AMF and ACPR Outsourcing — VDRs in France

The French Autorité des marchés financiers (AMF) supervises asset managers, investment firms, and capital markets activity; the Autorité de contrôle prudentiel et de résolution (ACPR) supervises banks and insurers. Both follow the EBA / EIOPA / ESMA outsourcing frameworks at EU level and add specific French expectations.

The most-cited French source for cloud-related outsourcing is AMF Position-Recommendation 2013-23, which has been updated for cloud computing. ACPR has its own analysis published under the EBA framework.

When a French regulated firm uses a virtual data room, the engagement is treated as an outsourcing. The firm must perform a documented risk assessment, sign a written outsourcing agreement granting audit and information rights, document sub-processor flow, and prepare an exit / reversibility plan.

Last updated: May 2026.

AMF Position-Recommendation 2013-23

The position-recommendation sets AMF expectations for cloud computing by asset managers and investment firms. Required elements: documented risk assessment, contractual audit rights, sub-processor transparency, exit / reversibility plan, and notification of material changes.

ACPR Expectations Under EBA Framework

ACPR applies the EBA's outsourcing guidelines to French banks and insurers. The institution must record the VDR in its outsourcing register, perform a criticality assessment, and ensure audit rights flow through to the institution, ACPR, and the institution's external auditor.

Providers Aligned with French Expectations

  • [Drooms](/providers/drooms) — DE/CH hosting, French UI, French project management.
  • [Papermark](/providers/papermark) — open-source self-hosting on French IaaS gives a clean SecNumCloud / French sovereignty answer.
  • [Virtual Vaults](/providers/virtual-vaults) — Benelux + France.
  • [EthosData](/providers/ethosdata) — multilingual project management.

Frequently Asked Questions

Does AMF require EU hosting?

Not strictly, but combined with CNIL guidance on Schrems II, EU hosting is the practical norm for French regulated firms.

What is SecNumCloud and how does it interact?

SecNumCloud is the ANSSI-defined trust mark for sovereign-cloud services. For state-influenced or sensitive transactions, French counsel may push for SecNumCloud-certified IaaS underneath the VDR — a clean answer is self-hosting Papermark on a SecNumCloud-certified IaaS.

Further Reading