S3NS receives SecNumCloud qualification: a turning point for trusted cloud solutions
© 123RF
By leveraging the cloud to host their applications and information, organisations have become more agile. However, the sensitive nature of the data involved—and the growing risks from cyber threats and extraterritorial legal pressures—have heightened the need for robust security and strict compliance. Many stakeholders now seek to harness the benefits of cloud performance while maintaining full control over their data. This is the equation addressed by the PREMI3NS offering, S3NS’s trusted cloud solution, which has received SecNumCloud qualification.
For a long time, organisations facing these challenges had to choose between two options. On the one hand, so-called ‘sovereign’ solutions, operated by French or European providers, but often lagging behind in terms of performance, range of features, or pace of innovation. On the other hand, the abundant offerings from non-European cloud providers who invest several billion dollars a year in their infrastructures, but whose services may be subject to extraterritorial laws.
“For the past fifteen years, American players have taken a clear lead. They first built these infrastructures for their own needs, before turning them into commercial offerings available to everyone. Europe and France entered this market much later and, faced with such colossal investments, it is now very difficult to compete…” notes Victor Vuillard, Technical and Security Director at S3NS.
Between these two models, a new generation of solutions is emerging, aiming to combine the performance of American clouds with European data sovereignty.
© 123RF
This is exactly the positioning claimed by S3NS. Created three years ago, S3NS is a joint-venture between Thales et Google that employs nearly 200 people in France. It offers companies and public institutions an equivalent of the Google Cloud, but one that is secured by Thales solutions and in full compliance with the SecNumCloud requirements of ANSSI (the French National Agency for the Security of Information Systems). The approach hinges on a unique coordination of roles. Google, usually the integrated operator of its own cloud, provides the technology, software, and analytics and AI components, while S3NS operates and secures the cloud infrastructure as well as the data centers. “Google Cloud helps us to operate their services completely independently, breaking all possible dependencies with the rest of their environment. We retain control over operations, data storage, location, and who can access the data,” explains Victor Vuillard. The American giant has agreed to a level of transparency that is rare for a cloud provider. S3NS notably has access to the source code, which facilitates its in-depth audits of all software and hardware layers. This openness is at the heart of the relationship of trust between the two groups.
SecNumCloud: a security seal for trusted cloud solutions
ANSSI pays particular attention to the role played by any potential non-European ‘third-parties’ in qualified services. Its SecNumCloud qualification provides a framework that guarantees the highest levels of security and sovereignty. Before receiving its qualification on December 17, 2025, the S3NS cloud solution needed to meet hundreds of particularly stringent requirements.
S3NS has achieved the remarkable feat of obtaining qualification for an unparalleled range of services in record time. This is the first time that ANSSI has granted SecNumCloud qualification simultaneously for IaaS, CaaS, and PaaS scopes, covering more than twenty services. Operating a Google Cloud region autonomously is also a world first successfully accomplished by Thales.
Victor Vuillard - Technical and Security Director at S3NS
From a technical point of view, the qualification requires a strict compartmentalisation of systems, widespread encryption, continuous monitoring, regular penetration testing, and robust business continuity and recovery measures. “We have our own internal SOC (Security Operations Center) to define detection scenarios and identify abnormal behaviour within the infrastructure. We also rely on Thales' SOC, which has P10 certification from ANSSI. This dual monitoring gives us an extremely robust overview. At this level, we are the only ones among the SecNumCloud qualified offerings to operate in this way,” explains Victor Vuillard.
ANSSI also oversees the way these systems are operated, covering the profile and location of administrators, dedicated and isolated workstations, use of subcontractors, incident management, and data reversibility. Legally, the service must be operated under European law and protected against extraterritorial legislation. The qualification, which is limited in duration, includes annual audits and a comprehensive review every three years, thereby providing one of the highest levels of security for the hosting of sensitive data in France.
Updates under strict surveillance
To keep pace with Google’s innovations while remaining within the framework of SecNumCloud, the S3NS teams have put in place security mechanisms that systematically intercept each update. The company operates in two distinct cloud environments. The first, referred to as the “quarantine” environment, does not contain any customer data. The second is the production environment, which users access. “Each time Google releases an update, it is intercepted and redirected to the quarantine environment,” explains Victor Vuillard. “We analyse the code using automated reverse-engineering techniques. Specifically, we open each binary, check a series of security criteria, then observe how the new version behaves compared to the previous one. Only after these tests do we decide whether or not to allow the update to be installed in the customer environment,” he adds. On average, five million system components are updated each year.
A central priority for the State and critical sectors
Among the stakeholder required to choose SecNumCloud qualified cloud provider are operators of vital importance or essential services, as well as public administrations. "The State now understands that it can no longer, on its own, maintain data centers at the expected level of resilience. New systems must be designed natively for the cloud, provided that it is SecNumCloud-qualified," explains Victor Vuillard. Beyond the regulatory requirement, many companies see it as a tool for risk control and reassurance. In the health sector in particular, mutual insurers and insurance companies rely on SecNumCloud to demonstrate to their members and the authorities the very high level of security of the cloud infrastructure that hosts them.
Obtaining the SecNumCloud qualification marks a key milestone, while also paving the way for other certifications (ISO 27001, HDS) and for expanding the PREMI3NS offering, notably with managed artificial intelligence services. It provides a protective framework for businesses and European citizens, which is expected to strengthen over time. In this way, S3NS is positioning itself to host its clients’ most sensitive data and to give them access to an unprecedented portfolio of sovereign technologies and expertise.