Independently verified · Quarterly re-audit
EU VETTED
Curated collection

SecNumCloud-certified providers

European cloud and SaaS providers that hold (or are built to align with) ANSSI's SecNumCloud qualification, France's sovereign-cloud benchmark.

In short

SecNumCloud is ANSSI's sovereign-cloud qualification for France, covering both security controls and a corporate-structure requirement designed to limit non-EU extraterritorial legal reach. It is the reference standard in French public-sector cloud tenders and a shortlisting filter in regulated private-sector buys. OVHcloud and Oodrive hold formal qualifications; the list is short because the bar is high.

Last verified May 2026

Frequently asked questions

What is SecNumCloud?
SecNumCloud is a security qualification issued by ANSSI, France's national cybersecurity agency, for cloud service providers. Beyond technical and organisational security controls, the current 3.2 referential adds criteria intended to shield the service and its data from non-EU extraterritorial law, which is why it is treated as France's reference standard for sovereign cloud rather than a purely technical certification.
Is a SecNumCloud-qualified provider immune to the US CLOUD Act?
ANSSI's 3.2 criteria are designed to reduce exposure to extraterritorial jurisdiction, for example by requiring that the operating entity and its decision-making sit within the EU and outside non-EU control. Whether that produces full legal immunity in a given case depends on the specific corporate structure and contracts, so we still record each provider's ownership and sub-processor chain separately rather than treating the qualification as a blanket guarantee.
Who actually needs SecNumCloud?
French public-sector bodies and operators handling sensitive or regulated data are the primary audience; the qualification is referenced in French government cloud doctrine and increasingly written into public tenders. Private buyers in regulated sectors (finance, health, defence supply chain) use it as a shortlisting filter even when it is not strictly mandatory.
Why are some listings 'SecNumCloud-aligned' rather than qualified?
The formal qualification is granted per service and takes time to obtain. Some providers operate infrastructure built to the referential, or have a qualification in progress, without the final visa yet. Where a vendor is not yet formally qualified we say so explicitly and link the source, so the distinction is never hidden.
How does SecNumCloud compare to BSI C5 and ISO 27001?
BSI C5 is Germany's cloud-security baseline, ISO 27001 is a broadly held international information-security standard, and SecNumCloud is France's sovereign-cloud qualification. All three address security controls, but SecNumCloud 3.2 adds a corporate-structure test (requiring EU ownership and decision-making) that BSI C5 and ISO 27001 do not. For pan-European procurement, EUCS is the emerging common framework; its higher assurance levels are expected to converge with SecNumCloud and BSI C5 requirements.
Is SecNumCloud recognised outside France?
Not formally as a mandatory requirement, but it is increasingly cited as a reference in European sovereignty discussions and is recognised by procurement teams in other EU member states as a meaningful signal. French public-sector cloud doctrine makes it a written requirement for certain data classifications; other European national schemes (BSI C5, EUCS) serve comparable purposes in their respective markets. If your tender spans multiple EU jurisdictions, check which national schemes are named alongside EUCS.
Methodology

How we verified every listing here.

For each product we read the public DPA, sub-processors document, hosting region declaration, certifications, and corporate ownership records. Each is timestamped. Signals are editorial, re-verified quarterly. We never accept self-attestation.
