What is SecNumCloud?
The SecNumCloud label is managed by Anssi (Agence Nationale de la Sécurité des Systèmes d'Information) and aims to provide a common reference framework for good security practices, based on the ISO 27001 standard. The SecNumCloud label is awarded for a period of 3 years.
In addition to security best practices, SecNumCloud requirements call for extensive process documentation and network segmentation. The requirements of the standard are numerous and cover a wide range of aspects, from the physical security of premises to personnel authorized to work on the qualified offering.
SecNumCloud also specifies protection criteria with regard to non-European laws. These requirements ensure that the cloud service provider and the data it processes cannot be subject to non-European laws. Obviously, this goes hand in hand with the GDPR, which is specific to Europe.
What does it mean for SPS Commerce?
As you know, SPS Commerce (formerly TIE Kinetix) advocates 100% digitalization of your data, which means storing your data in the cloud.
For our French VAT-registered customers, SPS Commerce had to rethink its hosting of invoicing data to comply with French law and qualify for PDP (Plateforme de Dématérialisation Partenaire [de l'Etat] – Official Partner Platform of the State) status.
As the Microsoft Azure cloud is not SecNumCloud certified, an alternative was found specifically for the application of this law.
The security of our customers' data is a priority. We have already obtained ISO 27001, ISO 27017 and ISO 27018 certifications, which, as mentioned above, cover the main principles of information security, particularly with regard to Personally Identifiable Information (PII).
SPS Commerce remains at the forefront of any legal requirements that may be planned in the future. This is the case with SecNumCloud, which will be required for reform in France, but we can expect a drive for European sovereignty when it comes to sensitive data processed by companies in Europe.
What does it mean for our customers
Our customers subject to VAT in France can rest assured that they are in compliance with the law. But there are also a number of advantages to using a SecNumCloud provider. While the security of a SecNumCloud-qualified cloud is beyond question, there are other advantages too:
- Highlighting your level of security: SecNumCloud certification is proof of your commitment to security and the quality of your services. It enables you to promote your level of security to your customers and partners.
- Access to tenders from strategic players : SecNumCloud qualification is increasingly required by strategic players, particularly public administrations. It gives you access to tenders reserved for SecNumCloud-qualified cloud service providers.
- Demonstrate your expertise at European level : SecNumCloud qualification is in line with the European Union's Cybersecurity Act. It enables you to demonstrate your expertise at European level, and to offer a service that meets the high level of security required by the Cybersecurity Act.
Does my company need to qualify for SecNumCloud?
We understand that SecNumCloud certification is very complicated to obtain. That's why we can advise you to use qualified cloud providers for your sensitive data, particularly e-invoicing data.
On the other hand, this qualification is specific to Europe, in the same way as the GDPR. If you deal with the United States, you'll need to carefully analyze which data in your possession is eligible or ineligible for this qualification.
Even if this certification can help you for tenders, you must above all assess the sensitivity of your data. In all likelihood, using a qualified cloud to handle only your e-invoicing data will be more than sufficient, without having to migrate your entire structure. As we mentioned earlier, you can also rely on specialists like SPS Commerce to manage your e-invoicing processes. This way, your company won't have to worry about compliance and legal issues.
We're keeping a close eye on the SecNumCloud subject, and the evolution of e-billing legislation, notably ViDA, which will also determine the importance of these security certifications. For the time being, qualification is only required in France, so stay tuned for the latest news!