Notification Detail | TRIS - European Commission

Projet de décret relatif à la protection des données stratégiques et sensibles sur le marché de l'informatique en nuage

Notification Number:

2025/0041/FR (France)

Date received:

24/01/2025

End of Standstill:

28/04/2025

Draft Text:

FR BG HR CS DA NL EN ET FI GA DE EL HU IT LV LT MT PL PT RO SK SL ES SV

Click here for a printable version of this page

Message

Message 001

Communication from the Commission - TRIS/(2025) 0212

Directive (EU) 2015/1535

Notification: 2025/0041/FR

Notification of a draft text from a Member State

Notification – Notification – Notifzierung – Нотификация – Oznámení – Notifikation – Γνωστοποίηση – Notificación – Teavitamine – Ilmoitus – Obavijest – Bejelentés – Notifica – Pranešimas – Paziņojums – Notifika – Kennisgeving – Zawiadomienie – Notificação – Notificare – Oznámenie – Obvestilo – Anmälan – Fógra a thabhairt

Does not open the delays - N'ouvre pas de délai - Kein Fristbeginn - Не се предвижда период на прекъсване - Nezahajuje prodlení - Fristerne indledes ikke - Καμμία έναρξη προθεσμίας - No abre el plazo - Viivituste perioodi ei avata - Määräaika ei ala tästä - Ne otvara razdoblje kašnjenja - Nem nyitja meg a késéseket - Non fa decorrere la mora - Atidėjimai nepradedami - Atlikšanas laikposms nesākas - Ma jiftaħx il-perijodi ta’ dewmien - Geen termijnbegin - Nie otwiera opóźnień - Não inicia o prazo - Nu deschide perioadele de stagnare - Nezačína oneskorenia - Ne uvaja zamud - Inleder ingen frist - Ní osclaíonn sé na moilleanna

MSG: 20250212.EN

1. MSG 001 IND 2025 0041 FR EN 24-01-2025 FR NOTIF

2. France

3A. Ministères économiques et financiers
Direction générale des entreprises
SCIDE/SQUALPI/PNRP
Bât. Sieyès -Teledoc 143
61, Bd Vincent Auriol
75703 PARIS Cedex 13
d9834.france@finances.gouv.fr

3B. Direction interministérielle du numérique (DINUM)
Mission juridique
20 avenue Ségur
75007 PARIS

4. 2025/0041/FR - SERV - INFORMATION SOCIETY SERVICES

5.
Draft decree on the protection of strategic and sensitive data in the cloud computing market

6. Protecting strategic and sensitive data in the cloud computing market

7.

8.
The purpose of the draft decree is to
– List the public interest groups, including the administrations or operators whose list is annexed to the draft finance law, that are subject to the requirements laid down in Article 31 of the aforementioned law;
– Specify the aforementioned security and protection criteria, including in terms of shareholding;
– Specify the conditions under which a derogation may be granted for projects already initiated;
– Set the criteria for considering a cloud computing offer available in France as acceptable under the derogation procedure.

More specifically, Article 2 of the draft decree aims to specify the requirements for cloud computing services provided by a private provider, as necessitated under the conditions of the aforementioned Article 31(I).
This point I lays down the security and protection criteria, providing for their operational implementation within a ‘SecNumCloud’ reference framework established by the French Cybersecurity Agency (ANSSI) in conjunction with the Interministerial Digital Directorate (DINUM) as regards the State’s information system.
Point II provides for the use, by the administrations concerned, of a private service provider that is qualified according to this standard, or a European certification of at least an equivalent level, based on R9 of the Prime Minister’s circular of 5 July 2021 on the doctrine of the use of cloud computing by the State (‘cloud at the centre’).

9.

Article 31 of Law No 2024-449 of 21 May 2024 on securing and regulating the digital space (SREN Law) lays down provisions to ensure the protection of strategic and sensitive data in the cloud computing market. These provisions concern State administrations, some of their operators, and certain public interest groups, the list of which must be established by decree in the Council of State.
Thus, in cases where these administrations resort to a cloud computing service provided by a private service provider for the processing of data that is particularly sensitive, the breach of which is likely to result in disturbing the public order, public security, the health or life of individuals, or the protection of intellectual property, the service they use must implement security and data protection criteria guaranteeing, in particular, the protection of data against any access by the public authorities of third countries not authorised by European Union or Member State law.

10. References to basic texts:

11. No

12.

13. No

14. No

15. No

16.
TBT aspects: No

SPS aspects: No

**********
European Commission
Contact point Directive (EU) 2015/1535
email: grow-dir2015-1535-central@ec.europa.eu

Disclosed messages

message-id	Year	Number	Country	Type	Title	Date received	Is answer to
110723	2025	0213	COMEuropean Commission	003	Receipt of the draft text	24-01-2025
110724	2025	0214	COMEuropean Commission	037	Competitiveness analysis	24-01-2025
110904	2025	0394	COMEuropean Commission	301	Request for supplementary information	10-02-2025
110994	2025	0484	FRFrance	201	Answer of the notifying Member State	19-02-2025	2025-394

Languages

Stakeholders Contributions

The TRIS website makes it easy for you or your organization to share your views on any given notification.

Due the notification’s status or the end of standstill, we are currently not accepting any further contributions for this notification via the website.

No contributions were found for this notification