France: Prime Minister signed Decree No. 2026-272 on sensitive data protection in cloud services provided to state administrations

On 14 April 2026, the French Prime Minister signed Decree No. 2026-272 on the protection of particularly sensitive data of state administrations, operators, and public interest groups processed by a private cloud service provider, implementing Article 31 of Law No. 2024-449 of 21 May 2024 on securing and regulating the digital space. The Decree designates six public interest groups subject to Article 31 obligations: the digital health agency, the secure data access centre, the radicalisation prevention resources centre, the data collector-analyser, the social declarations modernisation body, and the national social housing demand registration system. It requires the National Information Systems Security Agency (ANSSI) to develop a reference framework setting out security requirements across ten domains, covering information security organisation, human resources, third-party management, physical security, cryptology, access control, incident management, use of the French language, service convention clauses including data reversibility, data localisation, and protection against unauthorised access by third-country public authorities. Compliance must be attested by a qualification under Decree No. 2015-350 or an equivalent EU or European Economic Area certification. The Decree establishes a derogation mechanism for projects already underway using non-compliant providers, permitting a derogation of up to 18 months once a compliant French offer is available, or a renewable one-year derogation until such an offer exists.