Scaleway • published May 11, 2026

SecNumCloud: Understanding the trusted cloud standard


Build • Antoine Quint • 11/05/26 • 4 min read

This article is the first in a three-part series on the SecNumCloud framework, its strategic implications, and Scaleway’s path toward obtaining this demanding qualification.

Data security long relied on a reassuring physical reality: servers were hosted internally, on-premises, literally within reach of IT teams. With the rise and widespread adoption of cloud computing, companies and institutions gained unprecedented agility, but in return, they had to delegate control over that physical infrastructure.

This shift in paradigm is what makes the question of trust so critical. Since the infrastructure is no longer directly in front of you, it is legitimate to ask not only where your data is stored, but also how it is actually protected — and by whom.

To answer this question, the market initially relied on international standards. ISO standards, such as ISO 27001 and ISO 27017, laid excellent foundations for governance and risk management. However, given the growing sophistication of cyber threats and the interference of certain foreign legislations, these general frameworks have shown their limits when it comes to highly sensitive data.

Europe now has a vital need for trusted infrastructure capable of guaranteeing full strategic autonomy. It had to move from a logic of “best practices” to an absolute level of technical requirements, imposed and controlled by the State. It is in this context that the SecNumCloud qualification has emerged as the most demanding standard for security and sovereignty in France, and as a major source of inspiration for Europe as a whole.

So what exactly lies behind this seal of approval issued by ANSSI, and how does it go far beyond traditional certifications? Let’s take a closer look at the framework.

What is SecNumCloud?

Issued by ANSSI — the French National Cybersecurity Agency — the SecNumCloud qualification confirms that a cloud provider meets the highest requirements in terms of security and regulatory compliance.

Certification, approval, or qualification: what exactly are we talking about?

These three terms are often confused. Yet their scope is very different:

Certification — proof of compliance: Certification is an attestation issued by an independent third party confirming that a product, service, or management system, such as ISO 27001, complies with a given framework. It is a guarantee of compliance recognized by the market.

Approval — acceptance of risk: Approval is a formal decision, most often made by the owner of an information system, for example a public administration or a company, although some French regulations require this decision to be carried by a State authority such as ANSSI, for example in the context of classified information. It consists of formally accepting the residual risks associated with using that system in a specific business context.

Qualification — the State’s recommendation: Qualification goes far beyond a simple attestation of compliance. First, it certifies that a service has been audited according to rigorous criteria defined by ANSSI, which validates the audit report. But above all, once this audit is complete, the French State officially recommends this service to protect the Nation’s most critical data, including data from public administrations and Operators of Vital Importance — public or private entities who operate equipment or facilities necessary to the French nation’s survival. Qualification therefore directly commits the trust of the State.

SecNumCloud is already a mature framework. Created in 2016, it has continued to evolve in response to emerging threats.

Its current version (3.2, launched in 2022) marks a turning point by introducing an essential parameter: legal sovereignty. SecNumCloud acts as a strong barrier against extraterritorial laws such as the US CLOUD Act. By choosing a SecNumCloud-qualified service, you have the assurance that your data remains protected and subject exclusively to European jurisdiction, shielded from any foreign surveillance or interference.

Why go beyond international standards?

To fully understand the paradigm shift represented by SecNumCloud, it's important to understand how it differs from existing standards such as ISO 27001:

ISO 27001: This is the leading international standard. It demonstrates that an organization has implemented a rigorous risk analysis approach — the Information Security Management System, or ISMS — to protect its information system. It is a dynamic approach in which the organization assesses its own risks and defines proportionate measures to address them, for example through the technical and organizational controls of its Statement of Applicability. This offers a high degree of adaptability to each context. The emphasis is on continuous improvement, rather than on a universal baseline of requirements.

SecNumCloud: This is the highest level of cloud requirements in France. As with ISO 27001, a SecNumCloud-qualified hosting provider still conducts its own risk analyses, but ANSSI adds a set of non-negotiable baseline requirements. On critical topics such as segregation, cryptography, and administration, ANSSI imposes its own technical rules and recommends the use of qualified products. Added to this is the sovereignty dimension, namely strict protection against extraterritorial laws, which is entirely absent from international standards.

In short, ISO 27001 is an essential foundation for a secure information system. SecNumCloud qualification goes further, through:

its depth in terms of technical requirements;

its extended scope, including sovereignty; and

the mandatory nature of its requirements.

Together, these criteria shift cloud providers from a purely continuous improvement approach to an essential security baseline.

At the heart of the framework: four major pillars of requirements

The SecNumCloud framework is a dense document that leaves nothing to chance. Its requirements are structured around four major pillars that cover all the security aspects needed to properly protect an information system:

Organizational security: The provider must rely on a reinforced ISMS: staff screening from the recruitment stage, strict control of subcontractors, regular audits by qualified third parties — PASSI auditors — and incident response processes guaranteeing rapid interventions in line with the…
