France SecNumCloud — ANSSI Cloud Security Certification
SmartSuite provides the system for managing controls, evidence, mappings, assessments, and reporting. Framework text may require a separate license unless explicitly provided.
Overview
SecNumCloud is a French cloud security certification scheme developed by ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information) to qualify cloud service providers for handling sensitive and classified information for French government and critical sector organizations. The qualification provides assurance that cloud services meet rigorous security standards required for sensitive public sector workloads.
Issued by ANSSI, SecNumCloud applies to cloud service providers seeking to offer services to French government agencies, public sector organizations, and operators of vital importance (OIV). The qualification covers infrastructure as a service, platform as a service, and software as a service offerings, with requirements addressing sovereignty, security controls, and organizational independence.
Cloud providers achieve SecNumCloud qualification through rigorous ANSSI assessment including security architecture review, penetration testing, and organizational audits. The qualification is renewable and requires ongoing compliance with ANSSI requirements.
Why it Matters
SecNumCloud qualification is essential for cloud providers seeking to serve French government and sensitive sector markets requiring the highest levels of cloud security assurance.
Key benefits include:
- Access French government market
Achieve qualification required for cloud services to sensitive French government and public sector customers.
- Demonstrate sovereignty compliance
Meet French requirements for cloud sovereignty ensuring data remains under French and European law.
- Provide highest security assurance
Offer government-level security validation supporting the most sensitive cloud workloads.
- Support critical sector requirements
Meet security requirements for operators of vital importance and other sensitive sector organizations.
- Align with EU cloud sovereignty
Position services within the emerging EU cloud sovereignty and GAIA-X ecosystem requirements.
How it Works
SecNumCloud qualification requires cloud providers to meet comprehensive security requirements across governance, operations, infrastructure, and organizational independence. ANSSI evaluates providers through document review, technical assessment, and audit activities, with qualification renewed periodically.
Key requirements include data sovereignty (ensuring data remains under EU law), organizational independence from non-EU law jurisdiction, comprehensive security controls, and transparency regarding subcontractors and data processing locations.
Within SmartSuite, cloud providers track SecNumCloud requirement implementation, manage ANSSI audit evidence, coordinate technical security reviews, and maintain compliance documentation supporting qualification maintenance.
Key Elements
- Data Sovereignty Requirements
Ensures hosted data remains subject to French and European law, preventing foreign jurisdiction access.
- Organizational Independence
Requires cloud providers to be independent from non-EU legal jurisdictions and foreign government influence.
- Comprehensive Security Controls
Mandates rigorous technical and organizational security controls across infrastructure and operations.
- ANSSI Technical Assessment
Requires ANSSI-conducted technical evaluation including architecture review and penetration testing.
Framework Scope
SecNumCloud applies to cloud service providers (IaaS, PaaS, SaaS) seeking to serve French government, public sector, and sensitive sector organizations requiring maximum cloud security assurance.
Framework Objectives
SecNumCloud qualification certifies cloud providers meeting the highest French government security and sovereignty standards for sensitive workloads.
- Ensure cloud services meet French government security and sovereignty requirements
- Protect sensitive and classified information processed in cloud environments
- Maintain data sovereignty under French and EU legal frameworks
- Provide rigorous independent validation of cloud security capabilities
- Support operators of vital importance accessing secure cloud services
Common Framework Mappings
Mapped frameworks include:
EU Cloud Code of Conduct
FedRAMP (US equivalent)
France HDS
ISO/IEC 27001
NIS2 Directive
- ClassicifationCategoryCloud SecurityDomainCloud SecurityFramework FamilyOther
- Regulatory ContextTypeCertification / Assurance ProgramLegal InstrumentProgramSectorTechnology SectorIndustryCloud & Technology Providers
- Region / PublisherRegionEuropeRegion DetailFrancePublisherAgence nationale de la sécurité des systèmes d'information (ANSSI)
- VersioningVersionSecNumCloud v3.2Effective Date2019Issue Date2019
- AdoptionAdoption ModelCertificationImplementation ComplexityHigh
- Official ReferenceOpen Link in New TabSource
License included / downloadable: Yes
SecNumCloud certification requirements are published by the French National Cybersecurity Agency (ANSSI) and are publicly available through official government resources.
