What is SECNUMCLOUD?

SecNumCloud is ANSSI's standard for qualifying cloud service providers who guarantee a high level of security, confidentiality and legal sovereignty for data. It is essential for sensitive cloud services.

What is SecNumCloud?

SecNumCloud is ANSSI's standard for qualifying cloud service providers (IaaS, PaaS, SaaS) according to security and sovereignty requirements.

It is based on ISO 27001, but adds more prescriptive obligations (application of security guides, partitioning, MFA, encryption, PASSI audits, localization, etc.), to offer a level of confidence verifiable by the State and major clients for the protection of their information systems.

High-level security qualification

SecNumCloud qualification, issued by France's Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI), has become a major challenge for all organizations wishing to offer or consume trusted cloud services.

Much more than a simple security certification, it is part of the digital sovereignty approach, guaranteeing that sensitive data and critical information systems remain protected in the face of legal and technological risks.

It guarantees that qualified cloud services (SaaS software, service platforms, hosting) comply with high standards of security, confidentiality and data sovereignty.

SecNumCloud stands out from other international platforms for its high standards of security, transparency and data localization.

Which customers require SecNumCloud?

Today, it is essential for responding to calls for tender from the public sector, major accounts and operators of vital importance (O.I.V.) and essential services (O.S.E.).

For companies and institutions, it means optimum protection of their information systems against cyber threats, while complying with French and European regulatory requirements.

With SecNumCloud, you can adopt a secure cloud adapted to today's strategic challenges.

Who created the reference system?

SecNumCloud reflects the French approach of the Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI), renowned for its high standards. While it is not mandatory in Europe, it nevertheless constitutes a solid reference and a natural foundation for the future European certification for cloud players, EUCS (European Certification Scheme for Cloud Services).

What are the advantages of obtaining SecNumCloud?

Gain credibility and confidence

SecNumCloud qualification means meeting some of the highest standards in Europe in terms of cybersecurity and sovereignty.
For customers, it's a strong signal that your cloud services comply with a set of standards validated by ANSSI, the French national cybersecurity authority.
This inspires confidence, particularly among public-sector players and key accounts.
Under NIS 2 and the French digital strategy, many companies will be obliged to use SecNumCloud-qualified service providers.

Access new markets

More and more public tenders, and contracts in the healthcare, defense and critical infrastructure sectors, now require SecNumCloud-qualified solutions.
For a cloud solution provider or SaaS editor, this is an indispensable asset when working with the French government or OIVs (Opérateurs d'Importance Vitale).
The cloud market is dominated by a few global hyperscalers (AWS, Microsoft, Google).
However, none of them is SecNumCloud-qualified, as the standard requires protection against extraterritorial laws. (Although it's worth noting that these major players are in the process of setting up subsidiaries with French companies to gain access to state markets.)
This gives French and European players capable of offering compliant services a unique competitive advantage.
Being SecNumCloud means standing out as a credible player in the sovereign cloud.

Anticipating European cloud certification (EUCS)

SecNumCloud is not just a national qualification: it's also a springboard to future European EUCS* certification.
French requirements are among the most stringent in the world, preparing companies to easily pass the hurdle of European harmonization. Qualifying today means staying one step ahead of regulatory developments, and positioning yourself as a pioneer in European cybersecurity.
Note:
* EUCS: European Union Cybersecurity Certification Scheme for Cloud Services.
This is a project led by ENISA (European Cybersecurity Agency) as part of the Cybersecurity Act (Regulation (EU) 2019/881): a unified European certification framework for cloud services (IaaS, PaaS, SaaS), with several levels of assurance (from basic to high).

Number of qualifications in 2025

Qualification overview showing 16 qualified services, 8 SaaS solutions, 7 IaaS platforms, and 1 PaaS service with corresponding descriptions.

What is the scope of SecNumCloud qualification?

Qualifying a cloud service offering

Qualification applies to the cloud service offerings a company chooses to put forward. It does not cover the entire company, although the organizational units and services that support the selected offerings are included in the scope.

SecNumCloud can cover the entire value chain of your chosen cloud service offering:

  • Technical layers: infrastructures (IaaS), platforms (PaaS), applications (SaaS).
  • Organizational components: governance, procedures, human resources, support, incident management, continuity.
  • Associated services: administration, operation, maintenance, subcontractors.

The scope must be precisely defined and validated by ANSSI during the initial qualification stages.

Example: a SaaS provider needs to qualify not only its application, but also the underlying infrastructure layers (either operated in-house, or via a third-party provider that is itself SecNumCloud-qualified).

