This hearing is part of the process of extending Article 31 of the SREN Act (Securing and Regulating the Digital Space) to local authorities and public bodies — a major issue for French digital sovereignty.
A Piece of Legislation Long Awaited by the French Industry
Proposed legislation no. 2258, adopted by the Senate, aims to extend to large local authorities (with more than 30,000 inhabitants) and public bodies the obligations for protecting sensitive data already applicable to the State.
In practical terms, this text requires public purchasers to favour sovereign solutions, hosted in Europe and not subject to extraterritorial laws such as the American Cloud Act, for contracts relating to the hosting and processing of sensitive data.
This legislative development responds to a reality we witness daily in the field: cyber attacks are multiplying, ransomware is paralysing hospitals and local authorities, and internal communication tools remain all too often the poor relation of public organisations’ cyber strategies.
Whaller’s Position: Pragmatism and Ambition
During our hearing, we highlighted two essential points.
- First observation: the French industry is ready.
Solutions exist, they are operational, and they can quickly meet the real needs of local authorities. Whaller, like other French players present at this hearing (Linagora, eXo Platform, Jamespot, Jalios, Netframe, Wimi, Talkspirit), is proof of this. - Second observation: we must be realistic about what “meeting needs” actually means.
As Thomas Fauré, President of Whaller, stated during the hearing:
“No French or European service is currently on a par with American solutions in terms of functional comprehensiveness. French solutions can meet 100% of real needs, but only 50% of current specifications, because those specifications are calibrated on GAFAM functionalities.”
This gap raises a fundamental question: should the race for functionality be the selection criterion for public procurement? We believe it should not — security, sovereignty, and resilience must take precedence over functional comprehensiveness.
The Structural Obstacles Identified
The hearing shed light on several obstacles that are slowing the adoption of sovereign solutions by local authorities.
Biased Specifications
A shared observation among all the parties heard: public procurement specifications are too often drafted by consulting firms funded by American players, which introduces a structural bias in favour of foreign solutions. This phenomenon distorts competition and prevents French players from competing on a level playing field.
The Ambiguous Role of DINUM
The Interministerial Directorate for Digital Affairs (DINUM), with an annual budget of €12 million funded by the State, finds itself in direct competition with the French private sector. The LaSuite project — the collaborative suite led by the State — is in direct competition with French software publishers in their own field of expertise. This blurring of the line between the State’s role as regulator and its role as operator raises serious questions.
The Vague Definition of “Sensitive Data”
The implementing decree for Article 31 of the SREN Act, which is supposed to define precisely what constitutes “sensitive data”, remains nowhere to be found. This absence of a clear legal framework leaves the door open to interpretation and exemptions, potentially undermining the very purpose of the legislation.
Whaller’s Recommendations
Based on our field experience and our position as a sovereign collaborative platform qualified under SecNumCloud 3.2, we put forward 2 key recommendations.
1. Direct Public Procurement Towards the French Industry Through Legislation
As Thomas Fauré stated:
“Why not buy French? Quite simply because it will allow us to close the gap. The timescales for implementing this legislation must be shortened. Public purchasers must accept that they will not have all the functionalities of American solutions, but that they will gain in sovereignty and security.”
2. Drastically Shorten the Timescales
The implementation timescales proposed in the legislation are considered too lengthy by the industry as a whole. Local authorities too often use the pretext of change management to buy time, when it is technically possible to move much faster. The French industry is capable of responding swiftly if the legislative framework is clear and binding.
Whaller DONJON and RESILIENCE: Concrete Responses
Our participation in this hearing is underpinned by two concrete solutions we offer to local authorities and public bodies.
Whaller DONJON, our collaborative platform qualified SecNumCloud 3.2 by ANSSI, precisely meets the requirements of this proposed legislation. It is designed for ministries, Operators of Vital Importance (OIV), Essential Entities (EE) and Important Entities (EI) within the meaning of the NIS2 directive, healthcare establishments, defence organisations, and any structure handling sensitive data.
Whaller RESILIENCE, meanwhile, addresses the often-overlooked issue of business continuity in the event of a cyber crisis. This secure collaborative platform, which can be activated within minutes, operates in complete isolation from the main infrastructure. In the event of a cyber attack or major outage, teams can continue to communicate and coordinate their actions.
A Matter of Collective Sovereignty
This parliamentary hearing marks an important milestone in the recognition of the structuring role played by the French digital industry. The consensus is clear: a binding piece of legislation is needed, timescales must be shortened, and public procurement must be explicitly directed towards sovereign players. But beyond the legislative framework, this is ultimately a matter of political choice. France and Europe must decide whether they are willing to remain structurally dependent on non-European players for their critical digital infrastructure, or whether they will invest in their own industry.
At Whaller, we are convinced that digital sovereignty is a strategic necessity. This hearing reinforces our commitment to offering solutions that meet the real needs of public organisations, without compromise on security or data control.
0 Comments