France: Draft Decree on the protection of strategic and sensitive data in the cloud computing market under Article 31 of Law on Securing and Regulating the Digital Space was published

On 24 January 2025, the Government of France published the draft Decree implementing Article 31 of the Law on Securing and Regulating the Digital Space (SREN Law/ LAW No. 2024-449). The decree establishes measures for the protection of strategic and sensitive data in the cloud computing market for administrations and State operators, as well as designated public interest groupings. The draft decree requires private service providers to have documented policies on information security and risk management. These must cover subcontracting, secure HR management, safe tools and procedures for equipment and systems, physical and logical security (like encryption and access control), incident response, business continuity, and safeguards against unauthorised access by non-EU public authorities, including rules on ownership, voting rights, and provider establishment. It mandates that administrations use cloud services from providers qualified under the Decree of 27 March 2015 or holding equivalent European certification, with certain systems excluded from scope. Providers may meet the criteria under the Decree of 27 March 2015 if they are compliant with the security and protection under the “SecNumCloud” reference framework established by the National Cybersecurity Agency of France (ANSSI) in cooperation with the Interministerial Directorate for Digital Affairs (DINUM) for state information systems. It also sets conditions for temporary derogations of up to 18 months, or one year if no acceptable national offer exists, with acceptability assessed on functional, financial, operational, security, contractual, and independence criteria, and requires public disclosure of such derogations. The draft was notified to the European Commission (EC) 2025/0041/FR under Directive (EU) 2015/1535.