Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

France: ANSSI updates certification framework for cloud service providers to account for Schrems II requirements, endorsed by CNIL

The National Cybersecurity Agency for France ('ANSSI') annnounced, on 9 March 2022, that it had published version 3.2 of its certification framework for cloud service providers ('SecNumCloud'). In particular, ANSSI highlighted that the framework serves to promote, enrich, and improve the offer of trusted service providers intended for public and private entities wishing to outsource the hosting of their data, applications, or information systems. Notably, ANSSI outlined that the updated requirements aim to ensure that cloud service providers and the data they process cannot be subject to non-European laws. In this regard, ANSSI stated that the framework is compliant with European requirements relating to personal data protecton and the consequences of Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case').

Moreover, the French data protection authority ('CNIL') backed up this claim, stating that although the Schrems II Case calls for a case-by-case analysis which can be complex, the framework provides an answer which is compliant by design with the Court of Justice of the European Union's ('CJEU') requirements for data protection in the cloud. As such, CNIL outlined that it recommends the use of the framework for data controllers who want to guarantee a high level of protection of personal data.

You can read the press release here and the framework here, both only available in French.