SecNumCloud: the highest level of French security
The highest level of French cloud security, issued by ANSSI. Wimi is committed to this rigorous process to guarantee its customers maximum protection of their data and total immunity from extraterritorial laws. Expected to be obtained Q1 2026.
What is SecNumCloud?
As the national authority for the security and defense of information systems, ANSSI grants ANSSI Security Visas to solutions, products or services that demonstrate a high level of security and trust.
As part of this approach, in 2016, the agency developed the SecNumCloud framework to allow the qualification of cloud computing service providers, known as cloud.
Its objective: to promote, enrich and improve the offer of cloud providers for public and private entities wishing to outsource, to trusted providers, the hosting of their data, applications or information systems.
Only 3 offers are qualified SecNumCloud on the entire French market. Wimi is committed to this demanding process to offer its customers a sovereign collaborative suite that complies with the highest security standards (qualification expected in Q1 2026).
Information taken from the SNC 3.2* Repository
What threats does the SecNumCloud qualification protect against?
The SecNumCloud qualification meets specific security objectives in the face of threats. It offers a high level of protection and allows you to:
Your data is exposed to the American Cloud Act with foreign solutions. Take back control of your strategic information and protect your digital sovereignty.
Your teams are juggling emails, scattered files and poorly adapted tools. Facilitate their digital transition with an intuitive platform designed for the public sector.
Local authorities are prime targets for cyberattacks (ransomware, phishing). Secure your infrastructures with a solution qualified SecNumCloud by ANSSI.
Budgets are tightening and licenses are piling up. Opt for transparent pricing tailored to your size, with free external guests and no hidden fees.
The SecNumCloud qualification aims to ensure confidence in the resilience of the qualified cloud service in the face of a possible injunction from a non-EU state that would rely on the extra-territoriality of its law. In particular, the qualification process assesses the factors that will allow the qualified service provider to resist an injunction of this type.
It should be noted that the SecNumCloud qualification does not prejudge the security level of a customer's digital service that will be hosted on the SecNumCloud qualified cloud offer (example: a website hosted on a SecNumCloud qualified offer).
Source: The SNC 3.2 standard
Summary of the 14 chapters of requirements of SecNumCloud 3.2
- Distinction between public areas, private areas and sensitive areas
- Physical access control by at least 1 factor for private areas, 2 factors for sensitive areas and logging and monthly review of accesses to sensitive areas
- Protection against physical and natural disasters
- Electrical and climate continuity measurements
- Documented and up to date operating procedures
- Change management with information to sponsors
- Physical separation of development and production environments
- Measures against malicious code
- Daily backup policy with sufficient remote storage and event logging for a minimum of 6 months
- Synchronizing clocks on reliable sources
- Event analysis and correlation infrastructure
- Capacity to inspect and remove incoming and outgoing infrastructure
- Up-to-date information system mapping
- Separation of networks according to the sensitivity and nature of flows
- Application firewall for administration interfaces exposed on a public network
- Probes for detecting security incidents on interconnections
- Documented secure development policies
- Procedure for controlling and validating changes in pre-production
- Secure and protected development environment
- Security and compliance testing during development
- Protection and anonymization of test data
- Extensive list of third party participants up to date
- Equivalent security requirements in contracts with third parties
- Audit clauses in contracts with third parties
- Regular monitoring of measures put in place by third parties
- Procedure for responding to incidents quickly and effectively
- Prompt communication to incident sponsors
- Documentation of any personal data breach and notification to the CNIL if necessary
- Classification of incidents including personal data breaches
- Continuous improvement process
- Business Continuity Plan documented and reviewed annually
- Procedures for maintaining and restoring service
- Regular continuity plan testing
- Offline backup of infrastructure configuration
- Identification of applicable legal, regulatory and contractual requirements
- Three-year audit program including at least one qualified PASSI audit per year
- Independent initial review prior to qualification
- Independent review in case of major changes
Service agreement
- Mandatory agreement with each sponsor defining obligations, rights and responsibilities
- Application of the law of an EU Member State
- Reversibility clause for data recovery
- Review clause with cancellation without penalty in case of loss of qualification
Data location
- Data storage and processing within the European Union
- Administration and supervision operations from the EU
- Support possible from outside the EU with documented control mechanisms
Regionalization
- Interfaces available in French
- First-level support in French
End of contract
- Secure deletion of all data with 21 days' notice
Protection of personal data
- Justification of compliance with data protection principles (purposes, traceability, minimization, etc.)
- Respect for the rights of the persons concerned
Protection from extra-European law
- Registered office established in the EU
- Limited share capital and voting rights for entities outside the EU (24% individually, 39% collectively)
- Third-party companies outside the EU should not be able to access data technically
- Continued operating autonomy guaranteed
- Compliance with EU fundamental rights legislation
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore and dolore magna aliqua. Ut enim ad minimim veniam, qui nostrud exercising ullamco laboris nisi ut aliquip ex ea commodo consequat. Duvet high grain color wine Reprehenderit In voluptate velit esse illum dolore eu fugiat nulla pariatur.
“Wimi is a solution perfectly suited to collaboration in project mode. Its ease of handling and the flexibility offered according to uses convinced us. Covid-19 and the periods of teleworking have only amplified the need for such a solution to maintain exchanges and continue our projects.”
"Wimi nous permet de centraliser notre processus de création et de planification de contenus. La plateforme nous apporte une vision claire et centralisée de notre production. Je le recommande sans hésiter aux équipes qui veulent gagner en agilité et optimiser leur processus de création de contenus."
