All sources listed here are public and institutional. Links point to the homepage or the stable rubric of the issuing body, never to a document URL likely to evolve.
Category: US laws and regulations
US federal texts that create extraterritorial exposure for cloud providers subject to US jurisdiction.
Law authorising US authorities to require a provider subject to their jurisdiction to deliver data stored anywhere in the world.
US intelligence legal tool that permits, without an individual warrant, the collection of communications of non-US persons located outside the USA from US electronic service providers.
Historic framework for the right of access to data stored by communications providers. Amended by the CLOUD Act in 2018.
FBI administrative orders issued without prior judicial review and accompanied by a gag order. They primarily concern telecommunications records.
Category: EU regulations
Legal framework applicable to personal data and digital services in the European Union.
General Data Protection Regulation, applicable since 25 May 2018. Governs all processing of personal data of individuals located in the EU.
Data regulation adopted at the end of 2023 governing the sharing and portability of data generated by connected objects and cloud services. Includes provider-switching obligations and protection against unlawful international transfers.
Digital Markets Act, which regulates the practices of large digital gatekeepers. Targets interoperability and the limitation of anti-competitive practices.
Regulation on electronic identification and trust services. Notably defines assurance levels for electronic signature, timestamping and archiving.
Strengthens the mandate of ENISA and establishes a European cybersecurity certification framework (legal basis of the upcoming EUCS).
Category: French laws and doctrines
National texts structuring the sovereign digital agenda in France.
Founding French law on personal data protection. Amended to align with the GDPR since 2018. Remains the national legal basis and confers its powers on the CNIL.
ANSSI qualification for cloud service providers, March 2022 version. Includes explicit requirements of extraterritorial immunity and European capital control.
Prime Minister circular of 5 July 2021. Requires the use of a SecNumCloud-qualified service for the most sensitive State data.
General security reference framework applicable to the information systems of administrative authorities, transversal complement of sectoral qualifications.
Category: European case law
Structural decisions of the Court of Justice of the European Union on international transfers of personal data.
Invalidates the Safe Harbor agreement between the EU and the United States. First signal of the limits of US law when measured against the European data protection standard.
Invalidates the Privacy Shield and makes any EU-US transfer relying on standard contractual clauses conditional on an impact analysis that takes US law into account. Essential reference for cloud choices since 2020.
Category: Technical standards and certifications
Technical security reference frameworks used to evaluate providers on the certifications criterion.
International standard for information security management. Minimum baseline required for most public and regulated markets.
Code of good practice for security controls specific to cloud computing. Complements ISO 27001 in the cloud services context.
Spanish national security scheme, functional equivalent of other European national qualifications. Three levels: Low, Medium, High.
International audit standard applicable to service organisations, attesting to operational controls by an independent third party.
US audit report on security, availability, confidentiality and integrity controls of service providers. Very frequent among US actors and global SaaS players.
Reference framework of the German federal office for information security, frequently used as a baseline for German public procurement.
Mandatory French certification to host personal health data. Managed by the Agence du numérique en santé.
Category: Public data sources
External data feeds used on NextHop to enrich provider profiles and analysis modules.
Official list of providers qualified SecNumCloud, HDS, PASSI, PDIS and others. Regularly updated by the agency.
Publications and inventories of the European Union Agency for Cybersecurity: guides, recommendations, sectoral studies.
EUR reference exchange rates used for multi-currency price conversions in the cloud catalogue.
Open data on the hourly carbon intensity of European electricity grids. Used for the carbon footprint calculation per region.
Decisions, sanctions and recommendations of the French data protection authority, used for the immunity and hosting criteria.
Opinions of the European Data Protection Board, notably recommendations 01/2020 on supplementary measures post-Schrems II.