Trusted service providers
In its mission to promote and guarantee digital confidence and information security, ANSSI has set up the General Security Reference System (RGS) as well as a set of standards for trusted products and services. As far as service providers are concerned, these standards cover in particular:
Cyber defence service providers:
- Information systems security auditors (PASSI)
- Security incident detection service providers (PDIS)
- Security incident response service providers (PRIS)
- Cloud computing service providers (SecNumCloud)
- And coming soon (currently in experimental phases):
  - Secure administration and maintenance service providers (PAMS)
  - Information systems security support and consultancy service providers (PACS)
Digital trust service providers:
- Electronic certification service providers (ECSPs)
- Electronic time-stamping service providers (PSHE)
- Providers of electronic signature and seal validation services
- Providers of electronic signature and seal preservation services
- Registered mail service providers
For a service provider or Digital Service Provider (DSP), embarking on qualification against one or more of these demanding standards is a strong indication of a desire to demonstrate to its markets and customers in France and Europe the quality of its offering and the skills of its teams in providing a secure and trusted service.
The SecNumCloud reference system
History of the reference system
SecNumCloud was presented in its first official version in 2016 and was revised in 2018 to reach version 3.1, which is currently in use. This qualification is an evolution of the Secure Cloud label presented by ANSSI in 2014. The reference system is based on ISO 27001, which defines the requirements and best practices for information security management, but adds new requirements specific to cloud players.
What does qualification mean for a service provider?
Qualification is the recommendation by the French government of services that have been tested and approved by ANSSI. The qualification of a service provider attests to its compliance with the requirements of the Agence nationale de la sécurité des systèmes d'information (ANSSI). It assesses a service provider's competence over the long term and demonstrates its ability to identify and control threats and risks in order to meet the requirements set out in the business standards.
What does qualification bring?
Qualification gives consumers of qualified services the assurance that they are choosing solutions whose level of security and trustworthiness has been verified. It is the guarantee that they are using solutions recommended by the French government and used by the French administration, operators of vital importance (OIV), operators of essential services (OSE) and companies in the most sensitive sectors.
For qualified service providers, it gives them the ability to compete in regulated French and European markets, making qualification a competitive advantage in terms of security requirements.
SecNumCloud qualification
SecNumCloud qualification is a long and demanding process, requiring considerable financial and human effort to meet the technical challenges of complying with the requirements of the standard. The process itself is strictly supervised by ANSSI.
The process is broken down into milestones:
- D0: Acceptance of the application for qualification following submission of a compliant file
- D1: Acceptance of the assessment strategy and choice of a COFRAC-accredited assessment centre
- D2: Acceptance of the assessment work, and therefore of the assessment centre's report, by ANSSI
- D3: Qualification decision (issued with or without reservations in the light of the level of compliance reported)
What is the market for SecNumCloud?
The trusted cloud market is expected to be worth more than €250 million in 2019. What's more, the government's announcements on 17 May 2021 can only increase the size of this market in the years to come.
Today, it appears that:
- Use of the trusted cloud is becoming a government priority.
- SecNumCloud-qualified services will be compulsory for public authorities wishing to host their activities elsewhere than in the cloud provided by the State.
- SecNumCloud-qualified services will be the services of choice for OIVs, OSEs and, more generally, players subject to the European NIS Directive, because the prerequisites required by these regulations are already met by SecNumCloud's demanding compliance requirements.
- Companies handling highly sensitive data (strategic, health-related, etc.) will want their operations hosted with confidence from a security and sovereignty point of view (particularly with regard to protection against extraterritorial laws).