The SecNumCloud evaluation grid (SNC), a tool to help you prepare for qualification

The SecNumCloud standard is considered one of the most demanding in Europe. Its expectations cover technical, operational and legal criteria. It is based on the ISO/IEC 27001 standard, but with a depth of investigation four times greater on average.

The standard also includes additional requirements, notably concerning the management of the contract with the client (the future customer, who may use these cloud services to host sensitive data) and extraterritoriality.

Version 3.2 of the SecNumCloud reference framework, published in 2022, has effectively strengthened requirements relating to the extraterritoriality of data. This version includes a major legal component on company formation and shareholding. The aim is to ensure that the sponsor's data does not leave French territory (for hosting, support and administration activities) or the European Economic Area (EEA).

The evaluation grid is an operational tool that lists, one by one, the requirements of the SecNumCloud standard and each of the minimum checks that the evaluation center must carry out to verify the service provider's compliance with the standard.

The content of the assessment framework includes the checks recommended by ANSSI, but is not exhaustive. Based on its accredited methodology and the technical specifics of the architecture being audited, the assessment center applies the checks required to rule on compliance. The audit team is thus provided with a strict formal framework that can be adapted to the technological environment. As part of the regulatory process, the Evaluation Manager (ER) is responsible for producing an evaluation plan, which is then validated by the service provider's qualification officer appointed within ANSSI.

The SecNumCloud evaluation form is a technical document. Once completed, it lists the findings and any deviations from the qualification requirements. It is completed by the assessment center during the audit, then sent to ANSSI for analysis. It contains the audit results, the findings, any non-conformities, and the references of the evidence linked to the findings. A summary report is associated with the framework. It includes :

• A managerial summary,
• An organizational summary,
• A technical summary.

The SecNumCloud qualification process requires the cloud service provider to provide a strong documentary and technical response to the various requirements.

These elements are then studied by ANSSI, which takes the qualification decision on the basis of all these elements, according to several criteria.

Enabling applicants to better prepare for qualification

For a cloud service provider, obtaining SecNumCloud qualification for one of its offerings involves presenting its project to ANSSI. The service qualification process includes 4 milestones, the first of which corresponds to acceptance of the application by the Agency (milestone 0).

Before ANSSI decided to make the SecNumCloud evaluation framework public, qualification applicants could only access this document after passing Milestone 0. They could have been surprised by the depth of the controls required by ANSSI. Now that the assessment grid is public, candidates are aware of the minimum controls required by the Agency, in particular those listed in the "IT Hygiene Guide" tab. The minimum controls in this tab have been imposed on candidates since publication of the framework.

By having access to the evaluation grid even before entering the qualification process, candidates have a basis for self-assessment. They can take a longer time to "mature" their ideas, before submitting an application to ANSSI. This means that, in theory, the applications examined by ANSSI are of higher quality.

Aligning SecNumCloud with other ANSSI standards

The publication of the SecNumCloud evaluation framework by ANSSI is also part of a drive for transparency and consistency. The Agency had already made public the evaluation frames of several other qualification programs (PACS, PASSI, PRIS, for example). A way of standardizing its practices.

This change also introduces greater equity between all assessment centers working on ANSSI's SecNumCloud qualification. LSTI previously used its own assessment framework, validated by ANSSI. The company is now using the ANSSI's, with a more substantial investment in audit time to carry out the checks. For ANSSI, the objectives of this approach remain unchanged: to support cloud service providers as they mature and strengthen their security.

French and European regulations (Cyber Resilience Act, Cyber Security Act, etc.) are evolving rapidly on the subject of data sovereignty. Principals, particularly in certain sensitive sectors, are increasingly encouraged, or even obliged from a regulatory point of view, to use SecNumCloud-qualified cloud services.

Decree nᵒ 2026-272 of April 14, 2026 (application of article 31 of the SREN law) makes it enforceable for the State to use solutions qualified SecNumCloud by the ANSSI for hosting certain sensitive data.

The reform of electronic invoicing also illustrates the growing role played by SecNumCloud qualification. Partner Dematerialization Platforms" (PDPs), now called "Authorized Platforms" (APs), using a cloud hosting provider are, for example, required to choose a SecNumCloud-qualified offering.

For cloud service providers, SecNumCloud qualification is tending to become a standard, and even a competitive differentiator. It can also be supplemented by requirements stemming from sector-specific decrees or specific regulations. This is the case, for example, with HDS (Healthcare Data Hosts) certification .