
Facing cyber risk, heading for the trusted cloud
Storing your computer data remotely is all well and good, but it must be done securely! Faced with cyber risks, operators are putting up defenses and reporting them. This is the case with the ANSSI's SecNumCloud certification, which is popular in France but struggling to gain traction at the European level.
Many public and private entities store their computer data on remote servers operated by companies other than themselves. This is the principle behind cloud computing: applications and data are no longer located on a specific computer belonging to their actual owner, but in a cloud made up of numerous interconnected remote servers, sometimes located in foreign countries. The market for exchanges between file owners and hosting providers has grown very rapidly, reaching €534 billion in 2024 across all segments, according to Databridge.
For this price, the service had better be effective! And in this field, effectiveness means security. You already know this: in our digitalized and ultra-connected society, cyber risk is everywhere. And it affects everyone, large and small, public and private. In its state of cyber threat, published on February 20, 2025, the French National Cybersecurity Agency (ANSSI) warns of "new opportunities for attacks and security issues" for organizations that use the cloud. In particular, it identified that cloud services could be used as attack infrastructures, whether by renting the infrastructure itself from cloud operators or by using consumer platforms as a place to store and access malicious code or exfiltrate stolen data. These new practices complicate detection by concealing malicious activities within the legitimate traffic of users of these platforms, warns the agency.
SecNumCloud: a qualification valid for three years
This need to build a bulwark against these threats is the raison d'être of SecNumCloud. This recognition mark, created in 2016 by ANSSI, certifies cloud computing services that deploy a very tight security net. AFNOR Certification is one of the organizations authorized to award it. It's a very engaging approach. The certification, which is valid for three years, gives the service provider a competitive advantage, lending credibility to its offering of a trusted cloud. This makes all the difference when responding to a call for tenders, explains Thomas Sanjullian, Head of Trusted Services Assessment at AFNOR Certification. This is even more important when the data stored is sensitive, or even sovereign data belonging to the state. In France, the SREN law of May 2024 enshrines the government's "cloud at the center" doctrine. Article 31 stipulates that for this type of data, the public contracting authority must ensure that the chosen cloud service implements strict security and protection criteria, in particular to prevent access by public authorities of third countries not authorized by European Union law.
ISO/IEC 27017 under public review
In the large family of voluntary ISO/IEC 27000 standards on information security, ask for ISO/IEC 27017! This text, dated January 2021, is due to be published in a new version in mid-2026. It serves as a code of practice for security controls for cloud services, based on ISO/IEC 27002. It includes an annex A with measures to be added to the ISMS statement of applicability. And like any standard, the next version will undergo a public inquiry. You can participate until April 18, 2025.
This is fortunate: SecNumCloud, in its current version 3.2, requires that servers be geographically located in France or the European Union and operated by entities with majority European capital. This provides protection against requests for access to data issued by non-European authorities. "Typically, an American judge invoking the Patriot Act will not get satisfaction," explains Thomas Sanjullian. As the law requires the use of a provider offering a "trusted" service for sensitive data and government data, SecNumCloud is the best choice in this regard. This distinctive mark is endorsed by ANSSI, and only service offerings with a security visa issued by this agency can claim to be "trusted." It should be noted here that SecNumCloud recognizes a specific cloud offering (IaaS, CaaS, PaaS, SaaS), not a provider.
EUCS: the risk of a race to the bottom
The subject is so sensitive that the European version of SecNumCloud, at the EU level, is still under debate six years after the publication of the Cybersecurity Act, the European regulation on cybersecurity. This EU counterpart, known as EUCS, provides for the harmonization of security standards for cloud computing services, with a system of equivalencies between countries and levels of security assurance, from lowest to highest. This is where the problem lies: SecNumCloud would be equivalent to the highest level, but would coexist with less robust systems corresponding to lower levels of assurance. This would be a kind of leveling down that would deal a severe blow to France's stance of having a very demanding extraterritoriality system. "The Spanish subsidiary of an American giant could obtain certification in Spain that would potentially give it access to SecNumCloud qualification in France," fears Thomas Sanjullian.
In February 2025, discussions were still deadlocked among the EU-27. In the meantime, SecNumCloud continues to make steady progress in France and plays its role as a passport to a "sovereign, robust, and legitimate" cloud. Want to find out more? Come to the InCyber Forum in Lille on April 3, 2025, where Thomas Sanjullian will give a talk entitled "EUCS: the decline of a European ambition."
You can also register for our AFNOR training courses on the subject.