Who needs to pass the SecNumCloud qualification?

Cloud service providers (IaaS, PaaS, SaaS and CaaS) wishing to offer secure, sovereign offerings:

  • IaaS, CaaS or PaaS providers: data center operators, hosting companies, cloud platforms
  • Software as a Service (SaaS) vendors: solutions involving sensitive data or services (security, healthcare, financial, education, defense or justice solutions)
  • Innovative companies: Are you developing solutions in the cloud or using cloud services to store your sensitive data? SecNumCloud guarantees a secure environment that meets the most stringent requirements.
  • Partners and subcontractors: If you work with organizations with high data and information system security requirements, adopting SecNumCloud means meeting the most rigorous expectations.

Who should apply?

Sensitive organizations (public sector, healthcare, defense, finance, etc.) looking for solutions that comply with the strictest standards.

Division of responsibilities between cloud provider and beneficiary

The SecNumCloud standard

The SecNumCloud standard is at the heart of the system. Drawn up by ANSSI, it sets out the precise rules that a cloud service provider must comply with to obtain qualification.
Inspired by the international ISO 27001 standard, but much more prescriptive, it adds strong requirements on sovereignty, technical security and legal security. Version 3.2, currently in force, meets the new obligations of the government's "Cloud at the center" doctrine.

The SecNumCloud standard combines three complementary dimensions - organizational, technical and legal - to ensure complete security and genuine digital sovereignty.

Organizational and documentation requirements

SecNumCloud is based on the principles of ISO 27001.
The service provider must implement a robust Information Security Management System (ISMS), with:
- A documented security policy approved by senior management.
- A formalized risk analysis process, reviewed regularly.
- Clear procedures for administration, asset management, incidents and business continuity.
- Security governance: defined roles and responsibilities, segregation of duties, regular audits.
- Monitoring and continuous improvement, to adapt the system to technological and regulatory developments.
This organizational dimension forms the basis of security management.

Technical and technological requirements

Beyond governance, SecNumCloud imposes precise and verifiable technical measures, largely based on ANSSI guides:
- Access control and authentication: named individual accounts, mandatory two-factor authentication, partitioned administration interfaces.
- Encryption and cryptology: use of algorithms and protocols validated by ANSSI (CRYPTO_B1/B2, NT_TLS, NT_IPSEC, NT_SSH).
- Supervision and logging: systematic collection of events, correlation, alerts and secure log storage.
- Infrastructure security: network compartmentalization, physical protection of data centers, DRP/BCP, encrypted and geographically separated backups.
- Administration workstations: hardened, isolated terminals complying with the [NT-ADMIN] guide.
Here, the service provider does not have the freedom allowed by ISO 27001: it must apply the prescribed measures and provide proof of them. The precise requirements are set out in the ANSSI guides.

Legal and sovereignty requirements

SecNumCloud's uniqueness also lies in its legal and organizational obligations, which go beyond classic cybersecurity:
- Data localization: all data and its backups must be hosted in the European Union.
- European law entity: the service provider must be established in Europe and not be subject to extraterritorial laws (e.g. US Cloud Act).
- Personnel: administration and operation carried out by employees located in the EU, subject to European law.
- Controlled subcontracting: any recourse to a third party must be documented, contractually limited and subject to controls.
- Personal data protection: strict compliance with the GDPR, with impact analyses and appointment of a DPO if necessary.
These requirements ensure legal immunity and enhanced trust, particularly for sensitive sectors (healthcare, defense, critical infrastructures).

The qualification process

SecNumCloud qualification is awarded by ANSSI to cloud service providers (IaaS, PaaS, SaaS, CaaS) who meet all the requirements of the standard.
It is an official label of cybersecurity and sovereignty, guaranteeing customers that their provider applies the highest level of protection in compliance with European law.
Its specificity - and also its difficulty - lies in the demanding process imposed by ANSSI, which combines in-depth audits, regular controls and formal validation by the national authority, making qualification particularly selective.

The ANSSI qualification process

The process follows a strict procedure:
- Application by the service provider: submission of an application file specifying the scope of the service (IaaS, PaaS, SaaS) and compliance with requirements.
- Compliance audit: carried out by a qualified audit provider (PASSI), which verifies on site and on documents the implementation of organizational, technical and legal measures.
- Report sent to ANSSI: the auditor submits a full report, on which ANSSI bases its decision.
- ANSSI decision: if all requirements are met, qualification is issued and published on the official website.
- Monitoring and maintenance: qualification is not definitive. It is subject to periodic audits and continuous updating of security practices.
This process guarantees independent assessment and ongoing control of the compliance of qualified service providers.

