What is the SecNumCloud Qualification?
The SecNumCloud qualification is the strictest French requirements baseline for cloud computing service providers. Established by ANSSI, it aims to guarantee a maximum level of security and trust for cloud computing services. As an independent Conformity Assessment Body (CAB), LSTI is authorised by ANSSI to evaluate providers for this qualification, ensuring that the service provider meets very high technical, organisational, and legal requirements.
These requirements include security measures for the provider's information system and quality and security processes based on the ISO/IEC 27001 standard. The primary objective of SecNumCloud is to protect the most sensitive data of public and private organisations (such as OIVs and OSEs), particularly against espionage threats and the application of non-European laws.
What are the challenges of SecNumCloud Qualification?
Choosing a SecNumCloud-qualified service evaluated by LSTI is imperative for the sovereignty and security of your sensitive data:
- Sovereign Trust: Guarantee of a cloud computing service compliant with ANSSI's strictest French requirements, ideal for strategic data.
- Maximum Security: Assurance of compliance with a very high level of technical and organisational requirements to protect the information system and hosted data.
- Resistance to Non-European Laws: Legal and data localisation requirements provide protection against the application of extraterritorial, non-European laws (such as the Cloud Act).
- ISO 27001 Alignment: The baseline integrates quality and security requirements based on the international standard ISO/IEC 27001.
- Simplified Compliance: Facilitates the choice of a cloud infrastructure for organisations subject to strict regulations (such as OIVs, OSEs, and Health Data Hosting - HDS) regarding the hosting of their critical data.
- Annual Surveillance Audit: The qualification is maintained through strict annual surveillance audits, ensuring long-term and continuous compliance.
Who is the SecNumCloud Qualification Intended For?
A Benchmark for All Cloud Service Providers
The SecNumCloud qualification is intended for all cloud computing service providers (SaaS, PaaS, IaaS) wishing to offer a trusted environment for hosting and processing sensitive data. This "Security Visa" constitutes the highest level of recognition for the security and sovereignty of cloud services operating on the French market.
Sovereign Cloud: A Critical Challenge for Strategic Sectors
This qualification has become imperative for entities providing services to organisations whose data is strategic or vital:
- Public Administrations: To comply with State doctrines (such as the "Cloud at the Centre" strategy) mandating the use of qualified cloud solutions for sensitive data.
- Operators of Critical Importance (OIV) and Operators of Essential Services (OSE): To protect the country's critical infrastructure against cyberattacks, espionage, and service disruptions.
- The Healthcare Sector: For providers wishing to offer a higher security guarantee than the HDS (Health Data Hosting) certification.
- Financial and Legal Services: To ensure the absolute confidentiality and resilience of client data in the face of international threats.
SecNumCloud: A Lever for Sovereignty and Differentiation
The SecNumCloud qualification is aimed at providers who want to transform regulatory constraints into a major competitive advantage. It guarantees end users (the data subjects) that their data benefits from total protection:
- Legal Immunity: Guarantee that data is not subject to non-European laws with extraterritorial effects (such as the Cloud Act).
- European Localisation: Assurance that service hosting and administration are carried out entirely within the European Union.
- Technical Excellence: Proof of a security level audited in an impartial and rigorous manner by LSTI, covering all technical and organisational layers of the service.
How does the SecNumCloud Evaluation Process Work?
Obtaining the SecNumCloud Security Visa relies on a rigorous and transparent evaluation process overseen by ANSSI. This demanding pathway ensures that your cloud service (SaaS, PaaS, or IaaS) meets the highest cybersecurity and sovereignty standards.
A Tripartite Relationship for Enhanced Trust
The SecNumCloud evaluation takes place within a tripartite framework involving three key stakeholders:
- The Cloud Service Provider: The applicant seeking qualification for its service offering.
- ANSSI: The national authority that reviews the application, validates milestones, and issues the final qualification decision.
- LSTI: An independent third-party evaluation body, authorised by ANSSI to conduct technical, organisational, and legal audits.
