The SecNumCloud 3.2 qualification of the PREMI3NS offering from S3NS, at the end of 2025, triggered a wave of controversy across the IT landscape.
Enough to prompt Vincent Strubel, the chief executive of ANSSI, to take up the pen and publish a lengthy op-ed on LinkedIn: a pedagogical defusing exercise aimed at addressing the questions and misunderstandings about what SecNumCloud qualification does and does not entail.
“This is not a chocolate medal.”
First, a reminder from the head of France’s national cybersecurity agency: SecNumCloud is neither an arbitrary decision nor a political choice. The qualification stems from a formal evaluation process grounded in strict requirements. “The rules, the process, and the level of stringency are the same for everyone,” insists Vincent Strubel.
The procedure? Long and demanding. Nearly 1,200 control points checked on-site by an independent assessor, under the watchful eye of ANSSI, which “does not hesitate to ask the assessor to deepen their work or to reassess conclusions more strictly.” A reference framework that has been continuously updated for more than ten years. “In short, this isn’t a chocolate medal, and it isn’t for everyone,” summarizes the director.
Protecting against the CLOUD Act… and the “kill switch”
The risks tied to extraterritorial law? That is the issue that commands attention. Vincent Strubel recalls the challenge: to prevent data hosted in the cloud from falling under the American CLOUD Act or China’s 2017 National Intelligence Law, which allow authorities to demand access to European clients’ data.
The SecNumCloud remedy: a European provider that alone controls the data. Even if the offering is “hybrid” and relies on American technology, “the cloud technology provider is subject to American laws, but does not have access to the data and therefore cannot comply with such an injunction,” explains the head of ANSSI.
Another protection, this time against the “kill switch” scenario: a sudden service shutdown imposed on certain clients. Strubel cites the recent example of judges at the International Criminal Court denied access to American digital services. With SecNumCloud, the non-European subcontractor “lacks the capacity to cut the service for any given client, because they are not the ones administering the solution.”
Total self-sufficiency, an illusion
Vincent Strubel speaks plainly: SecNumCloud does not mean independence from dependencies. An offering labeled as “hybrid” is “probably more exposed to this risk, but imagining there are 100% European offerings is pure fantasy that would not stand up to facts.”
All cloud providers rely on electronic components and software that are not fully controlled in Europe. Open source? “Greater freedom of action,” certainly, but “not the panacea”: no actor can claim to fully master the entire cloud technology stack.
“If one day we lose access to American, Chinese, or more generally non-European technology, we will face a global degradation of security standards,” warns the ANSSI director. An issue that would go far beyond hybrid offerings alone.
Cyberattacks, the real threat
Vincent Strubel emphasizes: the nationality-based criteria for the provider account for “only a small part of the requirements” in the framework. The real threat? Cyberattacks, which remain “the most tangible danger hanging over sensitive cloud usage.”
Providers, “whatever their nationality,” are high-value targets that “constantly face attack attempts, including particularly sophisticated ones, some of which inevitably succeed.” American hyperscalers and European players alike: no one is spared.
Hence the drastic technical requirements: strong segmentation between clients, an isolated administration chain, secure management of updates, universal encryption. “These requirements are generally not all met by a standard cloud offering, regardless of origin,” notes the ANSSI director.
The standard even accounts for human risk: bribery, coercion, or infiltration of the provider’s employees. An entire chapter is devoted to it.
“Sovereign,” but not a magic wand
Is SecNumCloud a sovereignty label? Strubel hedges: “It’s hard to answer that question, given that the concept of digital sovereignty is almost never defined, and everyone gives it a different meaning.”
For ANSSI, digital sovereignty comprises three aims: not being an easy victim of cyberattacks, enforcing our rules rather than submitting to others’ rules, and having freedom of technological choice. SecNumCloud meets the first two and contributes to the third.
“Qualified SecNumCloud offerings are therefore, without the slightest doubt, sovereign, and this qualification is an essential lever for defending our digital sovereignty,” says Vincent Strubel. But he immediately warns: this qualification “will not create alternative solutions or fully mastered technological bricks.” “It’s a cybersecurity tool, not an industrial policy.”
Hybrid or not, the same fight
The ANSSI director dispels a common belief: qualified “hybrid” offerings “meet exactly the same requirements as the others.” The distinction between hybrid and non-hybrid? “Quite artificial,” he concludes. “There aren’t, on one side, offerings entirely dependent on non-European suppliers and, on the other, 100% European offerings.”
Some call for a lighter label, based on capital-ownership criteria alone and skipping the technical requirements. Vincent Strubel rejects the idea: “From a cybersecurity standpoint, it would make no sense to cover only certain threats and not others.” A solution must cover all risks, “because attackers always go for the weakest link.”
His striking analogy: “A cloud escaping non-European law but at the mercy of cyberattacks makes as much sense as a house with reinforced shutters and bars on the windows, yet whose door is shut by a curtain.”
The same rejection applies to a purely technical label: it is impossible to cover legal risks with technology alone. For example, data encryption “does not protect against the CLOUD Act: the cloud provider will inevitably have access to the encryption key sooner or later.”