SecNumCloud 3.2: strengthening security and legal sovereignty in the cloud

As we enter 2025, the landscape of the French trusted cloud continues to be shaped by the SecNumCloud repository in version 3.2. Created by ANSSI in 2016, this standard has undergone several major evolutions, with the latest version 3.2, launched in 2022, transforming the approach to digital sovereignty in France.

SecNumCloud repository version history

There have been several key stages in the development of the standard:

• 2016 : Initial creation establishing the fundamentals of cloud security in France. This first version laid the foundations for a structured approach to the security of cloud services, defining the essential requirements for data protection.
• 2018 Version 3.1 has brought the repository into line with the RGPD. For the sake of simplicity, the repository also removes the notions of "SecNumCloud Advanced" and "SecNumCloud Essential" guarantee levels to create a single SecNumCloud label.
• 2022 : The launch of version 3.2 marks a major change with the introduction of legal sovereignty.
• 2025 : A new version is expected this year. It should bring a number of changes to meet the new challenges of the market.

Major changes in version 3.2 of the SecNumCloud repository

The legal revolution in version 3.2

Article 19.6 is the cornerstone of the current version. It establishes a strict legal framework to protect European data against foreign interference. This protection is based on three fundamental principles:

• Legal immunity from extra-territorial legislation, particularly the American Cloud Act. This provision guarantees that hosted data remains under the exclusive control of European jurisdictions.
• The requirement for European ownership of service providers, ensuring genuine independence of decision-making.
• The introduction of robust contractual guarantees protecting the interests of European users.

Technical development of the reference system

Repository 3.2 has considerably expanded its technical scope to meet the modern needs of the cloud. The integration of CaaS and PaaS services now enables organisations to modernise their infrastructures while maintaining optimum levels of security.

The main technical innovations concern :

• Service architecture : service providers must now implement strict segregation of environments, with tighter controls on data flows and administrator access.
• Operational safety : Constant monitoring of systems and sophisticated incident management have become mandatory, including real-time threat detection and response mechanisms.
• Data protection : end-to-end encryption has become systematic, with rigorous management of encryption keys exclusively under European control.

The principle of composition

The principle of composition introduced by version 3.2 has radically changed the approach to qualification for solution publishers. This innovation enables software publishers to rely on infrastructures that have already been qualified, considerably simplifying their path to certification.

In practical terms, a SaaS vendor can now concentrate its qualification efforts on its application, provided it is hosted on a cloud infrastructure that has already been SecNumCloud-qualified. This approach offers several major advantages:

• Significant cost savings : the investment required for qualification is optimised.
• Speeding up the process : qualification time is considerably reduced.
• Focus on business value : publishers can concentrate on their core business rather than on infrastructure aspects.

SecNumCloud 3.2 therefore represents an important step in the construction of a sovereign and secure cloud ecosystem in France. By strengthening legal, technical and operational guarantees, this version significantly transforms the protection of digital data.