The 4 Key Milestones of the SecNumCloud Qualification Process
In accordance with the ANSSI requirements baseline, the pathway to qualification is structured around four fundamental stages:
-
M0: Validation of the Application by ANSSI
The process begins by submitting an application file to ANSSI. The authority analyses the maturity of the offering, its scope, and its compliance with sovereignty criteria. The validation of this "Milestone 0" is the indispensable prerequisite to officially launch the evaluation with LSTI.
-
M1: Definition of the Evaluation Strategy
Once the application is validated, LSTI's specialised auditors collaborate with you to elaborate a precise evaluation strategy (audit plan). This document defines the methodology, schedule, and targets of the audit. This plan must be formally approved by ANSSI before moving to the next stage.
-
M2: Execution of the Initial Evaluation
This is the operational phase conducted by LSTI. It is broken down into several components:
- Documentary Audit: An in-depth examination of your security policies, operating procedures, and technical architecture.
- On-Site Audit: Physical verification of the implementation of security measures within your data centres and operational centres.
- Penetration Testing: Rigorous technical testing performed by experts to test the robustness of the infrastructure and applications against compromise attempts.
-
M3: Qualification Decision
Following the investigations, LSTI drafts an exhaustive evaluation report. This report is presented during a formal meeting with ANSSI. Based on these conclusions and the remediation of any potential non-conformities, ANSSI makes the decision to grant the SecNumCloud Security Visa.
Maintenance and Surveillance of the SecNumCloud Qualification
The SecNumCloud qualification is issued for a duration of 3 years. To guarantee that the security level is maintained over time, annual surveillance audits are mandatory. These controls verify that changes to your service remain in total compliance with the baseline and newly identified threats.
LSTI: A SecNumCloud Evaluation Body Authorised by ANSSI
As an evaluation body authorised by ANSSI, LSTI ensures the verification of cloud services' compliance with the SecNumCloud baseline. Our mission is to provide an impartial and rigorous evaluation, built on technical expertise forged by more than 20 years of intervention in the cybersecurity field.
LSTI has supported the evolution of French State requirements since the creation of the earliest security baselines. As the first evaluation body to have conducted the very first SecNumCloud qualification, LSTI possesses unique hindsight on the operational application of this standard. Since the inception of this baseline, our teams have evaluated the majority of currently qualified actors, guaranteeing perfect mastery of ANSSI's expectations and absolute neutrality in judging security evidence.
Your Questions About the SecNumCloud Qualification
-
What is the difference between ISO 27001 certification and the SecNumCloud qualification?
The difference between ISO 27001 certification and the SecNumCloud qualification lies primarily in the requirement level and the nature of the verification. While ISO 27001 focuses on implementing an Information Security Management System (ISMS) without imposing specific technical security thresholds, SecNumCloud mandates rigorous technical controls and sovereignty obligations. In summary, SecNumCloud builds upon the foundation of ISO 27001 while adding more than 300 additional requirements, particularly concerning protection against extraterritorial laws. -
What are the major updates in version 3.2 of the baseline?
The major updates in version 3.2 of the baseline feature a significant strengthening of legal sovereignty criteria. This version mandates that the provider's statutory headquarters and data centres must be located within the European Union, and that the organisation must be immune to non-European laws with extraterritorial effects. It also integrates enhanced requirements regarding software layer security, privileged access management, and the protection of cryptographic secrets within cloud environments. -
What is at stake regarding legal sovereignty in SecNumCloud?
The core issue of legal sovereignty in SecNumCloud is to ensure that hosted data cannot be seized or consulted by third-country authorities via extraterritorial laws such as the US Cloud Act. The baseline requires that the service agreement be governed by French or European law and that the provider demonstrate its independence from foreign entities. This protection guarantees clients that their strategic data remains under the exclusive control of European jurisdictions, thereby avoiding any risk of economic or industrial espionage. -
How should the Trame-d-evaluation-secnumcloud-v3.2_V1.0 document provided by ANSSI be used to prepare for an audit?
