Full Report
France is already moving on from Zoom and Microsoft Teams in favor of homegrown alternatives. Other countries are quickly following suit.
Analysis Summary
# Regulation/Compliance: French Digital Sovereignty Mandate (LaSuite & SecNumCloud)
## Overview
This compliance initiative represents a strategic shift by the French government to decouple its public administration from "extra-European" (primarily US-based) technology providers. The mandate requires government agencies to migrate from American SaaS platforms (Zoom, Microsoft Teams, Office 365) to sovereign, homegrown, or open-source alternatives to ensure data security and jurisdictional autonomy.
## Key Details
- **Issuing Authority:** DINUM (Interministerial Digital Directorate) and ANSSI (National Cybersecurity Agency of France).
- **Effective Date:** Immediate rollout (phased adoption currently underway).
- **Jurisdiction:** France; specifically the central government, civil service, and healthcare sectors.
- **Status:** In Effect / Final (with multi-year migration milestones).
## Requirements
### Mandatory Requirements
1. **Sovereign Hosting:** All data must be processed within France and stored with providers holding **SecNumCloud** qualification (e.g., Scaleway, Outscale).
2. **De-offshoring Data:** State health data and defense data must be moved away from US-based cloud providers (e.g., Microsoft Azure).
3. **Migration Planning:** All central government agencies must submit formal plans to replace US-based office software, antivirus, and databases by Fall 2026.
4. **Tool Transition:** Government employees must migrate from Teams/Zoom to **Visio** and from Gmail/Outlook to **Messagerie** (Tchap).
### Recommended Practices
1. **Open Source Adoption:** Prioritize software built on open-source code to allow for transparency and community contribution.
2. **On-Premise Code Hosting:** Follow the Dutch precedent of moving code repositories from GitHub to self-hosted "Forge" instances.
3. **Sovereign AI:** Utilize localized AI models for transcriptions and data processing.
## Affected Organizations
- **Industries:** Public Administration, Healthcare (Health Data Hub), Defense, and Cybersecurity.
- **Organization Size:** All central government agencies and the vast French civil service (on the order of hundreds of thousands of users).
- **Geographic Scope:** France (national level), with influence extending to EU-wide procurement.
## Compliance Timeline
- **April 2026:** Announcement of Health Data Platform migration from Microsoft to Scaleway.
- **May 2026:** 40,000+ staff migrated to Visio; Tchap reaches 420,000 active users.
- **Fall 2026:** Deadline for all central agencies to submit technology "break free" plans.
- **2027 (Final Deadline):** Full decommissioning of Zoom and Microsoft Teams across the French government.
## Implementation Guidance
### Assessment Phase
- Audit all current SaaS and cloud dependencies (Microsoft 365, Slack, Zoom).
- Identify data categories (Sensitive, Defense, Health) and current storage jurisdictions.
### Implementation Phase
- Deploy **"LaSuite"** modules: Tchap (Messaging), Visio (Video), Grist (Sheets), and Docs.
- Migrate health and sensitive datasets to **SecNumCloud** certified environments.
- Transition codebases from GitHub to sovereign hosting platforms (Forgejo/Forge instances).
### Validation Phase
- Verify that no data is routed through systems subject to the US CLOUD Act.
- Ensure all video conferencing uses French-certified end-to-end encryption or local relay servers.
## Technical Requirements
- **Local Interoperability:** Systems must use open-source protocols to prevent vendor lock-in.
- **Hosting Standards:** Providers must meet the **SecNumCloud** 3.1 criteria (limiting the reach of extra-European laws).
- **Authentication:** Integration with French government identity providers for access control.
## Penalties & Enforcement
- **Fines:** While internal government fines are not specified, agencies failing to submit transition plans face budgetary and administrative sanctions.
- **Other Consequences:** Loss of access to government networks for non-compliant software; political and security-based audits.
- **Enforcement:** Managed by DINUM through the "Sovereign Digital" steering committee.
## Related Standards
- **SecNumCloud (ANSSI):** The high-security cloud label required for all sovereign SaaS.
- **GDPR:** Specifically focused on preventing illegal cross-border data transfers to the US.
- **NIS2 Directive:** Aligning with broader EU cybersecurity resilience requirements.
## Resources
- **Official Documentation:** [numerique.gouv.fr/souverainete-numerique] (Defanged)
- **Guidance Documents:** DINUM "LaSuite" Implementation Guide.
- **Tools:** Visio, Tchap, Scaleway Cloud Services, Forgejo.
## Practical Recommendations
1. **Immediate Pivot:** Shift to open-source file-sharing (Fichiers) to avoid US-managed document storage.
2. **Contract Review:** Review all software licensing for "Change of Control" or "Change of Law" clauses regarding jurisdiction.
3. **Monitor EU Trends:** Expect similar mandates from the EU Commission and the Dutch government, which suggests a standard "European-first" procurement policy.