France: Signed Bill Securing and Regulating the Digital Space including measures regarding cloud sovereignty

On 21 May 2024, the Bill Securing and Regulating the Digital Space, including measures regarding cloud sovereignty, was signed into law. The Bill aims to implement in the national legislation the European Digital Service Act (DSA) and the Digital Markets Act (DMA). The Bill includes measures for protecting sensitive and strategic data hosted in the cloud, especially when used by state administrations or their operators. Specifically, if the system in question processes data of particular sensitivity and if their breach is likely to cause a disruption of public order, public security, or endanger the health or life of individuals, the cloud computing service provided by the private service provider will be obliged to implement security and data protection measures. These measures must ensure the protection of data processed or stored against any access by public authorities of third states not authorised by the law of the European Union or a member state. Furthermore, the Bill will impose transparency obligations on cloud service providers, requiring them to publish information on jurisdiction over data processing, data protection measures, and the environmental footprint of their services. The Council of State is required to issue a decree establishing security and protection criteria within 6 months.