SecNumCloud and data sovereignty: the new trusted cloud baseline for regulated projects in France


For a long time, cloud adoption in construction was seen primarily as a question of performance, collaboration and cost efficiency. That framing no longer holds.

For regulated infrastructure projects in France, cloud strategy has become a strategic risk and eligibility decision. Questions of cybersecurity, operational control, and data sovereignty now directly influence whether projects can be approved, procured, and delivered.

SecNumCloud is at the centre of this shift. No longer a niche security label or a future aspiration, it is rapidly becoming the reference point for trusted cloud usage in regulated infrastructure environments.

This article explains why SecNumCloud has become unavoidable, how this change is already reshaping procurement and delivery expectations, and what organisations should understand now to move forward with confidence.

SecNumCloud and the changing reality of regulated infrastructure projects

The digitalisation of construction and infrastructure has accelerated rapidly: BIM platforms, CDEs, digital twins and collaborative SaaS tools are now central to project delivery. At the same time, cyber threats targeting strategic infrastructure have increased in frequency and sophistication.

This combination has fundamentally changed how authorities view cloud usage. The question is no longer whether cloud tools are useful, but whether they are trustworthy.

What is SecNumCloud?

SecNumCloud (short for “Sécurité Numérique Cloud”) is ANSSI’s highest cloud security qualification for trusted cloud services used in France.

Created in 2016 by ANSSI (France’s national cybersecurity agency), SecNumCloud applies to cloud services including IaaS, PaaS, SaaS, and SecaaS. Qualification is granted only after an independent, in‑depth evaluation.

The framework defines strict requirements across security, governance, resilience and data sovereignty. Cloud providers must demonstrate that:

  • Data centres and operations comply with ANSSI security standards
  • Administrative access, support, and customer service are handled within the EU
  • The provider is not subject to non‑EU legal control that could expose customer data


Why infrastructure projects are under particular scrutiny

Certifications such as SecNumCloud are highly relevant for infrastructure projects, as they:

  • Often qualify as critical or regulated assets
  • Involve long lifecycles, sometimes spanning decades
  • Rely on complex ecosystems of contractors, operators, suppliers etc.
  • Generate large volumes of shared data

These characteristics significantly expand the potential attack surface. Cybersecurity in construction is no longer limited to internal IT systems; it extends across the collaborative platforms used daily by dozens (sometimes hundreds) of stakeholders.

From “nice to have” to “must have”: How SecNumCloud becomes unavoidable

Across the market, the conversation has shifted. Regulated infrastructure actors are no longer asking if SecNumCloud is necessary, but how to achieve it without disrupting projects.

Increasing expectations from ANSSI and public authorities

ANSSI has progressively clarified its expectations around cloud security, resilience, and operational control. SecNumCloud translates these expectations into a concrete, auditable framework covering areas such as:

  • Protection against cyber threats
  • Operational resilience and continuity
  • Strict control over administrative access
  • Legal and technical safeguards against extraterritorial laws

While SecNumCloud is not always explicitly mandated, it is sometimes referenced in guidance, audits, and procurement criteria. For many public-sector stakeholders, it has become the default reference for “trusted cloud”.

 

Data sovereignty as a procurement and trust requirement

Data sovereignty is no longer just a theoretical concern, but a practical procurement requirement. Project owners now expect clear answers to fundamental questions:

  • Where is project data hosted?
  • Who can technically and legally access this data?
  • Under which jurisdiction does it fall?

For infrastructure projects, this data is highly sensitive: detailed plans, asset models, schedules, security-related documentation, and operational information. As a result, IT security in construction is increasingly inseparable from sovereignty considerations. SecNumCloud provides a recognised framework to address both.

 

The consequences of non-compliance

Failing to anticipate data sovereignty requirements can have concrete consequences:

  • Exclusion from tenders or loss of strategic opportunities
  • Project delays caused by late-stage remediation
  • Reputational damage with public authorities and partners
  • Increased operational risk during delivery and operation

For project owners and CIOs, these risks are no longer hypothetical; they are being observed across the market.

Self-Diagnosis: Are your projects exposed to SecNumCloud requirements?

Before asking how to implement SecNumCloud, many organisations first need to understand whether it applies to them. The checklist below offers a practical starting point.

Key takeaway: if SecNumCloud is not already a formal requirement, it is very likely becoming one in practice.

 

A practical checklist for regulated infrastructure projects

If you answer “yes” or “not sure” to any of the following, SecNumCloud is likely relevant:

Project and regulatory context

  • You are a public-sector project owner or operator
  • You deliver or operate highly regulated or critical infrastructure
  • Your projects are subject to public procurement rules in France

Data sensitivity

  • Your projects handle sensitive technical or operational data
  • You manage BIM models, plans, schedules, or asset data digitally
  • Data must remain protected over long project lifecycles

Cloud usage

  • Cloud platforms are used to collaborate with multiple stakeholders
  • SaaS tools support construction or infrastructure delivery
  • You cannot clearly confirm where all project data is hosted

Sovereignty and control

  • You are unsure which legal jurisdiction applies to your data
  • Your cloud provider may be subject to non-EU legislation
  • You cannot clearly demonstrate alignment with ANSSI expectations

Enabling a SecNumCloud-ready path for regulated infrastructure projects

For regulated infrastructure, SecNumCloud readiness is not just a cloud decision. It is a governance and ecosystem decision.

Generic cloud offerings often struggle to meet both regulatory expectations and the operational realities of construction projects. Infrastructure organisations need environments that are secure, sovereign, and adapted to complex, multi‑party workflows.

This is the challenge the market is now working to address.

 

Thinkproject’s commitment to security and data protection

At Thinkproject, security is a fundamental part of how we design, build, and operate our digital solutions. Thinkproject’s security framework is underpinned by internationally recognised certifications, industry standards, and regulatory compliance requirements.

These include ISO 27001, ISO 19650, SOC 2, GDPR compliance, alignment with the NIST Cybersecurity Framework, Germany’s C5 cloud security standard, and UK government-backed Cyber Essentials and Cyber Essentials Plus certifications.

For over 15 years, the company has invested in the engineering, operational and governance capabilities required to support customers managing highly sensitive data at scale. These capabilities are embedded into the way the platform is designed, operated and governed, and align with regulatory expectations across Germany, the UK, the EU and New Zealand.

Thinkproject’s move towards SecNumCloud-qualified hosting is not a new direction, but a continuation of a long-term strategy.

Addressing SecNumCloud requirements: Thinkproject partners with Bleu & S3NS

As Trusted Cloud requirements continue to evolve across Europe, enabling SecNumCloud-qualified hosting is a practical and strategic step in supporting regulated customers who operate at the intersection of infrastructure, security and compliance.

While SecNumCloud qualification applies to cloud service providers’ offerings, Thinkproject will support its customers by enabling deployments of its platform on SecNumCloud-qualified environments through partnerships with Bleu and S3NS, taking a phased and responsible approach aligned with evolving Trusted Cloud requirements.

This reflects a broader shift in the French market, where some major industrial actors (e.g. EDF) have publicly announced Trusted Cloud / SecNumCloud-aligned choices for strategic workloads. Thinkproject is aligning with this Trusted Cloud operating model to support regulated project and asset data in France.

By combining Thinkproject’s deep expertise in infrastructure platforms with a SecNumCloud-aligned cloud foundation, these partnerships enable regulated project owners and delivery teams to address security, data sovereignty, and operational needs at the same time.

Read more about our latest partnership and SecNumCloud journey in this dedicated article.
