
16 Feb 2026

Legal news

IT and communication law


Requirements framework for the qualification of cloud computing and hosting service providers (PINH) (Ministerial Order No. 2026-59 of 5 February 2026)

Ministerial Order No. 2026-59 of 5 February 2026 (JDM No. 8786 of 13 February 2026) governs the qualification of cloud computing and hosting providers by the Director of the Monegasque Digital Security Agency (AMSN). The Principality's new requirements framework for the qualification of PINHs is set out in the appendix, pursuant to Article 6, f) of Sovereign Order No. 8.504 of 18 February 2021 and Article 24 of Law No. 1.435 of 8 November 2016 on combating technological crime (information system security).

It repeals and replaces Ministerial Order No. 2018-1108 of 26 November 2018, which previously governed the classification of PINHs.

* * *

Scope and content of the Principality's requirements framework for PINH certification

The requirements framework for PINH certification applies to all types of shared external hosting.

The four types of activity covered by the framework are as follows:

  • Infrastructure as a Service (IaaS): provision of abstract IT resources (CPU power, memory, storage, etc.). The IaaS model provides the customer with outsourced, potentially virtualised resources. The customer retains control over the operating system (OS), storage, deployed applications and certain network components (e.g. firewalls).
  • Container as a Service (CaaS): provision of tools enabling the deployment and orchestration of containers. The customer does not have control over the underlying technical infrastructure (network, storage, servers, operating system), which is managed and controlled by the service provider. However, the customer does have control over the system tools, libraries, middleware, and application code.
  • Platform as a Service (PaaS): provision of application hosting platforms by the service provider. The customer does not have control over the underlying technical infrastructure, which is managed and controlled by the service provider (network, servers, OS, storage, etc.). However, the client has control over the applications deployed on this platform. They may also have control over certain services that make up this platform or certain configuration elements, depending on the distribution of roles defined in the service. Examples: Apache, Tomcat, PHP and MySQL frameworks for developing web applications.
  • Software as a Service (SaaS): provision by the service provider of applications hosted on a cloud computing platform. The customer does not have control over the underlying cloud platform. The service provider transparently manages all technical aspects requiring IT skills on behalf of the customer. The customer retains the ability to configure certain business settings in the application. Examples: CRM (customer relationship management software), collaborative tools, messaging, business intelligence, ERP (enterprise resource planning software), etc.

The Principality's framework is based in particular on the international standard [ISO27001] for information security management systems (ISMS), with additional requirements that differentiate it from the existing standard and do not imply equivalence between the two sets of rules.

It is aligned with the French ANSSI SecNumCloud version 3.2 reference framework (8 March 2022), which incorporates protection criteria with regard to non-European law (e.g. Cloud Act, FISA 702):

  • The provider's registered office, central administration and principal place of business must be located in Monaco or within a Member State of the European Union (EU);
  • Limitations on the ownership of share capital and voting rights in the provider's company;
  • Use by the service provider of a company outside Monaco/the EU: prohibition on this company (including subcontractors or controlling entities) from having technical access to service data (customer data, sensitive technical data); guaranteeing the service provider continued operational autonomy in the provision of the cloud computing services it operates or being PINH-qualified.
  • Respect for fundamental rights, human rights, democracy and the rule of law. The fact that the service provider has links with a foreign government or public body may be taken into account when assessing compliance.

In addition to technical requirements, service providers must identify the legal, regulatory and contractual requirements applicable to the service. In Monaco, service providers must take into account at least the following texts:

Compliance of a cloud computing service with this standard does not certify its compliance with the State Information Systems Security Policy (PSSIE).

Obligations of qualified PINHs

The Director of the AMSN verifies that PINHs comply with the requirements of the reference framework. In the event of non-compliance, he may suspend or even withdraw the PINH qualification for a specified period.

PINHs are required to notify the AMSN in writing and without delay of any of the following changes, information, modifications or discontinuations relating to the provision of qualified services:

  • any significant change concerning the owner, capital, legal structure, organisation, premises, cessation of activity, etc.;
  • any information that may suggest that the qualified service no longer meets the requirements applicable to it under the qualification granted;
  • any modification of the measures taken to comply with the requirements set out in the appendix to this decree;
  • any change in the information contained in the catalogue of qualified services published on the AMSN website;
  • any discontinuation of marketing or support, in terms of both corrective maintenance and user support, for the qualified service.

These changes, information, modifications or discontinuations may result in the suspension or loss of qualification for one or all of the PINH services.


PINHs have the following obligations relating to the security of the qualified service:

  • monitor the security of the qualified service in order to identify any vulnerabilities relating to the qualified service as early as possible;
  • inform the AMSN and all users of the qualified service in writing and without delay of any cessation of monitoring the security of the qualified service and any cessation of marketing the qualified service or its support, both in terms of corrective maintenance and user support;
  • inform the AMSN without delay and in writing of:
    • any discovery of a vulnerability affecting or likely to affect the qualified service;
    • any incident affecting or likely to affect the qualified service and in particular the information systems involved in the operation, administration, maintenance or technical support of the qualified service;
    • any loss of the skills necessary to carry out the activities covered by the qualified service;
    • a description of any temporary technical or organisational mitigating measures, where they exist, to prevent the vulnerability from being exploited or to limit its impact pending its remediation.

* * *

Related texts:

  • Classification of information - national security: Ministerial Order No. 2016-723 of 12 December 2016 implementing Article 18 of Law No. 1.430 of 13 July 2016 on various measures relating to the preservation of national security and setting the classification levels for information, as amended; Ministerial Order No. 2022-125 of 9 March 2022 implementing Article 8 of Ministerial Order No. 2016-723 of 12 December 2016 implementing Article 18 of Law No. 1.430 of 13 July 2016 on various measures relating to the preservation of national security and setting the classification levels for information, as amended.
  • Service qualification process: Ministerial Order No. 2025-611 of 12 November 2025 implementing Article 6 of Sovereign Order No. 8.504 of 18 February 2021 implementing Article 24 of Law No. 1.435 of 8 November 2016 on combating technological crime, as amended.
  • PASSI - Requirements framework applicable to an information system security audit provider: Ministerial Order No. 2025-612 of 12 November 2025 implementing Article 6 c) of Sovereign Order No. 8.504 of 18 February 2021 implementing Article 24 of Law No. 1.435 of 8 November 2016 on combating technological crime, as amended.
  • PACS - Requirements framework applicable to an information system security audit provider: Ministerial Order No. 2025-613 of 12 November 2025 implementing Article 6, l) of Sovereign Order No. 8.504 of 18 February 2021 implementing Article 24 of Law No. 1.435 of 8 November 2016 on combating technological crime, as amended.
  • PDIS - Requirements framework applicable to a security incident detection provider: Ministerial Order No. 2019-525 of 18 June 2019.
  • PSSI - Security of State information systems: Ministerial Order No. 2022-331 of 13 June 2022 implementing Article 23 of Law No. 1.435 of 8 November 2016 on combating technological crime, as amended, setting the security measures for State information systems.
