “Thomas Sanjullian, head of trust services assessment at AFNOR Certification, explains. All the more so when the data stored is sensitive, or even government data. In France, the SREN law of May 2024 enshrines the government’s “cloud at the center” doctrine. Article 31 stipulates that, for this type of data, the public-sector client must ensure that the chosen cloud service implements strict security and protection criteria, in particular to guard against any access by public authorities from third countries not authorized by European Union law.
ISO/IEC 27017 under public inquiry
In the large family of ISO/IEC 27000 voluntary standards on information security, ask for ISO/IEC 27017! This January 2021 text is due to be published in a new version in mid-2026. It acts as a code of practice for security controls on cloud services, controls based on ISO/IEC 27002. It includes an Annex A with measures to be added to the ISMS declaration of applicability. And, as with all standards, the next version is subject to a public inquiry. You can take part until April 18, 2025 by clicking here .
And that’s just as well: SecNumCloud, in its current version 3.2, requires servers to be geographically located in France or the European Union, and operated by players with predominantly European capital. This provides protection against data access requests from non-European authorities. ” Typically, a U.S. judge invoking the Patriot Act doesn’t get his way “, illustrates Thomas Sanjullian. Since the law requires that sensitive data and government data must be processed by a service provider offering a “trusted” service, SecNumCloud is a first-rate insurance policy in this respect. This distinctive sign is endorsed by the ANSSI, and only services with a security visa issued by this agency can claim to be “trusted”. SecNumCloud recognizes a specific cloud offering (IaaS, CaaS, PaaS, SaaS), not a provider.
EUCS: the risk of a race to the bottom
The subject is so sensitive that the European version of SecNumCloud, on an EU-wide scale, is still being debated, six years after the publication of the Cybersecurity Act, the European regulation on cybersecurity. This EU counterpart, dubbed EUCS, provides for the harmonization of security standards for cloud computing services, with a system of equivalences between countries and levels of security assurance, from the lowest to the highest. Here’s the rub: SecNumCloud would be equivalent to the highest level, but would coexist with less robust systems corresponding to lower assurance levels. A sort of “levelling down”, which would deal a heavy blow to the French bias in favor of a highly demanding extra-territoriality system. ” The Spanish subsidiary of an American giant could obtain certification in Spain, potentially giving it access to SecNumCloud qualification in France “, fears Thomas Sanjullian.
In February 2025, discussions were still at a standstill within the EU-27. In the meantime, SecNumCloud continues to make headway in France, acting as a passport to a ” sovereign, robust and legitimate ” cloud. Want to find out more? Join us at the InCyber Forum in Lille on April 3, 2025, where Thomas Sanjullian will be giving a talk entitled “EUCS: the decline of a European ambition”.