How SmartSuite Supports France ANSSI
Centralize controls, evidence, and audit workflows to stay continuously SOC 2–ready.
ANSSI Guidance-to-Control Mapping
Translate ANSSI expectations into operational controls with clear ownership.
Risk Assessments and Treatment Tracking
Run security risk assessments and manage mitigations with documented decisions.
Secure Architecture and Standards
Centralize architecture artifacts, standards, and verification evidence.
Monitoring and Incident Response Workflows
Capture telemetry proof, incident timelines, and post-incident improvements.
Supplier and Third-Party Oversight
Manage vendor safeguards, reviews, and accountability evidence.
Governance Reporting
Report posture, open gaps, and improvement progress for leadership.
Related frameworks
CSA STAR is a cloud security assurance program helping organizations assess and demonstrate cloud security and compliance.
ISO/IEC 27001:2022 is an international ISMS standard that helps organizations manage information security risks and protect data.
ISO/IEC 27002:2022 provides best-practice information security controls to help organizations select, implement, and manage protections for information assets.
ISO/IEC 27017 provides cloud-specific security controls to help organizations protect data and manage cloud-related risks.
ISO/IEC 27018 provides guidelines for protecting personally identifiable information processed in public cloud services.
Frequently Asked Questions For France SecNumCloud (ANSSI Cloud Security Certification)
SecNumCloud is a cloud security certification framework designed to ensure that cloud service providers meet stringent cybersecurity, data protection, and resilience requirements as defined by ANSSI, the French National Cybersecurity Agency. It is used to demonstrate a provider’s ability to securely handle sensitive data and comply with French and European regulatory expectations, particularly for regulated sectors.
SecNumCloud certification is not legally mandatory for all cloud providers in France, but it is required for those aiming to serve certain regulated sectors, such as government agencies or operators of critical infrastructure. Certification provides assurance to customers and regulators and is often a prerequisite for cloud providers that wish to participate in specific public sector procurement or high-security projects.
The scope of SecNumCloud certification applies to any cloud service or environment, public or private, offered by a provider within France or to French customers handling sensitive or regulated data. The certification covers technical, organizational, and legal aspects, requiring a defined boundary and clear documentation of all components, technologies, and processes in scope.
SecNumCloud requires the implementation of comprehensive controls, including risk assessments, access management, data protection measures, incident response capabilities, and operational monitoring. Key artifacts include documented security policies, evidence of implemented controls, risk registers, and incident management logs, all of which must be regularly updated and maintained.
To implement SecNumCloud, organizations perform a detailed gap analysis against ANSSI’s requirements, integrate the prescribed security controls into their cloud environments, and establish governance processes for continuous risk management, policy enforcement, and incident handling. Specialized internal teams coordinate evidence collection, remediation activities, and audit preparations.
SecNumCloud aligns with international security standards such as ISO 27001 but includes more specific requirements tailored to the French regulatory context. Many cloud providers leverage existing ISO 27001 management systems to support SecNumCloud compliance, but must address SecNumCloud’s additional control areas regarding legal compliance, operational sovereignty, and data protection.
Maintaining SecNumCloud certification requires organizations to continuously monitor security controls, conduct periodic compliance assessments, update risk and incident records, and demonstrate ongoing improvement. Recertification audits and regular internal reviews are essential to ensure sustained alignment with ANSSI requirements.
SmartSuite assists organizations in managing SecNumCloud compliance by providing structured control libraries, risk tracking registers, and incident management workflows. It supports evidence collection, centralizes compliance documentation, facilitates audit readiness, and offers automated reporting and dashboards, helping organizations effectively monitor and maintain continuous compliance with ANSSI’s cloud security requirements.
Put CRI Profile into action with SmartSuite
Map controls, collect evidence, run assessments, manage remediation, and report readiness - all from a single connected system.