Whaller | Digital Regulation

context

A Rapidly Evolving Regulatory Landscape

In just a few years, the European Union and France have profoundly reshaped the legal framework governing the digital tools used by organizations. GDPR, NIS2, DORA, CRA, SREN, REC… each regulation imposes new obligations and increases the responsibilities of management, CIOs, and CISOs.

These regulations are not burdens to be endured: they reflect a collective awareness of the risks associated with technological dependence and digital sovereignty. Choosing Whaller means choosing a platform designed to address these issues natively.

2018

GDPR

European Framework for the Protection of Personal Data.

2023

SREN

French law governing digital technology, sovereign cloud, and public procurement.

2024-2025

NIS2 ∙ DORA ∙ REC

NIS2 extends cybersecurity to 18 sectors. DORA mandates financial resilience. The REC Directive strengthens the physical resilience of critical entities.

2025

CRA ∙ AI Act

The CRA imposes cybersecurity requirements on digital products from the design stage onward.

key figures

Why act now?

20M€

Maximum GDPR fine or 4% of global revenue.

18

Critical sectors covered by NIS2 (compared to 7 for NIS1).

+22,000

Financial institutions subject to DORA in Europe.

72 hours

Maximum time limit for reporting a data breach.

key texts

For every regulation, a Whaller solution

Whaller natively incorporates the requirements of the main European and French regulations. Here's how.

EU Regulation 2016/679

GDPR

General Data Protection Regulation

● Effective since May 2018

The GDPR governs the collection, processing, and retention of personal data of all European residents. It requires data controllers to adhere to the principles of data minimization, purpose limitation, and transparency.

👉 Learn more

EU Directive 2022/2555

NIS2

Network and Information Security — Version 2

● Transposed · Effective 2024

NIS2 extends cybersecurity requirements to 18 critical sectors (energy, healthcare, transportation, public administration, etc.) and mandates measures for risk management, incident reporting, and supply chain security.

👉 Learn more

EU Regulation 2022/2554

DORA

Digital Operational Resilience Act

● Effective as of January 2025

DORA requires financial institutions (banks, insurance companies, investment funds, payment service providers, etc.) to adhere to a framework for digital operational resilience: ICT risk management, resilience testing, incident reporting, and governance of third parties and cloud providers.

👉 Learn more

EU Regulation 2024/2847

CRA

Cyber Resilience Act

● Adoption in 2024 · Phased implementation 2025–2027

The CRA imposes cybersecurity requirements throughout the lifecycle of products and software that contain digital components: security by design, vulnerability management, transparency, and incident reporting.

👉 Learn more

Law No. 2024-449 · France

SREN

Law on Securing and Regulating the Digital Space

● Enacted in May 2024

The SREN Act adapts the French legal framework to the challenges of the digital age: a sovereign cloud for government agencies, combating cyberthreats, protecting minors online, and regulating platforms. Article 31 of the Act directly concerns digital public procurement.

👉 Learn more

U.S. Law · Extraterritorial Risk

Cloud Act & FISA

Clarifying Lawful Overseas Use of Data Act · Foreign Intelligence Surveillance Act

● In Effect · Permanent Risk

The Cloud Act (2018) and FISA authorize U.S. authorities to access data hosted by companies subject to U.S. law, including their foreign subsidiaries—without prior notice. This applies to GAFAM services, even those hosted in Europe.

👉 Learn more

EU Directive 2022/2555

REC

Resilience of Critical Infrastructure

● In effect · To be implemented in Oct. 2024

The REC Directive strengthens the physical, organizational, and digital resilience of critical entities in 11 strategic sectors (energy, healthcare, transportation, government, digital infrastructure, etc.). Any critical entity as defined by the REC is automatically classified as an essential entity under NIS2.

👉 Learn more

detailed analysis

What every text requires, what Whaller guarantees

For each regulation: key requirements and Whaller's solutions.

