Legal news

The new “hosting providers” decree aligns with the certification framework regarding the location of hosting

Decree No. 2026-209 of March 24, 2026 [1], published in the Official Journal on March 26, 2026, amends the regulatory part of the Public Health Code to incorporate obligations relating to the location of hosting and to transparency concerning transfers of personal health data outside the European Economic Area (hereinafter “EEA”), which had until now been governed solely by the HDS certification framework. It is adopted pursuant to Article 32 of the Law of May 21, 2024, aimed at securing and regulating the digital space (known as the “SREN” law).

The decree first establishes the principle of exclusive storage of health data within the territory of the European Union or the EEA. It allows transfers to third countries, including in the form of remote access, but subjects them to the existence of an adequacy decision by the European Commission within the meaning of Article 45 of the GDPR or, failing that, to the implementation of appropriate safeguards within the meaning of Article 46, which must be described in detail in the hosting contract.

On this point, the decree does not adopt the requirements of the SecNumCloud framework promoted by the SREN law, which goes further than the Article 45 and 46 conditions by requiring full territorial immunity of the hosting location as well as capital and governance constraints on the hosting entity.

Nor does it adopt the more sector-specific conclusions of the Court of Auditors in its report of October 31 on the challenges of digital sovereignty, or those of the Lecornu circular of February 5, 2026, which require the health data platform managed by the State and the CNAM to apply the SecNumCloud framework.

It should be noted that the certification framework, as updated in 2024, provides for a reassessment of its requirements in 2027 with a view to the European scheme EUCS (European Cybersecurity Certification Scheme for Cloud Services).

The decree then strengthens the mandatory content of the hosting contract, which must now include all the rights of data subjects provided for in Articles 15 to 21 of the GDPR and specify information relating to any transfers outside the EEA. Where the host or one of its subcontractors is subject to non-European legislation, the contract must also specify the list of regulations likely to require access to the data within the meaning of Article 48 of the GDPR, the mitigation measures implemented, and the residual risks remaining despite those measures. If the host is not subject to any such legislation, this must be expressly stated in the contract.

Finally, the host is required to publish, and keep up to date, a mapping of transfers of health data outside the EEA and of the risks of unauthorized access, in the manner set out in the certification framework.

As regards timing, the provision on electronic archiving, which now expressly states that the backup of health data includes their preservation as part of electronic archiving, entered into force the day after publication of the decree.

The other provisions, namely the obligation to locate hosting within the EEA, the strengthened contract content, and the mapping of transfers, enter into force only six months after that publication.