Inside SecNumCloud 3.2: What's Changed and What Comes Next?

June 10, 2024 - 4 min read

The latest version of the SecNumCloud framework, 3.2, released by the French Cybersecurity Agency (ANSSI) in March 2022, marks a significant advancement in France's cybersecurity landscape.

Following the previous version from 2017, this update has generated considerable discussion due to its strong protective stance against non-European laws and the perceived risks to data confidentiality. It also introduces important clarifications that cloud providers and auditors have long been asking for to simplify the understanding and evaluation of existing rules.

In this article, we explore the major developments in this latest version and consider the future of SecNumCloud qualification in light of the emerging EUCS standard.

How Has SecNumCloud Qualification Evolved Since It Began?

Since its inception in 2014, the SecNumCloud qualification has continuously evolved to incorporate feedback from the IT ecosystem, legislative changes, and new perceived threats.

➡️ A Brief History of SecNumCloud

After two “experimental” versions in 2014 and 2015, the first “official” version of the SecNumCloud framework was published in 2016. This version was built on the ISO 27001 standard, which focuses on information security management systems: the mechanisms and practices a company implements to ensure the protection, confidentiality, integrity, and availability of the information it holds. It included additional recommendations specific to the cloud ecosystem.

The aim, according to ANSSI, was to “provide companies and institutions with a concrete way to select providers that adhere to best practices in IT security.” This initial version offered two levels of assurance: an “essential” level, regarding the provider's ability to manage standard data, and an “advanced” level, attesting to the provider's capacity to securely host “critical” data.

A significant update was introduced in 2017 to align the qualification with regulatory aspects imposed by the GDPR. The framework then remained stable until its latest version, SecNumCloud 3.2, updated in 2022.

What Are the New Requirements in SecNumCloud 3.2?

Strict Adherence to European Law 🇪🇺

The key change in SecNumCloud 3.2 is the introduction of new measures designed to protect qualified cloud providers from extraterritorial laws. Two American laws are particularly notable:

  • The FISA (Foreign Intelligence Surveillance Act), which governs electronic surveillance and intelligence collection both domestically and internationally. Since 2008, an amendment allows U.S. authorities to collect, use, and share personal data stored on American servers, provided it pertains to foreign individuals.
  • The Cloud Act (Clarifying Lawful Overseas Use of Data Act), which authorizes U.S. authorities, with a warrant, to access electronic data held by American cloud service providers, even if the data is stored abroad. This can apply to any individual or company and can be done discreetly, raising conflicts of law issues between the U.S. and other countries, particularly with the GDPR in Europe.

To ensure that SecNumCloud-qualified cloud providers operate strictly under European jurisdiction, the 3.2 framework sets stringent conditions, including:

  • Being headquartered in Europe
  • Not being controlled by companies outside the EU (individual ownership must not exceed 24% and collective ownership must not exceed 39%)
  • Performing primary administration and maintenance activities within Europe

Unlike the previous version (SecNumCloud 3.1), cloud providers based outside Europe or with majority non-European ownership are no longer eligible for qualification. This has led to more alliances between French companies and American cloud providers to meet these requirements and be able to claim the "Cloud de Confiance" label.

The Concept of Service Composition 🍔

Another significant advancement in version 3.2 is the clarification of the "composition of services" concept. What does this mean?

As you know, SecNumCloud 3.2 qualification is open to all cloud providers offering SaaS (Software as a Service), PaaS (Platform as a Service), CaaS (Container as a Service), or IaaS (Infrastructure as a Service). Sometimes, non-qualified providers rely on already qualified services as part of their offerings. For example, Scalingo, as a PaaS provider, is not currently SecNumCloud-qualified but offers clients the use of the qualified infrastructure (IaaS) of our partner Outscale. Outscale was the first IaaS infrastructure to be SecNumCloud 3.2 qualified at the end of 2023. 👏

With this update, the qualification process becomes simpler, focusing only on the unqualified components and services. There is no longer a need to requalify the entire data processing chain up to the datacenter!

Other New Features

SecNumCloud 3.2 also introduces several updates and clarifications, including:

  • Guidelines for conducting intrusion tests throughout the qualification lifecycle
  • Mandatory independent PASSI (Information Systems Security Audit Service Providers) audits after each major change
  • New requirements for emerging service categories like Containers as a Service (CaaS)
  • Clarification of data backup conditions
  • The obligation to delete all data at the end of the contract, with formal notice of 21 calendar days.

Is SecNumCloud 3.2 Equivalent to the “Cloud de Confiance” Label?

The connection between the "Cloud de Confiance" label and SecNumCloud is very strong. The "Cloud de Confiance" label is given to cloud services that meet high security standards and ensure enhanced data protection. This label was created by the government to address concerns about digital sovereignty and data confidentiality.

To receive the "Cloud de Confiance" label, a cloud service must:

  • Be qualified under the SecNumCloud framework
  • Not be subject to non-European law

With the updates in SecNumCloud 3.2, achieving this qualification essentially means being recognized as “Cloud de Confiance.”

What Does the Future Hold? Will SecNumCloud 3.2 Eventually Be Replaced by EUCS Certification?

The ANSSI has long pushed for a European qualification that aligns with SecNumCloud's recommendations. Currently, the requirements of version 3.2 are seamlessly integrated into the EUCS, particularly at its “high” level among the three available levels (basic, substantial, high).

A piece of legislation known as the Cyber Act standardizes certification frameworks at the European level, enabling mutual recognition among member states. In cases where both national and European frameworks cover the same scope, the European scheme takes precedence. Consequently, SecNumCloud could eventually be supplanted by the EUCS.

If the final version of the EUCS fails to meet the ANSSI's criteria, a supplementary qualification model may be proposed for French public and critical organizations. Stay tuned for the latest updates!

Jennifer Taylor
Jennifer recently joined Scalingo as Growth Marketing Manager and is exploring the dynamic PaaS and cloud industry with a keen interest in sharing the knowledge acquired along the way.