# SecNumCloud — Dossier d'Homologation

> Draft the Dossier d'Homologation for ANSSI SecNumCloud certification. Map infrastructure to the Référentiel, validate EEA data sovereignty for sub-processors, and structure evidence for France's public-sector cloud qualification.



Tags: Cybersecurity, France, ANSSI, SecNumCloud, Compliance, Public Sector


## Example Prompts

- Draft the Dossier d'Homologation for our cloud offering targeting SecNumCloud
- Map our architecture document to the Référentiel SecNumCloud control domains
- Check that all sub-processors in our list are inside the EEA
- Structure the homologation dossier with evidence per ANSSI domain

URL: https://rakenne.app/skills/secnumcloud-dossier-homologation/index.md




## Overview

Draft the Dossier d'Homologation for ANSSI SecNumCloud certification. Map infrastructure to the Référentiel (ISO 27001 Annex A / 27002), validate EEA data sovereignty for sub-processors, and structure evidence for France's public-sector cloud qualification. Includes **anssi_compliance_mapper** to map your architecture to control domains and **data_sovereignty_enforcer** to flag sub-processors outside the EEA.

## Example conversation

> **You:** We're preparing the Dossier d'Homologation for our IaaS offering. We have an architecture doc and a sub-processor list — can you map the architecture to the Référentiel and check data sovereignty?
>
> **Agent:** I'll run **anssi_compliance_mapper** on your architecture document to get the SecNumCloud domain mapping (A.5–A.18), then **data_sovereignty_enforcer** on the sub-processor list. That will show which domains to cover in the dossier and which sub-processors, if any, are outside the EEA and need to be moved or justified.
>
> **You:** One sub-processor is in the UK — we have a transfer agreement. Can you still draft the dossier structure?
>
> **Agent:** **data_sovereignty_enforcer** will flag the UK as hors EEE. I'll draft the dossier using the structure in the skill (context, architecture mapping, sub-processors, measures per domain, risks). In the sub-processor section I'll note the UK entry and the need to document the transfer/derogation for the homologation.
>
> **You:** Run the mapper on `docs/architecture.md` and the enforcer on `docs/subprocessors.txt`, then give me the first two sections of the dossier.
>
> **Agent:** *(Runs both tools.)* The mapper shows applicable domains: A.9 (contrôle d'accès), A.10 (cryptographie), A.11 (sécurité physique), A.12 (opérations), A.13 (communications), A.15 (fournisseurs). The enforcer reports 4 sub-processors in the EEA and 1 in the UK — I'll list that one in the dossier with a note to attach the transfer agreement. Here are the opening sections of the Dossier d'Homologation: *(drafts context and architecture mapping as below).*

## Excerpt of a draft Dossier d'Homologation

The agent structures the dossier so each section can be backed by evidence and tool outputs. Example opening:

```markdown
# Dossier d'Homologation — [Nom du service]

## 1. Contexte et périmètre

- **Service** : IaaS (calcul, stockage, réseau) à destination des OIV et acteurs publics.
- **Périmètre** : Région France ; datacenters en France (Île-de-France, Bretagne).
- **Acteurs** : Prestataire titulaire ; sous-traitants listés en section 3.

## 2. Architecture et cartographie au Référentiel

Cartographie des domaines du Référentiel SecNumCloud applicables (issue de l’analyse de l’architecture) :

| Domaine | Thème | Applicable | Preuves / remarques |
|---------|--------|------------|---------------------|
| A.9 | Contrôle d'accès | Oui | SSO, MFA, gestion des droits |
| A.10 | Cryptographie | Oui | TLS 1.3, chiffrement at-rest |
| A.11 | Sécurité physique | Oui | Datacenters France, accès contrôlé |
| A.12 | Sécurité des opérations | Oui | Sauvegardes, logs, gestion des vulnérabilités |
| A.13 | Communications | Oui | Segmentation, firewall |
| A.15 | Relations fournisseurs | Oui | Liste sous-traitants, cf. section 3 |

## 3. Sous-traitance et souveraineté des données

- **Dans l’EEE** : [Noms et pays — conforme].
- **Hors EEE** : [Nom], Royaume-Uni — transfert encadré (accord signé) ; à joindre en annexe pour homologation.
```

The agent uses **anssi_compliance_mapper** to populate the domain mapping and **data_sovereignty_enforcer** to separate in-EEA vs outside-EEA sub-processors before writing this section.

## Extension tools and validations

The skill provides two tools: one for mapping architecture to the Référentiel, one for validating sub-processor locations.

### anssi_compliance_mapper

**Purpose:** Map an architecture or infrastructure description to Référentiel SecNumCloud control domains (A.5–A.18, ISO 27001 Annex A / 27002).

| What it does | Detail |
|--------------|--------|
| Input | Path to a document (Markdown, YAML, or text) describing infrastructure (datacenters, network, access control, crypto, backups, sub-processors, etc.). |
| Logic | Scans the document for keywords aligned to each domain (e.g. "datacenter", "TLS", "backup", "sous-traitant") and marks which domains are suggested as applicable. |
| Output | A report listing each domain (A.5–A.18) with a checkmark when the content suggests applicability. Use this to structure the dossier and collect evidence by domain. |

The mapper is not a strict validator: it suggests which domains to address, and the author remains responsible for completeness and accuracy.

### data_sovereignty_enforcer

**Purpose:** Ensure sub-processors are in the EEA (EU 27 + Iceland, Liechtenstein, Norway) for SecNumCloud / data sovereignty.

| Check | Requirement |
|-------|-------------|
| Country per sub-processor | Each line (name + country) is parsed; country is normalised and matched against the EEA list (full names or ISO 3166-1 alpha-2, e.g. France, FR, Germany, DE). |
| In EEA | Sub-processors in an EEA country are listed under "Dans l'EEE (conforme)". |
| Outside EEA | Sub-processors in UK, US, Switzerland, or any other non-EEA country are listed under "Hors EEE (à traiter ou justifier)". |
| Pass/fail | Report passes when no sub-processor is outside the EEA; otherwise it recommends remediation or documented derogation (e.g. transfer agreement) for the dossier. |

**Input format:** One sub-processor per line, e.g. `Name, Country` or `Name | Country` or `Name: Country`. Comments (lines starting with `#`) are ignored.
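
The check described above, written out in Python as an added example (not the skill's own code). The function names, the English-only name table and the choice to fail the report on lines that cannot be parsed are assumptions; the sample list is constructed.

```python
import re
import unicodedata

# EEA = EU 27 + Iceland, Liechtenstein, Norway (ISO 3166-1 alpha-2).
EEA_CODES = set("AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL "
                "PL PT RO SK SI ES SE IS LI NO".split())
# English full names only (assumption); add other spellings as needed.
NAMES = dict(p.split("=") for p in (
    "austria=AT belgium=BE bulgaria=BG croatia=HR cyprus=CY czechia=CZ "
    "denmark=DK estonia=EE finland=FI france=FR germany=DE greece=GR "
    "hungary=HU ireland=IE italy=IT latvia=LV lithuania=LT luxembourg=LU "
    "malta=MT netherlands=NL poland=PL portugal=PT romania=RO slovakia=SK "
    "slovenia=SI spain=ES sweden=SE iceland=IS liechtenstein=LI norway=NO"
).split())
# "Name, Country" / "Name | Country" / "Name: Country"; the last separator wins.
LINE = re.compile(r"^(.*\S)\s*[,|:]\s*([^,|:]+)$")

def eea_code(raw):
    """Return the alpha-2 code if the country is in the EEA, else None."""
    key = unicodedata.normalize("NFKD", raw).encode("ascii", "ignore").decode()
    key = key.strip().lower()
    code = NAMES.get(key, key.upper())
    return code if code in EEA_CODES else None

def check_subprocessors(text):
    """Classify each line; unparsable lines fail the check (fail closed)."""
    report = {"in_eea": [], "outside_eea": [], "unparsed": []}
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            report["unparsed"].append(line)
        elif (code := eea_code(m.group(2))):
            report["in_eea"].append((m.group(1), code))
        else:
            report["outside_eea"].append((m.group(1), m.group(2).strip()))
    report["passed"] = not (report["outside_eea"] or report["unparsed"])
    return report

# Constructed sample list, not real vendors.
SAMPLE = """# sub-processors
Acme Hosting, France
Nordic Backup AS | no
Rhein Telemetry: Germany
Globex, Inc.: United Kingdom
Alpine Mail | CH
Mystery Vendor
"""

if __name__ == "__main__":
    print(check_subprocessors(SAMPLE))
```

Any country string that is not a recognised EEA name or code lands in `outside_eea`, so an unfamiliar spelling is surfaced for review instead of being silently accepted.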

## Getting Started

Add your architecture description and sub-processor list to the project workspace, then activate the *SecNumCloud — Dossier d'Homologation* skill. The agent will map architecture to the Référentiel, validate EEA data sovereignty, and help structure the homologation dossier with references to the ANSSI control domains.


