TMT 2025

FRANCE Law and Practice Contributed by: Clara Hainsdorf, Bertrand Liard, Saam Golshani and Guillaume Vitrich, White & Case LLP

2. Cloud and Edge Computing 2.1 Highly Regulated Industries and Data Protection Cloud Computing CNIL defines cloud computing as the use of the memory and computing capabilities of comput - ers and servers that are distributed around the world and are linked by a network. Applications and data are no longer located on a specific computer, but in a cloud with many intercon - nected remote servers. Cloud computing service providers offer several deployment models, such as infrastructure as a service, software as a service or platform as a service. They allow a client to switch part or all its IT infrastructure and resources to the cloud, rather than managing it locally or internally. Under French law, there is no contractual law category related to cloud computing contracts. As such, they are subject to common French contract law. The SREN Law imposes stringent security requirements on cloud service providers to protect hosted data. Providers must imple - ment strong encryption protocols, conduct regu - lar security audits and ensure the confidential - ity of user data. They must also be transparent about the locations of their data centres and their data back-up and recovery policies. Par - ticular attention should be given to the content of the contract, notably regarding data integrity and security, service level agreements (SLAs), the clear division of the responsibilities of each party, and compliance with data protection laws and regulations (Data Act, GDPR). In addition, the termination of the contract should be antici - pated, with the use of precise clauses such as notice periods, chain termination of contracts, reciprocal restitution and reversibility.

In March 2022, the National Cybersecurity Agen - cy for France (ANSSI) published version 3.2 of its certification framework for cloud service providers (SecNumCloud), to promote a pro - tective digital environment in line with techni - cal developments. The SecNumCloud identifies trusted cloud services and gives them a label that confirms they comply with the security and regulatory standards set out in the framework. In particular, the framework ensures that the cloud service provider and the respective data that they process are subject to European laws, in order not to undermine the level of protection provided by them. After the opinion of the French Competition Authority on potentially anti-competitive prac - tices concerning cloud computing companies, the French Parliament adopted the “Secure and Regulate the Digital Space” bill. This law pro - vides for the interoperability of cloud services, the prohibition of data transfer fees and the time limitation of cloud credits, to align with the provi - sions of the Data Act. Cybersecurity Implications The NIS1 and NIS2 directives apply to cloud services and aim to strengthen the security of networks and information systems. NIS1 established security standards for Opera - tors of Essential Services and Digital Service Providers, including cloud service providers, while enhancing co-operation among EU mem - ber states. Building on NIS1, NIS2 was adopted in 2022 and expands its scope to cover more sectors and entities, addressing sophisticated cyber threats and formalising the European Cyber Crisis Liai - son Organisation Network (EU-CyCLONe). It introduces stricter cybersecurity requirements,

CHAMBERS.COM