Your Strategic Autonomy 

Our teams of digital sovereignty experts support you in gaining complete control over your critical infrastructure and sensitive data.

With our PASSI and PASSI LPM (Information Systems Security Audit Provider – Military Programming Law) and PACS (Information Systems Security Support and Consulting Provider, witness audit phase) qualifications issued by ANSSI, we support you in every phase of your digital sovereignty process.

Our approach strengthens your resilience to geopolitical risks while highlighting your commitment to protecting national and European data.

Our qualifications: 

Information system security audit provider - PASSI LPM
- Architecture audit
- Configuration audit
- Source code audit
- Penetration testing
- Organizational and physical audit  

Information system security support and consulting providers - PACS (witness audit phase) 
- Consulting services for information system security certification
- Consulting services for information system security risk management
- Consulting services for information system architecture security
- Consulting services for cyber crisis management preparedness 

Audit and Consulting

Sovereign diagnostics - PASSI & PACS
- In-depth audits (PASSI-qualified)
- Assessment of compliance with French and European regulatory requirements
- Mapping of critical processes and data requiring sovereign protection
- Intrusion tests specific to strategic threats targeting sovereign infrastructures 

Strategic consulting - PACS
- Development of strategies for transition to technological autonomy
- Risk analysis using the EBIOS RM method 
- Support for compliance with sovereignty regulations
- Development of governance plans and digital sovereignty policies
- Monitoring and anticipation of changes in French and European standards 

Support for certification - PACS
- Complete preparation of RGS/LPM/IGI1300 certification files 
- Establishment and coordination of the Approval Commission
- Development of Security Assurance Plans in accordance with ANSSI requirements
- Risk analysis specific to sensitive and classified environments 

Design and Implementation

Sovereign architecture
- Design of infrastructures meeting DR and/or classified requirements (PACS)
- Creation of secure administration zones
- Verification through intrusion testing, architecture and configuration auditing (PASSI) of defenses against strategic and systemic threats 

Classified systems
- Deployment of DR and/or classified IS compliant with IGI1300, II901, II920, etc. standards.
- Implementation of solutions qualified by ANSSI
- Development of compliance verification procedures/scripts 

Critical sovereign and embedded industrial systems
- Specialized auditing and consulting for critical and embedded industrial systems (SCADA, ICS, OT) - IEC62443, ISO21434
- Design of secure architectures for national industrial infrastructures
- Protection of industrial controllers and protocols against advanced threats
- Compliance with sector-specific standards (energy, defense, transportation) 

Continuous Improvement and Resilience

Maintaining security conditions
- Developing MCO/MCS strategies adapted to sovereignty constraints
- Managing patches in accordance with ANSSI recommendations
- Periodic security reviews by our PASSI-certified auditors 
- Support for the renewal of certifications
- Support for strategic technological transitions 

Preparation for crisis management - PACS
- Design of sovereign and autonomous crisis response systems
- Development of crisis management starter kits (reflex sheets, guides, etc.) 
- Development of continuity plans
- Organization of simulation exercises incorporating embargo scenarios
- Training on the challenges and specificities of sovereign crisis communication 

Our PASSI-PACS synergistic approach

Our dual high-level PASSI and PACS certification enables us to offer unique and consistent support throughout your sovereignty process:
- Our PASSI audits precisely identify your non-compliance issues and/or vulnerabilities
- Our PACS consultants use these results to develop relevant recommendations 
- The EBIOS RM method is applied consistently between the audit and consulting phases (risk-based approach)
- Penetration tests to validate architectures are conducted with in-depth knowledge of the issues identified during the consulting phases
- Control audits validate the effectiveness of the measures deployed on the recommendation of our consultants 

This synergy ensures continuity in your approach, avoiding methodological disruptions and ensuring that each step builds on the previous ones to strengthen your digital autonomy in the face of geopolitical challenges. 

Would you like to learn more about Squad Group's expertise?

Check out our job openings or request a call back from one of our sales representatives.

Frequently Asked Questions

Digital sovereignty refers to the ability of a state, organization, or company to control its digital destiny by controlling its data, technological infrastructure, and strategic choices in information technology. It is crucial because it enables: 

  • Ensuring technological independence from foreign players 

  • Protecting sensitive data from the extraterritoriality of foreign laws 

  • Ensuring business continuity even in times of geopolitical tension 

  • Strengthening resilience in the face of supply disruptions or international sanctions 

  • Protecting national or European economic and strategic interests 

Several regulatory frameworks govern digital sovereignty in France and Europe: 

SecNumCloud - ANSSI reference framework defining security requirements for cloud service providers wishing to host sensitive data.

