Trusted cloud or sovereign cloud, what are we talking about?


In recent years, digital sovereignty has become a key issue. The Covid-19 crisis was a notable reminder of our dependence on foreign technology when teleworking had to be generalized overnight. This dominance is particularly marked in the public cloud. According to the research firm Markess by Exægis, the three American hyperscalers – Amazon Web Services (AWS), Microsoft Azure and Google Cloud – captured 70% of the French market in 2022, including 45% for AWS alone.

A growing number of French providers are contesting this hegemonic position by increasing the number of trusted cloud or sovereign cloud offers. The two names are often used interchangeably, which sows confusion, especially since they designate very different realities.

SecNumCloud, the coveted pass

The notion of trusted cloud is the more precise of the two, since it covers a delimited framework. Only providers with SecNumCloud qualification can (normally) claim it. Issued by the National Agency for Information Systems Security (Anssi), this qualification attests to a very high level of requirements for digital security and the protection of sensitive data, from a technical, operational and legal point of view.

The cloud service provider also guarantees that the data it processes cannot be subject to non-European laws, starting with the American Cloud Act, which, like the Patriot Act before it, introduces the principle of extraterritoriality. “We are witnessing a race among cloud providers to obtain this SecNumCloud certification,” observes Meriem Berkane, CTO at OCTO Technology. OVHcloud, Outscale, Cloud Temple and S3NS, the alliance between Thales and Google Cloud, all claim the trusted cloud label.

The trusted cloud label is also supported by the government’s cloud strategy, which reaffirmed its “cloud at the center” doctrine in a circular of May 31, 2023. Its founding principle is simple: the cloud is the default mode of hosting and production for state digital services. Each digital product handling sensitive data must be hosted on the State’s internal cloud or on a SecNumCloud-qualified commercial cloud.

Sovereignty, a vague notion

The notion of sovereignty is vaguer and older. It goes back to 2012 and the launch of the two sovereign clouds Cloudwatt and Numergy under the Fillon government, a bitter failure which left a bill estimated at 450 million euros. Since then, a large number of offers have claimed this sovereignty without any definition achieving real consensus.

In the broadest sense, a sovereign cloud is a cloud environment controlled by a state or a local service provider. This sovereignty applies at different levels: data sovereignty when the data is located on national soil, technical sovereignty when the provider itself supplies the computing power needed to process it, and operational sovereignty when only European citizens operate in its data centers.

Providers like Scaleway claim to be sovereign because they control their platforms end-to-end. To add even more to the confusion, American hyperscalers are adding sovereign cloud offerings to their catalogs, independent of their public cloud, such as Microsoft Cloud for Sovereignty and, more recently, AWS European Sovereign Cloud.

The NumSpot consortium, which brings together four French players – Bouygues Telecom Entreprises, Banque des Territoires, Dassault Systèmes and Docaposte – is positioning itself on both sovereignty and trusted cloud. Outscale, a subsidiary of Dassault Systèmes, provides the IaaS layer, which is already certified SecNumCloud by Anssi.

Strong market demand

Such a flurry of offers naturally responds to strong market demand. “The notions of trust and sovereignty are on the agenda of all the large organizations that we support and particularly the regulated professions, in finance or pharmacy, and public actors,” observes Meriem Berkane.
“The question before them is how to reconcile a certain number of legal, regulatory and geopolitical issues,” she continues. “They cannot manipulate and store personal data of European citizens on American clouds. How can we therefore work on data and AI subjects while respecting these constraints?”

In this context, it is appropriate, according to her, to seek the best target architecture. “An organization will use a trusted cloud or a sovereign cloud or even a private cloud while moving towards the public cloud for a certain number of innovative use cases in generative AI or data.” This hybrid model involves working on a policy of segregation by type of data or use case.


