The French player Outscale announces that it has become the first cloud computing operator to obtain the ANSSI Security Visa for SecNumCloud 3.2 qualification on its Public Cloud services. According to the operator, this positions it “as the only sovereign and sustainable operator of trusted experiences as a service in the cloud”.
“The SecNumCloud 3.2 qualification ensures maximum protection of sensitive digital data of public institutions, health, and vital operators, with reinforced criteria such as protection against extra-European law” indicates Outscale, which specifies “This qualification represents the highest security standard in Europe, including in this new version, the strengthening of cybersecurity, the principle of composition and immunity to extraterritorial laws.
Furthermore, version 3.2 of the SecNumCloud repository complies with the level required by the future European certification scheme (EUCS project).
“GPUs on a sovereign cloud”
In June 2023, Prime Minister Elisabeth Borne announced through the “Cloud at the center” Doctrine, the obligation for “digital services of administrations to be hosted on a Cloud qualified SecNumCloud by ANSSI and protected against any extra-community regulation ”. Outscale claims to be “aligned with the French government’s “Cloud at the Center” Doctrine.”
The operator also claims to be able to offer “GPUs available on a sovereign Cloud qualified SecNumCloud 3.2” on the AI side.
French players have been in strong competition for several months to offer sovereign cloud offers. OVHcloud, Cloud Temple or S3NS, the alliance between Thales and Google Cloud, claim this name.
Last September, Scaleway, to distinguish itself from American hyperscalers Amazon Web Services (AWS), Microsoft Azure, Google Cloud, announced the availability of NVIDIA DGX systems installed at DC5, a data center located in the Paris region and operated by OpCore, the data center subsidiary. from Iliad.
Furthermore, last week, the European Commission approved the principle of an Important Project of Common European Interest (IPCEI) aimed at supporting research, development and industrial deployment of advanced technologies in the cloud and edge computing. Coordinated by Germany and France, it aims to build the next generation of cloud infrastructure, both sovereign and “compliant with European values”.
What is SecNumCloud?
The notion of trusted cloud is the most precise since it covers a delimited framework. Only providers with SecNumCloud qualification can (normally) claim this. Issued by the National Agency for Information Systems Security (Anssi), this framework attests to a very high level of requirements in terms of digital security and the protection of sensitive data, from a technical point of view, operational or legal.
The cloud service provider also guarantees that the data it processes cannot be subject to non-European laws. Starting with the American Cloud Act which, like the Patriot Act before it, introduces the principle of extraterritoriality.
Cloud in the center, what is it?
The trusted cloud label is also supported by the government’s cloud strategy which reaffirmed, in a circular of May 31, 2023, its “cloud at the center” doctrine. Its founding principle is simple: the cloud is the default mode of hosting and production of state digital services. Each digital product handling sensitive data must be hosted on the State’s internal cloud or on a qualified SecNumCloud commercial cloud.
What is sovereignty?
The notion of sovereignty is more vague and old. We can, in fact, go back to 2012 and the launch of the two sovereign clouds Cloudwatt and Numergy under the Fillon government. A bitter failure which left a bill estimated at 450 million euros. Since then, a large number of offers have claimed this sovereignty without any definition achieving real consensus.
In the broadest sense, a sovereign cloud is a cloud environment controlled by a state or a local service provider. This sovereignty applies at different levels. We will talk about data sovereignty when they are located on national soil, technical sovereignty when the provider ensures the computing power necessary for their processing or operational sovereignty when only European citizens operate in its data centers.