SecNumCloud qualification is based on a rigorous framework designed to validate the security and reliability of your cloud services.

Obtaining SecNumCloud

Unlike some certifications, SecNumCloud does not introduce several levels of maturity.
It sets a single level of requirements, considered to be the reference standard for protecting sensitive data (excluding "Diffusion Restreinte" or "Secret Défense", which are covered by other systems).
- Scope of qualification: the provider chooses to include one or more cloud services in the process (e.g. its SaaS messaging offering, or its complete IaaS).
- Precise scope: qualification covers only the audited activities. If the provider offers other services not included in the audit, they will not be eligible for qualification.
- Maintenance: the provider must prove on an ongoing basis that the service remains compliant, particularly in the event of technical, organizational or contractual changes.
In short, qualification is binary: either the offering is qualified and published by ANSSI, or it is not.

Synergy with ISO 27001

ISO 27001 and SecNumCloud don't conflict with each other, they complement each other.
ISO 27001 is often the first step: it sets up a structured security management framework (ISMS), involves management and lays the foundations for clear governance.
This certification is already a valuable asset for the company, in the eyes of both customers and partners. However, SecNumCloud qualification is a long and demanding process.
That's why we generally recommend starting with ISO 27001, which effectively prepares the ground.
SecNumCloud completes this foundation with much more demanding requirements, particularly in terms of technical (cryptology, supervision, partitioning), organizational (administration, subcontracting) and legal (data sovereignty and localization) aspects.

The Feel Agile approach

Our opinion

In our opinion, SecNumCloud qualification represents a real strategic lever for companies.

We particularly recommend it for those wishing to adopt a high level of security, demonstrate their commitment to digital sovereignty, or create a sustainable competitive advantage.

Although the approach is demanding and requires a major investment, it is a strong differentiator in regulated markets, key accounts and public tenders.

It also sends a clear signal of confidence and maturity to partners and customers alike. What's more, this qualification paves the way for the future: with the imminent arrival of EUCS certification at European level, and the implementation of regulations such as NIS 2, these requirements will become unavoidable.

By committing today, you'll be ready and ahead of your competitors.

For further details on the standard, our experts are at your disposal.

Our services

With Feel Agile, you benefit from comprehensive support - strategic, operational and technical - throughout your SecNumCloud compliance process.
Our agile approach is based on listening, expertise and adaptability, so that we can align ourselves with your priorities while complying with ANSSI's strict requirements.

Multi-faceted support

  • Diagnosis - Technical support and cybersecurity
    Our experts assess your infrastructures and cloud environments, identify security gaps and define the concrete measures to be implemented (partitioning, encryption, supervision, DRP/CDRP). We help you integrate ANSSI technical guides (cryptology, administration, logging, IT hygiene) into your operations.
  • Carrying out audits
    We carry out preparatory internal audits to anticipate a PASSI auditor's checks and secure your chances of success. These audits cover both organizational and technical aspects, with detailed reports and corrective action plans.
  • Regulatory consulting and implementation
    Thanks to our legal teams, we can support you on contractual, regulatory and sovereignty aspects (GDPR, data localization, subcontractor management). This gives you complete compliance, integrating both technical and legal security.
  • Parallel ISO 27001 certification
    We recommend that you obtain ISO 27001 certification at the same time. It provides a solid organizational foundation, rapidly enhances the value of your cybersecurity efforts and facilitates the transition to SecNumCloud. This dual path allows you to capitalize on an internationally recognized certification while preparing for the transition to the sovereign level required by ANSSI.

A continuous, pragmatic approach

We guide you from the initial analysis of your processes right through to full compliance with the standards.
Beyond the technical side, we reinforce your teams' cybersecurity culture through training and practical workshops, to ensure the long-term viability of your investments.

The benefits

SecNumCloud guarantees advanced data protection against cyberattacks and facilitates compliance with regulations such as the GDPR.

It ensures digital sovereignty by keeping data under French and European jurisdiction, thus protecting against extra-European laws.

This qualification strengthens the confidence of customers and partners, while opening up access to sensitive markets such as public bodies, OIVs and OSEs.

By reducing cyber risks and giving you a competitive edge, SecNumCloud is establishing itself as an essential security standard for cloud service providers.

Protecting sensitive data

Ensure the confidentiality and integrity of hosted data

Compliance with European standards

Compliance with GDPR requirements and French laws

Operational reliability

Ensuring service continuity and resilience in the face of cyber threats
