Glossary
The words of sovereignty, explained simply.
Cloud
Instead of buying your own computers, you rent someone else’s processing power and storage space via the internet, and you only pay for what you use. It’s a bit like metered electricity, but for computing.
Precise definition
A model for the provision of IT resources (computing, storage, networking, software) on demand, shared and billed on a pay-as-you-go basis, and operated by a third party. Three levels: IaaS (raw infrastructure), PaaS (execution platform), SaaS (ready-to-use software). The higher up the levels you go, the more you delegate operational management, and the more access to your data you entrust to others.
Digital sovereignty
To be able to decide for oneself what happens to one’s data and tools, without another country or company being able to impose its own rules or cut off access.
Precise definition
The ability of an organisation or a state to maintain control over its data, data processing and technological dependencies, free from the constraints of foreign law and the risk of disruption imposed by a third party. It is not measured by a brand’s nationality, but by verifiable characteristics: applicable law, location, conditions of access and reversibility.
Extraterritoriality (CLOUD Act)
A country’s law that applies even beyond its borders. The CLOUD Act allows US authorities to request data held by a US company, even if that data is stored on servers in France.
Precise definition
The application of a legal framework beyond national borders. The CLOUD Act (United States, 2018) authorises US authorities to require a service provider falling within their jurisdiction to disclose data in its possession, regardless of where it is stored. Direct consequence: locating one’s servers in Europe is not sufficient to protect against foreign access; it is the operator’s legal domicile that determines the outcome.
Hyperscaler
A giant cloud provider, capable of serving the whole world from huge data centres. The three best-known are Amazon, Microsoft and Google.
Precise definition
A very large-scale cloud operator, whose scope (number of services, capacity, global reach) exceeds that of regional players by one or more orders of magnitude. The term refers primarily to AWS, Microsoft Azure and Google Cloud. This should be distinguished from an integrated provider such as OVHcloud: despite the shared term ‘cloud’, they are not in the same line of business.
IaaS
You’re renting the equivalent of a bare plot of land and its foundations: virtual machines, storage and networking. You’re given the raw materials, and you manage everything you build on them.
Precise definition
Infrastructure as a Service, as defined by NIST (SP 800-145). The service provider supplies the basic virtualised resources: virtual machines, block or object storage, virtual networks and firewalls. The customer retains control over everything else: operating system, middleware, runtime environments, data and applications. Examples: EC2 (AWS), Compute Engine (Google), vSphere and Cloud (VMware), Dedibox and Elements (Scaleway).
NIST
The US standards agency. It was this body that, in 2011, established the benchmark definition of what the ‘cloud’ actually is.
Precise definition
The National Institute of Standards and Technology, a US federal agency under the Department of Commerce. Its publication SP 800-145 (2011) establishes the global definition of cloud computing based on five cumulative criteria: on-demand self-service, broad network access, resource sharing, rapid elasticity and metered service. A service that does not meet all five criteria is not cloud computing in the strict sense, but rather hosting or managed services. The definition remains the benchmark in 2026; no official revision of SP 800-145 has replaced it as of that date.
PaaS
You no longer rent machines, but a platform ready to run your code. You upload your application, and the service provider takes care of the rest: the system, the runtime environment, the database and scaling.
Precise definition
Platform as a Service, as defined by NIST (SP 800-145). The service provider manages the infrastructure, the runtime environment and the middleware. The customer retains ownership of their code, data and application configuration, without having to manage the underlying system or hardware. Examples: Cloud Run (Google), Elastic Beanstalk (AWS), Heroku, Scalingo, Clever Cloud.
SaaS
You use the app as it is, hosted and maintained by the service provider, just like a business email service or a CRM. You don’t have to deal with the servers: you simply log in via your browser.
Precise definition
Software as a Service, as defined by NIST (SP 800-145). The service provider manages the entire stack: infrastructure, platform and application. The customer simply configures and uses the service, without access to the code or the system. Examples: Microsoft 365, Google Workspace, Salesforce, Notion, Slack.
SecNumCloud
A highly rigorous French certification awarded by the national cybersecurity agency (ANSSI). It guarantees that a cloud service genuinely protects data, including from foreign laws.
Precise definition
A security qualification issued by ANSSI (standard 3.2). It certifies that a cloud service (IaaS, PaaS or SaaS) meets the highest technical, operational and legal standards, including immunity from extraterritorial laws. It is a qualification (a security endorsement), not merely a certification. The CNIL regards it as the only recognised marker of a sovereign cloud; the SREN Act (Article 31) makes it mandatory for government cloud projects involving sensitive data.
SREN
The 2024 French law governing the digital space. In particular, it requires the government to host its sensitive data on cloud services certified to the highest security standards.
Precise definition
Law of May 21, 2024, aimed at securing and regulating the digital space, which transposes several European texts and adds national provisions. Article 31 requires government agencies and their service providers to use a SecNumCloud-certified cloud service to host particularly sensitive data, which effectively reserves a portion of public cloud procurement for providers certified by ANSSI.