ANSSI, HDS, and SecNumCloud, continuously evidenced.
CISGuard automates the technical-controls layer underpinning HDS (Hébergeurs de Données de Santé), SecNumCloud-aligned deployments, the French NIS2 transposition, and CNIL technical-measures expectations, deployed within French or EU sovereign infrastructure.
France compliance at a glance, for fast retrieval.
Atomic factual claims auditors and search engines can cite verbatim.
- Primary regulator: ANSSI (Agence nationale de la sécurité des systèmes d'information)
- Privacy regulator: CNIL (Commission nationale de l'informatique et des libertés)
- Frameworks: HDS, SecNumCloud, RGS, ISO 27001, RGPD/LIL, NIS2 (LPM 2024-2030)
- HDS scope: Mandatory for hosting French health data (référentiel 2024)
- SecNumCloud: ANSSI sovereign-cloud qualification scheme
- OIV scope: Opérateurs d'Importance Vitale (~250 critical operators)
- Deployment: On-premises in France or EU sovereign cloud
- Sovereign cloud options: OVH, Scaleway, Bleu (Microsoft/Capgemini/Orange), S3NS (Google/Thales)
Compliance in the French Republic.
France has the most explicit sovereign-cloud doctrine in the European Union. ANSSI (Agence nationale de la sécurité des systèmes d'information) sets cybersecurity standards across government, critical infrastructure, and regulated sectors. HDS certification is mandatory for hosting French health data, with the latest revision (HDS v1.1 / référentiel 2024) tightening technical and organizational requirements. SecNumCloud is ANSSI's sovereign-cloud qualification scheme: the de facto requirement for hosting French state and OIV (Opérateurs d'Importance Vitale) workloads. The French NIS2 transposition (in the LPM 2024-2030 framework) implements 24-hour incident reporting via ANSSI. Underneath all of these sits RGPD (the French GDPR) supervised by CNIL with parallel enforcement authority. The technical-controls layer is largely common to all of these regimes (CIS benchmarks, ISO 27001, NIST derivatives) but the procedural and certification requirements are uniquely French.
Frameworks CISGuard maps for France.
Each scan generates per-framework reports showing satisfied / partial / not-met status.
| Framework | Scope | Authority |
|---|---|---|
| HDS Certification | Hébergeurs de Données de Santé (référentiel 2024) | ANSSI + Ministry of Health |
| SecNumCloud | Sovereign-cloud qualification scheme | ANSSI |
| RGS | Référentiel Général de Sécurité | ANSSI |
| LPM 2024-2030 | French NIS2 transposition (Loi de programmation militaire) | ANSSI |
| RGPD / Loi Informatique et Libertés | EU GDPR + French data protection law | CNIL |
| ISO/IEC 27001 | International ISMS standard | COFRAC-accredited certification bodies |
Sovereignty and residency, solved by architecture.
France operates the most explicit sovereign-cloud regime in the EU. SecNumCloud-qualified deployments are required for French state, OIV, and many regulated workloads, explicitly excluding US-controlled cloud providers under the FISA Section 702 / Cloud Act exposure framework. HDS certification mandates EU data residency with French regulatory authority. CNIL Schrems II guidance further restricts cross-border transfers. CISGuard's on-premises and EU sovereign cloud deployment (OVH, Scaleway, Bleu, S3NS) satisfies these requirements; no SaaS exposure to non-EU-controlled cloud.
Three ways to deploy in France.
On-premises in French data center
Single-tenant deployment in customer-controlled French infrastructure. Standard for OIV, hospitals, banks, and SecNumCloud-required workloads.
French sovereign cloud
OVH, Scaleway, Bleu (Microsoft/Capgemini/Orange joint venture), or S3NS (Google/Thales joint venture); all EU-controlled with French data residency. Aligned with ANSSI SecNumCloud expectations.
HDS-certified hosting
For French health data, deployment within an HDS-certified hosting environment. CISGuard's evidence layer integrates with HDS-certified hosters' compliance reporting flow.
France questions, answered directly.
Does CISGuard support HDS (Hébergeurs de Données de Santé) compliance?
Yes. HDS certification requires technical security measures aligned with ISO 27001 and additional health-data-specific controls. CISGuard's ISO 27001 Annex A mapping covers the bulk of HDS technical-controls requirements. EU sovereign-cloud deployment satisfies HDS data-residency obligations. The Framework Coverage Report is formatted for HDS auditor consumption during certification and surveillance audits.
How does CISGuard relate to SecNumCloud qualification?
CISGuard does not hold SecNumCloud qualification itself; qualifications attach to cloud service providers (OVH, Scaleway, Bleu, S3NS, etc.). CISGuard deploys cleanly within SecNumCloud-qualified environments, providing the compliance-evidence layer above the SecNumCloud-qualified infrastructure. For OIV and French state customers, this is the standard architecture.
Is CISGuard compatible with French sovereign cloud (OVH, Scaleway, Bleu, S3NS)?
Yes. CISGuard deploys cleanly on OVH, Scaleway, Bleu (Microsoft/Capgemini/Orange), and S3NS (Google/Thales). The architecture is portable across hypervisors and cloud platforms because scanning happens via native target control surfaces. No cloud-vendor lock-in, no SaaS dependency on non-EU-controlled cloud, no FISA Section 702 / Cloud Act exposure.
How does CISGuard support the French NIS2 transposition (LPM 2024-2030)?
The Loi de programmation militaire 2024-2030 transposes NIS2 into French law, with ANSSI as the operational authority. CISGuard automates Article 21 technical risk-management measures continuously, with drift detection feeding the 24-hour incident notification window via SIEM integration. OIV-specific obligations layer on top of NIS2: same technical evidence, additional process documentation.
Will CNIL accept CISGuard evidence during enforcement actions?
CNIL's enforcement methodology examines technical and organisational measures under RGPD Article 32 / LIL. CISGuard's continuous CIS benchmark posture, drift detection logs, and Framework Coverage Reports provide the technical-measures evidence CNIL investigators expect. The Article 30 records-of-processing supporting evidence and DPIA technical-measures sections both consume CISGuard output directly.
Ready to deploy in France?
Our compliance engineers have helped organizations across France achieve regulatory readiness in as little as one business day.