If you've spent any time around French government IT or cloud procurement in the past two years, you've heard "SecNumCloud" mentioned in tones ranging from cautious respect to outright fear. It's referenced in regulations, required in tenders, and treated as a kind of gold standard for sovereign cloud — but a lot of the people who reference it haven't actually read what it requires. This post is the non-expert's overview.
What SecNumCloud is
SecNumCloud is a cloud security qualification framework published by ANSSI (Agence nationale de la sécurité des systèmes d'information), France's national cybersecurity agency. The current version (3.2, published April 2025) is a 200+ page document specifying technical, organizational, and legal requirements that a cloud provider must meet to be qualified to host the most sensitive French data.
It's a qualification, not a certification — meaning ANSSI itself approves providers, not a third-party auditor. The bar is high enough that as of early 2026, only a handful of providers have full qualification: 3DS Outscale, OVHcloud (Cloud Avenue), Oodrive, and a few others. SecNumCloud-qualified providers are listed publicly on ANSSI's website.
What it requires, broadly
The 3.2 version added explicit sovereignty requirements that close some loopholes in earlier versions. Headline requirements:
- EU control of corporate ownership. The provider must be controlled by EU entities — meaning more than 75% of voting rights must be held by EU-domiciled entities, and operational control (board, executives) must be EU-based.
- EU jurisdiction only. The provider must not be subject to extraterritorial laws of non-EU countries (Cloud Act, UK IPA, China NIL, etc.).
- EU-located infrastructure. Datacenters, network equipment, customer-facing systems must be physically in EU territory.
- EU-located staff. Customer-impacting operational staff (admins with access to customer data, support, security ops) must work from EU territory.
- Cryptographic isolation. Customer data must be encrypted with keys that are technically inaccessible to non-EU influence.
- Auditable supply chain. Every subprocessor with access to customer data must independently meet equivalent sovereignty requirements.
On top of that comes the technical baseline you'd expect from any serious cloud security framework: ISO 27001-style controls, incident response procedures, vulnerability management, separation of duties, etc.
What it doesn't require
SecNumCloud is specifically a security and sovereignty qualification. It doesn't require:
- HDS (health data hosting) certification — that's a separate French framework
- A FedRAMP equivalent — not applicable, since the framework is specifically about EU data
- Specific technical implementations (you can use any encryption, any hypervisor, etc., as long as the security properties are met)
Who needs it
SecNumCloud isn't required for most workloads. The categories that do need it:
- OIV (Opérateurs d'Importance Vitale) — operators of vital importance, defined under French law. Banks, telcos, water/electric utilities, transport operators. Their critical workloads must be on SecNumCloud-qualified infrastructure.
- OSE (Opérateurs de Services Essentiels) under NIS2 — essential service operators in healthcare, finance, energy, water, digital infrastructure. They are required to perform supply chain risk assessments, and SecNumCloud is one accepted way to satisfy that requirement.
- French government and public sector for sensitive workloads (not all government workloads — administrative office productivity may not need it).
- Defense and intelligence contractors handling classified or sensitive data.
- Other companies that voluntarily choose SecNumCloud as a procurement signal — increasingly common in regulated industries.
What the 2025 update changed
The 3.2 update tightened sovereignty in several ways:
- Closed the "subsidiary loophole." Earlier versions allowed a US-headquartered provider to qualify a French subsidiary if certain firewalls existed. 3.2 makes clear that ultimate control must be EU.
- Added explicit Cloud Act language. Providers must demonstrate they cannot be compelled to disclose customer data under non-EU legal process.
- Strengthened subprocessor requirements. Every link in the chain must independently qualify, not just the visible provider.
- Added staff jurisdiction requirements. Operational staff with privileged access can't be in jurisdictions where they could be compelled to use that access by non-EU authorities.
These changes have practical consequences. Joint ventures between US providers and European integrators (think Bleu, S3NS) had to restructure to maintain qualification. Some providers that were close to qualifying under 3.1 are now further from qualification under 3.2.
How qualification works
A provider files with ANSSI, undergoes an extensive audit (typically 12-18 months), and either qualifies or doesn't. The audit covers documentary review, technical inspection, on-site visits to datacenters, and interviews with personnel. Qualification is granted for 3 years, with annual surveillance audits to maintain it.
Mid-tier qualification levels exist (for less critical workloads), but the term "SecNumCloud" generally refers to the top-level "qualification renforcée."
What it means for FranceVPS customers
FranceVPS is currently in the qualification process — we've completed the documentary review and are entering the technical audit phase. Expected completion: Q3 2026. For customers who need SecNumCloud-qualified infrastructure today (Q2 2026), we recommend OVHcloud Cloud Avenue or 3DS Outscale.
Importantly, infrastructure that's not yet SecNumCloud-qualified can still be highly secure and sovereign — qualification is a specific framework, not a synonym for "secure." For customers who need French sovereignty but don't need SecNumCloud-the-formal-qualification, FranceVPS already meets the underlying technical and legal requirements.
The takeaway
SecNumCloud matters when it's required for your specific workload — typically because of sector regulation (healthcare, banking, public sector) or because a procurement contract specifies it. For workloads outside those categories, it's a useful signal of provider seriousness but not a hard requirement.
If you're not sure whether your workload needs SecNumCloud, the answer is probably no. Sector-specific regulations are explicit when they require it. Most French SaaS, e-commerce, and general business workloads don't need it — they need GDPR compliance, sovereignty (no Cloud Act exposure), and good security hygiene. Those bars are reachable without the full SecNumCloud qualification process.