Cybersecurity Act - European regulation that strengthens the role of ENISA and establishes a European certification framework for digital products and services. 

PSEE (Prestataires de Service Essentiels à l'État) - French framework governing providers of critical services to government agencies. 

Cloud de Confiance - French initiative aimed at certifying cloud offerings that meet strict sovereignty and security criteria. 

Digital sovereignty and cybersecurity are complementary but distinct: 

  • Cybersecurity focuses primarily on the technical protection of systems against threats (malicious acts, errors, accidents). 

  • Digital sovereignty addresses broader issues such as:

      • Independence from foreign suppliers

      • Protection against the extraterritoriality of laws

      • Complete mastery of the technological chain

      • The ability to operate independently in the event of a geopolitical crisis

      • Preserving national economic and strategic interests

A comprehensive sovereignty approach necessarily incorporates robust cybersecurity measures, but goes beyond that by also addressing legal, economic, and geopolitical dimensions. 

Your digital sovereignty can be assessed in several ways: 

Technical dimension: 

  • Dependence on foreign technologies that cannot be replaced 

  • Ability to maintain and upgrade your systems without external intervention 

  • Mastery of source code and critical data

Legal dimension: 

  • Exposure to extraterritorial legislation (Cloud Act, FISA, etc.) 

  • Location of data and processing 

  • Nationality of service providers and subcontractors 

Organizational dimension: 

  • Internal expertise in sovereign technologies 

  • Digital sovereignty governance 

  • Supplier qualification process 

Strategic dimension: 

  • Visibility into your technology supply chain 

  • Continuity plans in the event of disruption to access to foreign technologies 

  • Supplier diversification and reduction of critical dependencies 

Our assessment methodology systematically examines these dimensions to establish an accurate map of your level of sovereignty and identify priority actions to be taken.

A digital sovereignty approach brings many tangible benefits: 

Strategic advantages: 

  • Greater decision-making independence 

  • Reduction of geopolitical risks 

  • Preserving competitive advantages 

  • Complete control over your intangible assets 

Operational benefits: 

  • Better business continuity 

  • Enhanced resilience in the face of crises 

  • Ability to operate even in the event of sanctions or restrictions 

  • Improved traceability and infrastructure control 

Regulatory advantages: 

  • Compliance with sector-specific requirements (defense, healthcare, OIV/OSE) 

  • Protection against extraterritorial access requests 

  • Alignment with national and European public policies 

  • Favorable positioning for public procurement requiring sovereignty guarantees 

Image benefits: 

  • Competitive differentiation 

  • Strengthened trust among sensitive customers and partners 

  • Recognition of your commitment to the protection of national data

  • Attractiveness to talent sensitive to sovereignty issues 

There is a common misconception that sovereignty necessarily means higher costs and lower performance. Here's how to reconcile these two aspects: 

Progressive and targeted approach: 

  • Prioritize the systems and data that are truly critical to your business 

  • Adopt a differentiated approach depending on the level of sensitivity 

  • Plan a phased transition to spread out investments 

Pooling and ecosystems: 

  • Rely on shared sovereign clouds to reduce costs

  • Participate in sectoral or national initiatives

  • Collaborate with the ecosystem of sovereign actors

Hybrid models: 

  • Design hybrid architectures combining sovereign solutions for critical functions and global solutions for less sensitive functions. 

  • Establish secure gateways between environments 

  • Organize data governance according to their level of sensitivity 

Accounting for indirect benefits:

  • Reduction in potential costs associated with security incidents 

  • Reduction of legal and regulatory risks 

  • Privileged access to certain markets requiring sovereignty guarantees 

  • Development of valuable internal skills 

Our approach aims to identify the right balance between sovereignty, performance, and costs, tailored to your specific context. 

