The National Cloud Strategy, unveiled in May 2021, places the cloud at the heart of the French State’s digital transformation. It also implies demanding conditions for access to the data market in Europe. Here is an analysis of the challenges of a document that acknowledges the strategic predominance of cloud technologies.
Three ministers, three axes, and one national cloud strategy. On 17 May, Bruno Lemaire (Minister for the Economy, Finance and Recovery), Amélie de Montchalin (Minister for Transformation and Public Service) and Cédric O (Secretary of State for Digital Transition and Electronic Communications) specified what the French ‘trusted cloud’ should be. In short: a sovereign cloud, protected from American extraterritorial laws (first axis); a cloud at the best level of existing services on the market (second axis); and finally a cloud developed in line with European initiatives in this area.
This national strategy is echoed, on the one hand, by the first operational steps of the European Gaia-X project and, on the other hand, by the announcement of the “Bleu” industrial project, jointly initiated by Orange and Cap Gemini, in partnership with Microsoft. Gaia-X was born of a Franco-German initiative in June 2020. It now has clear governance and, despite delays, this framework for the development of secure, interoperable clouds is becoming a reality: its first technical specifications, the “GAIA-X Federation Services”, were presented in May 2021. Bleu, for its part, must provide its solutions to Operators of Vital Importance (OIVs), to Operators of Essential Services (OESs), to the French State, to the public service, to hospitals, and to local authorities requiring the implementation of a trusted cloud. It should join the Gaia-X framework. Above all, the services provided by Bleu should allow it to obtain the “Trusted Cloud” label awarded by the public authorities, since they will meet all the criteria required by the SecNumCloud label of the French National Agency for Information Systems Security (ANSSI), as well as the legal provisions confirming its status as a “Trusted Cloud” operator.
France seems on the right track to claim to have the industrial tools to give substance to its trusted cloud, and to be able to guarantee its qualities.
“Cloud at the centre”: key challenge for the digital transformation of the State
Was France lacking in capabilities before the new strategy was announced? Yes, according to the comments of Bruno Lemaire when he presented the strategy in May 2021. “Why is this trusted cloud so strategic for all of us? Simply because data is strategic and will represent a large share of the economic value made in the 21st century. And because, consequently, protecting data is as essential as protecting SMEs, technologies, and companies,” the Minister for the Economy recalled. Before acknowledging that “there have already been many attempts to build trusted clouds, or sovereign clouds. In my view, they failed simply because we had not taken into account either the technological realities or the expectations of companies or administrations.”
In fact, the State did not wait until 2021 to set a precise framework for the deployment and use of cloud technologies. The previous doctrine on the “use of cloud computing by the State,” presented in November 2018, defined three “circles” for cloud offerings. The first circle was based on an internal State cloud, for “sensitive data, processing, and applications” and to “meet State needs in terms of digital infrastructure.” The second circle was based on a “dedicated” cloud, developed by an industrial partner but adapted to the State’s needs “of lesser sensitivity, but requiring a certain level of sustainability.” Finally, the third circle defined the use of generic external cloud offerings from external providers. This doctrine was to be an essential component of the State’s digital transformation. The stated objective was to “massively develop the use of cloud computing within the administration and eventually make it the norm.”
This objective is once again at the heart of the doctrine stated in 2021 and is intended to take the State’s digital transformation further in practice. “The cloud is now a central issue for the excellence and quality of the State’s digital services. While the 2018 doctrine structured the cloud offer that could be used by the administration, the 2021 doctrine aims to develop the cloud demand and culture within the State’s administrations. In addition, the regulatory context has changed with the end of the Privacy Shield: the concept of a trusted cloud—combining ANSSI’s “SecNumCloud” label, immunity to law outside the European Union, and reversibility of the solutions chosen—takes on its full meaning,” explains Vincent Coudrin, head of the Cloud Project at DINUM (Interministerial Directorate for Digital Affairs).
In practice, with the “cloud at the centre” doctrine as a central element of the new strategy, the cloud becomes the default target for the State’s digital services. “This doctrine is in line with the efforts of private players, notably Cigref, and those coordinated at European level by ENISA to find a common reference framework for security and sovereignty. A common framework increases the size of the addressable market, the challenge being to reach the critical size that will enable European trusted cloud offerings to improve in quality. The doctrine also allows the French government to play its part, through public procurement,” says Vincent Coudrin.
The State already has two internal clouds, operated by the Ministry of the Economy and the Ministry of the Interior. These two clouds, each supported by two ‘regions’ (currently in the Paris region), will be expanded and should incorporate new services and technologies, particularly containerisation technologies. “Very concretely, there is a very important training and skills development issue here: we need agile and responsive DevOp teams working as closely as possible to the business needs,” continues Mr Coudrin.
