The bill extends to major local authorities the data protection obligations introduced by the SREN Act, thereby reinforcing the “cloud-first” doctrine. It also provides for derogation mechanisms for projects already underway or in cases of technical difficulties or significant additional costs. These provisions underline the need for pragmatic implementation while maintaining the central objective of effectively securing sensitive public data.
As an engaged actor within the French cloud ecosystem, we welcome this initiative, which aims to involve all stakeholders in the public debate on securing digital public procurement.
The Law Committee will examine the bill on 25 February. At the initiative of Philippe Latombe, Member of Parliament for Vendée (1st constituency) and rapporteur of the text, a roundtable discussion organised on 20 February will bring together several cloud providers operating in France, including Clever Cloud, OVHcloud, Orange Business Services, Scaleway, Outscale, Cloud Temple and Numspot.
Cloud obligations extended at the territorial level
Article 31 of the Act of 21 May 2024 on securing and regulating the digital space (SREN Act) already governs the use of cloud services by the State and its operators when processing sensitive data. It requires that such data be effectively protected against any access by foreign public authorities not authorised under European Union law.
The bill inserts Article 31-1 to make this mechanism applicable to regions, départements, municipalities with more than 30,000 inhabitants, urban communities, metropolitan authorities, and other major inter-municipal public establishments.
This provision builds upon Article 31 of the SREN Act and aligns with broader European developments, notably the entry into application of the Data Act in September 2025. It aims in particular to limit public authorities’ exposure to the effects of extraterritorial legislation, thereby extending to the territorial level a mechanism previously centred on the State.
A collective responsibility
Clever Cloud welcomes the opportunity to contribute to the parliamentary work on this bill.
“This hearing reflects a crucial awareness: the protection of public data can no longer be considered solely at the level of central government. Local authorities hold and process significant volumes of sensitive data that are essential to the continuity of public services and the protection of citizens. Supporting them in adopting solutions that ensure genuine legal security is not optional — it is a collective responsibility,” said Quentin Adam, CEO of Clever Cloud.
Clever Cloud intends to actively contribute to the legislative debate and to support local authorities in implementing technically reliable and legally secure solutions.