France: Implemented Bill Securing and Regulating the Digital Space including measures regarding cloud sovereignty

On 1 July 2025, the Bill Securing and Regulating the Digital Space, including measures regarding cloud sovereignty, comes into force. The Bill aims to transpose obligations outlined in the European Digital Service Act (DSA) and the Digital Markets Act (DMA) to align national laws with these regulations. The Bill includes measures for protecting sensitive and strategic data hosted in the cloud, especially when used by state administrations or their operators. Specifically, if the system in question processes data of particular sensitivity and if their breach is likely to cause a disruption of public order, public security, or endanger the health or life of individuals, the cloud computing service provided by the private service provider is obliged to implement security and data protection criteria. These criteria must ensure, in particular, the protection of data processed or stored against any access by public authorities of third states not authorised by the law of the European Union or a member state. Furthermore, the Bill imposes transparency obligations on cloud service providers, requiring them to publish information on jurisdiction over data processing, data protection measures, and the environmental footprint of their services.