Are open source and EU cloud technologies excluded from French tenders?

The French government announced its cloud strategy on May 17th and "embraces Google, Microsoft in quest to safeguard sensitive data" (Reuters).

This strategy promotes the use of cloud services from OVH Cloud, Orange and Cap Gemini based on licensed cloud technologies from Google and Microsoft. It introduces new certification constraints which tend to exclude most French and European cloud technologies from most public tenders. It introduces a new "cloud first" principle which tends to exclude open source implementation projects from public tenders. Overall, the French government's cloud strategy creates a market distortion in favour of US cloud technologies instead of accelerating open source software or existing EU cloud technologies.

The table below provides a summary and an analysis of the key announcements.

| Key message | Says who | Source |
|---|---|---|
| Everything should become cloud based | Amélie DE MONTCHALIN | "the cloud is the default hosting mode for the digital projects of government administrations" (p. 4) |
| Public tenders will require Trusted Cloud for anything significant | Amélie DE MONTCHALIN | "the clouds eligible to host all our sensitive projects, that is to say all those containing personal data or strategic data of French citizens or companies, be hosted either in the State's internal cloud, I will come back to that, or by an external trusted cloud that meets the criteria Bruno LE MAIRE has just presented. This therefore means an external cloud that will imperatively have to be qualified by ANSSI, and I want to thank its teams for their work, and thus protected against any rule of extraterritorial reach." (p. 4) |
| Existing projects must adopt Trusted Cloud within 12 months | Amélie DE MONTCHALIN | "these projects will therefore have to come into compliance and in particular eliminate any risk of data transfer outside the territory of the European Union within 12 months from the moment trusted cloud offerings exist." (p. 3) |
| Trusted Cloud services will exist within 12 months | Amélie DE MONTCHALIN | "In a few months, we should see these solutions labelled Trusted Cloud arrive, and within at most the following 12 months, the Health Data Hub, like other solutions currently hosted in the cloud, will have to migrate to these trusted solutions." (p. 11) |
| SecNumCloud is a way for Trusted Cloud | Bruno LE MAIRE | "this trusted cloud rests on three innovative pillars and three political choices that we assert together with Amélie DE MONTCHALIN and with Cédric O. The first pillar is guaranteeing maximum data protection to the companies and administrations that choose this trusted cloud. What does maximum protection mean? First, it means a level of technical protection that is one of the best in the world. And I want to thank ANSSI for the considerable work it has done for years now to guarantee, with this label known to all companies (SecNumCloud), a level of technical data protection among the highest in the world." (p. 1) |
| US is the best | Bruno LE MAIRE | "The best global service companies today are American." (p. 2) |
| Licensed versions of Microsoft and Google cloud will be Trusted Cloud | Bruno LE MAIRE | "We have therefore decided that these best American service companies, I am thinking in particular of Microsoft or Google, could license all or part of their technology to French companies so that, in this trusted cloud, we can combine what we had never managed to combine: maximum protection and maximum exploitation of data." (p. 2) |
| Google + OVHCloud is good | Cédric O | "The best example of this alliance is the agreement that has already taken place between OVH and Google on the Anthos services offering." (p. 5) |
| Microsoft + Orange + Cap Gemini is sovereign | Cédric O | "I am pleased to see our national ecosystem collaborating with Microsoft to propose an offering capable of fully meeting the challenges of digital sovereignty" (Twitter) |
| Outscale, OVHCloud and Oodrive are SecNumCloud | Guillaume POUPARD (not a minister) | "We had Oodrive first for software solutions in the cloud, and then Outscale and OVH Cloud, which received a qualification on some of their offerings." (p. 10) |

Text analysis

French government ministers have advertised as "Trusted Clouds" the future services based on Google or Microsoft technologies which are being prepared by OVHCloud, Orange and Cap Gemini, although none of them has obtained the SecNumCloud certification. 

