France: preventing extra-territorial access to French data
The French strategy relies on three pillars:
- “Trusted cloud” label (“cloud de confiance”): the objective is 1) to ensure a high level of cybersecurity and 2) to prevent the risk of extra-territorial access. This label relies on the SecNumCloud visa delivered by ANSSI. With this label, companies can be sure that servers are located in France and that cloud providers are European companies owned by Europeans. This label still allows the use of non-EU software for the processing of data. France explicitly recognises that, for now, the best in this field are US companies. The use of this non-EU software takes place in the framework of a licence granted to a French company.
- “Cloud in the centre” policy: this policy aims to accelerate the digitalisation of the French public administration. Cloud becomes a prerequisite for every new digital project within the French administration. Public services will be hosted on the State cloud or on a cloud service that complies with security rules. Every product that deals with sensitive data (personal data or strategic data of French citizens or French companies) must be stored on the State cloud or on an industrial cloud that must be qualified by ANSSI with SecNumCloud (this includes protection against any extra-EU rules).
- An industrial strategy to build new cloud tools: France will invest in projects that develop cloud technologies in France. This strategy particularly focuses on critical technologies such as PaaS solutions for the deployment of AI and big data, or software packages offering collaborative tools. The strategy must ensure Europe's and France’s sovereignty. A call for proposals has already identified 5 projects for an amount of over 100 million euros. The most important projects will be financed in the framework of Important Projects of Common European Interest, gathering 11 EU Member States. The French government mentions Gaia-X. There is also a project to create a European collaborative office suite.
UK: strengthening supply chain security
The UK is currently gathering views on its new plans to boost the cyber resilience of the UK’s critical supply chains. Under these proposed rules, “Managed Service Providers” (e.g. cloud providers) could be required to comply with the Cyber Assessment Framework, a set of 14 cybersecurity principles. This includes measures to:
- protect devices and prevent unauthorised access
- ensure data is protected at rest and in transit
- keep secure and accessible backups of data
- train staff and pursue a positive cyber security culture
Among the envisaged policies, the UK government mentions the establishment of a certification or assurance mark to guide customers in procuring Managed Service Provider services. Additionally, the UK government could set minimum requirements in public procurement, based on an assurance mark for instance.
Interested stakeholders can provide their views on these plans until Sunday 11 July.
If you have any questions on these issues, please contact Camille Dornier - Policy Manager: camille.dornier@eurosmart.com