At the same time, in its summary published earlier this year, the cybersecurity body CERT-FR, operated by the French National Cybersecurity Agency (ANSSI), reports that 218 cyber incidents involving local authorities were handled in 2024.
In its 2024 activity report, ANSSI also describes the cyber threat as “systemic” for the public and social sectors.
In this context, choosing a secure cloud solution for public administrations has become a central concern for CIOs, CISOs, and digital project managers.
The objective is not simply to select a high-performance infrastructure, but to ensure that the chosen cloud solution meets the legal, regulatory, technical, and operational requirements specific to the public sector.
Understanding what cloud security means in the public sector
The data handled by public administrations — personal data, health data, financial information, and sensitive data related to public infrastructures — are subject to strict regulatory frameworks, notably enforced by the CNIL and the GDPR. In addition, the public sector is expected to rely on recognised security certifications, such as ISO/IEC 27001, HDS for health data, and, for the most critical environments, SecNumCloud.
These requirements demonstrate that a secure cloud goes far beyond firewalls or encryption alone. It requires a comprehensive, structured, and auditable approach to security.
Digital sovereignty: a criterion that has become essential
For a public administration, it is essential to know where data is hosted and under which jurisdiction it falls, in order to comply with the GDPR and to properly govern any potential data transfers outside the European Union.
A sovereign cloud implies not only that data is hosted within the European Union, but also that it is not subject to extraterritorial legislation, such as the US Cloud Act (2018), which allows a foreign government to request access to data stored by a provider under its jurisdiction.
Digital sovereignty also contributes to the resilience of information systems. By limiting technical, contractual, or legal dependencies on a single provider, public administrations retain the ability to react quickly when constraints arise—for example, by changing providers or relocating a service when regulatory, operational, or strategic conditions require it. This margin of manoeuvre is an important factor in maintaining control and ensuring the long-term sustainability of public digital services.
Sovereignty is therefore a key differentiating criterion when choosing between a European provider and a US-based provider.
Certifications, compliance, and auditability: a mandatory foundation
Public administrations must be able to demonstrate that the cloud solution they use complies with clearly defined standards and reference frameworks.
ISO/IEC 27001 certification
ISO/IEC 27001 ensures that an information security management system is in place, documented, and subject to regular controls.
Health Data Hosting (HDS) certification
The HDS certification, governed by the French Ministry of Health, is mandatory whenever health data is hosted. It defines strict requirements for hosting providers handling personal health data.
General Data Protection Regulation (GDPR)
GDPR compliance requires strict governance over the protection of personal data, including data processing, access control, and accountability mechanisms.
SecNumCloud qualification
Defined by the French National Cybersecurity Agency (ANSSI), the SecNumCloud qualification is intended for organisations requiring a very high level of security. It involves full transparency across the entire value chain and strict control over infrastructure, operations, and governance.
Beyond compliance: essential technical requirements
To ensure a level of security appropriate for the public sector, a cloud solution must provide strong isolation between environments, systematic encryption of data in transit and at rest, host hardening, as well as continuous monitoring mechanisms (logs, metrics, alerts).
Identity and access management (IAM), multi-factor authentication, and the application of the principle of least privilege are part of a Zero Trust approach, now recommended by ANSSI to reduce the attack surface.
Security also relies on operational resilience: service continuity, recovery capabilities, high availability, and fault-tolerant architectures.
The role of automation in risk reduction
Automation is often seen as a convenience for developers; in the public sector, it is above all a lever for reducing human-related risks.
Automated deployments, automatic scalability, and self-healing mechanisms help limit operational errors, which account for a significant proportion of security incidents.
By reducing the number of manual operations, organisations lower the risk of misconfiguration and improve the overall availability of services.
Total cost of ownership and governance
Choosing a secure cloud is not just a matter of comparing list prices.
Public sector organisations must take into account the notion of total cost of ownership (TCO):
- Infrastructure costs,
- Internal staffing costs,
- Operational complexity,
- Maintenance,
- Time spent handling incidents,
- Effort required to migrate a service or ensure its reversibility.
A platform that automates most operational tasks and enables reproducible environments can significantly reduce internal workload, and therefore the overall cost.
How to objectively assess market solutions
To evaluate a cloud solution intended for the public sector, it is essential to rely on factual criteria: the level of sovereignty, available certifications, technical capabilities, reversibility, the availability of private cloud or on-premise options, the existence of air-gapped environments, the quality of support, and compatibility with existing tools.
The most common mistakes include choosing a provider out of habit, focusing solely on price, or confusing data localisation with legal sovereignty.
Another recurring mistake is overestimating the complexity of migration. In many cases, a test or a Proof of Concept is sufficient to validate feasibility.
A simple method for choosing the right cloud solution
The most effective approach consists in:
1. Identify the nature of the data and the associated regulatory constraints
2. Verify sovereignty and the required certifications
3. Assess technical security and operational resilience
4. Evaluate the real total cost of ownership (TCO), not just list prices
5. Ensure reversibility
6. Test the platform through a concrete business use case before committing
This approach provides a balanced view of security, compliance, performance, and sustainability.
What Clever Cloud brings to these challenges
Clever Cloud is a European hosting provider certified ISO/IEC 27001:2022 and HDS, offering public cloud, private cloud, on-premise and air-gapped environments. For highly regulated requirements, a zone already qualified SecNumCloud is available on request through our partnership with Cloud Temple. This makes it possible to meet “trusted cloud” requirements while benefiting from the Clever Cloud platform.
The platform follows a security-by-design approach based on environment isolation, system hardening, strong authentication, and built-in observability.
Automated deployments, automatic scaling (auto-scaling), and self-healing mechanisms reduce operational effort and limit human error.
Data remains hosted in Europe, and data portability is ensured, with no proprietary lock-in.
Support is human-led and provided from France.
Finally, for public organisations that rely on pooled public procurement frameworks, it is worth noting that Clever Cloud is listed on the “Nuage Public” (UGAP) framework. Public administrations can therefore subscribe to our services within an already validated public purchasing framework, simplifying administrative procedures and accelerating service deployment.
Towards a secure, sovereign, and sustainable public cloud
For a public administration, choosing a secure cloud solution means finding the right balance between sovereignty, compliance, technical security, productivity, and cost control.
By relying on clear criteria and official reference frameworks (ANSSI, ISO, GDPR, HDS), it becomes possible to select a solution genuinely suited to the needs of the public sector—one that can ensure both service continuity and the protection of citizens’ data.
