Defense & sovereignty 2026: SecNumCloud becomes mandatory

With the "Cloud at the center" doctrine tightened in 2024 and the LPM 2024-2030, French defense industrials and their subcontractors discover that no non-sovereign cloud is acceptable anymore.

Swoft Team, sector watch unit

The French "Cloud at the centre" doctrine, set out in 2021 and reinforced in May 2023, became a clear modus operandi in 2026. For administrations, OIVs (Operators of Vital Importance), OSEs (Essential Service Operators), and BITD (Defense Industrial and Technological Base) industrialists, any sensitive-data processing must be hosted on an ANSSI-qualified SecNumCloud cloud, or an equivalent on-site cloud. The 2024-2030 Military Programming Law (LPM) anchored this requirement long-term.

What SecNumCloud changes in 2026

SecNumCloud is the highest-level security visa issued by ANSSI for cloud services (IaaS, PaaS, SaaS). To be qualified, a provider must demonstrate a European headquarters (with immunity to extraterritorial laws like the US CLOUD Act), a technical team located in France/EU, an in-depth security audit (ISO 27001, ANSSI), and a controlled subcontracting chain. Qualified providers in early 2026 are few: Outscale (3DS), OVHcloud (on certain offers), Cloud Temple, Numspot, and S3NS (Thales-Google collaboration still pending final qualification).

For BITD industrials (Thales, Safran, Naval Group, MBDA, Dassault Aviation, and their tier-1 to tier-4 subcontractors), SecNumCloud is now a contractual requirement. DGA (French defense procurement) contracts contain clauses imposing SecNumCloud hosting of digital tools used on the program. For a tier-3 subcontractor delivering a mechanical part with its CAD plans, the stake can be: "no standard Microsoft 365 cloud for the plans — SecNumCloud or nothing".

The Microsoft 365 / Google Workspace trap

Most French SMEs and mid-caps use Microsoft 365 or Google Workspace for daily productivity. Both, while partly hosted in France or the EU, are not SecNumCloud-qualified: they are subject to the CLOUD Act and US extraterritoriality. For a BITD industrialist, this means no classified or merely sensitive document (non-public information on a military program, technical data under NDA) can transit through M365 or Workspace.

The solution isn't to migrate all productivity to SecNumCloud, since the SecNumCloud office offering remains limited. The practical solution adopted by advanced industrialists is a two-tier setup: M365/Workspace for non-sensitive productivity (admin, HR, non-classified internal communication), and SecNumCloud for sensitive business tools (PLM, shared CAD, tender response files, projects under DGA contract).

Three practices that structure advanced industrials

Programmatic compartmentalization

Rather than partitioning by software solution (M365 on one side, SecNumCloud on the other), advanced industrials partition by program. Each military program (Rafale, Scorpion, Aster, Barracuda) has its own dedicated digital environment, with its own access rights, tools and digital boundary. An engineer who works on 2-3 programs has 2-3 distinct environments that don't talk to each other except via audit-trail gateways.

Bring-your-own-laptop forbidden

BITD industrials forbid using personal hardware for programs. Workstations are company-supplied, hardened (locked BIOS, USB ports disabled unless justified, BitLocker or equivalent encryption, strict MDM). Remote work on personal hardware via VPN is no longer accepted — it's company hardware with sovereign connection, or no remote work on sensitive programs.

Traced clearance and decision traceability

For classified programs (Defense Confidential, Defense Secret), engineers are personally cleared by the French Armed Forces ministry. This clearance is named, dated, and attached to a program. The information system (IS) must be able to prove who accessed what, when, and in what context. PLM and document-management tools must support this level of traceability, and few standard SaaS products do.

The 2027-2030 scenario

Three evolutions will frame what comes next. First, SecNumCloud extension to tier-3-4 subcontractors — the DGA pushes for responsibility to flow down the chain. Second, the EUCS (European Cybersecurity Certification Scheme for Cloud Services) creating an equivalent European framework: "high+" level planned for 2027-2028, expected to align with SecNumCloud. Third, classified AI — the massive arrival of generative AI in design (engineer assistance, training datasets) demands models themselves hosted in SecNumCloud, which de facto eliminates standard OpenAI, Anthropic, Google.

For an industrial SME wanting to enter or stay in the BITD, the 2026-2028 program is legible: (1) map sensitive data and tools processing it, (2) migrate to a partitioned M365/Workspace + SecNumCloud combo per program, (3) harden workstations and formalize clearances, (4) trace accesses and decisions. It's a €100k-300k investment over 18-24 months for a 50-100-person SME, but it's the condition for access to the French defense market.

Topics covered

  • SecNumCloud
  • LPM 2024-2030
  • BITD
  • Digital sovereignty
  • DGA
  • Clearance
Tech translation

How Swoft turns this challenge into software

Industrializing defense compliance means connecting the PLM, the document vault, per-program IAM, and the access log in a system that supports SecNumCloud without weighing down engineers' work. Here is how Swoft equips BITD industrials and their subcontractors.

  1. Program-partitioned PLM with SecNumCloud hosting

    Each program has its own isolated project space: mock-ups, plans, technical files, classified documents. Isolation is physical (dedicated containers) and logical (per-program encryption keys). Engineers see only their own programs; inter-program gateways require a traced authorization from the project manager.

  2. IAM with traced per-program clearance

    Each access to a program is conditional on a valid clearance (HFDS, BITD, client agreement). The clearance's expiry date, its level (CD, SD) and its program scope are recorded. Renewals generate alerts; the end of an assignment automatically revokes access.

  3. Tamper-proof audit log accessible for 10 years

    Each access to a sensitive document is traced: who, when, from where, and with what action (read, download, print). The log is append-only, cryptographically signed, and kept for 10 years in SecNumCloud. In the event of a DGA requisition or an HFDS investigation, the trail can be reconstructed in a few minutes.
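The clearance-gated access of item 2 and the append-only signed log of item 3, sketched as an added Python example (not Swoft's code). The record fields, the `PROG-A` program name, the workstation and document ids and the key are constructed for illustration, and an HMAC chain stands in here for the cryptographic signature.

```python
import hashlib, hmac, json
from datetime import date

LEVELS = {"CD": 1, "SD": 2}   # the two levels named on the page; SD outranks CD
GENESIS = "0" * 64            # assumed starting value for the MAC chain

def is_cleared(clearance, program, required_level, today):
    """Grant only if the clearance covers this program, is high enough and is unexpired."""
    return (clearance["program"] == program
            and LEVELS[clearance["level"]] >= LEVELS[required_level]
            and today <= clearance["expires"])

class AuditLog:
    """Append-only log: each entry's MAC covers its record and the previous MAC."""
    def __init__(self, key):
        self._key, self.entries = key, []

    def _mac(self, prev, record):
        payload = prev + json.dumps(record, sort_keys=True)
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def append(self, who, when, origin, action, doc, granted):
        record = {"who": who, "when": when, "from": origin,
                  "action": action, "doc": doc, "granted": granted}
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        self.entries.append({"record": record, "mac": self._mac(prev, record)})

    def first_bad_entry(self):
        """Index of the first entry whose MAC no longer verifies, or None if intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if not hmac.compare_digest(entry["mac"], self._mac(prev, entry["record"])):
                return i
            prev = entry["mac"]
        return None

def demo():
    log = AuditLog(b"constructed-demo-key")  # a real key would sit in an HSM or KMS
    clearance = {"program": "PROG-A", "level": "CD", "expires": date(2026, 6, 30)}
    decisions = []
    for day, action in [(date(2026, 6, 1), "read"), (date(2026, 7, 1), "download")]:
        granted = is_cleared(clearance, "PROG-A", "CD", day)
        decisions.append(granted)   # the denial is logged too, not only the grant
        log.append("engineer-1", day.isoformat(), "ws-042", action, "plan-001", granted)
    intact = log.first_bad_entry()
    log.entries[1]["record"]["granted"] = True   # simulate an after-the-fact edit
    return decisions, intact, log.first_bad_entry()
```

The chain exposes edits and deletions in the middle of the log; detecting truncation of the tail additionally requires anchoring the latest MAC outside the log store.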