French government ministers have not advertised a single cloud service based on European cloud technologies as "Trusted Cloud" (Cédric O advertised startup companies which are not cloud providers and mentioned OVHCloud, whose SecNumCloud offering is based on VMware).

Only four cloud brands were mentioned on May 17th by French government ministers: Amazon, Google, Microsoft and OVHCloud.

Guillaume Poupard, who is a civil servant and not a minister, provided accurate information on SecNumCloud and mentioned the names of two local cloud brands not mentioned by ministers: Outscale and Oodrive.

Market distortion

In essence, the French government announced to the market: "feel free to use US cloud technologies and follow the path of the Health Data Hub, which is based on Azure PaaS. Within 12 months, you will be able to use the same technology through the trusted clouds of OVHCloud, Orange or Cap Gemini".

At the same time, the only definition of "trusted cloud" which appears in this strategy is "SecNumCloud". And the French government is announcing that all government IT projects must migrate to a trusted cloud within 12 months (after now? after such clouds exist?).

Taken together, the French government's announcements are creating a powerful market distortion:

  • projects based on Google or Microsoft cloud technologies (such as the Health Data Hub) are advertised as "future proof" and based on the "best technologies";
  • projects based on Outscale are "future proof" but are not advertised as using the "best technologies";
  • projects based on other cloud technologies must move away unless their cloud providers obtain the SecNumCloud certification (within 12 months?);
  • new projects must be cloud based (IaaS? PaaS? SaaS?).

This market distortion creates an unfair advantage in favour of Google or Microsoft based clouds because, in a risk-averse market, few buyers will take the risk of using European cloud technologies or open source software which may not receive the SecNumCloud certification in time and are not advertised as trusted "best technologies" by the ministers.

This market distortion has an impact beyond government tenders. We are already observing that private companies or local governments are requesting the use of either Google or Microsoft cloud technologies, or SecNumCloud certified services, in the name of trust or sovereignty.

Market exclusion

The French government's strategy also creates a de facto exclusion of most European cloud technologies from government tenders and beyond.

Of course, this exclusion is not explicit. Any cloud provider is free to start a SecNumCloud certification process. 

But based on the current experience, it takes about 12 months to obtain the SecNumCloud certification for IaaS and about 24 months for PaaS. SecNumCloud is not a "per company" certification. Each new service has to go through the SecNumCloud certification process. The certification process is quite heavy since it covers all sorts of management aspects of a cloud company. SecNumCloud is a useful template to design the security policy in a cloud company and could be useful in very specific cases. However, it is so detailed that it imposes needless reorganisations to existing cloud companies and hinders their innovation due to the extra cost of certifying each new service. The cost of SecNumCloud is thus too high in terms of cash or innovation slowdown to be profitable for most European cloud providers.

As of today, there is no SecNumCloud PaaS. Yet the French government advertises the Health Data Hub, developed around Microsoft PaaS technology, as being compatible with its "trusted cloud" strategy. Who is then going to take the risk of waiting 24 months for the PaaS of Bunnyshell, Clever Cloud, Outscale, Platform.sh, Rapid.Space, Scalingo, etc. to become SecNumCloud certified?

This is how the French government's strategy implicitly excludes European cloud technologies from government tenders and beyond.

Possible actions for open source and EU cloud technologies

Action 1. Companies that provide PaaS, SaaS or open source can deploy their services on the trusted clouds (Microsoft, Google) advertised by the French government or on a SecNumCloud certified IaaS (Outscale). They can claim that this is sufficient to meet "trust requirements" which are still fuzzy. This is the approach chosen by Scalingo.

This approach has multiple risks:

  • the PaaS or SaaS itself is not SecNumCloud certified;
  • the open source software may not be "cloud first" if it is deployed and maintained by system administrators (as opposed to a true PaaS or SaaS);
  • trusted clouds advertised by the French government may be too expensive and capture too much value;
  • the approach does not apply to IaaS.

