🚨 Cloud & sovereignty

Data Transfers, Confidentiality & Security | 10/09/2025

⚠️ ANSSI sets the record straight
Senate report of 8 July 2025

Sources: official Senate minutes (hearing of V. Strubel), SecNumCloud v3.2 framework (ANSSI), inquiry commission report (Bleu/S3NS).

💬 Encryption won’t save you… and neither will your clauses.
“Nothing prevents a Texas judge or a Chinese agency from turning to OVH to demand the transfer of this or that data…”

• ANSSI (Vincent Strubel) before the Senate: no technical or contractual countermeasure is effective against extraterritorial laws (Cloud Act, FISA).
• Only a European provider can qualify for SecNumCloud.
• SecNumCloud v3.2 requires immunity from extra-European law through EU-based governance, footprint, and ownership/control.
• The Bleu (Orange/Capgemini + Microsoft) and S3NS (Thales + Google) offerings aim at this objective: legal immunity may be achievable… technological dependency remains unresolved.

💬 “In the structure planned for Bleu, Microsoft provides the technology but has no access to the data, which are under the exclusive control of European actors.”

Key takeaway:
If a provider is exposed to non-EU law, no encryption/contract “neutralises” that legal risk according to ANSSI; the lever is the provider’s European governance (ownership, control, support, admin locations).
