SecNumCloud
ANSSI's qualification scheme for trusted cloud providers — proving both technical security and immunity to non-EU extraterritorial law (notably the U.S. CLOUD Act), required for French public-sector and critical-infrastructure cloud workloads.
SecNumCloud is the French ANSSI qualification scheme for trusted cloud service providers. Its current reference is SecNumCloud v3.2 (2022, refreshed 2024). A SecNumCloud-qualified provider has been audited against ~200 requirements covering technical security, operational resilience — and, crucially, immunity to non-EU extraterritorial law.
The extraterritoriality clause (Section 19.6 of the reference) is what makes SecNumCloud politically distinctive. A provider whose corporate ownership, capital, or governance subjects it to laws like the U.S. CLOUD Act cannot qualify — even if its data centres are entirely in France. That excludes U.S.-headquartered hyperscalers from direct qualification; offerings such as Bleu (Microsoft + Capgemini + Orange) and S3NS (Google + Thales) are joint ventures explicitly designed to satisfy the immunity criterion through a French majority-controlled operating entity.
Today’s qualified providers include OVHcloud, Outscale (Dassault Systèmes), Cloud Temple, Worldline, NumSpot, and a handful of others. Bleu and S3NS were granted qualification visa and have qualified offers in progress as of 2026.
SecNumCloud is mandatory or strongly recommended for:
- Sensitive state IS (the doctrine “cloud au centre” from the French Prime Minister’s 2021 circular, reaffirmed in 2023).
- French OIVs and OSEs under NIS2 transposition.
- Some public-sector procurement (UGAP central-purchasing catalogues, regional and city contracts).
For a mairie, a hospital group, or a financial entity hosting workloads in France, SecNumCloud is the practical answer to the procurement question is this cloud legally protected from a U.S. court order. The complementary layer — the people using the cloud — is where Engarde sits, distinct from other vendors sharing the Engarde name.
Related terms
- Cloud ActU.S. federal law (2018) compelling U.S.-headquartered cloud providers to hand over customer data on lawful U.S. request — regardless of where the data is physically stored — which conflicts with EU data-protection law for EU customers.
- ANSSI (Agence nationale de la sécurité des systèmes d'information)France's national cybersecurity agency — publishes the guidance, certifications (SecNumCloud, CSPN) and incident-response posture French organizations align with.
- PSSI (Information Systems Security Policy)The French Politique de Sécurité des Systèmes d'Information — an organization's master security policy, formalized following ANSSI's PSSI-E methodology.
- NIS2EU Directive 2022/2555 raising cybersecurity obligations across essential and important entities, with behavioral controls and training now in audit scope.
- HDS (Hébergeur de Données de Santé)French certification, granted by ANS, that any organization hosting personal health data on behalf of a French controller must hold.