To effectively prepare for your audit, the Trame-d-evaluation-secnumcloud-v3.2_V1.0.xlsx document should be treated as your central steering tool. This file consolidates all the requirements of the SecNumCloud baseline that will be evaluated by LSTI. By filling out each line of this grid, you structure the demonstration of your technical, organisational, and legal compliance relative to the security and sovereignty requirements mandated by ANSSI. This allows you to identify gaps in advance and consolidate the necessary evidence to meet qualification requirements. -
What are SecNumCloud's requirements regarding the security of service administration and maintenance?
Regarding SecNumCloud requirements for administration and maintenance security, the ANSSI baseline mandates a strict isolation of management systems from the public internet. The administration of the cloud service must imperatively be carried out from secure zones and via encrypted communication channels, utilizing strong multi-factor authentication for each privileged access. These measures guarantee that maintenance operations cannot be intercepted or compromised by third parties, thereby ensuring the global integrity of the service infrastructure. -
Why is the location of the headquarters and data centres a sine qua non condition for qualification?
To understand why the location of the statutory headquarters and data centres is a sine qua non condition, one must examine the sovereignty criteria carried by version 3.2 of the baseline. The SecNumCloud qualification requires that data be stored and processed within the European Union and that the provider's statutory headquarters be established there as well. This geographical requirement aims to guarantee that the provider is subject exclusively to European and French laws, thereby preventing any form of control or access by entities located in jurisdictions that do not guarantee the same data protection level. -
How does the SecNumCloud qualification protect data against the extraterritoriality of foreign laws like the Cloud Act?
To understand how the SecNumCloud qualification protects data against the extraterritoriality of foreign laws like the Cloud Act, one must analyze the legal independence requirements imposed by ANSSI. The baseline guarantees that the cloud service provider is immune to injunctions from third countries that might demand the disclosure of data hosted in Europe without passing through international judicial cooperation frameworks. This protection is reinforced by the provider's obligation to demonstrate that it is not controlled by an entity subject to extraterritorial legislations, providing clients with a total confidentiality guarantee against the risks of foreign interference or economic espionage. -
Are SecNumCloud requirements identical for SaaS, PaaS, and IaaS offerings?
Although the SecNumCloud v3.2 baseline serves as a common foundation for all cloud services, its technical application varies depending on the nature and depth of the evaluated offering. The audit adapts directly to the provider's scope of responsibility:
- For an infrastructure (IaaS): The evaluation focuses extensively on the security of the lower layers. Requirements are particularly strict regarding physical and network isolation (hypervisors, storage arrays), preventing any compromise from one tenant to another at the hardware level.
- For an application (SaaS) or a platform (PaaS): The requirements shift toward the higher layers. The baseline imposes enhanced guarantees regarding the logical isolation of data between clients (multi-tenancy) within the same application or database. Furthermore, secrets management and the robustness of encryption mechanisms (cryptographic key management) are scrutinized using specific criteria at the application level.
Thus, during the definition of the evaluation strategy (Milestone M1), the audit teams precisely calibrate these technical requirements depending on whether you operate an IaaS, PaaS, or SaaS, in order to ensure full compliance with ANSSI's expectations.
Find out more
Why Choose LSTI?

Recognized expertise
With over twenty years of experience, LSTI supports more than 300 organisations in France and Europe as a benchmark certification body and evaluation centre, operating in the fields of cybersecurity, digital trust, and information security.

Specialized Auditors
Our auditing teams consist of seasoned professionals with deep expertise in ANSSI cybersecurity frameworks, information security management practices, and European digital trust frameworks. Their approach ensures rigorous, balanced evaluations adapted to each organisation's operational context.

Independent Third Party and Dedicated Support
Accredited by ANSSI, LSTI guarantees impartiality, transparency, and consistency throughout the entire cycle: preparation, audits, surveillance, and renewals. A dedicated point of contact ensures continuity and clarity throughout the certification journey.
Discover ou other
news




