“Sovereignty Requirements” in French—and Potentially EU—Cybersecurity Regulations: The Latest Barrier to Data Flows, Digital Trade, and Digital Cooperation Among Likeminded Partners
France’s national cybersecurity agency (known as ANSSI) is revising its cybersecurity certification and labeling program (known as SecNumCloud) to disadvantage—and effectively preclude—foreign cloud firms from providing services to government agencies as well as the 600-plus firms that operate “vital” and “essential” services. If put into place without changes, it would essentially make it impossible for foreign cloud firms, or firms using services from foreign cloud firms, to be considered “trusted.” The regulation includes severe, China-like restrictions that force foreign firms to store data locally and use only local support and technical staff, which makes it impossible for them to leverage system-wide security and functional services. It also imposes strict limits on foreign ownership and on foreign representation on a company’s board of directors. As in China, it would effectively allow only local firms to apply for certification, and thus force foreign firms to set up a local joint venture in order to be certified as “trusted.” This post analyzes the problematic provisions in the proposed update to SecNumCloud.
ANSSI first launched SecNumCloud in 2016 as a label to show public agencies and firms in critical sectors which cloud services are “trusted.” It is based on ISO 27001, a globally recognized information security standard, and thus its stated goal is genuinely good cybersecurity practice: physical access controls, strong authentication protocols, encryption, and the use of hardware security modules.
However, baked into the latest update to SecNumCloud (French/unofficial English translation) is explicit protectionism against non-French cloud service providers. The window for submitting comments on the proposed revision just closed, and it could go into effect as early as January 2022. These new, explicitly protectionist provisions come on top of the label’s current use as a de facto discriminatory barrier, as France has not certified firms from other EU member states or from outside the EU. Thus, it appears to breach the European Union’s (EU) trade commitments. Since 2016, only four companies, all French, have been certified: 3DS Outscale (a subsidiary of Dassault Systèmes), OVHcloud, Oodrive, and Worldline Cloud Services. Its discriminatory use is problematic given the policy’s broad impact. It is mandatory for public agencies to use SecNumCloud-certified services. ANSSI is also pushing for its use by hundreds of health, energy, finance, transport, and other firms that are deemed Operators of Vital Importance (OVIs) and Operators of Essential Services (OESs).
French policymakers justify SecNumCloud’s protectionist restrictions by pointing to the fear of the U.S. CLOUD Act’s potential extraterritorial reach (although this issue is not explicitly mentioned anywhere in the proposal). Otherwise, SecNumCloud’s protectionist restrictions have no legal basis in European privacy or cybersecurity law: the EU’s General Data Protection Regulation imposes its own requirements, but this proposal’s explicit data localization, local staff requirements, and ownership and board caps are not reflected anywhere else. The protectionist measures do not contribute to the privacy or security of the data and, in fact, undermine cybersecurity best practices.
In moving ahead with these restrictions, France shows it is willing to disregard cooperation and constructive alternatives for addressing concerns over government access to data, including the use of technical measures and the ongoing bilateral and G7 discussions and negotiations over law enforcement and government access to data. Given this, it is hard not to see it as simply another attempt to use regulatory protectionism to target U.S. cloud firms. Targeting U.S. firms is the clearest part of France and Germany’s vision of European tech and digital sovereignty. Most worryingly, France is advocating for these SecNumCloud “sovereignty requirements” in a Europe-wide cloud cybersecurity framework. It raises a new point of conflict just as the United States and Europe try to repair the transatlantic digital relationship via the Trade and Technology Council (TTC) and negotiate a successor to Privacy Shield. In the broader debate about global data governance and Japan’s “data free flow with trust” initiative, the French proposal effectively means neither data flows nor trust.