The transition to greater digital sovereignty must be methodical: 

Assessment and strategy phase: 

  • Map your current technology dependencies 

  • Identify critical systems and data requiring sovereign protection 

  • Define a target vision and a roadmap tailored to your challenges 

Design phase: 

  • Select the sovereign solutions tailored to your needs 

  • Design target architectures

  • Plan migrations in successive waves 

  • Prepare teams for change 

Implementation phase: 

  • Deploy sovereign infrastructure 

  • Gradually migrate workloads and data 

  • Implement governance processes 

  • Train teams in new technologies 

Continuous improvement phase: 

  • Regularly measure your level of digital sovereignty 

  • Adapt to regulatory and technological changes

  • Continuously optimize your setup

  • Develop your long-term independence 

Our support covers all of these phases, with particular attention paid to ensuring the continuity of your activities during the transition. 

Several challenges are commonly identified when implementing a digital sovereignty strategy: 

Technological challenges: 

  • Find sovereign alternatives that are as effective as established solutions

  • Ensure interoperability with the existing ecosystem 

  • Maintain a comparable level of innovation 

Organizational challenges: 

  • Develop internal expertise in sovereign technologies 

  • Manage resistance to change

  • Integrate sovereignty into decision-making processes

Economic challenges: 

  • Justify investments to decision-makers 

  • Maintain competitiveness in the face of less constrained players

  • Balance short-term costs and long-term benefits

Strategic challenges: 

  • Anticipate geopolitical and regulatory developments

  • Maintain effective monitoring of emerging threats 

  • Continuously adapt the level of sovereignty to the context 

Our support approach incorporates proven methodologies to overcome these challenges, taking into account your specific context and constraints. 

New European regulations indirectly reinforce digital sovereignty requirements: 

NIS2 : 

  • Significantly expands the scope of entities concerned 

  • Imposes supply chain risk management measures 

  • Strengthens supplier control obligations 

  • Requires robust IT governance that promotes control over systems 

DORA (for the financial sector): 

  • Requires strict management of third-party risks 

  • Strengthens operational resilience requirements 

  • Requires advanced penetration testing that requires a good knowledge of systems 

  • Requires incident response capabilities that promote autonomy 

Cybersecurity Act: 

  • Establishes European certification schemes 

  • Promotes the emergence of certified European solutions 

  • Strengthens confidence in European products and services 

These regulations create a favorable environment for digital sovereignty by promoting risk management, transparency, and resilience, which are key aspects of a sovereign approach. 

Selecting suppliers that meet your sovereignty requirements requires a rigorous methodology: 

Legal criteria: 

  • Location of headquarters and subsidiaries 

  • Legislation applicable to the supplier 

  • Capital structure and shareholding 

  • Contractual clauses protecting against extraterritorial access to data 

Technical criteria: 

  • Location of technical infrastructure 

  • Control of update and support channels 

  • Transparency regarding subcontractors and their location 

  • Encryption and key management capabilities 

Organizational criteria: 

  • Nationality of teams with access to your data 

  • Procedures for managing government access requests 

  • Certification and qualification (SecNumCloud, ANSSI, etc.) 

  • Data transfer policies 

Strategic criteria: 

  • Sustainability and supplier independence 

  • Alignment with regulatory requirements in your industry 

  • Ability to evolve with your sovereignty needs 

  • Supplier partner ecosystem 

Our supplier evaluation methodology incorporates these criteria into an analysis grid weighted according to your specific priorities. 

Security accreditation is a formalized process whereby an organization attests that its information system is protected in a manner appropriate to the identified risks. This accreditation, issued by an internal authority (usually a senior manager), is an essential pillar of digital sovereignty for several reasons:

Managing sovereign risks: Accreditation requires an in-depth analysis of threats, particularly those related to foreign actors or the extraterritoriality of certain laws.

National regulatory framework: Mandatory for government information systems, OIVs/OSEs, and certain regulated sectors, it ensures compliance with French requirements defined by ANSSI.

Structured process: A 9-step process ensures a methodical approach to protecting strategic digital assets.

Independent control of supply chains: Accreditation involves identifying and controlling technological dependencies, thereby strengthening the autonomy of critical systems.

Limited duration: Accreditation is generally valid for 3 years and requires periodic reassessment to maintain an appropriate level of protection in light of evolving international threats.

Difference from certification: Unlike standardized international certifications, accreditation is contextualized and tailored to the specific characteristics of each organization, with a strong focus on geopolitical risk analysis.

Accreditation is therefore an essential lever for establishing and maintaining true digital sovereignty, ensuring that critical information systems are under control and that risks associated with external dependencies are identified and managed.