Action 2. Companies that provide IaaS can sell their technology so that it gets hosted on premise by the government. On premise clouds do not all need to be SecNumCloud certified.

Action 3. Other possible actions include moving away from government tenders, from the French cloud market or inventing new approaches for cloud which make the current "trusted clouds" no longer competitive.

Action 4. It may also be useful to promote a European equivalent of SecNumCloud which can be amortised on the entire EU market. The "trusted cloud" certification could also be simplified for cloud companies with European values, which means that SecNumCloud would only be one way among others to become a "trusted cloud".

Action 5. The use of SecNumCloud certification to create a general market exclusion may be incompatible with EU's Competition Law and open the door to litigation.

Action 6. Not all political parties in the EU and not all governments in the EU agree with the French government's approach of promoting US technology and excluding EU technology in its cloud strategy. This opens the door to national, bilateral or Community-level political tactics backed by a European alliance of NGOs.

Examples of EU cloud services

The table below provides some examples of EU cloud services and the origin of their technology. Feel free to suggest more entries.

The notion of technology origin is obviously questionable since any provider uses a combination of technologies from different origins. It would also make no sense to exclude a technology because of its origin. However, ensuring that there is no strong dependency on a foreign technology which is hard to replace makes sense for applications such as government or critical industries. Stories of the NSA spying on EU allies show the importance of using EU technologies in the context of FISA.

Regarding the open source technology which is used, we consider that its origin is defined by the nationality of the publishing organisation (company or foundation), or by the nationality of the largest group of sponsors, or by the nationality of the largest group of contributors. This may be questionable but relates to the idea of dependency. Open source software which is developed or controlled outside the EU does not bring much independence and could even be subject to export restrictions.

The column "Hyper Open" refers to companies supporting FDL's Hyper Open Initiative to promote cloud services based on open source, open hardware and open service.

We added figures for full-time employees and revenue in 2020. Some cloud companies have a strong focus on data centres and hardware, and thus a high revenue, whereas others are mostly software-based and leverage existing infrastructure. They actually often act as partners.

| Service | Regional DC | IaaS | CaaS | PaaS | CDN | SDN | Big Data | Edge | vRAN | Country | Technology | Hyper Open | POPs | FTE | Revenue (M€) | Sample Customer |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| OVHCloud | | | | | | | | | | FR | US | | 31 | 2,750 | 530 | ADP |
| Scaleway | | | | | | | | | | FR | FR | | 5 | 350 | 82 | Education Nationale |
| OutScale | | | | | | | | | | FR | ? | | 20 | 20 | 2 | Fujitsu |
| Ikoula | | | | | | | | | | FR | FR | | 5 | | 7.6 | Adecco |
| Hetzner | | | | | | | | | | DE | ? | | 3 | 290 | 148 | Bitdefender |
| IONOS | | | | | | | | | | DE | ? | | 10 | 9,000 | 2,396 | Lufthansa |
| Rapid.Space | | | | | | | | | | FR | FR | | 240 | 3 | 0.1 | SANEF |
| BSO | | | | | | | | | | FR | FR | | 230 | 120 | 65 | SG |
| Clever Cloud | | | | | | | | | | FR | FR | | | 20 | 3 | Airbus |
| TeraLab | | | | | | | | | | FR | FR | | 1 | 8 | 0.4 | La Poste |
| Platform.sh | | | | | | | | | | FR | FR | | | 150 | 10 | Daimler |
| Scalingo | | | | | | | | | | FR | ? | | | 12 | | Hermès |
| Fuga | | | | | | | | | | NL | US | | | | | Dutch government |
| Bunnyshell | | | | | | | | | | RO | RO | | | 21 | 1.6 | Gomag |
| APPUiO | | | | | | | | | | CH | ? | | | | | Adcubum |
| Anynines | | | | | | | | | | DE | ? | | | 34 | 6.5 | German Digital Library |