SREN

In brief

The 2024 French law governing the digital space. In particular, it requires the government to host its sensitive data on cloud services certified to the highest security standards.

Precise definition

Law of May 21, 2024, aimed at securing and regulating the digital space, which transposes several European texts and adds national provisions. Article 31 requires government agencies and their service providers to use a SecNumCloud-certified cloud service to host particularly sensitive data, which effectively reserves a portion of public cloud procurement for providers certified by ANSSI.

Our analysis

The SREN Act, enacted on May 21, 2024, is a comprehensive piece of legislation that addresses the protection of minors online, the fight against illegal content, the regulation of games featuring monetizable digital items, and the regulation of the cloud market. It transposes several European regulations into French law, including the Digital Services Act and the Digital Markets Act, while adding provisions specific to France. The cloud section is of direct interest to executives making hosting decisions.

The most significant provision for the public sector is Article 31. It requires government agencies, their institutions, and their operators to use a SecNumCloud-certified cloud service when they entrust a third party with the hosting of particularly sensitive data. The practical implications are clear: within this scope, public cloud procurement is limited to service providers holding the certification issued by ANSSI, and any non-certified provider is excluded, regardless of its commercial or technical arguments.

However, it is important to understand what the law does not do. The requirement applies to sensitive data in the public sector, not to all public data or data from private companies, which remain free to make their own choices. Nor does the law create a new certification: it builds upon SecNumCloud, inheriting both its strengths and its shortcomings. It establishes a procurement requirement, but does not, on its own, guarantee that the resulting use will be truly sovereign.

Article 31 illustrates the shift in the debate from legal sovereignty to industrial sovereignty. Enacting a legal obligation creates captive demand, but does not generate supply: there must still be players capable of delivering these services at scale, over the long term, and at a level of maturity comparable to that of global providers. Strong legal protection backed by an insufficient industrial base would remain sovereignty on paper. This is the central challenge of the coming decade, and the reason why SREN should not be read in isolation, but rather as a signal of industrial policy as much as a rule of law.