#2026-272 Decree on the Protection of Sensitive Government Data in Cloud Services Provided by Private Providers
AI-generated summary for informational purposes only. Not legal advice. See the original source for the authoritative text.
This decree establishes requirements for the protection of especially sensitive data managed by public administrations and associated entities using cloud services from private providers. It includes a compliance framework for ensuring data security and protection against unauthorized foreign access. Administrations using non-compliant cloud services prior to this decree must apply for special authorization to continue their projects until compliant solutions are available.
Key Changes
- Definition of security and protection requirements for sensitive data in cloud services
- Establishment of a compliance framework for private providers
- Requirement of special authorization for pre-existing non-compliant projects
Obligations
What this law requires
Public administrations and public interest groups must use cloud services that comply with the security and protection requirements outlined in the framework established by the Agence nationale de la sécurité des systèmes d'information.
Cloud service providers must obtain a qualification or certification demonstrating conformity to the security requirements specified in the decree.
Any public administration that had initiated a cloud project using non-compliant services before the decree must apply for a derogation from the relevant minister within specified guidelines.
The derogation request must include specific documentation and is subject to validation by the Prime Minister as per the rules set in a future decree.
If a compliant cloud service becomes available in France, the approved derogation expires eighteen months after the availability date.