The SecNumCloud qualification, issued by ANSSI, the French national cybersecurity agency, applies to cloud services: IaaS, PaaS, CaaS and SaaS. It does not apply to data centers. ANSSI's official FAQ states it plainly: SecNumCloud recognizes a specific cloud offering, not a cloud provider, nor an infrastructure.
The choice of hosting site still has a direct impact on qualification. During the evaluation conducted by an ANSSI-licensed assessment body, the physical security of the hosting facility is audited, even when the data center belongs to a third party. For a cloud provider going through qualification, a poorly prepared colocation site translates into audit findings and months of delay. Here is what the standard actually requires from the data center, and how to choose your site accordingly.
What the SecNumCloud 3.2 standard requires from the data center
The standard currently in force is version 3.2, published on March 8, 2022. Four sets of requirements directly concern the physical hosting site.
Physical and environmental security (chapter 11)
The site must be divided into distinct zones (public, private, sensitive), with nominative, logged access control at each perimeter. Added to this are protection against external and environmental threats (fire, water damage, power outage), delivery areas isolated from hosting rooms, cabling security, supervised maintenance, traceability of asset removals and secure media disposal.
Location within the European Union (sections 19.2 and 19.3)
Customer data, backups, directories and technical data must be stored and processed within the EU. Administration and supervision of the service must also be carried out from the EU. A data center located in France meets this requirement by design.
Protection against non-European laws (section 19.6)
The qualified provider must demonstrate immunity from extraterritorial legislation such as the CLOUD Act or FISA 702: head office in the EU, minority non-EU ownership, strict control over the use of non-EU companies. This requirement extends to critical subcontractors. A colocation provider owned by non-European capital weakens its clients' qualification files.
Control of third parties (chapter 15)
The colocation provider is a third party within the meaning of the standard: it must be identified, bound by precise security agreements, and its services must be monitored and reviewed regularly. Third-party personnel are subject to the same background checks as the provider's own staff, or escorted during interventions (chapter 7). One last point, decisive for multi-site architectures: every secondary site must offer the same level of security as the main site.
Seven points to check before signing your colocation contract
The scope of the colocation provider's ISO 27001 certificate. SecNumCloud is built on Annex A of ISO 27001: a provider certified across all of its sites mechanically reduces your burden of proof. Check the exact scope of the certificate, not just its existence.
The location of the sites, including backup sites. All within the EU, ideally in France for public sector contracts governed by the French "cloud au centre" doctrine.
The colocation provider's ownership. Ask for the documented capital structure: it is part of your section 19.6 file.
Zoning and access traceability. Nominative badges, logged access to rooms and racks, video surveillance, visitor and delivery management compliant with chapter 11.
Auditability clauses. Your assessment body will need access to the site: the right to audit must be in the contract, along with incident notification and reversibility.
The personnel screening process. Who enters the rooms, and how external technicians are vetted or escorted.
Power and cooling continuity. Electrical redundancy, generators, and the ability to spread your infrastructure across several sites of the same operator for your disaster recovery plan.
Hosting your SecNumCloud infrastructure with DC2SCALE
DC2SCALE operates six data centers in France: PAR2, PAR3, PAR5 and PAR6 in the Paris region, MRS1 in Marseille and LIL1 in Lille. All six sites are covered by the group's ISO 27001 certification, and the company is 100% French-owned. For a cloud provider pursuing qualification, these two elements directly address the most discriminating points of the standard: an audited security baseline and zero non-European ownership exposure.
The geographical spread makes it possible to build a continuity plan within a single operator's scope: production in the Paris region, replication in Marseille, at the landing point of subsea cables to Southern Europe, the Middle East and Africa, or in Lille, with secondary sites at the same security level as the main site, as the standard requires.
Our teams provide clients going through qualification with the physical security documentation of each site and host the audits conducted by ANSSI-licensed assessment bodies.
Frequently asked questions
Can a data center be SecNumCloud qualified?
No. The qualification applies to cloud services (IaaS, PaaS, CaaS, SaaS), not to infrastructures. A data center can however be audited within the qualification scope of a cloud provider it hosts.
Does the data center have to be located in France?
The standard requires the European Union (section 19.2). In practice, hosting in France simplifies access to French government contracts, since the "cloud au centre" doctrine mandates SecNumCloud for sensitive data.
How long does qualification take?
Expect 18 months to 3 years between entering qualification (the J0 milestone) and obtaining the security Visa, depending on scope. Qualification is valid for 3 years, with annual surveillance audits. Preparing the hosting part upstream is one of the simplest levers to keep the schedule on track.