What the GDPR Requires

Lawfulness, Fairness, and Transparency in Data Processing
Purpose Limitation and Data Minimization
Defined and adhered-to retention periods
Individual Rights: Access, Correction, Deletion, Portability
Mandatory notification in the event of a breach (within 72 hours to the CNIL)
Appointment of a DPO and Maintenance of a Record of Processing Activities
Privacy by design and by default from the outset
Regulations Governing Transfers Outside the EU (Model Contractual Clauses)

What Whaller Guarantees

DPA (Data Processing Agreement) available and ready to sign
A structured record of processing activities that is communicated to clients
Built-in data deletion and export features
100% France-based hosting — no data transfers outside the EU
AES-256 encryption at rest, TLS 1.3 in transit
CNIL: No transfer orders may be issued outside the scope of French law
Contractually guaranteed incident notification within 72 hours

What NIS2 Requires

Cybersecurity Risk Analysis and Management
Security measures commensurate with the identified risks
Reporting of Significant Incidents Within 24 Hours
Business Continuity and Disaster Recovery Plan
Securing the ICT Supply Chain
Governance and Accountability at the Highest Level
Expanded to 18 critical sectors

What Whaller Guarantees

100% French-based hosting (OVHcloud)
CSIRT Whaller for Incident Notification and Management
AES-256 encryption at rest, TLS 1.3 in transit
MFA required via Whaller DONJON
Time-stamped, searchable, and exportable logging
Whaller RESILIENCE (PCA-PRA) Offer
Documented Compliance and CISO/Legal Support

What DORA Requires

ICT Risk Governance at the Board Level
Risk Management for Critical ICT Service Providers
Operational Resilience Tests (TLPT)
Reporting Major Incidents to the Authorities
Business Continuity in Digital Finance
Contracts and Terms with Cloud Providers
Mapping and Inventory of ICT Assets

What Whaller Guarantees

SecNumCloud 3.2 Certification by Composition (SaaS + IaaS)
DPA and DORA-aligned contractual provisions
Hosting in France, Independence from the Cloud Act
Active CSIRT and Notification Procedures
End-to-end encryption
Documentation for Audits and Regulatory Authorities
Transparent and well-documented supply chain

What the CRA Requires

Security by design and by default
Vulnerability Management Throughout the Entire Lifecycle
Mandatory Security Updates
Cybersecurity Incident Reporting
Technical Documentation and User Manual
Pre-market Conformity Assessment
SBOM and Traceability of Digital Components

What Whaller Guarantees

Secure Development and Code Reviews
CSIRT Whaller and Vulnerability Management
Continuous and Secure Updates
Native data and file encryption
MFA and Enhanced Access Control
French Sovereign Hosting
Safety documentation available to customers

What the SREN Requires

Sovereign Cloud for Government Agencies
Security Requirements for Digital Operators
Protection of Minors Online
Platform Oversight and Moderation
Digital Public Procurement (Article 31)
Protection against cyber threats
Transparency in Digital Services

What Whaller Guarantees

Service 100% hosted and operated in France
SecNumCloud Qualification for Sensitive Contracts
Structural Immunity Under the Cloud Act
Data Compartmentalization and Data Sovereignty
Support for Public Procurement Officials
Native Cybersecurity and Whaller CSIRT
GDPR Compliance and Native Export/Deletion

What the REC Requires

Risk Management Plan for Critical Entities
Physical and Organizational Resilience
Digital Resilience of Critical Systems
Reporting Incidents to the Authorities
Mapping Dependencies and Interconnections
Coordination with emergency services
Link to essential entity status under NIS2

What Whaller Guarantees

Hosting in France on OVHcloud infrastructure
Whaller RESILIENCE Offering for Business Continuity
CSIRT and Crisis Management Procedures
Data Encryption and Segregation
SecNumCloud 3.2 ANSSI
Documentation for Sectoral Authorities
NIS2 Compliance for REC Critical Entities

overview

Whaller Compliance Table

A summary of key regulatory requirements and Whaller's level of coverage.

