FRANCE Law and Practice Contributed by: Clara Hainsdorf, Bertrand Liard, Saam Golshani and Guillaume Vitrich, White & Case LLP
requiring cloud service providers to implement enhanced risk management measures, adopt state-of-the-art cybersecurity practices, and ensure supply chain security. Significant security incidents must be reported within 24 hours, with follow-up reports submitted within 72 hours. In France, compliance involves the SecNumCloud certification mentioned above, and participating in the European cloud certification scheme (EUCS). The NIS2 transposition is still pending.

The banking industry is subject to specific provisions regarding cloud computing. Indeed, on 25 February 2019, the European Banking Authority (EBA) adopted new guidelines on outsourcing, which are still applicable. These guidelines include specific provisions regarding the following, for instance:

• the protection of confidentiality and personal or sensitive information; and
• the need to comply with all legal requirements relating to the protection of personal data, banking secrecy or confidentiality obligations concerning customer data.

The French supervisory authority for banks and insurance (the Prudential Supervision and Resolution Authority – ACPR) has published a notice to ensure that these guidelines are followed in France.

In accordance with NIS2 and these EBA guidelines, the Digital Operational Resilience Act (DORA) regulation entered into force on 17 January 2025. It creates a stricter regulatory framework than NIS2 for financial entities, which will have to ensure that they can withstand, respond to and recover from any serious operational disruption linked to information and communication technologies.

The insurance industry is also subject to similar requirements. On 6 February 2020, the European Insurance and Occupational Pensions Authority (EIOPA) published its Guidelines on Outsourcing to Cloud Service Providers, which provide guidance to insurance and reinsurance providers on how outsourcing to cloud service providers should be carried out in order to comply with their industry-specific regulations. The ACPR has also published notices relating to the modalities for the implementation of the EIOPA guidelines in France.

Cloud computing services usually involve storing and sharing data that may fall within the scope of regulations on the protection of personal data. Therefore, it is essential that any cloud project be compliant with data protection laws and regulations. As such, GDPR and the French Data Protection Act of 1978, as amended in June 2019, will be applicable to the processing of personal data within a cloud project.

Importantly, it is necessary to assess whether the cloud service provider will act as data controller or data processor regarding the personal data processed by the cloud service. In most cases, the cloud provider will be qualified as data processor and the client as data controller, but this may vary depending on the nature of the processing and the general cloud project.

In addition, to ensure that any transfer of data outside of the EU is carried out with appropriate safeguards, a contractual framework must be put in place between the provider and the client, addressing the requirements provided for in Article 28 of GDPR regarding data processing.
CHAMBERS.COM