"Wimi nous permet de faciliter la communication entre le staff et les joueurs, de fluidifier le partage des données et d’accélérer la planification de nos évènements sportifs. Le budget est aussi très attractif au regard du périmètre fonctionnel, riche et ergonome couvert par la solution."
"Wimi est un outil sécurisé et sécurisant qui répond clairement aux besoins d’une profession réglementée par le secret professionnel. Travailler sur nos dossiers depuis la plateforme est devenu une évidence pour nous. Nous sommes bluffés par la facilité avec laquelle nos clients et partenaires adoptent la solution."
Cybersecurity and compliance resources
Your questions about SecNumCloud
How do I know if my organization needs SecNumCloud?
You are legally concerned if:
- Vital Importance Operator (OIV) or Essential Services Operator (OSE)
- Subject to the NIS2 directive in a critical sector
- Work with defense, weapons, or classified data
- Public administration handling sensitive data
SecNumCloud is highly recommended if:
- You handle strategic data (R&D, patents, industrial secrets)
- Strict confidentiality obligations (health, justice, finance)
- You want to protect yourself from extraterritorial laws
- The sovereignty of your data is critical
In case of doubt, our experts can assist you in assessing your needs.
What is the difference between SecNumCloud and other certifications like ISO 27001?
ISO 27001 is a generic international standard for information security management. SecNumCloud goes much further:
- Cloud-specific repository with 19 chapters of precise technical requirements
- Legal protection against extraterritorial laws (mandatory European capital)
- Total sovereignty: infrastructure, administration and data in France/EU
- Mandatory annual audits by qualified PASSI service providers
- Full traceability and logging for a minimum of 6 months
In summary: ISO 27001 is a solid base, SecNumCloud is the top of the cloud requirement in Europe.
Why is SecNumCloud important for my organization?
If your organization handles sensitive or strategic data, SecNumCloud offers you several essential guarantees:
Maximum technical protection: The 360+ SecNumCloud requirements cover all aspects of cybersecurity, from encryption to intrusion detection to incident management.
Legal immunity: Your data is protected against American extraterritorial laws (Cloud Act, Patriot Act). No foreign government can access it.
Compliance made easy: SecnumCloud greatly facilitates your compliance with other regulations such as NIS2, the RGPD, or OIV/OSE obligations.Strengthened trust: For your customers, partners and supervisory authorities, the SecnumCloud label is a guarantee of seriousness and reliability.
Find out how Wimi helps you with NIS2
Does my organization have to use SecNumCloud?
C'est obligatoire pour :
- Opérateurs d'Importance Vitale (OIV) et de Services Essentiels (OSE)
- Administrations manipulant des données sensibles
- Organisations soumises à NIS2 dans des secteurs critiques
- Entreprises du secteur défense et armement
C'est fortement recommandé pour :
- Données stratégiques (R&D, brevets, secrets industriels)
- Obligations de confidentialité strictes (santé, justice, finance)
- Toute structure souhaitant se protéger des lois extraterritoriales
Même sans obligation légale, SecNumCloud est aujourd'hui la meilleure protection disponible pour vos données critiques.
Is Wimi already SecNumCloud qualified?
Wimi is in the process of qualifying SecNumCloud 3.2 with finalization scheduled for Q1 2026. Our infrastructure already meets the requirements of the standard:
- Datacenters in France, in compliance with SecNumCloud location requirements
- End-to-end encryption and keys under customer control
- Multi-factor authentication mandatory for sensitive accesses
- Extensive logging and real-time incident detection
- Regular security audits by qualified service providers
Even before final certification, Wimi already offers a level of security in accordance with SecNumCloud standards.
How much does a SecNumCloud solution cost?
SecNumCloud solutions are slightly more expensive than American public clouds due to the level of technical requirements and ANSSI audits. However:
Actual cost : Public clouds charge for security, compliance, and support as separate options
Legal protection: Full immunity against extraterritorial laws = invaluable value
Compliance made easy: Save time and money on NIS2, RGPD, OIV/OSE
Risks avoided: The cost of a data breach far exceeds the price difference
At Wimi, we offer transparent and scalable pricing, adapted to your organization.Discover our rates
What happens in the event of a French judicial requisition?
The SecNumCloud framework protects against extraterritorial laws (American Cloud Act), but remains subject to French and European law. In the event of a legitimate judicial requisition from a French authority, Wimi may be required to cooperate within the legal framework.
However, unlike American clouds, no foreign authority can require access to your data without going through international legal assistance channels.
Does SecnumCloud guarantee 100% availability?
No SecnumCloud imposes strict business continuity (PCA/PRA) and resilience requirements, but does not guarantee absolute availability.
Wimi is committed to 99.5% availability, with automatic backup mechanisms, datacenter redundancy and business recovery plans documented in accordance with Chapter 17 of the SecNumCloud repository.
Can I easily migrate to Wimi from my current cloud?
Yes. Wimi offers comprehensive support to secure your migration:
- Audit your existing infrastructure
- Customized migration plan with zero downtime
- Data recovery with end-to-end encryption
- Training your teams in SecNumCloud best practices
- Dedicated support during and after migration
Our experts support you every step of the way to ensure a risk-free transition to a sovereign cloud.
Ready to take back control of your data?
Wimi supports you in your transition to a sovereign and secure cloud. Our experts analyze your needs and offer you a tailor-made solution.