Requirement	GDPR	NIS2	DORA	CRA	SREN	REC	Whaller Cover
Hosting in France / the EU	✔	✔	✔		✔	✔	100% OVHcloud France
Data Encryption	✔	✔	✔	✔	✔		AES-256 + TLS 1.3
Strong Authentication (MFA)		✔	✔	✔	✔		MFA Required: Whaller DONJON
Incident Management (Notification)	✔	✔	✔	✔		✔	Whaller CSIRT is active
Business Continuity / BCP-BCP		✔	✔			✔	Whaller RESILIENCE Offer
Human Rights	✔						Native Export & Deletion
Third-Party Qualification/Certification		✔	✔	✔	✔	✔	SecNumCloud 3.2 ANSSI
Extraterritorial Independence	✔	✔	✔		✔	✔	Cloud Act-free • 100% FR
Third-Party ICT Vendor Management	✔	✔	✔				Documented transparent chain
Portability and Reversibility	✔		✔		✔		Guaranteed Full Export

glossary

Key Terms Explained

SecNumCloud

ANSSI Qualification

The ANSSI framework, which certifies cloud offerings based on strict criteria for security, sovereignty, and independence. Whaller DONJON is the first community platform to be qualified at Level 3.2 (SaaS).

GDPR

EU Regulation 2016/679

General Data Protection Regulation (), in effect throughout the European Union since May 2018. It protects the personal data of EU residents and imposes obligations on data controllers and processors.

NIS2

EU Directive 2022/2555

Directive on the Security of Network and Information Systems, Version 2. It extends cybersecurity obligations to 18 critical sectors, strengthens governance, and imposes incident reporting requirements.

DORA

EU Regulation 2022/2554

Digital Operational Resilience Act, in effect since January 2025. It requires financial institutions to adhere to a unified framework for ICT risk management, operational resilience, and oversight of third-party providers.

CRA

EU Regulation 2024/2847

Cyber Resilience Act. The first European regulation imposing cybersecurity requirements on products containing digital components throughout their lifecycle.

SREN

French Law No. 2024-449

The Law on Securing and Regulating the Digital Space, enacted in May 2024. It adapts French law to the challenges of the digital age: sovereign cloud, public procurement, protection of minors, and the fight against cyberthreats.

Cloud Act

U.S. Law • 2018

A U.S. law that allows U.S. authorities to access data hosted abroad by companies subject to U.S. law. Incompatible with the GDPR. Whaller, a French company hosted in France, is structurally immune.

CSIRT

Computer Security Incident Response Team

A team dedicated to responding to cybersecurity incidents. Whaller has its own CSIRT ( ) for reporting and managing vulnerabilities affecting its services.

REC

EU Directive 2022/2555

Critical Infrastructure Resilience Directive, transposed in October 2024. It strengthens the physical, organizational, and digital resilience of entities operating in 11 strategic sectors (energy, healthcare, transportation, government, digital infrastructure, etc.). Any critical entity as defined by the REC is automatically classified as an essential entity under NIS2.

Our Commitment

Whaller, a Key Player in Regulatory Sovereignty

Beyond Compliance: A Political and Technical Commitment

Whaller doesn't just comply with regulations. The company actively participates in the discussions that shape the French and European regulatory framework for the digital sector—before Parliament, within institutions, and within trust ecosystems.

Testimony before the National Assembly's Law Committee (February 2026)
Testimony before the Commission of Inquiry on France's Digital Dependencies (April 2026)
Member of the Center of Excellence in Cybersecurity (PEC)
Partner of the INAS (National Institute for Strategic Affairs)
Partner of Défense Angels
Signatory to the agreement Whaller × National Guard - “National Defense Partner”

Ready to get started?

Whaller is available for free for up to 100 members with the Standard offer. Create your platform in 5 minutes and give it a go. 🙂

Schedule a demo