The French government announced its cloud strategy on May 17th and, in the words of Reuters, "embraces Google, Microsoft in quest to safeguard sensitive data".
This strategy promotes the use of cloud services from OVHCloud, Orange and Cap Gemini based on licensed cloud technologies from Google and Microsoft. It introduces new certification constraints which tend to exclude most French and European cloud technologies from most public tenders. It introduces a new "cloud first" principle which tends to exclude open source implementation projects from public tenders. Overall, the French government's cloud strategy creates a market distortion in favour of US cloud technologies instead of accelerating open source software or existing EU cloud technologies.
The table below provides a summary and an analysis of the key announcements.
French government ministers have advertised as "Trusted Clouds" the future services based on Google or Microsoft technologies which are being prepared by OVHCloud, Orange and Cap Gemini, although none of them has obtained the SecNumCloud certification.
French government ministers have not advertised a single cloud service based on European cloud technologies as "Trusted Cloud" (Cédric O. advertised startup companies which are not cloud providers and mentioned OVHCloud, whose SecNumCloud offering is based on VMware).
Only four cloud brands were mentioned on May 17th by French government ministers: Amazon, Google, Microsoft and OVHCloud.
Guillaume Poupard, who is a civil servant and not a minister, provided accurate information on SecNumCloud and mentioned the names of two local cloud brands not mentioned by ministers: Outscale and Oodrive.
In essence, the French government announced to the market: "feel free to use US cloud technologies and follow the path of the Health Data Hub, which is based on Azure PaaS. Within 12 months, you will be able to use the same technology through the trusted clouds of OVHCloud, Orange or Cap Gemini".
At the same time, the only definition of "trusted cloud" which appears in this strategy is "SecNumCloud". And the French government is announcing that all government IT projects must migrate to a trusted cloud within 12 months (after now? after they exist?).
Combined together, the French government's announcements are creating a powerful market distortion:
This market distortion creates an unfair advantage in favour of Google- or Microsoft-based clouds because, in a risk-averse market, few buyers will take the risk of using European cloud technologies or open source software which may not receive SecNumCloud certification in time and are not advertised as trusted "best technologies" by the ministers.
This market distortion has an impact beyond government tenders. We are already observing that private companies or local governments are requesting the use of either Google or Microsoft cloud technologies, or SecNumCloud certified services, in the name of trust or sovereignty.
The French government's strategy also creates a de facto exclusion of most European cloud technologies from government tenders and beyond.
Of course, this exclusion is not explicit. Any cloud provider is free to start a SecNumCloud certification process.
But based on experience to date, it takes about 12 months to obtain SecNumCloud certification for IaaS and about 24 months for PaaS. SecNumCloud is not a "per company" certification: each new service has to go through the SecNumCloud certification process. The process is quite heavy since it covers all sorts of management aspects of a cloud company. SecNumCloud is a useful template for designing the security policy of a cloud company and could be useful in very specific cases. However, it is so detailed that it imposes needless reorganisations on existing cloud companies and hinders their innovation through the extra cost of certifying each new service. The cost of SecNumCloud, whether in cash or in slowed innovation, is thus too high to be profitable for most European cloud providers.
As of today, there is no SecNumCloud certified PaaS. Yet the French government advertises the Health Data Hub, developed around Microsoft PaaS technology, as being compatible with its "trusted cloud" strategy. Who is then going to take the risk of waiting 24 months for the PaaS of Bunnyshell, Clever Cloud, Outscale, Platform.sh, Rapid.Space, Scalingo, etc. to become SecNumCloud certified?
This is how the French government's strategy implicitly excludes European cloud technologies from government tenders and beyond.
Action 1. Companies that provide PaaS, SaaS or open source can deploy their services on the trusted clouds (Microsoft, Google) advertised by the French government or on SecNumCloud certified IaaS (Outscale). They can claim that this is sufficient to meet "trust requirements" which are still fuzzy. This is the approach chosen by Scalingo.
This approach has multiple risks:
Action 2. Companies that provide IaaS can sell their technology so that it gets hosted on premise by the government. On-premise clouds do not all need to be SecNumCloud certified.
Action 3. Other possible actions include moving away from government tenders or from the French cloud market, or inventing new approaches to cloud which make the current "trusted clouds" no longer competitive.
Action 4. It may also be useful to promote a European equivalent of SecNumCloud which can be amortised on the entire EU market. The "trusted cloud" certification could also be simplified for cloud companies with European values, which means that SecNumCloud would only be one way among others to become a "trusted cloud".
Action 5. The use of SecNumCloud certification to create a general market exclusion may be incompatible with EU's Competition Law and open the door to litigation.
Action 6. Not all political parties in the EU and not all governments in the EU agree with the French government's approach of promoting US technology and excluding EU technology in their cloud strategy. This opens the door to national, bilateral or Community-level political tactics backed by a European alliance of NGOs.
The table below provides some examples of EU cloud services and the origin of their technology. Feel free to suggest more entries.
The notion of technology origin is obviously questionable since any provider uses a combination of technologies from different origins. It would also make no sense to exclude a technology because of its origin. However, ensuring that there is no strong dependency on a foreign technology which is hard to replace makes sense for applications such as government or critical industries. Stories of the NSA spying on EU allies show the importance of using EU technologies in the context of FISA.
Regarding the open source technology used, we consider that its origin is defined by the nationality of the publishing organisation (company or foundation), or by the nationality of the largest group of sponsors, or by the nationality of the largest group of residents. This may be questionable but relates to the idea of dependency. Open source software which is developed or controlled outside the EU does not bring much independence and could even be subject to export restrictions.
The column "Hyper Open" refers to companies supporting FDL's Hyper Open Initiative to promote cloud services based on open source, open hardware and open service.
We added figures for full-time employees and revenue in 2020. Some cloud companies have a strong focus on data centres and hardware, and thus a high revenue, whereas others are mostly software-based and leverage existing infrastructure. The two kinds often act as partners.