A tool for controlling access to the European data market
Beyond the use of the cloud by the State’s digital services, the new National Cloud Strategy intends to go beyond past trial and error. The ambition is to provide France—and beyond that, European users of cloud technologies—with offers likely to compete, in terms of quality of service, with American offers, while preserving the European regulatory framework (first and foremost the GDPR) and the immunity of data to non-EU law.
This aspiration is reminiscent of the stance taken by the Fillon government in 2010. “We have to admit that the North American players dominate this market, which is nevertheless an absolutely major challenge for the competitiveness of our economies, for sustainable development and even, I dare say, for the sovereignty of our countries,” the Prime Minister warned at the time. Several industrial initiatives followed. A draft public-private partnership with Orange, Thales, and Dassault Systèmes was established in 2012 under the name ‘Projet Andromède’. Following disagreements, this initiative was split into two separate projects: on the one hand, Orange and Thalès launched Cloudwatt; on the other, Dassault Systèmes was joined by SFR and Bull to form Numergy. The State became a 33% minority shareholder in both companies. Unfortunately, commercial success did not follow. In 2015, Orange took control of Cloudwatt and SFR took control of Numergy. In January 2020, Cloudwatt’s services closed, while Numergy had been abandoned by SFR a few months earlier.
These failures should not mask the actual importance of the cloud—which is now well perceived by decision-makers—and the robustness of the fundamental work of Cigref and ANSSI, which prepared the reference frameworks that are essential for establishing a framework of trust. These frameworks are now available and have led to the adoption of a new strategy—better informed by industrial realities and more attentive than ever to data sovereignty issues. Now, the challenge is not so much for France and Europe to catch up with the Americans (see Box) as to build a space of trust and quality services for cloud players and users. This means that it is necessary to use technologies from outside the European Union—a position that distinguishes the strategy from previous approaches. “We have by no means lost our ambition […]. But it turns out that the best [cloud] service companies are American. We have therefore decided that these best American service companies—I am thinking in particular of Microsoft or Google—could license all or part of their technology to French companies to enable us to combine in this trusted cloud what we have never been able to combine: maximum protection and maximum value of data,” explained Bruno Lemaire. Unsurprisingly, this choice gave rise to many reactions from French players in the sector. Guillaume Champeau, Director of Ethics and Legal Affairs at Qwant, believes, for example, that “wanting to encourage the licensing of US technology by EU players is to encourage long-term dependence on technology that we do not control.” If French and European players defend the argument of technological control and can count on an operational and transparent framework that should grant them, a priori, privileged access to the European market, can they take such a clear-cut position on the quality of services? The future will tell. One thing is certain: for public decision-makers and industrial players alike, the cloud is a strategic priority technology. Already in 2019, the Committee of inquiry on digital sovereignty insisted on this, judging that “cloud computing is the foundation of a technological continuum integrating 5G, the Internet of Things (IoT), big data, machine learning, and artificial intelligence. […] At that stage, the identification and search for control of all the technologies essential for our digital security had focused on the priority need for a trusted cloud—for reasons of resources.” (Senate, Report made on behalf of the Committee of inquiry on digital sovereignty, No. 7, 2019-2020 ordinary session, submitted on 1 October 2019, p. 144.)
In 2020, the cloud market was worth $270 billion (up from $233.4 billion in 2019). The global market is dominated by four US players that totalled a market share of 65% at the end of 2020: Amazon (33%), Microsoft (18%), Google (9%), and IBM (5%); the others being Alibaba (5%), Salesforce (3%), Tencent (2%), Oracle (2%), NTT (1%), and SAP (1%). In Europe, it has grown by 27% per year between 2017 and 2019, is estimated to be worth €53 billion in 2020, and is expected to reach €300-500 billion by 2027-2030.
The United States dominates both the application services market (SaaS, or Software as a Service) and the European cloud market, with three major players (the “hyperscalers”) capturing 70% of the IaaS (Infrastructure as a Service) market: Amazon with AWS (53%), Microsoft with Azure (9%), and Google Cloud (8%). European cloud specialists and telecom operators are gradually gaining ground in their national markets. OVHcloud and Deutsche Telekom are ranked third and fourth in their respective countries in the infrastructure and platform markets. In France, we can also mention Atos, Orange Business Services, and Outscale. But in May 2020, Amazon had a 30% market share, Microsoft 20%, and OVHcloud over 10%. Amazon is more than three times the size of OVHcloud in terms of infrastructure cloud revenues in France.
 Senate, Report made on behalf of the Committee of inquiry on digital sovereignty, No. 7, 2019-2020 ordinary session, submitted on 1 October 2019, p. 144
 Sébastien MEURANT et Rémi CARDON, Rapport d’information fait au nom de la délégation aux entreprises, relatif à la cybersécurité des entreprises, june 2021, p.90